Thursday, May 20, 2021

Azure Active Directory Commands

You can read registrations in AAD from PowerShell even when you do not have enough permissions to see them in the Azure Portal. You can, for example, request the names of the groups you are in, or even the members of a group or an application.

The first thing you need to do in PowerShell is to make sure you have the Azure AD module installed. Then you need to log into your Azure AD:

# Connect to Azure AD
Connect-AzureAD
# In case Connect-AzureAD is not recognized as a cmdlet, install it:
# Install-Module AzureAD -Force
# The Get-AzRoleAssignment samples below come from the Az module (Az.Resources), which has its own sign-in:
# Connect-AzAccount
# (install with: Install-Module Az -Force)

Now you can query the AAD. The following are some samples:

# Which applications have I been assigned an app role in?
Get-AzureADUser -SearchString "Pouya Panahy" | Get-AzureADUserAppRoleAssignment -All $true

# Get the list of groups that I am part of
Get-AzureADUser -SearchString "Pouya Panahy" `
| Get-AzureADUserMembership -All $true `
| Sort-Object -Property DisplayName

# Which roles am I assigned directly? (without -ExpandPrincipalGroups, roles inherited through groups are not shown)
Get-AzRoleAssignment -SignInName 'p.panahy@company.nl'

# Show all rights I've got, including those inherited through group membership
Get-AzRoleAssignment -SignInName 'p.panahy@company.nl' -ExpandPrincipalGroups `
| Sort-Object -Property DisplayName `
| Select-Object ObjectType, RoleDefinitionName, DisplayName, Scope `
| Format-Table

# Is my application registered? (lists the objects I created, app registrations included)
Get-AzureADUser -SearchString "Pouya Panahy" `
| Get-AzureADUserCreatedObject -All $true `
| Sort-Object -Property ObjectType `
| Select-Object ObjectType, AppId, DisplayName, HomePage, IdentifierUris `
| Format-Table

# Looking for an application that someone else has registered
Get-AzureADServicePrincipal -All $true -Filter "startswith(DisplayName, 'AppName')"

# Who has access to my resources in a given resource group? (assignments inherited from the subscription are included)
Get-AzRoleAssignment -Scope "/subscriptions/xxxxxxxx-xxxx-xxxx-dxxx-xxxxxxxxxxxx/resourceGroups/res-grp-name" `
| Sort-Object -Property RoleDefinitionName, DisplayName `
| Select-Object ObjectType, RoleDefinitionName, DisplayName, Scope `
| Format-Table

# List the members of a group (-All $true avoids the default page size cutting the list short)
Get-AzureADGroup -All $true -SearchString 'Group Name' | Get-AzureADGroupMember -All $true
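The two questions above ("who has access to my resource group?" and "who is in that group?") are usually asked together when reviewing access. The script below is an added example, not part of the original post: it combines the same Az and AzureAD cmdlets to flag privileged and inherited assignments on a resource group and then expands any group that holds a privileged role. It assumes both Connect-AzAccount and Connect-AzureAD have been run; the subscription id and resource group name are placeholders.

```powershell
# Added example (not from the original post). Assumes Connect-AzAccount and
# Connect-AzureAD have both been run; <subscription-id> and <res-grp-name> are placeholders.
$scope = '/subscriptions/<subscription-id>/resourceGroups/<res-grp-name>'
$privilegedRoles = @('Owner', 'Contributor', 'User Access Administrator')

# Get-AzRoleAssignment -Scope also returns assignments inherited from the subscription,
# so compare each assignment's own Scope with the one we asked for.
$report = Get-AzRoleAssignment -Scope $scope |
    ForEach-Object {
        [pscustomobject]@{
            Principal  = $_.DisplayName
            ObjectType = $_.ObjectType
            Role       = $_.RoleDefinitionName
            Scope      = $_.Scope
            Inherited  = ($_.Scope -ne $scope)
            Privileged = ($privilegedRoles -contains $_.RoleDefinitionName)
        }
    }

# Privileged assignments first; inherited ones are the ones most often forgotten in a review.
$report |
    Sort-Object -Property @{ Expression = 'Privileged'; Descending = $true }, Role, Principal |
    Format-Table Principal, ObjectType, Role, Inherited, Privileged -AutoSize

# A group with Owner or Contributor is only as tight as its membership: list the people behind it.
$report |
    Where-Object { $_.Privileged -and $_.ObjectType -eq 'Group' } |
    ForEach-Object {
        $groupName = $_.Principal
        $role      = $_.Role
        Get-AzureADGroup -All $true -SearchString $groupName |
            Get-AzureADGroupMember -All $true |
            Select-Object @{ n = 'Group'; e = { $groupName } },
                          @{ n = 'Role';  e = { $role } },
                          ObjectType, DisplayName, UserPrincipalName
    } |
    Format-Table -AutoSize
```

Nested groups are not expanded here; a member of ObjectType "Group" in the second table is itself worth querying with Get-AzureADGroupMember.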