Automating with PowerShell: Setting up application consent

Application consent for M365 is a pretty cool feature – users can’t add their own applications but they are able to request an administrator to approve applications they need. That means the risk of OAuth applications gaining access to mailboxes is a lot lower.

We’re going to cover two things; number one is to setup the OAuth consent workflow so that application requests can be sent, then we’re also going to setup a monitoring script for whenever an application is requested by one of your users.

For both scripts, you’ll need the secure application model.

Setup of consent

So first we’ll need to setup the actual processing of consent requests. Consent request workflow is pretty simple for users; after setup they’ll get a little pop-up whenever they have an app that wants access to resources. For more info about that check the Microsoft documentation here.

When you execute this script, the script will enable consent requests and select the current global admins as the reviewers. The script requires some extra permissions on your secure application model;

  • Go to the Azure Portal.
  • Click on Azure Active Directory, now click on “App Registrations”.
  • Find your Secure App Model application. You can search based on the ApplicationID.
  • Go to “API Permissions” and click Add a permission.
  • Choose “Microsoft Graph” and “Delegated permission”.
  • Add the “Policy.ReadWrite.ConsentRequest,” and “ConsentRequest.Read.All,” permission.
  • Finally, click on “Grant Admin Consent for Company Name.
#
$ApplicationId = 'AppID'
$ApplicationSecret = 'AppSecret'
$RefreshToken = 'RefreshTokens'
#
$credential = New-Object System.Management.Automation.PSCredential($ApplicationId, ($ApplicationSecret | Convertto-SecureString -AsPlainText -Force))
$graphToken = New-PartnerAccessToken -ApplicationId $ApplicationId -Credential $credential -RefreshToken $refreshToken -Scopes 'https://graph.microsoft.com/.default' -ServicePrincipal
   
write-host "Connecting to the Graph API to get all tenants." -ForegroundColor Green
$Contractheaders = @{ "Authorization" = "Bearer $($graphToken.accesstoken)" }  
$Customers = (Invoke-RestMethod -Uri "https://graph.microsoft.com/v1.0/contracts?`$top=999" -Method GET -Headers $Contractheaders).value
foreach ($Customer in $Customers) {
    $ClientToken = New-PartnerAccessToken -ApplicationId $ApplicationId -Credential $credential -RefreshToken $refreshToken -Scopes 'https://graph.microsoft.com/.default' -ServicePrincipal -Tenant $Customer.customerId
    $headers = @{ "Authorization" = "Bearer $($ClientToken.accesstoken)" }
    write-host "Processing $($customer.DefaultDomainName)"
    $Admin = (Invoke-RestMethod -Uri "https://graph.microsoft.com/v1.0/directoryRoles/roleTemplateId=62e90394-69f5-4237-9190-012177145e10/members" -Method Get -Headers $headers).value.id | Select-Object -Last 1
    $ConsentBody = @"
    {
        "isEnabled": true,
        "notifyReviewers": true,
        "remindersEnabled": true,
        "requestDurationInDays": 5,
        "reviewers": [{
            "query": "/users/$($admin)",
            "queryType": "MicrosoftGraph"
        }]
    }
"@

    (Invoke-RestMethod -Uri "https://graph.microsoft.com/beta/policies/adminConsentRequestPolicy" -ContentType "application/json" -Body $ConsentBody -Method PUT -Headers $headers)
}
 

And that’s the consent part, let’s move on to monitoring the actual requests

Monitoring consent requests

So monitoring the requests is very similar to the script above, but we’re getting a list of all requests instead, if we find that a tenant is waiting approval, we alert on that.

#
$ApplicationId = 'AppID'
$ApplicationSecret = 'AppSecret'
$RefreshToken = 'RefreshTokens'
#
$credential = New-Object System.Management.Automation.PSCredential($ApplicationId, ($ApplicationSecret | Convertto-SecureString -AsPlainText -Force))
$graphToken = New-PartnerAccessToken -ApplicationId $ApplicationId -Credential $credential -RefreshToken $refreshToken -Scopes 'https://graph.microsoft.com/.default' -ServicePrincipal
   
write-host "Connecting to the Graph API to get all tenants." -ForegroundColor Green
$Contractheaders = @{ "Authorization" = "Bearer $($graphToken.accesstoken)" }  
$Customers = (Invoke-RestMethod -Uri "https://graph.microsoft.com/v1.0/contracts?`$top=999" -Method GET -Headers $Contractheaders).value
$Requests = foreach ($Customer in $Customers) {
    $ClientToken = New-PartnerAccessToken -ApplicationId $ApplicationId -Credential $credential -RefreshToken $refreshToken -Scopes 'https://graph.microsoft.com/.default' -ServicePrincipal -Tenant $Customer.customerId
    $headers = @{ "Authorization" = "Bearer $($ClientToken.accesstoken)" }
    write-host "Processing $($customer.DefaultDomainName)"
    $TenantRequest = (Invoke-RestMethod -Uri "https://graph.microsoft.com/beta/identityGovernance/appConsent/appConsentRequests" -ContentType "application/json" -Method GET -Headers $headers).value
    $RequestWaiting = if ($TenantRequest) { $true } else { $false }
    [PSCustomObject]@{
        TenantName     = $Customer.defaultDomainName
        RequestWaiting = $RequestWaiting 
        Request        = $TenantRequest
    }
}

if ($TenantRequest | Where-Object -Property RequestWaiting -eq $true) {
    write-host "There is one or more applications awaiting approval:"
    $TenantRequest | Where-Object -Property RequestWaiting -eq $true
}

And that’s it! as always, Happy PowerShelling. 🙂

2 Comments

  1. Darren September 7, 2021 at 2:40 am

    Hey Kelvin, Just wondering the script does not disable the following two settings:

    Users can consent to apps accessing company data on their behalf
    Users can consent to apps accessing company data for the groups they own

    Wouldn’t that be also required to force the users to request admin consent or are we assuming that we have already disabled it as per this?

    https://docs.microsoft.com/en-us/microsoft-365/admin/misc/user-consent?view=o365-worldwide

  2. Darren September 7, 2021 at 2:54 am

    And one more: Should the if statement at the end of the second script be:

    if ($Requests | Where-Object -Property RequestWaiting -eq $true) {
    write-host “There is one or more applications awaiting approval:”
    $Requests | Where-Object -Property RequestWaiting -eq $true
    }

Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.