Recently I prepared an au2mator Solution for Self-Service Azure App Registrations and Enterprise App Management. So I decided to show you a Report of your Enterprise Apps, Owners, and Usage Count with the Logins, so you can easily see which Apps are not used anymore.
Prerequisites
First, we need to create an Azure App to provide all permissions required.
MS Graph References:
- List applications – Microsoft Graph v1.0 | Microsoft Docs
- List signIns – Microsoft Graph v1.0 | Microsoft Docs
- List owners – Microsoft Graph v1.0 | Microsoft Docs
Create an Azure App Registration and add the following GRAPH API Application Permissions:
- Application.ReadWrite.All
- Directory.Read.All
- Directory.ReadWrite.All
- AuditLog.Read.All
Create a Secret and copy the Value.
If you are not familiar with Azure App Regs and how all this works together, see my Blog Post for Details:
To learn more from Microsoft GRAPH API, see my Blog Series:
Part 1 – Authentication and Azure App – Use Microsoft Graph API with PowerShell – Part 1 » TechGuy
Part 2 – Oauth2.0 – Use Microsoft Graph API with PowerShell – Part 2 » TechGuy
Part 3 – First PowerShell Script to get a Teams List and Walkthrough – Use Microsoft Graph API with PowerShell – Part 3 » TechGuy
Part 4 – this one – Use Microsoft Graph API with PowerShell – Part 4 » TechGuy
With all this information, we can take a look at the Script.
The Script
#Placeholder values; keep the real secret out of the script file
$clientID = 'yourClientID'
$tenantId = 'yourTenantID'
$Clientsecret = 'yourSecret'
$BaseURL = "https://graph.microsoft.com/v1.0"

#Enter the Timeframe in Days for the Usage
$TimeFrameInDays = 30

#Build a Dateformat for the Filter
$TimeFrameDate = Get-Date -Format yyyy-MM-dd ((Get-Date).AddDays(-$TimeFrameInDays))

#Build Array to store PSCustomObject
$Array = @()

#Auth MS Graph API and Get Header
$tokenBody = @{
    Grant_Type    = "client_credentials"
    Scope         = "https://graph.microsoft.com/.default"
    Client_Id     = $clientID
    Client_Secret = $Clientsecret
}
$tokenResponse = Invoke-RestMethod -Uri "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token" -Method POST -Body $tokenBody
$headers = @{
    "Authorization" = "Bearer $($tokenResponse.access_token)"
    "Content-type"  = "application/json"
}

#Get all Apps, following @odata.nextLink so Apps beyond the first page are not missed
$Applications = @()
$NextLink = "$BaseURL/applications"
while ($NextLink) {
    $Page = Invoke-RestMethod -Method GET -Uri $NextLink -Headers $headers
    $Applications += $Page.value
    $NextLink = $Page.'@odata.nextLink'
}

foreach ($App in $Applications) {
    #Get Sign In/Usage (only the first result page is counted, so busy Apps show the page size as maximum)
    $SignIns = Invoke-RestMethod -Method GET -Uri "$BaseURL/auditLogs/signIns?`$filter=appid eq '$($App.appId)' and createdDateTime gt $TimeFrameDate" -Headers $headers
    $UsageCount = @($SignIns.value).Count
    Start-Sleep -Seconds 1

    #Get Owners
    $URLGetOwner = "$BaseURL/applications/$($App.id)/owners"
    $Owner = Invoke-RestMethod -Method GET -Uri $URLGetOwner -Headers $headers

    #The response object is always returned, so test the value list to detect Apps without Owner
    if ($Owner.value) {
        foreach ($O in $Owner.value) {
            $Array += [PSCustomObject]@{
                "App ID"      = $App.id
                "App AppID"   = $App.appId
                "App Name"    = $App.displayName
                "Owner UPN"   = $O.userPrincipalName
                "Owner Name"  = $O.displayName
                "Owner ID"    = $O.id
                "Usage Count" = $UsageCount
            }
        }
    }
    else {
        $Array += [PSCustomObject]@{
            "App ID"      = $App.id
            "App AppID"   = $App.appId
            "App Name"    = $App.displayName
            "Owner UPN"   = "NONE"
            "Owner Name"  = "NONE"
            "Owner ID"    = "NONE"
            "Usage Count" = $UsageCount
        }
    }
}

$Array | Select-Object -Property "App Name", "Owner UPN", "Usage Count" | Sort-Object -Property "Usage Count" -Descending
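The script only sends GET requests, so the token it requests can be checked for app roles the report does not use. The following is an added example, not part of the original script or the GitHub repo: it decodes the `roles` claim of an app-only access token and compares it with a read-only set. The function name `Get-GraphTokenRoleReport`, the sample token, and the assumption that `Application.Read.All`, `Directory.Read.All` and `AuditLog.Read.All` are enough for the three GET calls are this example's own.

```powershell
# Added example: list the app roles carried by a Graph access token.
# Diagnostic only: the payload is decoded, the signature is not verified.
# Assumption: these read-only roles are enough for the GET calls in the report.
$NeededRoles = 'Application.Read.All', 'Directory.Read.All', 'AuditLog.Read.All'

function Get-GraphTokenRoleReport {
    param(
        [Parameter(Mandatory)] [string] $AccessToken,
        [string[]] $Needed = $NeededRoles
    )
    $Parts = $AccessToken.Split('.')
    if ($Parts.Count -ne 3) { throw "Not a JWT: expected 3 dot-separated parts." }

    # Base64url -> Base64: swap the URL-safe characters and restore '=' padding
    $Payload = $Parts[1].Replace('-', '+').Replace('_', '/')
    switch ($Payload.Length % 4) {
        2 { $Payload += '==' }
        3 { $Payload += '=' }
        1 { throw "Invalid Base64url payload length." }
    }
    $Json = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($Payload))
    $Claims = $Json | ConvertFrom-Json

    # Application permissions appear in the 'roles' claim of an app-only token
    $Granted = @($Claims.roles | Where-Object { $_ })
    [PSCustomObject]@{
        Granted     = $Granted
        Missing     = @($Needed | Where-Object { $_ -notin $Granted })
        NotNeeded   = @($Granted | Where-Object { $_ -notin $Needed })
        WriteAccess = @($Granted | Where-Object { $_ -match 'ReadWrite' })
    }
}

# Constructed sample token (unsigned, fake values) so the example runs offline.
# With the script above, pass $tokenResponse.access_token instead.
$SampleClaims = @{
    roles = 'Application.ReadWrite.All', 'Directory.Read.All',
            'Directory.ReadWrite.All', 'AuditLog.Read.All'
} | ConvertTo-Json -Compress
$B64 = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($SampleClaims))
$SampleToken = 'e30.' + $B64.TrimEnd('=').Replace('+', '-').Replace('/', '_') + '.sig'

Get-GraphTokenRoleReport -AccessToken $SampleToken | Format-List
```

For the sample token, `WriteAccess` lists `Application.ReadWrite.All` and `Directory.ReadWrite.All`, and `Missing` lists `Application.Read.All`.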
The Result
You will get the following Result

GitHub Repo
Here you can find the GitHub Repo: Seidlm/Microsoft-Azure: Azure Rest API Examples (github.com) with the Script
Michael Seidl aka Techguy
au2mate everything