How to Find Non-Privileged Application Owners in Microsoft Entra


Managing application permissions in Microsoft Entra ID (formerly Azure AD) is critical for reducing security risk. An application owner can add credentials to the application and change its configuration, so an owner account that is not itself protected as a privileged role effectively holds whatever access the application has been granted. Identifying non-privileged application owners therefore helps enforce proper access control and closes off an easily overlooked path to elevated permissions.

You Should Know:

1. Prerequisites

Before running the script, ensure you have:

  • Microsoft Graph PowerShell Module installed.
  • Global Administrator or Privileged Role Administrator permissions.

Install the module with:

Install-Module Microsoft.Graph -Force 

2. Connect to Microsoft Graph

Authenticate with the required permissions:

Connect-MgGraph -Scopes "Application.Read.All", "Directory.Read.All", "User.Read.All" 

3. Retrieve All Applications and Their Owners

Use Microsoft Graph to fetch applications and their owners:

$apps = Get-MgApplication -All
$results = @()

foreach ($app in $apps) {
    $owners = Get-MgApplicationOwner -ApplicationId $app.Id
    foreach ($owner in $owners) {
        # Owners can also be service principals; only user owners are evaluated here
        if ($owner.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.user') { continue }

        $user = Get-MgUser -UserId $owner.Id
        # Active directory role assignments held directly by this user
        # (eligible PIM assignments and group-based assignments are not returned by this call)
        $roleAssignments = Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$($user.Id)'"
        $isPrivileged = @($roleAssignments).Count -gt 0

        $results += [PSCustomObject]@{
            AppName      = $app.DisplayName
            AppId        = $app.AppId
            OwnerName    = $user.DisplayName
            OwnerUPN     = $user.UserPrincipalName
            IsPrivileged = $isPrivileged
        }
    }
}

$results | Export-Csv -Path "EntraAppOwners.csv" -NoTypeInformation

4. Filter Non-Privileged Owners

To extract only non-privileged owners:

$nonPrivilegedOwners = $results | Where-Object { $_.IsPrivileged -eq $false } 
$nonPrivilegedOwners | Format-Table -AutoSize 

5. Remediation Steps

  • Reassign Ownership: Move app ownership to privileged accounts.
  • Review Permissions: Check if the app has excessive API permissions.
  • Audit Regularly: Schedule periodic reviews of app ownership.
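The three remediation bullets above, worked as an added PowerShell script that is not part of the original post and not Microsoft's own tooling. It assumes the CSV produced in step 3 (Export-Csv writes IsPrivileged as the string "False", which is what the filter compares against), a designated privileged owner identified by UPN (the $NewOwnerUpn value is a placeholder), and a session opened with Application.ReadWrite.All in addition to the scopes from step 2, which is needed only for the ownership changes. The "Flag" heuristic for broad application permissions is this example's own choice, not a Microsoft classification. Without -Commit the script only reports what it would do.

```powershell
param(
    [string]$CsvPath     = "EntraAppOwners.csv",
    [string]$NewOwnerUpn = "app-owner-admin@contoso.example",  # placeholder, assumed
    [switch]$Commit                                            # omit to only print the plan
)

# Resolve the API permissions an app requests from GUIDs to readable names.
# RequiredResourceAccess holds resource app IDs and permission IDs; the names live on the
# resource's service principal (AppRoles for application permissions, Oauth2PermissionScopes
# for delegated ones).
function Get-AppRequestedPermission {
    param([string]$AppId)
    $app = Get-MgApplication -Filter "appId eq '$AppId'"
    foreach ($resource in $app.RequiredResourceAccess) {
        $sp = Get-MgServicePrincipal -Filter "appId eq '$($resource.ResourceAppId)'"
        foreach ($access in $resource.ResourceAccess) {
            if ($access.Type -eq 'Role') {
                $kind = 'Application'
                $name = ($sp.AppRoles | Where-Object Id -eq $access.Id).Value
            } else {
                $kind = 'Delegated'
                $name = ($sp.Oauth2PermissionScopes | Where-Object Id -eq $access.Id).Value
            }
            [PSCustomObject]@{
                AppId      = $AppId
                Resource   = $sp.DisplayName
                Kind       = $kind
                Permission = $name
                # Heuristic (this example's choice): application permissions that write or
                # span the whole tenant deserve a manual review before ownership is reassigned
                Flag       = ($kind -eq 'Application' -and ($name -like '*ReadWrite*' -or $name -like '*.All'))
            }
        }
    }
}

# Import-Csv yields strings, so the boolean written by Export-Csv is compared as text
$rows     = Import-Csv -Path $CsvPath | Where-Object { $_.IsPrivileged -eq 'False' }
$newOwner = Get-MgUser -UserId $NewOwnerUpn

# The CSV has one row per owner; group them so each app is handled once
foreach ($group in ($rows | Group-Object AppId)) {
    $appId = $group.Name
    $app   = Get-MgApplication -Filter "appId eq '$appId'"

    # Review Permissions: list what the app requests and highlight broad application permissions
    $perms   = @(Get-AppRequestedPermission -AppId $appId)
    $flagged = @($perms | Where-Object Flag)
    Write-Host "== $($app.DisplayName) ($appId): $($perms.Count) requested permissions, $($flagged.Count) flagged"
    foreach ($p in $flagged) { Write-Host "   review: $($p.Resource) / $($p.Permission)" }

    # Reassign Ownership: add the designated privileged owner first so the app is never left
    # without an owner, then remove only the non-privileged owners listed in the CSV
    $currentOwnerIds = @((Get-MgApplicationOwner -ApplicationId $app.Id).Id)
    if ($newOwner.Id -notin $currentOwnerIds) {
        Write-Host "   add owner $NewOwnerUpn"
        if ($Commit) {
            New-MgApplicationOwnerByRef -ApplicationId $app.Id -BodyParameter @{
                "@odata.id" = "https://graph.microsoft.com/v1.0/directoryObjects/$($newOwner.Id)"
            }
        }
    }
    foreach ($row in $group.Group) {
        $oldOwner = Get-MgUser -UserId $row.OwnerUPN
        Write-Host "   remove non-privileged owner $($row.OwnerUPN)"
        if ($Commit) {
            Remove-MgApplicationOwnerByRef -ApplicationId $app.Id -DirectoryObjectId $oldOwner.Id
        }
    }
}
```

Run it once without -Commit and keep the printed plan with the CSV as the audit record for the "Audit Regularly" step; the same two files, produced on a schedule, give you a diffable history of who owned which app and when ownership was corrected.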

What Undercode Says

Managing application ownership in Entra ID is crucial for security hygiene. Non-privileged owners can introduce risks if left unchecked. Automate this process with PowerShell and integrate it into your security audits.

For deeper insights, check the original guide:

🔗 How to Find Non-Privileged Applications Owners in Microsoft Entra

Expected Output:

A CSV file (EntraAppOwners.csv) containing app names, IDs, owner details, and privilege status. Filter and remediate as needed.

References:

Reported By: Beingageek Entraid – Hackers Feeds
