  1. function Get-UserGraphPermissions {
  2.   # Get members
  3.   $groupMembers = Get-MgGroupMember -GroupId (Get-MgGroup -Filter "displayName eq 'Entra-Graph-Command-Line-Access'").Id
  4. #  $Users = foreach ($member in $groupMembers) {
  5. #    Get-MgUser -UserId $member.Id
  6. #  }
  7.  
  8.   $totalUsers = $groupMembers.Count
  9.   $results = [System.Collections.Generic.List[PSCustomObject]]::new()
  10.   $count = 1
  11.  
  12.   foreach ($User in $groupMembers) {
  13.     # Progress bar
  14.     $percentComplete = ($count / $totalUsers) * 100
  15.     Write-Progress -Activity "Processing users" -Status "Processing user $count of $totalUsers" -PercentComplete $percentComplete
  16.  
  17.     Write-Verbose "`nProcessing user $count of $totalUsers $($User.AdditionalProperties.UserPrincipalName)"
  18.  
  19.     # Extract UserIdentifier (everything before @)
  20.     $UserIdentifier = ($User.AdditionalProperties.UserPrincipalName -split '@')[0].ToLower()
  21.  
  22.     $hasPermissions = $false
  23.  
  24.     try {
  25.       # Get user's OAuth2 permissions
  26.       $uri = "https://graph.microsoft.com/v1.0/users/$($User.Id)/oauth2PermissionGrants"
  27.       $permissions = Invoke-MgGraphRequest -Uri $uri -Method Get -ErrorAction Stop
  28.       # Get app role assignments
  29.       $appRoleAssignments = Get-MgUserAppRoleAssignment -UserId $User.Id -ErrorAction Stop
  30.       # Process OAuth2 permissions (delegated permissions)
  31.       foreach ($permission in $permissions.value) {
  32.         $scopes = $permission.scope -split ' '
  33.         foreach ($scope in $scopes) {
  34.           $hasPermissions = $true
  35.           $results.Add([PSCustomObject]@{
  36.               UserIdentifier    = $UserIdentifier
  37.               UserPrincipalName = $User.AdditionalProperties.UserPrincipalName
  38.               PermissionType    = "Delegated"
  39.               Permission        = $scope
  40.               ResourceId        = $permission.resourceId
  41.               ClientAppId       = $permission.clientId
  42.             })
  43.         }
  44.       }
  45.       # Process app role assignments (application permissions)
  46.       foreach ($assignment in $appRoleAssignments) {
  47.         $appRole = Get-MgServicePrincipal -ServicePrincipalId $assignment.ResourceId |
  48.         Select-Object -ExpandProperty AppRoles |
  49.         Where-Object { $_.Id -eq $assignment.AppRoleId }
  50.  
  51.         if ($appRole) {
  52.           $hasPermissions = $true
  53.           $results.Add([PSCustomObject]@{
  54.               UserIdentifier    = $UserIdentifier
  55.               UserPrincipalName = $User.AdditionalProperties.UserPrincipalName
  56.               PermissionType    = "Application"
  57.               Permission        = $appRole.Value
  58.               ResourceId        = $assignment.ResourceId
  59.               ClientAppId       = $assignment.PrincipalId
  60.             })
  61.         }
  62.       }
  63.       # If user has no permissions, add empty row
  64.       if (-not $hasPermissions) {
  65.         $results.Add([PSCustomObject]@{
  66.             UserIdentifier    = $UserIdentifier
  67.             UserPrincipalName = $User.AdditionalProperties.UserPrincipalName
  68.             PermissionType    = "NULL"
  69.             Permission        = "NULL"
  70.             ResourceId        = "NULL"
  71.             ClientAppId       = "NULL"
  72.           })
  73.       }
  74.     }
  75.     catch {
  76.       Write-Verbose "Error processing user $($User.AdditionalProperties.UserPrincipalName): $($_.Exception.Message)"
  77.       # Add user with empty permissions in case of error
  78.       $results.Add([PSCustomObject]@{
  79.           UserIdentifier    = $UserIdentifier
  80.           UserPrincipalName = $User.AdditionalProperties.UserPrincipalName
  81.           PermissionType    = "NULL"
  82.           Permission        = "NULL"
  83.           ResourceId        = "NULL"
  84.           ClientAppId       = "NULL"
  85.         })
  86.     }
  87.  
  88.     $count++
  89.   }
  90.   # Export results to CSV
  91.   $timestamp = Get-Date -Format "yyyyMMdd-HHmmss"
  92.   $exportPath = "c:\temp\UserGraphPermissions_$timestamp.csv"
  93.   $results | Export-Csv -Path $exportPath -NoTypeInformation
  94.   Write-Verbose "`nExport completed. File saved to: $exportPath"
  95.  
  96. }
  97.  
# Entry point: run the audit against the default group with verbose progress output.
# Assumes Connect-MgGraph has already been run in this session.
Get-UserGraphPermissions -Verbose