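param(
    [switch]$debug = $false ## if -debug parameter is given, record a transcript of the run
)
<# CIAOPS
Script provided as is. Use at own risk. No guarantees or warranty provided.
Description - Delete permissions from an Azure AD enterprise application
Source - https://github.com/directorcia/Office365/blob/master/graph-adappperm-del.ps1
Prerequisites = 1
1. Azure AD Module loaded
More scripts available by joining http://www.ciaopspatron.com

Notes on this revision:
- The script fetches the OAuth2 permission grants of each selected enterprise
  application once, lets the operator choose admin and/or user consent grants,
  lists every scope that would be removed and only removes after an explicit Y.
- Removal is not reversible from within this script; the transcript written
  with -debug is the only record it keeps of what was removed.
- An existing Azure AD session is assumed (NOTE(review): the script checks that
  the module is installed, not that Connect-AzureAD has been run - confirm).
#>

## Helper functions

function Show-GrantScopes {
    <#
    .SYNOPSIS
    Writes the resource id and the individual scopes of each OAuth2 permission grant.
    .PARAMETER Grants
    OAuth2 permission grant objects (as returned by Get-AzureADOAuth2PermissionGrant).
    .OUTPUTS
    None. Writes to the host only.
    #>
    param(
        $Grants
    )
    foreach ($grant in $Grants) {
        Write-Host $grant.ResourceId
        # Scope is a single space-separated string of permission names
        foreach ($assignment in ($grant.Scope -split " ")) {
            Write-Host "-", $assignment
        }
    }
}

function Remove-GrantsWithConfirmation {
    <#
    .SYNOPSIS
    Prompts the operator and removes the given OAuth2 permission grants only on an explicit Y.
    .PARAMETER Grants
    OAuth2 permission grant objects to remove.
    .OUTPUTS
    None. Writes "Removed" or "No change made" to the host.
    #>
    param(
        $Grants
    )
    do {
        $answer = Read-Host -Prompt "`nDo you wish to remove all these permissions (Y/N)?"
    } until (-not [string]::IsNullOrEmpty($answer))
    # -eq is case-insensitive, so both 'Y' and 'y' are accepted; anything else is a "no"
    if ($answer -eq 'Y') {
        foreach ($grant in $Grants) {
            Remove-AzureADOAuth2PermissionGrant -ObjectId $grant.ObjectId
        }
        Write-Host -ForegroundColor $processmessagecolor "Removed"
    }
    else {
        Write-Host -ForegroundColor $processmessagecolor "No change made"
    }
}

## Variables
$systemmessagecolor = "cyan"
$processmessagecolor = "green"
$errormessagecolor = "red"
$warningmessagecolor = "yellow"
$version = "1.00"
## The two consent types Get-AzureADOAuth2PermissionGrant reports in ConsentType
$consenttype = @(
    [PSCustomObject]@{ Name = "Admin consent"; type = "allprincipals" }
    [PSCustomObject]@{ Name = "User consent"; type = "principal" }
)

Clear-Host
if ($debug) {
    ## Log file created in the parent of the current directory; overwritten on each run
    Start-Transcript "..\graph-adappperm-del.txt" | Out-Null
}
Write-Host -ForegroundColor $systemmessagecolor "Script started. Version = $version`n"
Write-Host -ForegroundColor cyan -BackgroundColor DarkBlue ">>>>>> Copyright www.ciaops.com <<<<<<`n"
Write-Host "--- Script to delete app permissions from an Azure AD application in a tenant ---"

Write-Host -ForegroundColor $processmessagecolor "`nCheck for Azure AD PowerShell module"
if (Get-Module -ListAvailable -Name AzureAD) {
    ## Has the AzureAD PowerShell module been installed?
    Write-Host -ForegroundColor $processmessagecolor "Azure AD PowerShell Module found"
}
else {
    Write-Host -ForegroundColor $warningmessagecolor -BackgroundColor $errormessagecolor "Azure AD PowerShell Module not installed. Please install and re-run script`n"
    Write-Host "You can install the Azure AD Powershell module by:`n"
    Write-Host " 1. Launching an elevated Powershell console then,"
    Write-Host " 2. Running the command,'install-module AzureAD'.`n"
    if ($debug) {
        Stop-Transcript | Out-Null ## Only stop a transcript that was actually started
    }
    Pause ## Pause to view error on screen
    exit 1 ## Missing prerequisite is a failure, not a success
}

$results = Get-AzureADServicePrincipal -All $true | Sort-Object DisplayName | Out-GridView -PassThru -Title "Select Enterprise Application (Multiple selections permitted)"
foreach ($result in $results) { # loop through all selected applications
    Write-Host -ForegroundColor $processmessagecolor "Commencing", $result.DisplayName
    # Look up the current selection ($result), not the whole selection list ($results)
    $sp = Get-AzureADServicePrincipal -ObjectId $result.ObjectId
    # Fetch the delegated permission grants for this service principal once;
    # every consent type below is a filter over the same list
    $spOAuth2PermissionsGrants = Get-AzureADOAuth2PermissionGrant -All $true | Where-Object { $_.ClientId -eq $sp.ObjectId }
    $consentselects = $consenttype | Out-GridView -PassThru -Title "Select Consent type (Multiple selections permitted)"
    foreach ($consentselect in $consentselects) { # loop through all selected consent types
        Write-Host -ForegroundColor $processmessagecolor "Commencing", $consentselect.Name
        $info = $spOAuth2PermissionsGrants | Where-Object { $_.ConsentType -eq $consentselect.type }
        if (-not $info) { # nothing granted under this consent type
            Write-Host -ForegroundColor $warningmessagecolor "`nNo", $consentselect.Name, "permissions found for", $result.DisplayName, "`n"
            continue
        }
        if ($consentselect.type -eq "principal") { # user consent: one grant per user and resource
            $usernames = @()
            foreach ($item in $info) {
                $usernames += Get-AzureADUser -ObjectId $item.PrincipalId
            }
            # A user with grants to several resources appears once in the picker
            $selectusers = $usernames |
                Select-Object DisplayName, UserPrincipalName, ObjectId -Unique |
                Sort-Object DisplayName |
                Out-GridView -PassThru -Title "Select users (Multiple selections permitted)"
            foreach ($selectuser in $selectusers) { # loop through all selected users
                $infoscopes = $info | Where-Object { $_.PrincipalId -eq $selectuser.ObjectId }
                Write-Host -ForegroundColor $processmessagecolor "`n"$consentselect.Name, "permissions for user", $selectuser.DisplayName
                Show-GrantScopes -Grants $infoscopes
                Remove-GrantsWithConfirmation -Grants $infoscopes
            }
        }
        elseif ($consentselect.type -eq "allprincipals") { # admin consent: grants carry no PrincipalId
            $infoscopes = $info | Where-Object { $null -eq $_.PrincipalId }
            Write-Host -ForegroundColor $processmessagecolor $consentselect.Name, "permissions"
            Show-GrantScopes -Grants $infoscopes
            Remove-GrantsWithConfirmation -Grants $infoscopes
        }
    }
}
Write-Host -ForegroundColor $systemmessagecolor "`nScript Finished"
if ($debug) {
    Stop-Transcript | Out-Null
}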