New MSIdentityTools Cmdlet to Report OAuth Permissions

The Export-MsIdAppConsentGrantReport Cmdlet Makes it Easier for Tenant Administrators to Track OAuth Permissions for Apps

As readers of my articles know, I have often discussed the topic of monitoring and checking OAuth permissions assigned to apps, usually using the Microsoft Graph PowerShell SDK to fetch and interpret permissions in a way that makes sense to tenant administrators. A recent example is an article about how to generate a report about OAuth permissions.

The need to understand the permissions assigned to apps was underscored by the recent Midnight Blizzard attack on Microsoft corporate mailboxes. The fact that an OAuth app can exist with permissions necessary to exfiltrate email and attachments from mailboxes without Microsoft’s administrators and security professionals detecting its presence for several months highlights the challenge facing every tenant administrator.

A New MsIdentityTools Cmdlet

And that’s why the creation of the Export-MsIdAppConsentGrantReport cmdlet is such welcome news. Not every tenant administrator can master the PowerShell cmdlets used to interrogate apps or understand the data that comes back. It’s a lot easier when a single cmdlet does the job. Export-MsIdAppConsentGrantReport is part of the MSIdentity Tools module, developed and maintained by members of the Entra ID product group to help with different aspects of directory management.

You can get version 2.0.52 of the MsIdentityTools module by installing it from the PowerShell gallery.

Install-Module -Name MSIdentityTools -Force -Scope AllUsers -RequiredVersion 2.0.52

Because of a dependency, the MSIdentityTools module also installs the Microsoft.Graph.Authentication module (part of the Microsoft Graph PowerShell SDK). Oddly, it installs version 2.9.1 of the Authentication module instead of the current version (2.12). Apart from occupying some extra disk space, no great harm is done and MSIdentityTools is happy to use 2.12.

Running Export-MsIdAppConsentGrantReport

Generating a report with the Export-MsIdAppConsentGrantReport cmdlet is easy. This code connects to the Microsoft Graph PowerShell SDK, imports the ImportExcel module (needed to generate an Excel worksheet), and creates the report in the form of a worksheet:

Connect-MgGraph -Scopes Directory.Read.All -NoWelcome
Import-Module ImportExcel
Export-MsIdAppConsentGrantReport -ReportOutputType ExcelWorkbook -ExcelWorkbookPath c:\temp\OAuthAppPermissionsReport.xlsx

The cmdlet uses Microsoft Graph API calls to read and analyze information about service principals. It then calls cmdlets from the ImportExcel module to generate a multi-sheet workbook. Figure 1 shows one of the sheets listing Graph and other permissions (like the right for an app to run cmdlets from the Teams PowerShell module as an administrator).

Figure 1: Excel worksheet generated by the Export-MsIdAppConsentGrantReport cmdlet

Even better, the Export-MsIdAppConsentGrantReport cmdlet can generate its data as a PowerShell object:

[array]$AppData = Export-MsIdAppConsentGrantReport -ReportOutputType PowerShellObjects

The reason why this facility is so good is that the cmdlet does a lot of heavy lifting to fetch information about service principals and permissions and delivers them in an array that’s easy for PowerShell scripts to consume. In effect, this eliminates a lot of code in scripts like those that I’ve written to report permission assignments. Instead of running Get-MgServicePrincipal and parsing the results to find and interpret data, developers can run Export-MsIdAppConsentGrantReport and use its output instead.

For example, this command finds the service principals that hold the Mail.Send permission. This is a high-priority permission because Mail.Send allows the app to send email from any mailbox unless limited by RBAC for Applications.

$AppData | Where-Object Permission -match 'Mail.Send' | Format-Table ClientDisplayName, AppId, PermissionType

ClientDisplayName                                                 AppId                                PermissionType
-----------------                                                 -----                                --------------
MalwareExample                                                    d868053d-58bc-4010-a659-23de72d14669 Application
PowerShellGraph                                                   8f005189-8c58-4fb5-a226-8851e13490cb Application
MailSendApp                                                       970e01d1-ce75-46ba-a054-4b61c787f682 Application
ExoAutomationAccount_Y6LgjDYIfPnxmFzrqdbaClsnTD/gN4BNnVMywiju5hk= 45923847-be5b-4e29-98c5-bc9ab0b5dc95 Application
ManagedIdentitiesAutomation                                       b977a222-3534-4625-980d-e2f864d3a2d5 Application
Microsoft Graph PowerShell SDK Cert                               d86b1929-b818-411b-834a-206385bf5347 Application
PnP Management Shell                                              31359c7f-bd7e-475c-86db-fdb8c937548e Delegated-AllPr…
MailSendAppDelegate                                               0fb521aa-8d32-4c0b-b124-565a1d8c4abe Delegated-AllPr…
MailSendAppDelegate                                               0fb521aa-8d32-4c0b-b124-565a1d8c4abe Delegated-AllPr…
PowerShellGraph                                                   8f005189-8c58-4fb5-a226-8851e13490cb Delegated-AllPr…
IMAP access to Shared Mailbox                                     6a90af02-6ac1-405a-85e6-fb6ede844d92 Delegated-AllPr…
Microsoft Graph Command Line Tools                                14d82eec-204b-4c2f-b7e8-296a70dab67e Delegated-AllPr…
Microsoft Graph Command Line Tools                                14d82eec-204b-4c2f-b7e8-296a70dab67e Delegated-AllPr…

Notice that some duplicates are present. These are probably due to a glitch in the cmdlet that will be squashed soon.

Because the array is a PowerShell object, you can export it in whatever format you want, including CSV, Excel, and HTML.
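The following script is an added example, not code from the original post or from the MSIdentityTools project. It takes the PowerShell objects returned by Export-MsIdAppConsentGrantReport, removes the duplicate rows mentioned above, narrows the data to a watch list of sensitive permissions, summarizes one row per app with its application and delegated grants, and exports the result to CSV and HTML. It assumes the objects expose the ClientDisplayName, AppId, Permission and PermissionType properties shown in the output above; the watch list and the output paths are constructed for this example.

```powershell
# Added example (not from the original post or the MSIdentityTools project).
# Assumes the objects from Export-MsIdAppConsentGrantReport expose the
# ClientDisplayName, AppId, Permission and PermissionType properties seen in
# the article's output. Watch list and output paths are constructed.
Connect-MgGraph -Scopes Directory.Read.All -NoWelcome
[array]$AppData = Export-MsIdAppConsentGrantReport -ReportOutputType PowerShellObjects

# Permissions an administrator would normally want to review first (constructed list).
$WatchList = @('Mail.Send', 'Mail.ReadWrite', 'Mail.Read',
               'Directory.ReadWrite.All', 'Application.ReadWrite.All')

# The cmdlet can emit duplicate rows; collapse them before counting anything.
$Unique = $AppData | Sort-Object ClientDisplayName, AppId, Permission, PermissionType -Unique

# Exact (case-insensitive) membership test, so 'Mail.Send' does not also
# pull in 'Mail.Send.Shared' the way a -match on 'Mail.Send' would.
$Flagged = $Unique | Where-Object { $_.Permission -in $WatchList }

# One row per app: the watched permissions it holds and whether any is an
# application permission, which works without a signed-in user and so
# deserves attention before delegated grants.
$Summary = $Flagged | Group-Object AppId | ForEach-Object {
    $Rows = $_.Group
    [PSCustomObject]@{
        ClientDisplayName      = ($Rows | Select-Object -First 1).ClientDisplayName
        AppId                  = $_.Name
        WatchedPermissions     = ($Rows.Permission | Sort-Object -Unique) -join '; '
        HasAppPermission       = [bool]($Rows | Where-Object PermissionType -eq 'Application')
        HasDelegatedPermission = [bool]($Rows | Where-Object PermissionType -like 'Delegated*')
    }
} | Sort-Object @{Expression = 'HasAppPermission'; Descending = $true}, ClientDisplayName

$Summary | Format-Table -AutoSize

# Plain objects, so the same data goes to CSV or HTML without extra parsing.
$Summary | Export-Csv -Path C:\temp\WatchedPermissions.csv -NoTypeInformation
$Summary | ConvertTo-Html -Title 'Watched OAuth permissions' |
    Out-File -FilePath C:\temp\WatchedPermissions.html
```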

Not a Panacea, Just a Tool

The Export-MsIdAppConsentGrantReport cmdlet is a valuable contribution to the tenant administrator toolbox, but it’s not a silver bullet that will stop over-permissioned OAuth apps. It’s also not a replacement for administrators acquiring knowledge about how Entra ID apps acquire and use permissions (application and delegated) and how to extract that information from Entra ID using Graph API requests or Microsoft Graph PowerShell SDK cmdlets. Think of Export-MsIdAppConsentGrantReport as a useful tool, no more, no less. It’s great to have.
