azure - Get ownerid from an Azure AD application

Tags: azure azure-active-directory

Frankly, I'm not a PowerShell expert.

Currently I am working on fetching the expired or about-to-expire credential details of Azure AD applications. I found a script for that, but the owner ID is missing from it. I am aware that the line below will print the owner ID, but that owner ID should also be present in the JSON object $appWithCredentials.

$owner = Get-AzureADApplicationOwner -ObjectId $_.ObjectId -Top 1

Below is the original script:

[CmdletBinding()]
param(
    [Parameter(HelpMessage = 'Will output credentials if within this number of days, use 0 to report only expired and valid as of today')]
    $ExpiresInDays = 90
)
Write-Host 'Gathering necessary information...'
$applications = Get-AzADApplication 
$servicePrincipals = Get-AzADServicePrincipal 

$appWithCredentials = @()
$appWithCredentials += $applications | Sort-Object -Property DisplayName,ObjectId | % {
    $application = $__
    $sp = $servicePrincipals | ? ApplicationId -eq $application.ApplicationId
    Write-Verbose ('Fetching information for application {0}' -f $application.DisplayName)
    $application | Get-AzADAppCredential -ErrorAction SilentlyContinue | Select-Object -Property `
        @{Name='DisplayName'; Expression={$application.DisplayName}},
        @{Name='ObjectId'; Expression={$application.Id}},
        @{Name='ApplicationId'; Expression={$application.ApplicationId}},
        @{Name='KeyId'; Expression={$_.KeyId}},
        @{Name='Type'; Expression={$_.Type}},
        @{Name='StartDate'; Expression={$_.StartDate -as [datetime]}},
        @{Name='EndDate'; Expression={$_.EndDate -as [datetime]}}
}

Write-Host 'Validating expiration data...'
$today = (Get-Date).ToUniversalTime()
$limitDate = $today.AddDays($ExpiresInDays)
$appWithCredentials | Sort-Object EndDate | % {
        if($_.EndDate -lt $today) {
            $_ | Add-Member -MemberType NoteProperty -Name 'Status' -Value 'Expired'
        } elseif ($_.EndDate -le $limitDate) {
            $_ | Add-Member -MemberType NoteProperty -Name 'Status' -Value 'ExpiringSoon'
        } else {
            $_ | Add-Member -MemberType NoteProperty -Name 'Status' -Value 'Valid'
        }
}
$appWithCredentials
Write-Host 'Done.'

Best answer

Neither Get-AzADApplication nor Get-AzADServicePrincipal returns application owner details. You can verify this by running the command, fetching a single SP or application, and inspecting its properties. For example:

Get-AzADApplication -First 1 | ConvertTo-Json -Depth 30

You can retrieve application owners by querying Microsoft Graph. I added an example to your script that uses the Azure CLI (which must be installed and logged in) to obtain an Azure AD token, and then uses that token to query Microsoft Graph for each application's owners.

Also, on the line $application = $__, I replaced $__ with $_ so that the current item is referenced correctly.

Write-Host 'Gathering necessary information...'
$applications = Get-AzADApplication 
$servicePrincipals = Get-AzADServicePrincipal 
# The Azure CLI prints a JSON document; --query/-o tsv keeps only the bearer token string.
# Invoke-RestMethod -Authentication Bearer (PowerShell 6+) expects it as a SecureString.
$accessToken = az account get-access-token --resource-type ms-graph --query accessToken -o tsv
$tokenSS = ConvertTo-SecureString -String $accessToken -Force -AsPlainText

$appWithCredentials = @()
$appWithCredentials += $applications | Sort-Object -Property DisplayName, ObjectId | % {
    $application = $_
    $sp = $servicePrincipals | ? ApplicationId -eq $application.ApplicationId
    Write-Verbose ('Fetching information for application {0}' -f $application.DisplayName)

    Write-Verbose "Getting application owners"
    # Owners are not exposed by the Az cmdlets, so read them from Microsoft Graph
    # using the application's object ID (not its application/client ID).
    $uri = ('https://graph.microsoft.com/v1.0/applications/{0}/owners' -f $application.Id)
    $response = Invoke-RestMethod -Method GET -Uri $uri -ContentType 'application/json' -Authentication Bearer -Token $tokenSS
    $owners = $response.value

    $application | Get-AzADAppCredential -ErrorAction SilentlyContinue | Select-Object -Property @{
        Name = 'DisplayName'; Expression = { $application.DisplayName } }, 
        @{Name = 'ObjectId'; Expression = { $application.Id } }, 
        @{Name = 'ApplicationId'; Expression = { $application.ApplicationId } }, 
        @{Name = 'KeyId'; Expression = { $_.KeyId } }, 
        @{Name = 'Type'; Expression = { $_.Type } }, 
        @{Name = 'StartDate'; Expression = { $_.StartDate -as [datetime] } }, 
        @{Name = 'EndDate'; Expression = { $_.EndDate -as [datetime] } },
        @{Name = 'Owners'; Expression = { $owners } }
}

Regarding "azure - Get ownerid from an Azure AD application", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/66319207/
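As an added example (not code from the original question or from the answer above), the following PowerShell performs the same Microsoft Graph owner lookup but also handles what a one-page request leaves out: Graph collections are paged through @odata.nextLink, the Azure CLI prints a JSON document rather than a bare token, and a 403 on one application (missing Graph permission) should be reported instead of aborting the whole run. It also emits the owner IDs both as an array (for ConvertTo-Json) and as a joined string (for Export-Csv, which flattens arrays), and flags applications with no owner at all. The function names Get-GraphCollection and Get-AppOwnerIds are this example's own. It assumes PowerShell 7+, the Az.Resources module with the property names the page's script uses (Id, ApplicationId, EndDate), and an Azure CLI login whose identity may read applications and their owners (for example the Application.Read.All Graph permission).

```powershell
# Added example, not code from the original question or answer. Assumptions:
#  - PowerShell 7+ (Invoke-RestMethod -Authentication Bearer) and the Az.Resources module,
#    using the property names the page's script uses (Id, ApplicationId, EndDate)
#  - Azure CLI installed and logged in (az login) as an identity allowed to read
#    applications and their owners (e.g. the Application.Read.All Graph permission)
# Get-GraphCollection and Get-AppOwnerIds are this example's own names, not Az or CLI commands.

# az prints a JSON document; --query/-o tsv keeps only the bearer token string.
$graphToken = ConvertTo-SecureString -AsPlainText -Force -String (
    az account get-access-token --resource-type ms-graph --query accessToken -o tsv)

function Get-GraphCollection {
    # Follows @odata.nextLink so a collection larger than one page is returned whole
    # instead of being silently truncated to the first page.
    param(
        [Parameter(Mandatory)] [string] $Uri,
        [Parameter(Mandatory)] [securestring] $Token
    )
    $items = @()
    $next = $Uri
    while ($next) {
        $page = Invoke-RestMethod -Method GET -Uri $next -Authentication Bearer -Token $Token
        $items += $page.value
        $next = $page.'@odata.nextLink'
    }
    return ,$items
}

function Get-AppOwnerIds {
    # Returns the object IDs of every owner of one application, addressed by its
    # *object* ID (not the application/client ID). A failed call (typically 403 when
    # the caller lacks the Graph permission) is reported and yields an empty list.
    param(
        [Parameter(Mandatory)] [string] $ApplicationObjectId,
        [Parameter(Mandatory)] [securestring] $Token
    )
    $uri = 'https://graph.microsoft.com/v1.0/applications/{0}/owners' -f $ApplicationObjectId
    try {
        $owners = Get-GraphCollection -Uri $uri -Token $Token
        return @($owners | ForEach-Object { $_.id })
    } catch {
        Write-Warning ('Could not read owners of {0}: {1}' -f $ApplicationObjectId, $_.Exception.Message)
        return @()
    }
}

$today     = (Get-Date).ToUniversalTime()
$limitDate = $today.AddDays(90)

$report = Get-AzADApplication | ForEach-Object {
    $application = $_
    $ownerIds = Get-AppOwnerIds -ApplicationObjectId $application.Id -Token $graphToken
    $application | Get-AzADAppCredential -ErrorAction SilentlyContinue | ForEach-Object {
        $endDate = $_.EndDate -as [datetime]
        $status = if ($endDate -lt $today) { 'Expired' }
                  elseif ($endDate -le $limitDate) { 'ExpiringSoon' }
                  else { 'Valid' }
        [pscustomobject]@{
            DisplayName   = $application.DisplayName
            ObjectId      = $application.Id
            ApplicationId = $application.ApplicationId
            KeyId         = $_.KeyId
            EndDate       = $endDate
            Status        = $status
            OwnerIds      = $ownerIds               # array: becomes a JSON array in ConvertTo-Json
            OwnerIdList   = ($ownerIds -join ';')   # string: Export-Csv flattens arrays otherwise
            NoOwner       = ($ownerIds.Count -eq 0) # orphaned apps are a common hygiene finding
        }
    }
}

$report | ConvertTo-Json -Depth 5
$report | Export-Csv -Path .\app-credentials.csv -NoTypeInformation
```

The token is requested once and reused for every application, so a tenant with many applications does not pay one CLI round trip per app; if the run is long enough for the token to expire, re-run the ConvertTo-SecureString line before continuing.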
