Report all Application Owners in Microsoft Entra with PowerShell

  • Post category: Microsoft Graph
  • Post last modified: January 15, 2024

By default, users in your organisation can create new app registrations in Microsoft Entra (the "Users can register applications" setting is enabled). If the admin consent workflow is enabled as well, they can also request that an administrator consent to permissions for that application to meet a business need.

Once the permissions have been consented and the application is working as expected, it is easy to overlook that the requesting user, who is now an owner of the app registration, can add a client secret or certificate to it at any time. With that credential they can obtain app-only tokens through the client credentials flow and exercise every application permission that has been granted to the app, which may include privileged actions they were never authorised to perform with their own account.

In this post, I will show you how to use Microsoft Graph PowerShell to generate a report of application owners in your tenant. 

Requirements

This script requires the following Microsoft Graph PowerShell modules to be installed:

  • Microsoft.Graph.Authentication
  • Microsoft.Graph.Beta.Applications

For guidance, please see my post: How To Install the Microsoft Graph PowerShell Module.

You will also need a Global Administrator account (or another role that can grant tenant-wide admin consent) to consent the Application.Read.All permission to the built-in Microsoft Graph Command Line Tools application. Application.Read.All is sufficient for both the application listing and the owners lookup; no write permission is required.

Use the application owners report script

The script below first gets all app registrations in your tenant with the Get-MgBetaApplication cmdlet and the -All switch, so paging is handled for you.

It then sends JSON batch requests to the Microsoft Graph $batch endpoint, each containing 20 individual GET requests (the maximum Graph allows per batch), to quickly gather the owners of every application. Each request inside a batch carries its own HTTP status, so a throttled or failed lookup for one application does not fail the whole batch.

The responses are cached locally in variables and a loop then joins each application's display name with its owners to build a report.

Finally the report is exported to CSV. Ensure you change the path on the final line to export the report to your desired location.

This script can also be downloaded from my GitHub.

#Connect to Microsoft Graph
Connect-MgGraph -Scopes Application.Read.All

#Get all applications (wrapped in @() so a single result still behaves as an array)
$AllApps = @(Get-MgBetaApplication -All)

#Collect the individual batch responses here
$Report = [System.Collections.Generic.List[Object]]::new()

#Send batch requests to get application owners (JSON batching allows at most 20 requests per call)
for ($i = 0; $i -lt $AllApps.Count; $i += 20) {
    $batch = @{}
    $batch['requests'] = @($AllApps[$i..($i+19)] | Select-Object @{n='id';e={$_.Id}},
        @{n='method';e={'GET'}},
        @{n='url';e={"/applications/$($_.Id)/owners"}})
    $response = Invoke-MgGraphRequest -Method POST -Uri "https://graph.microsoft.com/v1.0/`$batch" `
        -Body ($batch | ConvertTo-Json -Depth 5) -OutputType PSObject
    foreach ($r in $response.responses) {
        #Each request in a batch has its own status; a failed one (e.g. 429 throttling) carries no 'value'
        if ($r.status -ne 200) { Write-Warning "Owners request for application $($r.id) returned HTTP $($r.status)" }
        $Report.Add($r)
    }
}

#Index applications by object id so the display name lookup below is a hashtable hit, not a scan
$AppById = @{}
foreach ($a in $AllApps) { $AppById[$a.Id] = $a }

#Create a new array list for the report rows
$owners = [System.Collections.Generic.List[Object]]::new()

#Loop through the locally cached responses and add one row per application
foreach ($app in $Report) {
    #Owners are directoryObjects: users have a userPrincipalName, other owner types (e.g. service principals) only a displayName
    $owner = @(foreach ($o in $app.body.value) {
        if ($o.userPrincipalName) { $o.userPrincipalName } else { $o.displayName }
    }) -join ", "
    $obj = [PSCustomObject][ordered]@{
        "Application" = $AppById[$app.id].DisplayName
        "Owners"      = $owner
    }
    $owners.Add($obj)
}

#Export to CSV - change the path to your desired location
$owners | Export-Csv -Path C:\temp\Appowners5.csv -NoTypeInformation
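Knowing who owns an app is only half of the review: the risk described at the top of the post only materialises when an owner-held app also has a usable credential and has been granted application permissions. The following is an added example, not code from the original post or its GitHub repository, that extends the report with those two facts. It uses the v1.0 module Microsoft.Graph.Applications (Get-MgApplication, Get-MgApplicationOwner, Get-MgServicePrincipal, Get-MgServicePrincipalAppRoleAssignment) rather than the beta module, queries owners per application instead of batching, and assumes the consented Application.Read.All scope is also sufficient for reading a service principal's appRoleAssignments (an assumption; if that call returns 403 in your tenant, an additional read scope such as Directory.Read.All is needed). The output path is a placeholder.

```powershell
# Added example (not from the original post): owners plus live credentials plus
# granted application permissions, so the rows that actually need review stand out.
# Assumes the Microsoft.Graph.Applications module and a consented Application.Read.All
# scope (assumed sufficient for the appRoleAssignments read as well).
Connect-MgGraph -Scopes Application.Read.All -NoWelcome

$now  = Get-Date
$rows = [System.Collections.Generic.List[object]]::new()

# Resolve every service principal once, keyed by appId, so the per-app loop does not
# need a filtered Graph call per application. This enumerates first-party SPs too and
# can take a while in a large tenant.
$spByAppId = @{}
Get-MgServicePrincipal -All -Property Id,AppId | ForEach-Object { $spByAppId[$_.AppId] = $_.Id }

foreach ($app in Get-MgApplication -All) {

    # Owners come back as directoryObjects; users carry a userPrincipalName in
    # AdditionalProperties, other owner types (e.g. service principals) only a displayName.
    $ownerLabels = @(foreach ($o in Get-MgApplicationOwner -ApplicationId $app.Id -All) {
        $p = $o.AdditionalProperties
        if ($p['userPrincipalName']) { $p['userPrincipalName'] }
        elseif ($p['displayName'])   { "$($p['displayName']) [$($p['@odata.type'] -replace '#microsoft.graph.','')]" }
        else                          { $o.Id }
    })

    # Only credentials that have not yet expired can still be exchanged for a token.
    $liveSecrets = @($app.PasswordCredentials | Where-Object { $_.EndDateTime -gt $now })
    $liveCerts   = @($app.KeyCredentials      | Where-Object { $_.EndDateTime -gt $now })

    # Application permissions (app roles) granted to the app's service principal.
    # ResourceDisplayName names the API (e.g. Microsoft Graph); the specific permission is the
    # AppRoleId, which maps to an entry in that resource service principal's appRoles.
    $grantResources = @()
    if ($spByAppId.ContainsKey($app.AppId)) {
        $grantResources = @(Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $spByAppId[$app.AppId] -All |
                            ForEach-Object ResourceDisplayName | Sort-Object -Unique)
    }

    $liveCredentialCount = $liveSecrets.Count + $liveCerts.Count

    $rows.Add([PSCustomObject][ordered]@{
        Application      = $app.DisplayName
        AppId            = $app.AppId
        Owners           = $ownerLabels -join ', '
        LiveSecrets      = $liveSecrets.Count
        LiveCertificates = $liveCerts.Count
        GrantResources   = $grantResources -join ', '
        # An owner, a live credential and at least one granted app role together are
        # exactly the combination the post warns about.
        ReviewFlag       = ($ownerLabels.Count -gt 0 -and $liveCredentialCount -gt 0 -and $grantResources.Count -gt 0)
    })
}

# Flagged rows first; change the path to your desired location.
$rows | Sort-Object ReviewFlag -Descending |
    Export-Csv -Path C:\temp\AppOwnersWithCredentials.csv -NoTypeInformation
```

Rows with ReviewFlag set to True are the ones where an owner could today mint a token carrying application permissions. An owned app with no live credential is a latent risk (the owner can add one), and an owned app whose service principal has no app role grants is a lower priority, so the three columns together give a sensible triage order.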

Summary

While disabling the "Users can register applications" setting in Microsoft Entra is recommended, it does nothing about applications that standard users have already created. This script lets you review the owners of existing app registrations so you can decide whether action is needed, for example removing owners who no longer require that role. Bear in mind that removing an owner does not invalidate any client secrets or certificates they may already have added, so rotate the application's credentials as part of that clean-up.
