` Find Entra ID Applications with High-Risk API Permissions

M365Corner
M365 PowerShell

List Entra ID Applications with High-Risk API Permissions Using Graph PowerShell

API permissions allow applications to access Microsoft 365 resources such as users, groups, files, and mailboxes. While these permissions enable powerful integrations, certain permissions are considered high risk because they grant broad access to directory data or allow modification of sensitive resources.

Examples include permissions like:

  • Directory.ReadWrite.All
  • User.ReadWrite.All
  • Application.ReadWrite.All

Applications with such permissions can potentially modify users, change directory settings, or access sensitive data, making them important targets for security reviews.

This Graph PowerShell script helps administrators identify applications that have high-risk API permissions assigned and export the results into a CSV report for auditing and governance purposes.

🚀 Community Edition Released!

Try the M365Corner Microsoft 365 Reporting Tool — your DIY pack with 20+ out-of-the-box M365 reports for Users, Groups, and Teams.

The Script

Below is the script that scans all Entra ID applications and lists those containing high-risk API permissions.

                            
# Connect to Microsoft Graph
Connect-MgGraph -Scopes Application.Read.All

Write-Host "Scanning applications for high-risk API permissions..." -ForegroundColor Cyan

# Define high-risk permissions
$HighRiskPermissions = @(
"Directory.ReadWrite.All",
"User.ReadWrite.All",
"Application.ReadWrite.All",
"RoleManagement.ReadWrite.Directory",
"Group.ReadWrite.All",
"Mail.ReadWrite",
"Files.ReadWrite.All"
)

# Get all applications
$Applications = Get-MgApplication -All -Property Id,DisplayName,RequiredResourceAccess

$Results = @()

foreach ($App in $Applications) {

    $MatchedPermissions = @()

    foreach ($Resource in $App.RequiredResourceAccess) {

        foreach ($Access in $Resource.ResourceAccess) {

            # Resolve permission name
            $PermissionId = $Access.Id

            # Get permission details from service principal
            $ServicePrincipal = Get-MgServicePrincipal -Filter "appId eq '$($Resource.ResourceAppId)'" -Property AppRoles,Oauth2PermissionScopes

            $PermissionName = ($ServicePrincipal.AppRoles + $ServicePrincipal.Oauth2PermissionScopes | Where-Object {$_.Id -eq $PermissionId}).Value

            if ($HighRiskPermissions -contains $PermissionName) {

                $MatchedPermissions += $PermissionName
            }
        }
    }

    if ($MatchedPermissions.Count -gt 0) {

        Write-Host "$($App.DisplayName) contains high-risk API permissions" -ForegroundColor Red

        $Results += [PSCustomObject]@{
            ApplicationName      = $App.DisplayName
            ApplicationId        = $App.Id
            HighRiskPermissions  = ($MatchedPermissions -join ", ")
        }
    }
}

# Export report
$ExportPath = "D:\HighRisk_Application_Permissions_Report.csv"

$Results | Export-Csv $ExportPath -NoTypeInformation

Write-Host "Report exported to $ExportPath" -ForegroundColor Cyan

How the Script Works

Let’s walk through the script step by step.

  1. Connect to Microsoft Graph
    2. Connect-MgGraph -Scopes Application.Read.All

    The script starts by authenticating to Microsoft Graph.

    The Application.Read.All permission allows the script to retrieve application registration details from Microsoft Entra ID.

    This permission is necessary because application metadata and API permissions are stored within the directory.

  2. Define High-Risk Permissions
    3. $HighRiskPermissions = @(...)

    A list of high-risk API permissions is defined in an array.

    These permissions are considered sensitive because they allow applications to:

    • Modify directory objects
    • Access or modify user accounts
    • Manage applications
    • Read or modify files and mailboxes

    Administrators can expand this list depending on their organization's security policies.

  3. Retrieve All Applications
    4. $Applications = Get-MgApplication -All -Property Id,DisplayName,RequiredResourceAccess

    This command retrieves all application registrations in the tenant.

    Key properties retrieved include:

    Property Purpose
    Id Unique identifier of the application
    DisplayName Application name
    RequiredResourceAccess API permissions assigned to the application

    The RequiredResourceAccess property contains details of the APIs and permissions the application requests.

  4. Scan Application Permissions

    5. The script loops through each application and inspects its API permissions.

    foreach ($App in $Applications)

    For each application:

    • The script checks every API resource
    • It then checks every permission assigned to that resource.
  5. Resolve Permission Names

    6. API permissions are stored internally as permission IDs, not readable names.

    The script resolves these IDs by retrieving the associated service principal.

    $ServicePrincipal = Get-MgServicePrincipal

    It then searches both:

    • AppRoles
    • Oauth2PermissionScopes

    to find the matching permission name.

  6. Match Against High-Risk Permissions

    7. The resolved permission name is compared against the predefined list.

    if ($HighRiskPermissions -contains $PermissionName)

    If a match is found:

    • The permission is flagged
    • It is stored in a collection of matched permissions.
  7. Record Applications with Risky Permissions

    8. If one or more high-risk permissions are detected:

    if ($MatchedPermissions.Count -gt 0)

    The script:

    • Displays a warning in the console
    • Adds the application details to a result object.

    The report includes:

    • Application Name
    • Application ID
    • High-Risk Permissions assigned
  8. Export the Security Report

    9. Finally, the script exports the results to a CSV file.

    $ExportPath = "D:\HighRisk_Application_Permissions_Report.csv"

    The report can then be used for:

    • Security audits
    • Compliance checks
    • Application governance reviews
    • Permission cleanup initiatives.

Further Enhancements

Administrators can extend this script in several ways.

  1. Include Application Owners

    2. You can retrieve application owners to identify who manages the application.

    Example:

    Get-MgApplicationOwner

    This helps administrators contact the responsible owner before making permission changes.

  2. Add Permission Risk Scoring

    3. Organizations may categorize permissions into:

    • Low risk
    • Medium risk
    • High risk

    This allows for more structured risk reporting.

  3. Export Additional Application Details

    4. You could extend the report to include:

    • Application creation date
    • Publisher information
    • Application owners
    • Consent type (Delegated or Application)

    This would provide a more comprehensive security overview.

  4. Automate Security Audits

    5. This script can be scheduled using:

    • Task Scheduler
    • Azure Automation
    • Automation Runbooks

    Automating the script ensures continuous monitoring of risky application permissions.


Possible Errors & Solutions

Below are some common errors administrators may encounter.

Error Cause Solution
Insufficient privileges to complete the operation The account running the script lacks the required permissions. Reconnect with the required scope:
Connect-MgGraph -Scopes Application.Read.All
Ensure the user has one of these roles:
  • Global Administrator
  • Cloud Application Administrator
  • Application Administrator
Graph PowerShell module not installed
Get-MgApplication : The term 'Get-MgApplication' is not recognized		 The Microsoft Graph PowerShell module is missing. Install the module:
Install-Module Microsoft.Graph -Scope CurrentUser
Then import it:
Import-Module Microsoft.Graph
Cannot export CSV file
Access to the path 'D:\HighRisk_Application_Permissions_Report.csv' is denied		 The specified path may not exist or the script does not have permission to write to that location. Either:
  • Run PowerShell as Administrator
    or
  • Change the export path.

Example:
C:\Temp\HighRisk_Application_Permissions_Report.csv

Conclusion

Applications with high-risk API permissions pose a significant security concern in Microsoft Entra ID environments. These permissions can grant applications the ability to modify users, manage applications, or access sensitive organizational data.

This Graph PowerShell script helps administrators quickly identify applications that contain high-risk API permissions and generate a structured report for review.

Regularly auditing application permissions ensures that:

  • unnecessary permissions are removed
  • abandoned applications are identified
  • tenant security posture remains strong

Running scripts like this periodically can greatly improve Microsoft 365 security governance and application lifecycle management.

Table of Contents

X

Table of Contents

Graph PowerShell Explorer Widget

20 Graph PowerShell cmdlets with easily accessible "working" examples.


Permission Required

Example:


                            

                            

                            

                            

                            

                        

                    

                


                
            

        

    


    
    
  
    

        
© Created and Maintained by LEARNIT WELL SOLUTIONS. All Rights Reserved.