Public/Get-KritTcmServicePrincipalState.ps1
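function Get-KritTcmServicePrincipalState {
    <#
    .SYNOPSIS
    Read the TCM service principal, companion M365 Admin Services principal, and granted Graph app-role assignments in the connected tenant.

    .DESCRIPTION
    Resolves the three service principals by appId (the appIds come from Get-KritTcmConstant), lists the
    app-role assignments held by the TCM principal, and maps each AppRoleId to the matching AppRoles entry
    on the Microsoft Graph service principal so the permission value is human-readable. An AppRoleId that
    is not found among Graph's AppRoles (for example an assignment against another resource) is reported
    as its raw GUID string.

    Graph lookup failures are not thrown. They are collected into the LookupErrors property so a caller
    can distinguish "principal absent" from "lookup failed" (e.g. insufficient Graph permissions).
    TcmConfigured and M365AdminServicesConfigured are only meaningful when LookupErrors is empty.

    .OUTPUTS
    PSCustomObject: Action, TenantId, Account, TcmServicePrincipal, M365AdminServicesServicePrincipal,
    MicrosoftGraphServicePrincipal, TcmConfigured, M365AdminServicesConfigured,
    GrantedGraphPermissions (rows sorted by Permission), GrantedGraphPermissionCount, LookupErrors.

    .NOTES
    Throws if there is no active Microsoft Graph context (Get-MgContext returns nothing).
    #>
    [CmdletBinding()]
    param()

    if (-not (Get-Command Get-MgServicePrincipal -ErrorAction SilentlyContinue)) {
        Import-Module Microsoft.Graph.Applications -ErrorAction Stop
    }

    $context = Get-MgContext -ErrorAction SilentlyContinue
    if (-not $context) {
        throw 'Not connected to Microsoft Graph. Run Connect-KritTcm or Connect-MgGraph first.'
    }

    # Lookup errors are recorded here instead of being discarded; see .DESCRIPTION.
    $lookupErrors = [System.Collections.Generic.List[string]]::new()

    # Look up one service principal by appId. Returns $null (and records a LookupErrors entry)
    # when the query fails, rather than silently reporting the principal as absent.
    function Find-ServicePrincipalByAppId {
        param(
            [string]$AppId,
            [string]$Label
        )

        # The appId is interpolated into an OData filter, so only a well-formed GUID is accepted.
        $parsed = [guid]::Empty
        if (-not [guid]::TryParse($AppId, [ref]$parsed)) {
            $lookupErrors.Add("${Label}: appId '$AppId' is not a valid GUID; lookup skipped.")
            return $null
        }

        $found = Get-MgServicePrincipal -Filter "appId eq '$parsed'" -ErrorAction SilentlyContinue -ErrorVariable spErr
        foreach ($e in $spErr) {
            $lookupErrors.Add("${Label}: $e")
        }
        return $found
    }

    $tcmAppId   = Get-KritTcmConstant -Name TcmServicePrincipalAppId
    $adminAppId = Get-KritTcmConstant -Name M365AdminServicesAppId
    $graphAppId = Get-KritTcmConstant -Name MsGraphAppId

    $tcmSp   = Find-ServicePrincipalByAppId -AppId $tcmAppId   -Label 'TcmServicePrincipal'
    $adminSp = Find-ServicePrincipalByAppId -AppId $adminAppId -Label 'M365AdminServicesServicePrincipal'
    $graphSp = Find-ServicePrincipalByAppId -AppId $graphAppId -Label 'MicrosoftGraphServicePrincipal'

    # App-role assignments held by the TCM principal; empty when the principal was not found.
    $assignments = @()
    if ($tcmSp) {
        $assignments = @(Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $tcmSp.Id -All -ErrorAction SilentlyContinue -ErrorVariable asgErr)
        foreach ($e in $asgErr) {
            $lookupErrors.Add("AppRoleAssignments: $e")
        }
    }

    # Index Graph's AppRoles by Id once so each assignment is resolved with a hash lookup.
    $graphRolesById = @{}
    foreach ($graphRole in @($graphSp.AppRoles)) {
        if ($null -ne $graphRole) {
            $graphRolesById[[string]$graphRole.Id] = $graphRole
        }
    }

    $permissionRows = @(
        foreach ($assignment in $assignments) {
            $role = $graphRolesById[[string]$assignment.AppRoleId]
            [pscustomobject]@{
                # Fall back to the raw GUID when the role is not a Graph app role.
                Permission  = if ($role) { $role.Value } else { [string]$assignment.AppRoleId }
                AppRoleId   = $assignment.AppRoleId
                ResourceId  = $assignment.ResourceId
                PrincipalId = $assignment.PrincipalId
            }
        }
    )

    [pscustomobject]@{
        Action                            = 'Get-KritTcmServicePrincipalState'
        TenantId                          = $context.TenantId
        Account                           = $context.Account
        TcmServicePrincipal               = $tcmSp
        M365AdminServicesServicePrincipal = $adminSp
        MicrosoftGraphServicePrincipal    = $graphSp
        TcmConfigured                     = [bool]$tcmSp
        M365AdminServicesConfigured       = [bool]$adminSp
        GrantedGraphPermissions           = @($permissionRows | Sort-Object Permission)
        GrantedGraphPermissionCount       = $permissionRows.Count
        # Non-empty means one or more lookups failed; the Configured flags above are then unreliable.
        LookupErrors                      = @($lookupErrors)
    }
}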