Application consent for M365 is a pretty cool feature – users can’t add their own applications but they are able to request an administrator to approve applications they need. That means the risk of OAuth applications gaining access to mailboxes is a lot lower.
We’re going to cover two things; number one is to setup the OAuth consent workflow so that application requests can be sent, then we’re also going to setup a monitoring script for whenever an application is requested by one of your users.
For both scripts, you’ll need the secure application model.
Setup of consent
So first we’ll need to setup the actual processing of consent requests. Consent request workflow is pretty simple for users; after setup they’ll get a little pop-up whenever they have an app that wants access to resources. For more info about that check the Microsoft documentation here.
When you execute this script, the script will enable consent requests and select the current global admins as the reviewers. The script requires some extra permissions on your secure application model;
- Go to the Azure Portal.
- Click on Azure Active Directory, now click on “App Registrations”.
- Find your Secure App Model application. You can search based on the ApplicationID.
- Go to “API Permissions” and click Add a permission.
- Choose “Microsoft Graph” and “Delegated permission”.
- Add the “Policy.ReadWrite.ConsentRequest,” and “ConsentRequest.Read.All,” permission.
- Finally, click on “Grant Admin Consent for Company Name.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
|
#
$ApplicationId = 'AppID'
$ApplicationSecret = 'AppSecret'
$RefreshToken = 'RefreshTokens'
#
$credential = New-Object System.Management.Automation.PSCredential($ApplicationId, ($ApplicationSecret | Convertto-SecureString -AsPlainText -Force))
$graphToken = New-PartnerAccessToken -ApplicationId $ApplicationId -Credential $credential -RefreshToken $refreshToken -Scopes 'https://graph.microsoft.com/.default' -ServicePrincipal
write-host "Connecting to the Graph API to get all tenants." -ForegroundColor Green
$Contractheaders = @{ "Authorization" = "Bearer $($graphToken.accesstoken)" }
$Customers = (Invoke-RestMethod -Uri "https://graph.microsoft.com/v1.0/contracts?`$top=999" -Method GET -Headers $Contractheaders).value
foreach ($Customer in $Customers) {
$ClientToken = New-PartnerAccessToken -ApplicationId $ApplicationId -Credential $credential -RefreshToken $refreshToken -Scopes 'https://graph.microsoft.com/.default' -ServicePrincipal -Tenant $Customer.customerId
$headers = @{ "Authorization" = "Bearer $($ClientToken.accesstoken)" }
write-host "Processing $($customer.DefaultDomainName)"
$Admin = (Invoke-RestMethod -Uri "https://graph.microsoft.com/v1.0/directoryRoles/roleTemplateId=62e90394-69f5-4237-9190-012177145e10/members" -Method Get -Headers $headers).value.id | Select-Object -Last 1
$ConsentBody = @"
{
"isEnabled": true,
"notifyReviewers": true,
"remindersEnabled": true,
"requestDurationInDays": 5,
"reviewers": [{
"query": "/users/$($admin)",
"queryType": "MicrosoftGraph"
}]
}
"@
(Invoke-RestMethod -Uri "https://graph.microsoft.com/beta/policies/adminConsentRequestPolicy" -ContentType "application/json" -Body $ConsentBody -Method PUT -Headers $headers)
}
|
And that’s the consent part, let’s move on to monitoring the actual requests
Monitoring consent requests
So monitoring the requests is very similar to the script above, but we’re getting a list of all requests instead, if we find that a tenant is waiting approval, we alert on that.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
|
#
$ApplicationId = 'AppID'
$ApplicationSecret = 'AppSecret'
$RefreshToken = 'RefreshTokens'
#
$credential = New-Object System.Management.Automation.PSCredential($ApplicationId, ($ApplicationSecret | Convertto-SecureString -AsPlainText -Force))
$graphToken = New-PartnerAccessToken -ApplicationId $ApplicationId -Credential $credential -RefreshToken $refreshToken -Scopes 'https://graph.microsoft.com/.default' -ServicePrincipal
write-host "Connecting to the Graph API to get all tenants." -ForegroundColor Green
$Contractheaders = @{ "Authorization" = "Bearer $($graphToken.accesstoken)" }
$Customers = (Invoke-RestMethod -Uri "https://graph.microsoft.com/v1.0/contracts?`$top=999" -Method GET -Headers $Contractheaders).value
$Requests = foreach ($Customer in $Customers) {
$ClientToken = New-PartnerAccessToken -ApplicationId $ApplicationId -Credential $credential -RefreshToken $refreshToken -Scopes 'https://graph.microsoft.com/.default' -ServicePrincipal -Tenant $Customer.customerId
$headers = @{ "Authorization" = "Bearer $($ClientToken.accesstoken)" }
write-host "Processing $($customer.DefaultDomainName)"
$TenantRequest = (Invoke-RestMethod -Uri "https://graph.microsoft.com/beta/identityGovernance/appConsent/appConsentRequests" -ContentType "application/json" -Method GET -Headers $headers).value
$RequestWaiting = if ($TenantRequest) { $true } else { $false }
[PSCustomObject]@{
TenantName = $Customer.defaultDomainName
RequestWaiting = $RequestWaiting
Request = $TenantRequest
}
}
if ($TenantRequest | Where-Object -Property RequestWaiting -eq $true) {
write-host "There is one or more applications awaiting approval:"
$TenantRequest | Where-Object -Property RequestWaiting -eq $true
}
|
And that’s it! as always, Happy PowerShelling. 🙂