ImportApplicationRegistrationsFlowDetails.md

Application Principal Reporting - Import Application Principals

The Application Principal Reporting - Import Application Principals flow should be scheduled to run on a periodic basis. It is responsible for importing every Entra ID app registration that has one or more SharePoint Online or Microsoft Graph site/file-related permissions configured, together with the delegated and application permissions it holds.

Variable Declaration

This section of the flow declares the variables used by the remaining steps.

The following variable values are populated directly from their respective environment variables:
  • vClientId
  • vClientSecret
  • vTenantId
  • vSiteUrl
  • vListName

The Compose action holds a JSON mapping of all Microsoft Graph and SharePoint Online permissions, including each permission's id, display name and scope (Delegated or Application). The flow uses this array to look up the scope and display name of each permission id returned in the application list from Microsoft Graph. The display name values map directly to the choice field values in the SharePoint list, so the mapping must be kept in step with the list's choice field whenever a permission is added.

The remaining variables (not shown) are internal arrays used within the flow.

Secret Retrieval

This section attempts to read the client secret value from the Azure Key Vault (AKV) environment variable.

If the Secret (Azure Key Vault) environment variable is not configured or fails to load, the flow falls back to reading the Secret (Plaintext) environment variable. Note that this fallback is silent: a Key Vault misconfiguration will not fail the run but will downgrade it to whatever is stored in the plaintext variable. In production, leave the plaintext variable empty so that a Key Vault failure surfaces as a flow error rather than being masked.

SharePoint List Item Cache

This section queries all existing SharePoint list items and builds an array of objects consisting of the list ItemId and the ApplicationId. This mapping is used later to decide whether the flow needs to update an existing entry or add a new one.

Sync Application Principal to SharePoint List

This section is a "do until" loop that keeps fetching pages of applications from the Microsoft Graph API, following the @odata.nextLink of each page until no further link is returned. The format of the JSON response is as follows:


The flow then iterates through each application result on the current page.

For each application found, the flow iterates all objects in the requiredResourceAccess array. Each object represents one resource (service) the app registration requests permissions from. Note that requiredResourceAccess reflects the permissions configured on the app registration, not whether an administrator or user has actually granted consent; granted consent is recorded on the service principal (appRoleAssignments and oauth2PermissionGrants), which this flow does not query.

The Switch action checks whether the current resource, identified by its resourceAppId GUID, is either SharePoint Online or Microsoft Graph. All other resources are out of scope for this flow.

The flow branches according to the GUID value of resourceAppId.

If the GUID value of resourceAppId maps to Microsoft Graph, the flow enumerates each object in the resourceAccess array (the requested roles and scopes for that resource).

The Filter array action looks up the permission id in the JSON mapping to determine the scope and display name of the permission.

The Condition action checks whether the lookup returned a match; a permission id that is absent from the mapping is out of scope and is skipped.

The second Condition action determines whether the permission scope is Delegated or Application, and adds the permission's display name to the corresponding Graph permissions array.

If the GUID value of resourceAppId maps to SharePoint Online, the flow enumerates each object in the resourceAccess array.

The Filter array action looks up the permission id in the JSON mapping to determine the scope and display name of the permission.

The Condition action determines whether the permission scope is Delegated or Application, and adds the permission's display name to the corresponding SharePoint Online permissions array.

After all resources for the application have been processed, a Condition action checks whether any permissions were added to any of the four permissions arrays (Graph Delegated, Graph Application, SharePoint Online Delegated, SharePoint Online Application).

If so, the flow looks for an existing entry in the list item cache with a matching ApplicationId.

If no entry is found (TRUE branch), a new list item is created (POST); otherwise (FALSE branch) the existing list item is updated (PATCH).
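The paging loop, permission classification and add-versus-update decision described in the sections above, written as a stand-alone Python example. This is an added illustration, not the flow's own logic or the project's code: the Graph pages, the SharePoint list cache and the Exchange permission id are constructed sample data, the `$select` query is assumed, and the permission-id GUIDs in the mapping are the published ids for those permissions and should be verified against the service principals in your tenant.

```python
"""Added example: paging, permission classification and POST/PATCH planning
for the Import Application Principals flow, over constructed Graph pages."""

GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"  # Microsoft Graph (well-known resourceAppId)
SPO_APP_ID = "00000003-0000-0ff1-ce00-000000000000"    # SharePoint Online (well-known resourceAppId)

# Subset of the flow's Compose mapping: (resourceAppId, permission id) -> (display name, scope).
# Permission GUIDs as published for these permissions; verify against your tenant.
PERMISSION_MAP = {
    (GRAPH_APP_ID, "205e70e5-aba6-4c52-a976-6d2d46c48043"): ("Sites.Read.All", "Delegated"),
    (GRAPH_APP_ID, "332a536c-c7ef-4017-ab91-336970924f0d"): ("Sites.Read.All", "Application"),
    (GRAPH_APP_ID, "df85f4d6-205c-4ac5-a5ea-6bf408dba283"): ("Files.Read.All", "Delegated"),
    (SPO_APP_ID, "d13f72ca-a275-4b96-b789-48ebcc4da984"): ("Sites.Read.All", "Application"),
}

# Constructed two-page response in the shape of GET /applications (assumed $select).
FIRST_URL = "https://graph.microsoft.com/v1.0/applications?$select=appId,displayName,requiredResourceAccess"
NEXT_URL = FIRST_URL + "&$skiptoken=page2"
PAGES = {
    FIRST_URL: {
        "@odata.nextLink": NEXT_URL,
        "value": [
            {"appId": "11111111-1111-1111-1111-111111111111", "displayName": "Reporting Bot",
             "requiredResourceAccess": [
                 {"resourceAppId": GRAPH_APP_ID, "resourceAccess": [
                     {"id": "332a536c-c7ef-4017-ab91-336970924f0d", "type": "Role"},   # Sites.Read.All (app)
                     {"id": "df85f4d6-205c-4ac5-a5ea-6bf408dba283", "type": "Scope"},  # Files.Read.All (delegated)
                     {"id": "ffffffff-ffff-ffff-ffff-ffffffffffff", "type": "Scope"},  # constructed, not in map
                 ]}]},
            {"appId": "22222222-2222-2222-2222-222222222222", "displayName": "Mail Only",
             "requiredResourceAccess": [
                 {"resourceAppId": "00000002-0000-0ff1-ce00-000000000000",  # Exchange Online: out of scope
                  "resourceAccess": [{"id": "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa", "type": "Role"}]}]},
        ]},
    NEXT_URL: {
        "value": [
            {"appId": "33333333-3333-3333-3333-333333333333", "displayName": "Site Sync",
             "requiredResourceAccess": [
                 {"resourceAppId": SPO_APP_ID, "resourceAccess": [
                     {"id": "d13f72ca-a275-4b96-b789-48ebcc4da984", "type": "Role"}]}]},
        ]},
}


def iter_applications(fetch, url):
    """The "do until" loop: fetch pages until no @odata.nextLink is returned."""
    while url:
        page = fetch(url)
        yield from page.get("value", [])
        url = page.get("@odata.nextLink")


def classify_permissions(app):
    """Bucket in-scope requested permissions into the flow's four arrays.
    Note: requiredResourceAccess is what the registration requests, not what was consented."""
    buckets = {"graph_delegated": [], "graph_application": [],
               "spo_delegated": [], "spo_application": []}
    service_prefix = {GRAPH_APP_ID: "graph", SPO_APP_ID: "spo"}
    for resource in app.get("requiredResourceAccess", []):
        prefix = service_prefix.get(resource.get("resourceAppId"))
        if prefix is None:
            continue  # Switch default: not Graph or SharePoint Online
        for access in resource.get("resourceAccess", []):
            entry = PERMISSION_MAP.get((resource["resourceAppId"], access.get("id")))
            if entry is None:
                continue  # Condition: permission id not in the mapping, out of scope
            name, scope = entry
            buckets[f"{prefix}_{scope.lower()}"].append(name)
    return buckets


def build_cache(list_items):
    """SharePoint list item cache: ApplicationId -> list ItemId."""
    return {item["ApplicationId"]: item["ItemId"] for item in list_items}


def plan_sync(fetch, first_url, cache):
    """Return the POST/PATCH actions the flow would issue, one per in-scope application."""
    actions = []
    for app in iter_applications(fetch, first_url):
        buckets = classify_permissions(app)
        if not any(buckets.values()):
            continue  # no in-scope permissions: no list entry written
        item_id = cache.get(app["appId"])
        actions.append({"method": "PATCH" if item_id is not None else "POST",
                        "itemId": item_id, "appId": app["appId"],
                        "displayName": app["displayName"], **buckets})
    return actions


def run_sample():
    # Constructed cache: "Site Sync" already exists as list item 7.
    cache = build_cache([{"ItemId": 7, "ApplicationId": "33333333-3333-3333-3333-333333333333"}])
    return plan_sync(PAGES.get, FIRST_URL, cache)


if __name__ == "__main__":
    for action in run_sample():
        print(action["method"], action["itemId"], action["displayName"],
              action["graph_delegated"], action["graph_application"],
              action["spo_delegated"], action["spo_application"])
```

Running the sample yields a POST for "Reporting Bot" (one Graph application and one Graph delegated permission, the unmapped id ignored), nothing for "Mail Only" (its only resource is out of scope) and a PATCH against item 7 for "Site Sync". Swap `PAGES.get` for a function that performs the authenticated GET to run it against a real tenant.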