Get all your Azure Enterprise Apps with Owner and Usage Count

Recently I prepared an au2mator solution for self-service Azure App Registrations and Enterprise App management. So I decided to show you a report of your Enterprise Apps, their owners, and a usage count based on the logins, so you can easily see which apps are not used anymore.

Prerequisites

First, we need to create an Azure App to provide all permissions required.

MS Graph References:

Create an Azure App Registration and add the following GRAPH API Application Permissions

  • Application.ReadWrite.All
  • Directory.Read.All
  • Directory.ReadWrite.All
  • AuditLog.Read.All

Create a Secret and copy the Value

If you are not familiar with Azure App Registrations and how all this works together, see my blog post for details:

To learn more about the Microsoft Graph API, see my blog series:
Part 1 – Authentication and Azure App – Use Microsoft Graph API with PowerShell – Part 1 » TechGuy
Part 2 – Oauth2.0 – Use Microsoft Graph API with PowerShell – Part 2 » TechGuy
Part 3 – First Powershell Script to get a Teams List and Walkthrough – Use Microsoft Graph API with PowerShell – Part 3 » TechGuy
Part 4 – this one – Use Microsoft Graph API with PowerShell – Part 4 » TechGuy

With all that information, we can take a look at the script.

The Script

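#Placeholders only: load the secret from a secure store at runtime and keep it out of source control
$clientID = 'yourClientID'
$tenantId = 'yourTenantID'
$Clientsecret = 'yourSecret'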

$BaseURL = "https://graph.microsoft.com/v1.0"

#Enter the Timeframe in Days for the Usage
$TimeFrameInDays = 30

#Build a Dateformat for the Filter
$TimeFrameDate = Get-Date -format yyyy-MM-dd  ((Get-Date).AddDays(-$TimeFrameInDays))

#Build Array to store PSCustomObject
$Array = @()

#Auth MS Graph API and Get Header
$tokenBody = @{  
    Grant_Type    = "client_credentials"  
    Scope         = "https://graph.microsoft.com/.default"  
    Client_Id     = $clientID  
    Client_Secret = $Clientsecret  
}   
$tokenResponse = Invoke-RestMethod -Uri "https://login.microsoftonline.com/$tenantID/oauth2/v2.0/token" -Method POST -Body $tokenBody  
$headers = @{
    "Authorization" = "Bearer $($tokenResponse.access_token)"
    "Content-type"  = "application/json"
}

#Get all Enterprise Apps
#Graph returns one page per request; further pages (@odata.nextLink) are not followed here
$URLGetApplications = "$BaseURL/applications"

$Applications = Invoke-RestMethod -Method GET -Uri $URLGetApplications -Headers $headers

foreach ($App in $Applications.value) {
    #Get Sign In/Usage (the count below covers the first page of sign-ins only)
    $SignIns = Invoke-RestMethod -Method GET  -Uri "https://graph.microsoft.com/v1.0/auditLogs/signIns?`$filter=appId eq '$($App.appId)' and createdDateTime gt $TimeFrameDate" -Headers $headers
    
    Start-Sleep -Seconds 1

    #Get Owners
    $URLGetOwner = "$BaseURL/applications/$($App.id)/owners"
    $Owner = Invoke-RestMethod -Method GET -Uri $URLGetOwner -Headers $headers
    
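    #The response object is always truthy, so test the owners list itself; otherwise apps without owners never reach the else branch
    if ($Owner.value) {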
        foreach ($O in $Owner.value) {

            $Array += [PSCustomObject]@{
                "App ID"           = $App.id
                "App AppID"        = $App.appId
                "App Name"         = $App.displayName
                "Owner UPN"        = $o.userprincipalname
                "Owner Name"       = $o.displayName
                "Owner ID"         = $o.id
                "Usage Count"      = ($SignIns.value ).count
            }

        }
    }
    else {
        $Array += [PSCustomObject]@{
            "App ID"           = $App.id
            "App AppID"        = $App.appId
            "App Name"         = $App.displayName
            "Owner UPN"        = "NONE"
            "Owner Name"       = "NONE"
            "Owner ID"         = "NONE"
            "Usage Count"      = ($SignIns.value ).count
        }
    }
}

$Array | Select-Object -Property "App Name", "Owner UPN", "Usage Count" | Sort-Object -Property "Usage Count" -Descending
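
The script above reads only the first page of each Graph response, so in a tenant with more apps or sign-ins than one page holds, the report is truncated and usage counts are capped. The following added example (not part of the original script or the author's repo) follows @odata.nextLink and retries on HTTP 429. The function name Get-GraphAllPages, its -Fetch parameter and the two fake pages are assumptions constructed for illustration.

```powershell
# Added example: collect every page of a Graph collection and back off when throttled.
function Get-GraphAllPages {
    param(
        [Parameter(Mandatory)] [string] $Uri,
        [hashtable]   $Headers    = @{},
        [int]         $MaxRetries = 5,
        # Hypothetical seam for offline runs; by default it performs the real Graph call.
        [scriptblock] $Fetch = { param($u, $h) Invoke-RestMethod -Method GET -Uri $u -Headers $h }
    )
    $items = [System.Collections.Generic.List[object]]::new()
    $next  = $Uri
    while ($next) {
        $attempt = 0
        while ($true) {
            try { $page = & $Fetch $next $Headers; break }
            catch {
                $attempt++
                # StatusCode is empty on network errors, which casts to 0 and is rethrown.
                $status = [int]$_.Exception.Response.StatusCode
                if ($status -ne 429 -or $attempt -gt $MaxRetries) { throw }
                # Graph also sends Retry-After; a capped exponential backoff is used here
                # because it behaves the same on Windows PowerShell 5.1 and PowerShell 7.
                Start-Sleep -Seconds ([math]::Min(60, [math]::Pow(2, $attempt)))
            }
        }
        foreach ($item in $page.value) { $items.Add($item) }
        # Absent on the last page, which ends the loop.
        $next = $page.'@odata.nextLink'
    }
    return $items
}

# Constructed two-page response standing in for Graph, so the example runs offline.
$fakePages = @{
    'page1' = [PSCustomObject]@{ value = @('app-a', 'app-b'); '@odata.nextLink' = 'page2' }
    'page2' = [PSCustomObject]@{ value = @('app-c') }
}
$all = @(Get-GraphAllPages -Uri 'page1' -Fetch { param($u, $h) $fakePages[$u] })
"Items across all pages: $($all.Count)"
```

In the script, the two single-page calls for applications and sign-ins become `@(Get-GraphAllPages -Uri <same URI> -Headers $headers)`, with `.Count` taken on the returned array instead of on `.value`.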

The Result

You will get the following Result

GitHub Repo

You can find the script in the GitHub repo: Seidlm/Microsoft-Azure: Azure Rest API Examples (github.com)

Michael Seidl aka Techguy
au2mate everything
