For M365Permissions I wanted to categorize service principals in an actually useful way.
This is what I came up with so far
function get-servicePrincipalType{
Param(
[Parameter(Mandatory=$true)][object]$spn
)
#managed identities are simple :)
if($spn.servicePrincipalType -eq "ManagedIdentity"){
return "ManagedIdentity"
}
#other SPN's can be hosted by us, by Microsoft or by a third party
#Although 9188040d-6c67-4c5b-b112-36a304b66dad is also officially Msft, it contains consumer apps not built or vetted by Microsoft thus we treat it as third party
if($spn.appOwnerOrganizationId -in ("f8cdef31-a31e-4b4a-93e4-5f571e91255a","72f988bf-86f1-41af-91ab-2d7cd011db47","7579c9b7-9fa5-4860-b7ac-742d42053c54")){
return "MicrosoftApplication"
}elseif($spn.appOwnerOrganizationId -eq <YOURTENANTID>){
#this is either a homebrew app or an AI agentic app
if($spn.tags -and ($spn.tags -contains "AgenticApp" -or $spn.tags -contains "AIAgentBuilder")){
return "AiAgent"
}else{
return "InHouseApplication"
}
}else{
return "ThirdPartyApplication"
}
}
Today’s release has a ‘special guest’; Morten (blog)! He completely rewrote the entra user and group retrieval code, greatly improving both performance and total capacity!
Other changes of note:
Add support for Onenote Notebook sharing permissions
Treat anonymous sharing links as ‘deleted’ if the sharing level at the site forbids anonymous sharing
Are you also curious about all those PowerApps and Flows in your environment? Orphaned ones maybe? Or when someone leaves the company?
1.2.2 adds scanning of PowerApps and Flows! Only when using SPN auth. (setup instructions)
In addition to that, I’ve also added provisional support for scans of tenants in USGOV, USDOD and China. Since I don’t have a test tenant there, I’ll have to rely on you to test how it performs there.
Yes, we finally have Microsoft Azure! All active and eligible permissions are in scope from the subscription level and below.
If you use a service principal for scanning, be sure to assign read permissions for it to all subscriptions (or lower level resource groups) you want it to index.
1.1.6 brings all separate catagories we scan in line by making the report columns the same (=Common Data Mode). This makes comparing and pivoting a LOT easier 🙂
Also, added Partner Permissions and Entra Devices (including Cloud PC’s).
