| 1 | +function Get-CIPPOAuthAppsReport { |
| 2 | + <# |
| 3 | + .SYNOPSIS |
| 4 | + Generates an OAuth consented applications report from the CIPP Reporting database |
| 5 | +
|
| 6 | + .DESCRIPTION |
| 7 | + Retrieves OAuth2 permission grants and enriches them with service principal data from the reporting database |
| 8 | +
|
| 9 | + .PARAMETER TenantFilter |
| 10 | + The tenant to generate the report for |
| 11 | + #> |
| 12 | + [CmdletBinding()] |
| 13 | + param( |
| 14 | + [Parameter(Mandatory = $true)] |
| 15 | + [string]$TenantFilter |
| 16 | + ) |
| 17 | + |
| 18 | + try { |
| 19 | + if ($TenantFilter -eq 'AllTenants') { |
| 20 | + $AllOAuthItems = Get-CIPPDbItem -TenantFilter 'allTenants' -Type 'OAuth2PermissionGrants' |
| 21 | + $Tenants = @($AllOAuthItems | Where-Object { $_.RowKey -ne 'OAuth2PermissionGrants-Count' } | Select-Object -ExpandProperty PartitionKey -Unique) |
| 22 | + |
| 23 | + $TenantList = Get-Tenants -IncludeErrors |
| 24 | + $Tenants = $Tenants | Where-Object { $TenantList.defaultDomainName -contains $_ } |
| 25 | + |
| 26 | + $AllResults = [System.Collections.Generic.List[PSCustomObject]]::new() |
| 27 | + foreach ($Tenant in $Tenants) { |
| 28 | + try { |
| 29 | + $TenantResults = Get-CIPPOAuthAppsReport -TenantFilter $Tenant |
| 30 | + foreach ($Result in $TenantResults) { |
| 31 | + $Result | Add-Member -NotePropertyName 'Tenant' -NotePropertyValue $Tenant -Force |
| 32 | + $AllResults.Add($Result) |
| 33 | + } |
| 34 | + } catch { |
| 35 | + Write-LogMessage -API 'OAuthAppsReport' -tenant $Tenant -message "Failed to get report for tenant: $($_.Exception.Message)" -sev Warning |
| 36 | + } |
| 37 | + } |
| 38 | + return $AllResults |
| 39 | + } |
| 40 | + |
| 41 | + $OAuthGrants = @(New-CIPPDbRequest -TenantFilter $TenantFilter -Type 'OAuth2PermissionGrants') |
| 42 | + if (-not $OAuthGrants) { |
| 43 | + throw 'No OAuth2 permission grant data found in reporting database. Sync the report data first.' |
| 44 | + } |
| 45 | + |
| 46 | + $ServicePrincipals = @(New-CIPPDbRequest -TenantFilter $TenantFilter -Type 'ServicePrincipals') |
| 47 | + $SPLookup = @{} |
| 48 | + foreach ($SP in $ServicePrincipals) { |
| 49 | + if ($SP.id) { |
| 50 | + $SPLookup[$SP.id] = $SP |
| 51 | + } |
| 52 | + } |
| 53 | + |
| 54 | + $CacheTimestamp = (Get-CIPPDbItem -TenantFilter $TenantFilter -Type 'OAuth2PermissionGrants' | Where-Object { $_.Timestamp } | Sort-Object Timestamp -Descending | Select-Object -First 1).Timestamp |
| 55 | + |
| 56 | + $Results = [System.Collections.Generic.List[PSCustomObject]]::new() |
| 57 | + foreach ($Grant in $OAuthGrants) { |
| 58 | + $SP = $SPLookup[$Grant.clientId] |
| 59 | + $Results.Add([PSCustomObject]@{ |
| 60 | + Name = if ($SP) { $SP.displayName } else { $Grant.clientId } |
| 61 | + ApplicationID = if ($SP) { $SP.appId } else { '' } |
| 62 | + ObjectID = $Grant.clientId |
| 63 | + Scope = ($Grant.scope -join ',') |
| 64 | + StartTime = $Grant.startTime |
| 65 | + CacheTimestamp = $CacheTimestamp |
| 66 | + }) |
| 67 | + } |
| 68 | + |
| 69 | + return $Results | Sort-Object -Property Name |
| 70 | + |
| 71 | + } catch { |
| 72 | + Write-LogMessage -API 'OAuthAppsReport' -tenant $TenantFilter -message "Failed to generate OAuth apps report: $($_.Exception.Message)" -sev Error |
| 73 | + throw |
| 74 | + } |
| 75 | +} |
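Review bot: The per-grant object built at lines 59–66 drops the fields that tell a reviewer whether a consent is tenant-wide or belongs to one user, and which API it targets, so the report cannot separate admin-consented grants from individual user consents. Assuming the reporting database stores the Graph oAuth2PermissionGrant objects unchanged (the `clientId`/`scope`/`startTime` names suggest it does), adding `ConsentType = $Grant.consentType`, `PrincipalID = $Grant.principalId` and `ResourceID = $Grant.resourceId` to the hashtable would carry that context through, and `$SPLookup[$Grant.resourceId]` could name the resource the same way the client is resolved at line 58. The `Name` fallback to `$Grant.clientId` at line 60 also makes an unresolved service principal look like a normal display name; a comment such as `# Name falls back to the raw clientId when no service principal matches` or a separate flag would make that visible to whoever reads the output.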