Avoid repeated API calls for delegated permission name lookup

Author: zh54321

modules/check_AgentIdentities.psm1

@@ -33,7 +33,6 @@ function Invoke-AgentIdentities {
     #Define basic variables
     $ProgressCounter = 0
     $Inactive = $false
-    $ApiAppDisplayNameCache = @{}
     $SponsorResolutionCache = @{}
     $AppLastSignIns = $ServicePrincipalSignInActivityLookup
     $AllServicePrincipal = [System.Collections.ArrayList]::new()
@@ -612,44 +611,7 @@ function Invoke-AgentIdentities {
             }
         }
 
-        $DelegatedPermissionDetails = foreach ($permission in $DelegatedPermission) {
-
-            # Check if DisplayName for the ResourceId is already cached
-            if (-not $ApiAppDisplayNameCache.ContainsKey($permission.ResourceId)) {
-
-                # Retrieve and cache the DisplayName if not cached
-                $QueryParameters = @{
-                    '$select' = "DisplayName"
-                }
-                #Set odata.metadata=none to avoid having metadata in the response
-                $headers = @{
-                    'Accept' = 'application/json;odata.metadata=none'
-                }
-                $ApiAppDisplayNameCache[$permission.ResourceId] = Send-GraphRequest -AccessToken $GLOBALMsGraphAccessToken.access_token -Method GET -Uri "/servicePrincipals/$($permission.ResourceId)" -QueryParameters $QueryParameters -AdditionalHeaders $headers -BetaAPI -UserAgent $($GlobalAuditSummary.UserAgent.Name)
-            }
-
-            # Split the Scope field by spaces to get individual permissions. Ignores whitespece at the start of the string
-            $scopes = $permission.Scope.Trim() -split " "
-
-            if ($permission.ConsentType -eq "Principal") {
-                $principal = $permission.PrincipalId
-            } else {
-                $principal = "-"
-            }
-            # Create a custom object for each scope with ResourceId, ConsentType, Scope, and DisplayName
-            foreach ($scope in $scopes) {
-                $resourceAppId = Get-AppRoleReferenceResourceAppId -AppRoleReferenceCache $AppRoleReferenceCache -ResourceId $permission.ResourceId
-                [pscustomobject]@{
-                    ResourceId                  = $permission.ResourceId
-                    ResourceAppId               = $resourceAppId
-                    ConsentType                 = $permission.ConsentType
-                    Scope                       = $scope
-                    APIName                     = $ApiAppDisplayNameCache[$permission.ResourceId].displayname  # Get the cached DisplayName
-                    Principal                   = $principal
-                    ApiPermissionCategorization = Get-APIPermissionCategory -InputPermission $scope -PermissionType "delegated"
-                }
-            }
-        }
+        $DelegatedPermissionDetails = Resolve-DelegatedPermissionGrantDetails -AppRoleReferenceCache $AppRoleReferenceCache -DelegatedPermissions @($DelegatedPermission)
 
 
         #Store unique permission to show in table

modules/check_AgentIdentityBlueprintsPrincipals.psm1

@@ -34,7 +34,6 @@ function Invoke-AgentIdentityBlueprintsPrincipals {
     #Define basic variables
     $ProgressCounter = 0
     $Inactive = $false
-    $ApiAppDisplayNameCache = @{}
     $AppLastSignIns = $ServicePrincipalSignInActivityLookup
     $AllServicePrincipal = [System.Collections.ArrayList]::new()
     if ($null -eq $global:GLOBALUserAppRoles) { $global:GLOBALUserAppRoles = @{} }
@@ -464,44 +463,7 @@ function Invoke-AgentIdentityBlueprintsPrincipals {
             }
         }
 
-        $DelegatedPermissionDetails = foreach ($permission in $DelegatedPermission) {
-
-            # Check if DisplayName for the ResourceId is already cached
-            if (-not $ApiAppDisplayNameCache.ContainsKey($permission.ResourceId)) {
-
-                # Retrieve and cache the DisplayName if not cached
-                $QueryParameters = @{
-                    '$select' = "DisplayName"
-                }
-                #Set odata.metadata=none to avoid having metadata in the response
-                $headers = @{
-                    'Accept' = 'application/json;odata.metadata=none'
-                }
-                $ApiAppDisplayNameCache[$permission.ResourceId] = Send-GraphRequest -AccessToken $GLOBALMsGraphAccessToken.access_token -Method GET -Uri "/servicePrincipals/$($permission.ResourceId)" -QueryParameters $QueryParameters -AdditionalHeaders $headers -BetaAPI -UserAgent $($GlobalAuditSummary.UserAgent.Name)
-            }
-
-            # Split the Scope field by spaces to get individual permissions. Ignores whitespece at the start of the string
-            $scopes = $permission.Scope.Trim() -split " "
-
-            if ($permission.ConsentType -eq "Principal") {
-                $principal = $permission.PrincipalId
-            } else {
-                $principal = "-"
-            }
-            # Create a custom object for each scope with ResourceId, ConsentType, Scope, and DisplayName
-            foreach ($scope in $scopes) {
-                $resourceAppId = Get-AppRoleReferenceResourceAppId -AppRoleReferenceCache $AppRoleReferenceCache -ResourceId $permission.ResourceId
-                [pscustomobject]@{
-                    ResourceId                  = $permission.ResourceId
-                    ResourceAppId               = $resourceAppId
-                    ConsentType                 = $permission.ConsentType
-                    Scope                       = $scope
-                    APIName                     = $ApiAppDisplayNameCache[$permission.ResourceId].displayname  # Get the cached DisplayName
-                    Principal                   = $principal
-                    ApiPermissionCategorization = Get-APIPermissionCategory -InputPermission $scope -PermissionType "delegated"
-                }
-            }
-        }
+        $DelegatedPermissionDetails = Resolve-DelegatedPermissionGrantDetails -AppRoleReferenceCache $AppRoleReferenceCache -DelegatedPermissions @($DelegatedPermission)
 
 
         #Store unique permission to show in table

modules/check_EnterpriseApps.psm1

@@ -38,7 +38,6 @@ function Invoke-CheckEnterpriseApps {
     $ProgressCounter = 0
     $Inactive = $false
     $EnterpriseAppsScriptWarningList = @()
-    $ApiAppDisplayNameCache = @{}
     $AppRegistrations = @{}
     $AppLastSignIns = $ServicePrincipalSignInActivityLookup
     $AllServicePrincipal = [System.Collections.ArrayList]::new()
@@ -560,42 +559,7 @@ function Invoke-CheckEnterpriseApps {
             }
         }
 
-        $DelegatedPermissionDetails = foreach ($permission in $DelegatedPermission) {
-
-            # Check if DisplayName for the ResourceId is already cached
-            if (-not $ApiAppDisplayNameCache.ContainsKey($permission.ResourceId)) {
-
-                # Retrieve and cache the DisplayName if not cached
-                $QueryParameters = @{
-                    '$select' = "DisplayName"
-                }
-                #Set odata.metadata=none to avoid having metadata in the response
-                $headers = @{ 
-                    'Accept' = 'application/json;odata.metadata=none' 
-                }
-                $ApiAppDisplayNameCache[$permission.ResourceId] = Send-GraphRequest -AccessToken $GLOBALMsGraphAccessToken.access_token -Method GET -Uri "/servicePrincipals/$($permission.ResourceId)" -QueryParameters $QueryParameters -AdditionalHeaders $headers -BetaAPI -UserAgent $($GlobalAuditSummary.UserAgent.Name)
-            }
-
-            # Split the Scope field by spaces to get individual permissions. Ignores whitespece at the start of the string
-            $scopes = $permission.Scope.Trim() -split " "
-            
-            if ($permission.ConsentType -eq "Principal") {
-                $principal = $permission.PrincipalId
-            } else {
-                $principal = "-"
-            }
-            # Create a custom object for each scope with ResourceId, ConsentType, Scope, and DisplayName
-            foreach ($scope in $scopes) {
-                [pscustomobject]@{
-                    ResourceId  = $permission.ResourceId
-                    ConsentType = $permission.ConsentType
-                    Scope       = $scope
-                    APIName = $ApiAppDisplayNameCache[$permission.ResourceId].displayname  # Get the cached DisplayName
-                    Principal = $principal
-                    ApiPermissionCategorization = Get-APIPermissionCategory -InputPermission $scope -PermissionType "delegated"
-                }
-            }
-        }
+        $DelegatedPermissionDetails = Resolve-DelegatedPermissionGrantDetails -AppRoleReferenceCache $AppRoleReferenceCache -DelegatedPermissions @($DelegatedPermission)
 
 
         #Store unique permission to show in table

modules/shared_Functions.psm1

@@ -6628,6 +6628,48 @@ function Get-AppRoleReferenceApiName {
     return "-"
 }
 
+# Build normalized delegated permission rows using the shared app-role reference cache.
+function Resolve-DelegatedPermissionGrantDetails {
+    [CmdletBinding()]
+    Param (
+        [Parameter(Mandatory = $true)][hashtable]$AppRoleReferenceCache,
+        [Parameter(Mandatory = $false)][object[]]$DelegatedPermissions = @()
+    )
+
+    $rows = [System.Collections.ArrayList]::new()
+    foreach ($permission in @($DelegatedPermissions)) {
+        if ($null -eq $permission) { continue }
+
+        $resourceId = if ($permission.PSObject.Properties['ResourceId']) { [string]$permission.ResourceId } else { '' }
+        $resourceAppId = Get-AppRoleReferenceResourceAppId -AppRoleReferenceCache $AppRoleReferenceCache -ResourceId $resourceId
+        $apiName = Get-AppRoleReferenceApiName -AppRoleReferenceCache $AppRoleReferenceCache -ResourceId $resourceId -ResourceAppId $resourceAppId
+        $scopeText = if ($permission.PSObject.Properties['Scope']) { [string]$permission.Scope } else { '' }
+        $scopes = @($scopeText.Trim() -split '\s+' | Where-Object { -not [string]::IsNullOrWhiteSpace($_) })
+        if ($scopes.Count -eq 0) { continue }
+
+        $consentType = if ($permission.PSObject.Properties['ConsentType']) { [string]$permission.ConsentType } else { '' }
+        $principal = if ($consentType -eq "Principal" -and $permission.PSObject.Properties['PrincipalId']) {
+            [string]$permission.PrincipalId
+        } else {
+            "-"
+        }
+
+        foreach ($scope in $scopes) {
+            [void]$rows.Add([pscustomobject]@{
+                ResourceId                  = $resourceId
+                ResourceAppId               = $resourceAppId
+                ConsentType                 = $consentType
+                Scope                       = $scope
+                APIName                     = $apiName
+                Principal                   = $principal
+                ApiPermissionCategorization = Get-APIPermissionCategory -InputPermission $scope -PermissionType "delegated"
+            })
+        }
+    }
+
+    return @($rows)
+}
+
 # Build the normalized permission object used by report modules from a cached app-role lookup.
 function Resolve-AppRoleAssignmentRecord {
     [CmdletBinding()]
@@ -7645,4 +7687,4 @@ function Show-EntraFalconBanner {
     Write-Host ""
 }
 
-Export-ModuleMember -Function Show-EntraFalconBanner,AuthenticationMSGraph,Get-TenantReportAvailability,Get-TenantDomains,Initialize-TenantReportTabs,Set-GlobalReportManifest,Get-EffectiveEntraLicense,Get-Devices,Get-UsersBasic,Get-AgentObjectBasics,Get-ServicePrincipalSignInActivityLookup,Resolve-DirectoryObjectReference,start-CleanUp,Format-ReportSection,Get-OrgInfo,Get-LogLevel, Write-Log,Invoke-MsGraphRefreshPIM,Write-LogVerbose,Invoke-AzureRoleProcessing,Get-RegisterAuthMethodsUsers,Invoke-EntraRoleProcessing,Get-EntraPIMRoleAssignments,AuthCheckMSGraph,RefreshAuthenticationMsGraph,EnsureAuthSecurityFindingsMsGraph,RefreshAuthenticationSecurityFindingsMsGraph,Get-PimforGroupsAssignments,Invoke-CheckTokenExpiration,Invoke-MsGraphAuthPIM,EnsureAuthMsGraph,Get-AzureRoleDetails,Get-AdministrativeUnitsWithMembers,Get-ConditionalAccessPolicies,Get-EntraRoleAssignments,Get-APIPermissionCategory,New-AppRoleReferenceCache,Resolve-AppRoleReference,Get-AppRoleReferenceApiName,Get-AppRoleReferenceResourceAppId,Resolve-AppRoleAssignmentRecord,Get-ApiPermissionImpactSummary,Get-ObjectInfo,EnsureAuthAzurePsNative,checkSubscriptionNative,Get-AllAzureIAMAssignmentsNative,Get-PIMForGroupsAssignmentsDetails,Show-EnumerationSummary,start-InitTasks,Get-HighestTierLabel,Merge-HigherTierLabel,Get-GroupDetails,Get-GroupActiveRoleMetrics,Get-EntraFalconHostOs,Test-NonWindowsAuthFlowCompatibility
+Export-ModuleMember -Function Show-EntraFalconBanner,AuthenticationMSGraph,Get-TenantReportAvailability,Get-TenantDomains,Initialize-TenantReportTabs,Set-GlobalReportManifest,Get-EffectiveEntraLicense,Get-Devices,Get-UsersBasic,Get-AgentObjectBasics,Get-ServicePrincipalSignInActivityLookup,Resolve-DirectoryObjectReference,start-CleanUp,Format-ReportSection,Get-OrgInfo,Get-LogLevel, Write-Log,Invoke-MsGraphRefreshPIM,Write-LogVerbose,Invoke-AzureRoleProcessing,Get-RegisterAuthMethodsUsers,Invoke-EntraRoleProcessing,Get-EntraPIMRoleAssignments,AuthCheckMSGraph,RefreshAuthenticationMsGraph,EnsureAuthSecurityFindingsMsGraph,RefreshAuthenticationSecurityFindingsMsGraph,Get-PimforGroupsAssignments,Invoke-CheckTokenExpiration,Invoke-MsGraphAuthPIM,EnsureAuthMsGraph,Get-AzureRoleDetails,Get-AdministrativeUnitsWithMembers,Get-ConditionalAccessPolicies,Get-EntraRoleAssignments,Get-APIPermissionCategory,New-AppRoleReferenceCache,Resolve-AppRoleReference,Get-AppRoleReferenceApiName,Get-AppRoleReferenceResourceAppId,Resolve-DelegatedPermissionGrantDetails,Resolve-AppRoleAssignmentRecord,Get-ApiPermissionImpactSummary,Get-ObjectInfo,EnsureAuthAzurePsNative,checkSubscriptionNative,Get-AllAzureIAMAssignmentsNative,Get-PIMForGroupsAssignmentsDetails,Show-EnumerationSummary,start-InitTasks,Get-HighestTierLabel,Merge-HigherTierLabel,Get-GroupDetails,Get-GroupActiveRoleMetrics,Get-EntraFalconHostOs,Test-NonWindowsAuthFlowCompatibility