Finding apps that use EWS
In this video, Thomas shows you how to find out which enterprise applications in your Microsoft 365 tenant still use EWS permissions. Since Exchange Web Services (EWS) will be shut down at the end of 2026, it is important to identify affected apps early and migrate them to Microsoft Graph.
The PowerShell commands used in the video can be found here.
PowerShell commands
<#
.SYNOPSIS
Find Enterprise Apps that use EWS permissions
.DESCRIPTION
Running this script outputs an overview of all Enterprise Apps in a tenant
that are using either EWS.AccessAsUser.All or full_access_as_app permissions
through the "Office 365 Exchange Online" or "Microsoft Graph" endpoint
.NOTES
Version: 1.0
Author: Thomas Thaler
Creation Date: 2025-03-05
Purpose/Change: Creation
#>

# Ensure the Microsoft.Graph module is installed.
if (-not (Get-Module -ListAvailable -Name Microsoft.Graph)) {
    Write-Output "Installing Microsoft.Graph module..."
    Install-Module Microsoft.Graph -Scope CurrentUser -Force
}

# Connect to Microsoft Graph with the necessary scopes.
Connect-MgGraph -Scopes "Application.Read.All","Directory.Read.All"

# Define resource AppIds for Office 365 Exchange Online and Microsoft Graph.
$exchangeAppId = "00000002-0000-0ff1-ce00-000000000000"
$graphAppId    = "00000003-0000-0000-c000-000000000000"

# Retrieve the service principals for both resources.
$exchangeSP = Get-MgServicePrincipal -Filter "AppId eq '$exchangeAppId'"
$graphSP    = Get-MgServicePrincipal -Filter "AppId eq '$graphAppId'"

# Build a combined mapping of target permission IDs to friendly names.
# For clarity, we label permissions with the resource from which they come.
$permissionMap = @{}

# --- Office 365 Exchange Online ---
if ($exchangeSP) {
    $ewsDelegatedExchange = $exchangeSP.Oauth2PermissionScopes | Where-Object { $_.Value -eq "EWS.AccessAsUser.All" }
    if ($ewsDelegatedExchange) {
        $permissionMap[$ewsDelegatedExchange.Id] = "EWS.AccessAsUser.All (Exchange)"
    }
    $ewsAppPermissionExchange = $exchangeSP.AppRoles | Where-Object { $_.Value -eq "full_access_as_app" }
    if ($ewsAppPermissionExchange) {
        $permissionMap[$ewsAppPermissionExchange.Id] = "full_access_as_app (Exchange)"
    }
}

# --- Microsoft Graph ---
if ($graphSP) {
    $ewsDelegatedGraph = $graphSP.Oauth2PermissionScopes | Where-Object { $_.Value -eq "EWS.AccessAsUser.All" }
    if ($ewsDelegatedGraph) {
        $permissionMap[$ewsDelegatedGraph.Id] = "EWS.AccessAsUser.All (Graph)"
    }
    $ewsAppPermissionGraph = $graphSP.AppRoles | Where-Object { $_.Value -eq "full_access_as_app" }
    if ($ewsAppPermissionGraph) {
        $permissionMap[$ewsAppPermissionGraph.Id] = "full_access_as_app (Graph)"
    }
}

if ($permissionMap.Count -eq 0) {
    Write-Output "Target permissions were not found on either service principal."
    # 'return' instead of 'exit' so that a pasted or dot-sourced run does not close the console.
    return
}

# Define the list of resource AppIds we care about.
$targetResourceAppIds = @($exchangeAppId, $graphAppId)

# Retrieve all application registrations in the tenant.
$applications = Get-MgApplication -All

# Process applications to extract those with matching permissions.
# Note: inside the nested pipelines $_ is the inner object; after they finish,
# $_ in this block is the application object again.
$results = $applications | ForEach-Object {
    if ($_.RequiredResourceAccess) {
        $matchingPermissions = $_.RequiredResourceAccess |
            Where-Object { $targetResourceAppIds -contains $_.ResourceAppId } |
            ForEach-Object {
                $_.ResourceAccess | Where-Object { $permissionMap.ContainsKey($_.Id) } |
                    ForEach-Object { $permissionMap[$_.Id] }
            } | Select-Object -Unique
        if ($matchingPermissions) {
            [PSCustomObject]@{
                DisplayName = $_.DisplayName
                AppId       = $_.AppId
                ObjectId    = $_.Id
                Permissions = ($matchingPermissions -join ", ")
            }
        }
    }
}

# Sort the results by DisplayName and display the output.
if ($results) {
    Write-Output "Applications requesting EWS permissions (from Exchange Online and/or Microsoft Graph):"
    $results | Sort-Object DisplayName | Format-Table -AutoSize
} else {
    Write-Output "No applications with the target EWS permissions were found."
}
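The script above enumerates app registrations (Get-MgApplication), so a multi-tenant enterprise app published from another tenant, which exists in your tenant only as a service principal with consented permissions, is not listed. The following added example (not from the video or Thomas's script) covers that case by reading what was actually consented: delegated OAuth2 permission grants and full_access_as_app app role assignments. It assumes the same Connect-MgGraph session and scopes as the script above and uses only cmdlets from the Microsoft.Graph module.

```powershell
# Added example, not from the video or the original script. It lists EWS permissions
# that were actually consented on service principals, which also covers multi-tenant
# enterprise apps that have no app registration in this tenant. Assumes a Connect-MgGraph
# session with Application.Read.All and Directory.Read.All, as in the script above.
$exchangeAppId = "00000002-0000-0ff1-ce00-000000000000"
$graphAppId    = "00000003-0000-0000-c000-000000000000"
$exchangeSP = Get-MgServicePrincipal -Filter "AppId eq '$exchangeAppId'"
$graphSP    = Get-MgServicePrincipal -Filter "AppId eq '$graphAppId'"

# full_access_as_app is the app-only EWS role; it is defined only on Exchange Online.
$ewsAppRole = $exchangeSP.AppRoles | Where-Object { $_.Value -eq "full_access_as_app" }
$findings   = [System.Collections.Generic.List[object]]::new()

# 1. Delegated consent: OAuth2 permission grants whose resource is Exchange Online or
#    Microsoft Graph and whose space-separated Scope string contains the EWS scope.
$resourceIds = @($exchangeSP.Id, $graphSP.Id)
Get-MgOauth2PermissionGrant -All |
    Where-Object { $resourceIds -contains $_.ResourceId -and
                   ($_.Scope -split ' ') -contains "EWS.AccessAsUser.All" } |
    ForEach-Object {
        $client = Get-MgServicePrincipal -ServicePrincipalId $_.ClientId
        $findings.Add([PSCustomObject]@{
            DisplayName = $client.DisplayName
            AppId       = $client.AppId
            Permission  = "EWS.AccessAsUser.All (delegated)"
            # AllPrincipals = tenant-wide admin consent; Principal = one user consented
            Consent     = $_.ConsentType
        })
    }

# 2. Application consent: full_access_as_app role assignments on the Exchange Online
#    service principal. PrincipalId is the service principal of the client app.
if ($ewsAppRole) {
    Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $exchangeSP.Id -All |
        Where-Object { $_.AppRoleId -eq $ewsAppRole.Id } |
        ForEach-Object {
            $client = Get-MgServicePrincipal -ServicePrincipalId $_.PrincipalId
            $findings.Add([PSCustomObject]@{
                DisplayName = $client.DisplayName
                AppId       = $client.AppId
                Permission  = "full_access_as_app (application)"
                Consent     = "AppRoleAssignment"
            })
        }
}

# One row per app and permission; duplicates from several user consents collapse.
$findings | Sort-Object DisplayName, Permission -Unique | Format-Table -AutoSize
```

Apps that appear here but not in the output of the script above are the ones with consent in place but no local registration; a row with Consent = AllPrincipals means an admin granted the scope tenant-wide, so its migration to Microsoft Graph needs to be coordinated with the app's vendor.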