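#Requires -Modules @{ ModuleName="Microsoft.Graph.Authentication"; ModuleVersion="2.3.0" }
#Requires -Modules @{ ModuleName="Microsoft.Graph.Applications"; ModuleVersion="2.3.0" }
$ErrorActionPreference = 'stop'
<#
.SYNOPSIS
Using Microsoft Graph to find Single Page Applications (SPAs) with defined credentials.
.DESCRIPTION
An app registration with an SPA platform (one or more SPA redirect URIs) is a
public client: it signs users in from the browser and has no secure place to
keep a secret. A client secret on such a registration is therefore either
unused or has been shipped in browser-delivered code, where anyone can read it
and use it to obtain tokens as the application, with every application
permission that has been granted to it.

This script lists app registrations that have at least one SPA redirect URI
AND at least one client secret (passwordCredentials). Caveats:
- Certificate credentials (keyCredentials) are NOT evaluated here, although
  the same guidance applies to them.
- Expired secrets are reported too; treat those as hygiene findings to remove.
- Only app registrations in the signed-in tenant are inspected.
.NOTES
AUTHOR: https://github.com/dwarfered/msgraph-sdk-powershell-examples
UPDATED: 16-09-2023
#>

# Least privilege: enumerating app registrations needs only Application.Read.All.
$requiredScopes = @('Application.Read.All')

# Reuse an existing Graph session only if it already carries every required
# scope; otherwise (no session, or one lacking a scope) connect and request them.
# Scopes are compared by exact name. The previous check ran the scope names
# through -match unescaped, so '.' matched any character and any substring hit
# counted as a match.
$currentScopes = (Get-MgContext).Scopes
$missingScopes = @($requiredScopes | Where-Object { $currentScopes -notcontains $_ })
if ($null -eq $currentScopes -or $missingScopes.Count -gt 0) {
    Connect-MgGraph -Scopes $requiredScopes | Out-Null
}

# -All follows @odata.nextLink so the whole tenant is enumerated; 999 is the
# largest page size the applications endpoint currently accepts.
$allApplications = Get-MgApplication -All -PageSize 999

# PasswordCredentials is a (possibly empty) array. Test its length instead of
# comparing the array with $null: '<array> -ne $null' is an element filter, not
# a boolean, and the old form only behaved by accident.
$allApplicationsWithPasswords = $allApplications |
    Where-Object { $_.PasswordCredentials.Count -gt 0 }

# An app counts as an SPA when its SPA platform has at least one redirect URI.
# $_.Spa may be $null for non-SPA apps; StrictMode is not enabled in this
# script, so the chained property access yields a Count of 0 rather than an
# error. Result variable name is kept for any downstream consumer.
$allSpaApplicationsWithPasswords = $allApplicationsWithPasswords |
    Where-Object { $_.Spa.RedirectUris.Count -gt 0 }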