Public/Get-KritTcmServicePrincipalState.ps1

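function Get-KritTcmServicePrincipalState {
    <#
    .SYNOPSIS
        Read the TCM service principal, companion M365 Admin Services principal,
        and granted Graph app-role assignments in the connected tenant.

    .DESCRIPTION
        Resolves the three service principals by appId (the appIds come from
        Get-KritTcmConstant), then lists the app-role assignments held by the
        TCM principal. Assignments whose ResourceId is the Microsoft Graph
        principal are resolved to their permission name through the Graph
        principal's AppRoles; assignments against any other resource are
        returned in OtherAppRoleAssignments so they are not reported as Graph
        permissions.

        A failed lookup (for example an authorization error because the current
        Graph session lacks the scope to read service principals) is not the
        same as "not configured". Such failures are written as warnings and
        collected in LookupErrors; TcmConfigured and
        M365AdminServicesConfigured should only be trusted when LookupErrors
        is empty.

    .OUTPUTS
        PSCustomObject with the resolved principals, the Configured flags,
        GrantedGraphPermissions (sorted by Permission) and their count,
        OtherAppRoleAssignments and LookupErrors.
    #>

    [CmdletBinding()]
    param()

    if (-not (Get-Command Get-MgServicePrincipal -ErrorAction SilentlyContinue)) {
        Import-Module Microsoft.Graph.Applications -ErrorAction Stop
    }

    $context = Get-MgContext -ErrorAction SilentlyContinue
    if (-not $context) {
        throw 'Not connected to Microsoft Graph. Run Connect-KritTcm or Connect-MgGraph first.'
    }

    $tcmAppId = Get-KritTcmConstant -Name TcmServicePrincipalAppId
    $adminAppId = Get-KritTcmConstant -Name M365AdminServicesAppId
    $graphAppId = Get-KritTcmConstant -Name MsGraphAppId

    # Lookup failures are collected rather than swallowed: a $null principal
    # produced by an error must not be reported as "not configured".
    $lookupErrors = [System.Collections.Generic.List[string]]::new()

    # Resolve one service principal by appId; records (and warns about) any
    # non-terminating error the cmdlet raised, then returns the principal or $null.
    function Find-Principal {
        param([string]$AppId, [string]$Label)
        $found = Get-MgServicePrincipal -Filter "appId eq '$AppId'" -ErrorAction SilentlyContinue -ErrorVariable findErr
        foreach ($err in $findErr) {
            $message = '{0} lookup (appId {1}) failed: {2}' -f $Label, $AppId, $err
            $lookupErrors.Add($message)
            Write-Warning $message
        }
        $found
    }

    $tcmSp = Find-Principal -AppId $tcmAppId -Label 'TCM service principal'
    $adminSp = Find-Principal -AppId $adminAppId -Label 'M365 Admin Services service principal'
    $graphSp = Find-Principal -AppId $graphAppId -Label 'Microsoft Graph service principal'

    $assignments = @()
    if ($tcmSp) {
        $assignments = @(Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $tcmSp.Id -All -ErrorAction SilentlyContinue -ErrorVariable assignErr)
        foreach ($err in $assignErr) {
            $message = 'App-role assignment lookup for TCM service principal {0} failed: {1}' -f $tcmSp.Id, $err
            $lookupErrors.Add($message)
            Write-Warning $message
        }
    }

    # Only assignments whose resource is the Graph principal can be resolved
    # against Graph's AppRoles. When the Graph principal could not be resolved
    # there is nothing to compare against, so every assignment is kept (it will
    # surface with its raw AppRoleId as the Permission).
    $graphAssignments = @()
    $otherAssignments = @()
    foreach ($assignment in $assignments) {
        if (-not $graphSp -or $assignment.ResourceId -eq $graphSp.Id) {
            $graphAssignments += $assignment
        } else {
            $otherAssignments += $assignment
        }
    }

    # Index Graph's AppRoles once by Id instead of scanning the list per assignment.
    $roleById = @{}
    if ($graphSp) {
        foreach ($appRole in $graphSp.AppRoles) {
            $roleById[[string]$appRole.Id] = $appRole
        }
    }

    $permissionRows = @(
        foreach ($assignment in $graphAssignments) {
            $role = $roleById[[string]$assignment.AppRoleId]
            [pscustomobject]@{
                # Fall back to the raw role id when the role is not in Graph's AppRoles.
                Permission = if ($role) { $role.Value } else { [string]$assignment.AppRoleId }
                AppRoleId = $assignment.AppRoleId
                ResourceId = $assignment.ResourceId
                PrincipalId = $assignment.PrincipalId
            }
        }
    )

    [pscustomobject]@{
        Action = 'Get-KritTcmServicePrincipalState'
        TenantId = $context.TenantId
        Account = $context.Account
        TcmServicePrincipal = $tcmSp
        M365AdminServicesServicePrincipal = $adminSp
        MicrosoftGraphServicePrincipal = $graphSp
        TcmConfigured = [bool]$tcmSp
        M365AdminServicesConfigured = [bool]$adminSp
        GrantedGraphPermissions = @($permissionRows | Sort-Object Permission)
        GrantedGraphPermissionCount = $permissionRows.Count
        # Assignments held by the TCM principal against resources other than Graph.
        OtherAppRoleAssignments = $otherAssignments
        # Non-empty means at least one lookup errored; the Configured flags may be false negatives.
        LookupErrors = @($lookupErrors)
    }
}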