Get All Enterprise Apps and their Owners

2025-12-17 08:25:20 +00:00 · 2024-12-02 16:16:52 +05:30 · 2024-12-02 16:16:52 +05:30 · 529426933e
commit 529426933e
parent 9d25981d93
1 changed files with 212 additions and 0 deletions
--- a/Owners/GetEnterpriseAppsReport.ps1
+++ b/Owners/GetEnterpriseAppsReport.ps1
@ -0,0 +1,212 @@
+
+<#
+=============================================================================================
+Name:           Get all enterprise apps and their owners 
+Version:        1.0
+Website:        o365reports.com
+
+
+Script Highlights:  
+~~~~~~~~~~~~~~~~~
+1. The script exports all enterprise apps along with its owners in Microsoft Entra.  
+2. Generates report for sign-in enabled applications alone. 
+3. Exports report for sign-in disabled applications only. 
+4. Filters applications that are hidden from all users except assigned users. 
+5. Provides the list of applications that are visible to all users in the organization. 
+6. Lists applications that are accessible to all users in the organization.  
+7. Identifies applications that can be accessed only by assigned users. 
+8. Fetches the list of ownerless applications in Microsoft Entra. 
+9. Assists in filtering home tenant applications only. 
+10. Exports applications from external tenants only. 
+11. The script uses MS Graph PowerShell and installs MS Graph PowerShell SDK (if not installed already) upon your confirmation.  
+12. Exports the report result to CSV. 
+13. The script can be executed with an MFA enabled account too. 
+14. It can be executed with certificate-based authentication (CBA) too. 
+15. The script is schedular-friendly.  
+
+For detailed Script execution: https://o365reports.com/2024/11/26/export-all-enterprise-apps-and-their-owners-in-microsoft-entra/
+
+
+============================================================================================
+#>
+Param
+(
+    [switch]$CreateSession,
+    [string]$TenantId,
+    [string]$ClientId,
+    [string]$CertificateThumbprint,
+    [switch]$SigninEnabledAppsOnly,
+    [Switch]$SigninDisabledAppsOnly,
+    [Switch]$HiddenApps,
+    [Switch]$VisibleToAllUsers,
+    [Switch]$AccessScopeToAllUsers,
+    [Switch]$RoleAssignmentRequiredApps,
+    [Switch]$OwnerlessApps,
+    [Switch]$HomeTenantAppsOnly,
+    [Switch]$ExternalTenantAppsOnly
+)
+Function Connect_MgGraph
+{
+ #Check for module installation
+ $Module=Get-Module -Name Microsoft.Graph -ListAvailable
+ if($Module.count -eq 0) 
+ { 
+  Write-Host Microsoft Graph PowerShell SDK is not available  -ForegroundColor yellow  
+  $Confirm= Read-Host Are you sure you want to install module? [Y] Yes [N] No 
+  if($Confirm -match "[yY]") 
+  { 
+   Write-host "Installing Microsoft Graph PowerShell module..."
+   Install-Module Microsoft.Graph -Repository PSGallery -Scope CurrentUser -AllowClobber -Force
+  }
+  else
+  {
+   Write-Host "Microsoft Graph PowerShell module is required to run this script. Please install module using Install-Module Microsoft.Graph cmdlet." 
+   Exit
+  }
+ }
+ #Disconnect Existing MgGraph session
+ if($CreateSession.IsPresent)
+ {
+  Disconnect-MgGraph
+ }
+
+
+ Write-Host Connecting to Microsoft Graph...
+ if(($TenantId -ne "") -and ($ClientId -ne "") -and ($CertificateThumbprint -ne ""))  
+ {  
+  Connect-MgGraph  -TenantId $TenantId -AppId $ClientId -CertificateThumbprint $CertificateThumbprint -NoWelcome
+ }
+ else
+ {
+  Connect-MgGraph -Scopes "Application.Read.All"  -NoWelcome
+ }
+}
+Connect_MgGraph
+
+$Location=Get-Location
+$ExportCSV = "$Location\EnterpriseApps_and_their_Owners_Report_$((Get-Date -format yyyy-MMM-dd-ddd` hh-mm-ss` tt).ToString()).csv"
+$PrintedCount=0
+$Count=0
+$TenantGUID= (Get-MgOrganization).Id
+
+
+$RequiredProperties=@('DisplayName','AccountEnabled','Id','SigninAudience','Tags','AppRoleAssignmentRequired','ServicePrincipalType','AdditionalProperties','AppDisplayName')
+Get-MgServicePrincipal -All | foreach {
+ $Print=1
+ $Count++
+ $EnterpriseAppName=$_.DisplayName
+ Write-Progress -Activity "`n     Processed enterprise apps: $Count - $EnterpriseAppName "
+ $UserSigninStatus=$_.AccountEnabled
+ $Id=$_.Id
+ $Tags=$_.Tags
+ if($Tags -contains "HideApp")
+ {
+  $UserVisibility="Hidden"
+ }
+ else
+ {
+  $UserVisibility="Visible"
+ }
+ $IsRoleAssignmentRequired=$_.AppRoleAssignmentRequired
+ if($IsRoleAssignmentRequired -eq $true)
+ {
+  $AccessScope="Only assigned users can access"
+ }
+ else
+ {
+  $AccessScope="All users can access"
+ }
+ [DateTime]$CreationTime=($_.AdditionalProperties.createdDateTime)
+ $CreationTime=$CreationTime.ToLocalTime()
+ $ServicePrincipalType=$_.ServicePrincipalType
+ $AppRegistrationName=$_.AppDisplayName
+ $AppOwnerOrgId=$_.AppOwnerOrganizationId
+ if($AppOwnerOrgId -eq $TenantGUID)
+ {
+  $AppOrigin="Home tenant"
+ }
+ else
+ {
+  $AppOrigin="External tenant"
+ }
+ $Owners=(Get-MgServicePrincipalOwner -ServicePrincipalId $Id).AdditionalProperties.userPrincipalName
+ $Owners=$Owners -join ","
+ if($owners -eq "")
+ {
+  $Owners="-"
+ }
+
+ #Filtering the result
+ if(($SigninEnabledAppsOnly.IsPresent) -and ($UserSigninStatus -eq $false))
+ {
+  $Print=0
+ }
+ elseif(($SigninDisabledAppsOnly.IsPresent) -and ($UserSigninStatus -eq $true))
+ {
+  $Print=0
+ }
+ if(($HiddenApps.IsPresent) -and ($UserVisibility -eq "Visible"))
+ {
+  $Print=0
+ }
+ elseif(($VisibleToAllUsers.IsPresent) -and ($UserVisibility -eq "Hidden"))
+ {
+  $Print=0
+ }
+ if(($AccessScopeToAllUsers.IsPresent) -and ($AccessScope -eq "Only assigned users can access"))
+ {
+  $Print=0
+ }
+ elseif(($RoleAssignmentRequiredApps.IsPresent) -and ($AccessScope -eq "All users can access"))
+ {
+  $Print=0
+ }
+ if(($OwnerlessApps.IsPresent) -and ($Owners -ne "-"))
+ {
+  $Print=0
+ }
+ if(($HomeTenantAppsOnly.IsPresent) -and ($AppOrigin -eq "External tenant"))
+ {
+  $Print=0
+ }
+ elseif(($ExternalTenantAppsOnly.IsPresent) -and ($AppOrigin -eq "Home tenant"))
+ {
+  $Print=0
+ }
+
+ if($Print -eq 1)
+   {
+   $PrintedCount++
+   $ExportResult=[PSCustomObject]@{'Enterprise App Name'=$EnterpriseAppName;'App Id'=$Id;'App Owners'=$Owners;'App Creation Time'=$CreationTime;'User Signin Allowed'=$UserSigninStatus;'User Visibility'=$UserVisibility;'Role Assignment Required'=$AccessScope;'Service Principal Type'=$ServicePrincipalType;'App Registration Name'=$AppRegistrationName;'App Origin'=$AppOrigin;'App Org Id'=$AppOwnerOrgId}
+   $ExportResult | Export-Csv -Path $ExportCSV -Notype -Append
+  }
+}
+
+ Write-Host `n~~ Script prepared by AdminDroid Community ~~`n -ForegroundColor Green
+ Write-Host "~~ Check out " -NoNewline -ForegroundColor Green; Write-Host "admindroid.com" -ForegroundColor Yellow -NoNewline; Write-Host " to get access to 1800+ Microsoft 365 reports. ~~" -ForegroundColor Green `n`n
+ 
+
+
+#Open output file after execution 
+ If($PrintedCount -eq 0)
+ {
+  Write-Host No data found for the given criteria
+ 
+ }
+ else
+ {
+  Write-Host `nThe script processed $Count enterprise apps and the output file contains $PrintedCount records.
+  if((Test-Path -Path $ExportCSV) -eq "True") 
+  {
+
+   Write-Host `n The Output file available in: -NoNewline -ForegroundColor Yellow
+   Write-Host $ExportCSV 
+   $Prompt = New-Object -ComObject wscript.shell      
+  $UserInput = $Prompt.popup("Do you want to open output file?",`   
+ 0,"Open Output File",4)   
+  If ($UserInput -eq 6)   
+   {   
+    Invoke-Item "$ExportCSV"   
+   } 
+  }
+ }