Manage user and group assignments
Enterprise applications in Microsoft Entra ID represent the service principals that allow users and groups to access various resources. You might need to export user and group assignments for several reasons. These reasons include performing audits and ensuring compliance with security policies. It also helps in managing user access efficiently and identifying any unauthorized access or potential security risks within the organization.
In this article, you learn how to manage user and group assignments to enterprise applications in Microsoft Entra ID using PowerShell. This scenario is crucial for maintaining security and compliance. It allows you to efficiently audit access, manage permissions, and mitigate unauthorized access risks within their organization.
Prerequisites
To report assignments of users and groups to enterprise apps with Microsoft Entra PowerShell, you need:
- A Microsoft Entra user account. If you don't already have one, you can Create an account for free.
- One of the following roles:
- Microsoft Entra PowerShell module installed. Follow the Install the Microsoft Entra PowerShell module guide to install the module.
Export user and group assignments to all service principals
The following example shows how to use Microsoft Entra PowerShell to report user and group assignments to enterprise applications.
Connect to Microsoft Entra ID with the necessary permissions and sign in with at least a Cloud Application Administrator role.
Connect-Entra -Scopes 'Directory.Read.All', 'Application.Read.All'Run the following script to export all user and group assignments to service principals to a CSV file. The script performs the following actions:
- Data Retrieval:
- Fetches all user and group assignments associated with each service principal.
- Utilizes directory APIs or CLI commands to gather comprehensive assignment details.
- Parses the retrieved data to extract relevant information such as:
- User Names: Identifies individual users assigned to service principals.
- Group Names: Identifies groups that have assignments to service principals.
- Service Principal Details: Includes IDs, names, and roles associated with each service principal.
- Exporting to CSV:
- Organizes the extracted data into a structured format.
- Writes the organized data into a CSV file, making it easy to view, share, or further analyze the assignments.
# Get all service principals. $servicePrincipals = Get-EntraServicePrincipal -All # Initialize an array to hold the results. $results = @() #Loop through each service principal. foreach ($sp in $servicePrincipals) { Write-Host "Processing Service Principal: $($sp.DisplayName)" -ForegroundColor Cyan # Get assigned users and groups $assignedUsers = Get-EntraServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id | Where-Object { $_.PrincipalType -eq 'User' } | Select-Object -ExpandProperty PrincipalId $assignedGroups = Get-EntraServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id | Where-Object { $_.PrincipalType -eq 'Group' } | Select-Object -ExpandProperty PrincipalId # Resolve user and group names $userNames = $assignedUsers | ForEach-Object { (Get-EntraUser -UserId $_).DisplayName } $groupNames = $assignedGroups | ForEach-Object { (Get-EntraGroup -GroupId $_).DisplayName } # Only add to results if there are assigned users or groups if ($userNames.Count -gt 0 -or $groupNames.Count -gt 0) { # Create a result object $result = [PSCustomObject]@{ ServicePrincipalName = $sp.DisplayName AssignedUsers = ($userNames -join "; ") AssignedGroups = ($groupNames -join "; ") } # Add the result to the results array $results += $result } } # Check if results array is not empty before exporting if ($results.Count -gt 0) { # Define CSV export parameters. Replace the path with your desired location. $csvParams = @{ Path = "C:\Users\$env:USERNAME\Downloads\ServicePrincipalAssignments.csv" NoTypeInformation = $true } # Export the results to a CSV file $results | Export-Csv @csvParams Write-Host "Service principal assignments exported to CSV file." -ForegroundColor Green } else { Write-Host "No service principals found or no data to export." }- Data Retrieval:
This script retrieves all service principals in your Microsoft Entra tenant and exports the user and group assignments to a CSV file. The CSV file contains the service principal name, assigned users, and assigned groups.
Unassign users and groups from a service principal
By unassigning specific users and groups, you can ensure that only authorized personnel have the necessary permissions. Unassigning unwanted users and groups reduces the risk of unauthorized access and enhancing overall system integrity.
The following example shows how to use Microsoft Entra PowerShell to unassign specific users and groups from a service principal.
Connect to Microsoft Entra ID with the necessary permissions and sign in with at least a Cloud Application Administrator role.
Connect-Entra -Scopes 'Application.Read.All'Get all service principals and display their IDs.
$servicePrincipals = Get-EntraServicePrincipal -All $servicePrincipals | Select-Object DisplayName, IdThis command retrieves all service principals in your Microsoft Entra tenant and displays their display names and IDs.
DisplayName Id ----------- -- Test-app1 aaaaaaaa-1111-2222-3333-bbbbbbbbbbbb Test-app2 bbbbbbbb-2222-3333-4444-cccccccccccc Test-app3 cccccccc-3333-4444-5555-ddddddddddddRecord the ID of the service principal from which you want to unassign users or groups.
Get the principal IDs of the users and groups assigned to the service principal using the Get-EntraServicePrincipalAppRoleAssignedTo cmdlet.
Connect-Entra -Scopes 'Application.Read.All' Get-EntraServicePrincipalAppRoleAssignedTo -ServicePrincipalId "aaaaaaaa-1111-2222-3333-bbbbbbbbbbbb" -All |Select-Object Id, AppRoleId, PrincipalDisplayName, PrincipalId, PrincipalType, ResourceDisplayName | Format-TableThis command retrieves all users and groups assigned to the specified service principal and displays their details. The ID column represents the unique ID of the assignment. Record the ID of the assignment you want to remove.
Id AppRoleId PrincipalDisplayName PrincipalId PrincipalType ResourceDisplayName -- --------- -------------------- ----------- ------------- ------------------- A1bC2dE3fH4iJ5kL6mN7oP8qR9sT0uV1wX2yZ3c4vB 00000000-0000-0000-0000-000000000000 testUser1 dddddddd-5555-6666-7777-eeeeeeeeeeee User Test-app1 B2cD3eF4gH5iJ6kL7mN8oP9qR0sT1uV2wX3yZ4c5v6 00000000-0000-0000-0000-000000000000 testUser2 ffffffff-6666-7777-8888-ffffffffffff User Test-app1 C3dE4fG5hH6iJ7kL8mN9oP0qR1sT2uV3wX4yZ5c6v7 00000000-0000-0000-0000-000000000000 testGroup1 gggggggg-7777-8888-9999-gggggggggggg Group Test-app1Remove the user or group assignment using the Remove-EntraServicePrincipalAppRoleAssignment cmdlet.
Connect-Entra -Scopes 'AppRoleAssignment.ReadWrite.All' $servicePrincipal = Get-EntraServicePrincipal -ServicePrincipalId 'aaaaaaaa-1111-2222-3333-bbbbbbbbbbbb' Remove-EntraServicePrincipalAppRoleAssignment -ServicePrincipalId $servicePrincipal.Id -AppRoleAssignmentId 'B2cD3eF4gH5iJ6kL7mN8oP9qR0sT1uV2wX3yZ4c5v6'This command removes the specified app role assignment from the service principal.
Unassign all users and groups from a service principal
The following example demonstrates how to use Microsoft Entra PowerShell to unassign all users and groups from a service principal.
Connect to Microsoft Entra with the necessary permissions.
Connect-Entra -Scopes 'AppRoleAssignment.ReadWrite.All' $servicePrincipal = Get-EntraServicePrincipal -ServicePrincipalId '31f1d894-0a2b-4901-b30c-b61a0e87acfe' # Remove all app role assignments from the service principal $assignments = Get-EntraServicePrincipalAppRoleAssignedTo -ServicePrincipalId $servicePrincipal.Id foreach ($assignment in $assignments) { Remove-EntraServicePrincipalAppRoleAssignment -ServicePrincipalId $servicePrincipal.Id -AppRoleAssignmentId $assignment.Id }This example unassigns all users and groups from the specified service principal in your Microsoft Entra tenant.