How to find specific permissions assigned to applications in Entra

Some Microsoft Graph permissions expose more data than others, while some can lead to escalated privileges inside your tenant. Hundreds of different permissions can be assigned to applications in Microsoft Entra, in either the app-only or delegated context. With this in mind, you must keep a close eye on which permissions have been consented to for which applications, especially those important to your organisation.

In this article, you will learn how to use the Get-MgAllAppsByPermission script I have developed and published to the PSGallery to find which apps are assigned specific Microsoft Graph API permissions in Microsoft Entra. With this, you will be able to search by permission and see which applications in your tenant have been consented that permission.

Install the Get-MgAllAppsByPermission script

The script is published to the PowerShell Gallery and can be installed on any device using the Install-Script cmdlet or the Install-PSResource cmdlet. Use the below examples to install the Get-MgAllAppsByPermission script.

Install-PSResource "Get-MgAllAppsByPermission"

#or 

Install-Script "Get-MgAllAppsByPermission"

Verify that the script is installed by running Get-InstalledScript -Name Get-MgAllAppsByPermission.

Get-MgAllAppsByPermission installed

Run the Get-MgAllAppsByPermission cmdlet

To run the script, simply define the -Scope parameter with the Microsoft Graph API permission you want to search for. Ensure you type the permission name with the correct capitalisation, as it is case-sensitive.

Get-MgAllAppsByPermission -Scope "Directory.ReadWrite.All"

Once you run the command, like the one above, the script will check if you have the supporting PowerShell modules installed:

  • Microsoft.Graph.Authentication
  • Microsoft.Graph.Applications
  • Microsoft.Graph.Identity.SignIns

It will then connect to Microsoft Graph for you and ask you to consent to the following permissions:

  • Application.Read.All
  • DelegatedPermissionGrant.Read.All

Lastly, it will return an array of permissions, as per the below:

Get-MgAllAppsByPermission
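
One way to perform the same kind of lookup by hand with the Microsoft Graph PowerShell SDK, covering both the app-only and delegated context. This is an added example, not the source of Get-MgAllAppsByPermission; the function name Find-AppsByGraphPermission and the output property names are assumptions made for illustration.

```powershell
# Added example; Find-AppsByGraphPermission is a hypothetical name, not the published script.
function Find-AppsByGraphPermission {
    param([Parameter(Mandatory)][string]$Scope)

    # The same two read-only permissions the article lists for the script.
    Connect-MgGraph -Scopes 'Application.Read.All', 'DelegatedPermissionGrant.Read.All' | Out-Null

    # Service principal that represents Microsoft Graph in this tenant (well-known appId).
    $graph = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"

    # App-only context: resolve the permission name to its app role id,
    # then list every service principal that has been assigned that role.
    $role = $graph.AppRoles | Where-Object { $_.Value -ceq $Scope }
    if ($role) {
        Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $graph.Id -All |
            Where-Object { $_.AppRoleId -eq $role.Id } |
            ForEach-Object {
                [pscustomobject]@{
                    DisplayName = $_.PrincipalDisplayName
                    ObjectId    = $_.PrincipalId
                    Context     = 'Application'
                    ConsentType = $null          # app roles are always admin-granted
                    ConsentedBy = $null
                }
            }
    }

    # Delegated context: each grant stores its scopes as one space-separated string,
    # so split it and match the exact (case-sensitive) permission name.
    Get-MgOauth2PermissionGrant -All |
        Where-Object { $_.ResourceId -eq $graph.Id -and ($_.Scope -split ' ') -ccontains $Scope } |
        ForEach-Object {
            $client = Get-MgServicePrincipal -ServicePrincipalId $_.ClientId
            [pscustomobject]@{
                DisplayName = $client.DisplayName
                ObjectId    = $client.Id
                Context     = 'Delegated'
                ConsentType = $_.ConsentType     # AllPrincipals (tenant-wide) or Principal (one user)
                ConsentedBy = $_.PrincipalId     # user object id when ConsentType is Principal
            }
        }
}

Find-AppsByGraphPermission -Scope 'Directory.ReadWrite.All' |
    Sort-Object Context, DisplayName | Format-Table -AutoSize
```

Delegated grants with ConsentType AllPrincipals apply to every user in the tenant, so they deserve the same review as app-only assignments.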

To learn more about permissions with Microsoft Graph PowerShell, check out my article: How To Find Permissions For Microsoft Graph PowerShell.

Daniel Bradley

My name is Daniel Bradley and I work with Microsoft 365 and Azure as an Engineer and Consultant. I enjoy writing technical content for you and engaging with the community. All opinions are my own.
