{"id":4443,"date":"2025-02-14T11:05:14","date_gmt":"2025-02-14T10:05:14","guid":{"rendered":"https:\/\/www.lieben.nu\/liebensraum\/?p=4443"},"modified":"2025-02-14T11:05:14","modified_gmt":"2025-02-14T10:05:14","slug":"scanning-unattended-using-a-service-principal","status":"publish","type":"post","link":"https:\/\/lieben.nu\/liebensraum\/2025\/02\/scanning-unattended-using-a-service-principal\/","title":{"rendered":"Scanning unattended using a Service Principal"},"content":{"rendered":"\n

If you want to use the M365Permissions module<\/a> in unattended (or headless) mode, e.g. from a runbook or on a server as scheduled task, you’ll need to create an app registration in Entra with sufficient permissions to scan your tenant.<\/p>\n\n\n\n

\"\"<\/a><\/figure>\n\n\n\n

Setup instructions (automated)<\/strong><\/h2>\n\n\n\n
    \n
  1. Install the module using Install-Module<\/code> -Name<\/code> M365Permissions<\/code> -Force<\/code><\/em><\/li>\n\n\n\n
  2. Load the module using Import-Module<\/code> -Name<\/code> M365Permissions<\/code><\/em><\/li>\n\n\n\n
  3. Create a service principal using Set-ScanPermissions -switchToSPNAuth<\/em> -appName \"M365Permissions (AppOnly)\"<\/em><\/code><\/li>\n\n\n\n
  4. Run Connect-M365 -ServicePrincipal<\/em><\/code><\/li>\n\n\n\n
  5. Start a scan (e.g. using get-allM365Permissions<\/em><\/code>)<\/li>\n\n\n\n
  6. Scroll down if you also want to scan PowerBI<\/li>\n<\/ol>\n\n\n\n

    Setup instructions (manual)<\/h2>\n\n\n\n
      \n
    1. Go to https:\/\/portal.azure.com\/#view\/Microsoft_AAD_RegisteredApps\/CreateApplicationBlade\/quickStartType~\/null\/isMSAApp~\/false<\/a><\/li>\n\n\n\n
    2. Decide on a name and click Register<\/li>\n\n\n\n
    3. Go to API permissions and enter as follows:<\/li>\n<\/ol>\n\n\n\n
      \"\"<\/a><\/figure>\n\n\n\n
        \n
      1. Don’t forget to click ‘Grant admin consent’<\/li>\n\n\n\n
      2. Note down the ‘Application (client) id’ and ‘Directory (tenant) id’ from the ‘Overview’ page<\/li>\n\n\n\n
      3. run the new-SpnAuthCert command from the M365Permissions module, it will output a .cer file. Make sure to use the tenant ID from step 5.<\/li>\n\n\n\n
      4. The PFX file has to be imported on any machine you wish to run the module on, except for the machine where you ran the new-SpnAuthCert command.<\/li>\n\n\n\n
      5. Go to ‘Certificates & secrets’ and upload the .cer file<\/li>\n<\/ol>\n\n\n\n
        \"\"<\/a><\/figure>\n\n\n\n
          \n
        1. Go to the Roles and Administrators<\/a> in Entra and select the Global Administrator role.<\/li>\n\n\n\n
        2. Add the new app registration to the global administrator role:<\/li>\n<\/ol>\n\n\n\n
          \"\"<\/a><\/figure>\n\n\n\n
            \n
          1. Run set-M365PermissionsConfig -LCTenantId <tenant ID> -LCClientId <client id> with the values from step 5 to configure the module to use your new SPN to log in.<\/li>\n\n\n\n
          2. Alternatively, you can configure the LCTENANTID and LCCLIENTID environment variables with above information.<\/li>\n\n\n\n
          3. If you also configure the LCAUTHMODE environment variable with a value of “ServicePrincipal”, the module will log in to your tenant fully automatically the moment it is imported.<\/li>\n\n\n\n
          4. If you’re running interactively, you can now use connect-M365 -ServicePrincipal before running a scan to use the SPN instead of delegated authentication<\/li>\n<\/ol>\n\n\n\n

            Scanning PowerBI<\/h2>\n\n\n\n

            If you also want to include PowerBI in your scans, you’ll have to authorize the service principal.<\/a><\/p>\n\n\n\n

            PFX certificate location<\/h2>\n\n\n\n

            If you want to run from an automation account, Azure function etc, for now you’ll have to retrieve the .pfx file dynamically and install it before the module loads because the module looks in the local certificate store for a certificate with your tenant ID as subject.<\/p>\n\n\n\n

            I will consider adding support for Managed Identities in the future to make this simpler, and possibly also add keyvault integration or direct path configuration an option.<\/p>\n\n\n\n

            Restrictions<\/h2>\n\n\n\n

            When scanning as service principal, you cannot scan:<\/p>\n\n\n\n