| 1 | +$userinput = Read-Host -Prompt "Type 1 if you want to execute the script for one or few apps via CSV OR Type 2 if you want to execute the script for the whole tenant" |
| 2 | +if($userinput -eq '1') |
| 3 | +{ |
| 4 | +$fpth=Read-Host -Prompt "Enter file path" |
| 5 | +Write-Host "the filepath you entered is $fpth" |
| 6 | +Disconnect-MgGraph |
| 7 | +Select-MgProfile -Name "beta" |
| 8 | +Connect-Graph -Scopes "Application.ReadWrite.All,DelegatedPermissionGrant.ReadWrite.All" |
| 9 | +$aa = Import-Csv -Path $fpth |
| 10 | +$bb = $aa.Id |
| 11 | +$output = @() |
| 12 | +foreach($spobjidd in $bb){ |
| 13 | +$cc= Get-MgServicePrincipalOauth2PermissionGrant -ServicePrincipalId $spobjidd |
| 14 | +$dd = $cc.Id |
| 15 | +$ee = $cc.Scope |
| 16 | +if($dd.count-eq 1 -and $ee -eq 'User.Read'){ |
| 17 | +$output += New-Object psobject -Property @{ |
| 18 | +Id= $cc.ClientId |
| 19 | +AppId = (Get-MgServicePrincipal -ServicePrincipalId $cc.ClientId ).AppId |
| 20 | +} |
| 21 | +} |
| 22 | +}$output|Export-Csv -NoTypeInformation -Path C:\mango.csv |
| 23 | +Start-Sleep -Seconds 10 |
| 24 | +$xx= Import-Csv -Path C:\mango.csv |
| 25 | +$b= $xx.Id |
| 26 | +$d=$xx.AppId |
| 27 | +$graphResourceId = "00000003-0000-0000-c000-000000000000" |
| 28 | +$newResourceAccess = @{ |
| 29 | + ResourceAppId = $graphResourceId; |
| 30 | + ResourceAccess = @( |
| 31 | + |
| 32 | + ## Replace the following with values of ID and type for all permissions you want to configure for the app |
| 33 | + @{ |
| 34 | + # User.Read scope (delegated permission) to sign-in and read user profile |
| 35 | + id = "e1fe6dd8-ba31-4d61-89e7-88639da4683d"; |
| 36 | + type = "Scope"; |
| 37 | + } |
| 38 | + ) |
| 39 | +} |
| 40 | + |
| 41 | +foreach($spobjid in $b){ |
| 42 | +$x = Get-MgServicePrincipalOauth2PermissionGrant -ServicePrincipalId $spobjid |
| 43 | +$c= $x.Id |
| 44 | +Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId $c |
| 45 | +} |
| 46 | + |
| 47 | +foreach($appid in $d){ |
| 48 | +$m=Get-MgApplication -Filter "AppId eq '$appid' " |
| 49 | +$n= $m.Id |
| 50 | +Update-MgApplication -ApplicationId $n -RequiredResourceAccess $newResourceAccess |
| 51 | +} |
| 52 | + |
| 53 | +##use the objectid of SP of the app in ClientID and under Resource ID, give the ObjectID of Microsoft Graph(this can be found under Enterprise Apps of the Azure AD tenant) |
| 54 | +foreach($spoid in $b){ |
| 55 | +New-MgOauth2PermissionGrant -ClientId $spoid -ConsentType AllPrincipals -ResourceId 41c5375f-db2f-49ea-92fb-e5c29d4b064d -Scope User.Read |
| 56 | +} |
| 57 | +} |
| 58 | +elseif($userinput -eq '2') |
| 59 | +{ |
| 60 | +Disconnect-MgGraph |
| 61 | +Select-MgProfile -Name "v1.0" |
| 62 | +Connect-Graph -Scopes "Application.ReadWrite.All,DelegatedPermissionGrant.ReadWrite.All" |
| 63 | +$aa = Get-MgServicePrincipal -All | where-object {$_.Tags -Contains "WindowsAzureActiveDirectoryOnPremApp"} |
| 64 | +$bb = $aa.Id |
| 65 | +$output = @() |
| 66 | +foreach($spobjidd in $bb){ |
| 67 | +$cc= Get-MgServicePrincipalOauth2PermissionGrant -ServicePrincipalId $spobjidd |
| 68 | +$dd = $cc.Id |
| 69 | +$ee = $cc.Scope |
| 70 | +if($dd.count-eq 1 -and $ee -eq 'User.Read'){ |
| 71 | +$output += New-Object psobject -Property @{ |
| 72 | +Id= $cc.ClientId |
| 73 | +AppId = (Get-MgServicePrincipal -ServicePrincipalId $cc.ClientId ).AppId |
| 74 | +} |
| 75 | +} |
| 76 | +}$output|Export-Csv -NoTypeInformation -Path C:\mango.csv |
| 77 | +Start-Sleep -Seconds 10 |
| 78 | +$xx= Import-Csv -Path C:\mango.csv |
| 79 | +$b= $xx.Id |
| 80 | +$d=$xx.AppId |
| 81 | +$graphResourceId = "00000003-0000-0000-c000-000000000000" |
| 82 | +$newResourceAccess = @{ |
| 83 | + ResourceAppId = $graphResourceId; |
| 84 | + ResourceAccess = @( |
| 85 | + |
| 86 | + ## Replace the following with values of ID and type for all permissions you want to configure for the app |
| 87 | + @{ |
| 88 | + # User.Read scope (delegated permission) to sign-in and read user profile |
| 89 | + id = "e1fe6dd8-ba31-4d61-89e7-88639da4683d"; |
| 90 | + type = "Scope"; |
| 91 | + } |
| 92 | + ) |
| 93 | +} |
| 94 | +foreach($spobjid in $b){ |
| 95 | +$x = Get-MgServicePrincipalOauth2PermissionGrant -ServicePrincipalId $spobjid |
| 96 | +$c= $x.Id |
| 97 | +Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId $c |
| 98 | +} |
| 99 | + |
| 100 | +foreach($appid in $d){ |
| 101 | +$m=Get-MgApplication -Filter "AppId eq '$appid' " |
| 102 | +$n= $m.Id |
| 103 | +Update-MgApplication -ApplicationId $n -RequiredResourceAccess $newResourceAccess |
| 104 | +} |
| 105 | + |
| 106 | +##use the objectid of SP of the app in ClientID and under Resource ID, give the ObjectID of Microsoft Graph(this can be found under Enterprise Apps of the Azure AD tenant) |
| 107 | +foreach($spoid in $b){ |
| 108 | +New-MgOauth2PermissionGrant -ClientId $spoid -ConsentType AllPrincipals -ResourceId 41c5375f-db2f-49ea-92fb-e5c29d4b064d -Scope User.Read |
| 109 | +} |
| 110 | +} |
| 111 | +else{ "Sorry,you entered a wrong choice"} |
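Review bot: The `-ResourceId 41c5375f-db2f-49ea-92fb-e5c29d4b064d` passed to New-MgOauth2PermissionGrant on gutter lines 55 and 108 is the object id of the Microsoft Graph service principal in one particular tenant — the comment above it says as much — so in any other tenant the re-created grants are likely to point at a wrong or non-existent resource, and by then the original grants have already been removed. Resolve it from the well-known AppId the script already holds, e.g. `$graphSp = Get-MgServicePrincipal -Filter "appId eq '$graphResourceId'" -ErrorAction Stop` before the loops and `-ResourceId $graphSp.Id` in the call. The Remove-MgOauth2PermissionGrant loop (gutter lines 41–45 and 94–98) runs before the re-grant with no `-ErrorAction Stop` or try/catch, so one failed Update-MgApplication or New-MgOauth2PermissionGrant leaves every affected app (the whole tenant in branch 2) without consent; resolving the Graph SP and checking `$output` is non-empty before anything is deleted, and logging each removed grant id, would make the run recoverable. The round trip through the fixed path `C:\mango.csv` plus `Start-Sleep -Seconds 10` is unnecessary and uses a predictable world-readable location for tenant data — `$b = $output.Id; $d = $output.AppId` yields the same values, or `[System.IO.Path]::GetTempFileName()` if a file is wanted as an audit record. Both branches repeat the same ~50 lines, differing only in how `$bb` is obtained and in `Select-MgProfile` (`beta` versus `v1.0`); lifting the shared body into a function that takes the service-principal ids would remove the duplication and the profile inconsistency.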