
Get App Registrations by User Principal Name

Requires the Graph API permission "Application.Read.All" or the Cloud Application Administrator role.

This guide explains how to list all App Registrations owned by a given user. This is handy when someone leaves the company and you need to evaluate which app registrations that person maintained, so they can be handed over before the account is removed.

Preparations

For this script to work you need permission to list App Registrations, which requires the Application.Read.All Graph permission. The access token can be acquired with either delegated or application permissions.

This is the manual for application-based token acquisition: Create application acc... | LNC DOCS (lucanoahcaprez.ch)
And this one is for user-based tokens: Create user access tok... | LNC DOCS (lucanoahcaprez.ch)
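As an added example (not code from the page or the linked manuals), this is how an application token for the script below can be requested with the OAuth 2.0 client credentials flow against the Microsoft identity platform token endpoint. The tenant ID, client ID and secret are placeholders; the secret should come from a vault or environment variable rather than being pasted into the script, and the resulting token should be treated as a credential with the same care.

```powershell
# Added example: acquire an application access token for Microsoft Graph
# using the client credentials flow. Placeholder values must be replaced.
$TenantId     = "<tenant-id>"
$ClientId     = "<app-client-id>"
# Assumption: the client secret is provided through an environment variable
# so it never lands in the script file or in shell history.
$ClientSecret = $env:GRAPH_CLIENT_SECRET

$TokenRequest = @{
    client_id     = $ClientId
    client_secret = $ClientSecret
    scope         = "https://graph.microsoft.com/.default"   # uses the app's granted application permissions
    grant_type    = "client_credentials"
}

$TokenResponse = Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" `
    -ContentType "application/x-www-form-urlencoded" `
    -Body $TokenRequest

# This is the value the evaluation script expects in $AccessToken
$AccessToken = $TokenResponse.access_token

# Sanity check: the token is only useful if Application.Read.All was granted and admin-consented
if (-not $AccessToken) { throw "No access token returned; check the app's credentials and permissions." }
```

The token is valid for roughly an hour; if the evaluation runs longer than that in a large tenant, request a fresh token rather than extending the script's lifetime.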

Evaluate App Registration Owners

This is the script that evaluates the owners of all app registrations. The app registrations owned by the given user end up in the $UsersApplication variable. Before running it, the UPN of the user to be evaluated must be stored in the $UserPrincipalName variable and a valid token in $AccessToken.

$AccessToken = "<yourazureadaccesstoken>"
$UserPrincipalName = "<userprincipalnametosearchfor>"

$Header = @{
    "Authorization" = "Bearer $($AccessToken)"
}

$Params = @{
    "Method"      = "Get"
    "Uri"         = "https://graph.microsoft.com/v1.0/applications"
    "Headers"     = $Header
    "ContentType" = "application/json"
}

$Result = Invoke-RestMethod @Params
$AllApplications = $Result.value
while ($Result.'@odata.nextLink') {
    $Result = Invoke-RestMethod -Uri $Result.'@odata.nextLink' -Headers $Header
    $AllApplications += $Result.value
}

$UsersApplication = @()

# Query the owners of every app registration and keep the ones owned by the user
Foreach($Application in $AllApplications){
    $Params.Uri = "https://graph.microsoft.com/v1.0/applications/$($Application.id)/owners?`$select=id,userPrincipalName"
    $ApplicationInfo = (Invoke-RestMethod @Params).value
    # Add "-and $ApplicationInfo.userPrincipalName.Count -eq 1" to the condition if you only want to search for apps where the user is the only owner
    if($ApplicationInfo.userPrincipalName -eq $UserPrincipalName){
        $UsersApplication += $Application
    }
}
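The script above answers "which apps does this user own"; during offboarding the more urgent question is which of those apps would be left with no owner at all once the account is deleted. The following is an added example, not part of the original page, that wraps the same Graph calls in reusable functions, handles paging on both the applications and the owners collections, ignores service-principal owners (which carry no userPrincipalName) when comparing UPNs, and produces a report with a SoleOwner flag. It assumes $AccessToken and $UserPrincipalName are set exactly as in the script above; the function names and the CSV file name are my own choices.

```powershell
# Added example: report app registrations owned by a user and flag those where
# the user is the only owner (they become orphaned when the account is removed).

function Invoke-GraphPaged {
    # Fetches a Graph collection and follows @odata.nextLink until it is exhausted
    param([string]$Uri, [hashtable]$Headers)
    $Items = @()
    do {
        $Page = Invoke-RestMethod -Method Get -Uri $Uri -Headers $Headers
        if ($Page.value) { $Items += $Page.value }
        $Uri = $Page.'@odata.nextLink'
    } while ($Uri)
    return $Items
}

function Get-OwnedAppRegistrations {
    param(
        [Parameter(Mandatory)][string]$AccessToken,
        [Parameter(Mandatory)][string]$UserPrincipalName
    )
    $Headers = @{ "Authorization" = "Bearer $AccessToken" }

    # Only the fields needed for the report are selected to keep the responses small
    $Apps = @(Invoke-GraphPaged -Headers $Headers `
        -Uri "https://graph.microsoft.com/v1.0/applications?`$select=id,appId,displayName")

    foreach ($App in $Apps) {
        $Owners = @(Invoke-GraphPaged -Headers $Headers `
            -Uri "https://graph.microsoft.com/v1.0/applications/$($App.id)/owners?`$select=id,userPrincipalName")

        # Owners may be users or service principals; only users have a userPrincipalName
        $UserOwners = @($Owners | Where-Object { $_.userPrincipalName })
        # -contains is case-insensitive, matching how Entra ID treats UPNs
        if (-not ($UserOwners.userPrincipalName -contains $UserPrincipalName)) { continue }

        [PSCustomObject]@{
            DisplayName = $App.displayName
            AppId       = $App.appId
            ObjectId    = $App.id
            OwnerCount  = $Owners.Count
            SoleOwner   = ($Owners.Count -eq 1)
            OtherOwners = (@($UserOwners.userPrincipalName | Where-Object { $_ -ne $UserPrincipalName })) -join ";"
        }
    }
}

$Report = @(Get-OwnedAppRegistrations -AccessToken $AccessToken -UserPrincipalName $UserPrincipalName)

# Sole-owner apps first: these need a new owner assigned before the account is deleted
$Report | Sort-Object SoleOwner -Descending |
    Format-Table DisplayName, AppId, OwnerCount, SoleOwner, OtherOwners -AutoSize

# Keep a record for the offboarding ticket (file name is an arbitrary choice)
$Report | Export-Csv -Path ".\AppRegistrationOwners_$($UserPrincipalName).csv" -NoTypeInformation
```

The per-app owners call means one request per app registration, so in a tenant with thousands of apps expect the run to take a while; the paging helper keeps the result complete regardless of how many pages Graph returns. Apps with SoleOwner set to True are the ones to hand over first, since once the user object is deleted nobody outside the Global/Cloud Application Administrator roles can manage their credentials or redirect URIs.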