Added macos support

merill · merill · commit d32cf4ca216a · 2024-01-31T23:18:41.000+11:00
diff --git a/assets/aadconsentgrantpermissiontable.csv b/assets/aadconsentgrantpermissiontable.csv
@@ -5,7 +5,10 @@ Delegated,Contacts,High,Phishing
 Delegated,MailboxSettings,High,Phishing
 Delegated,People,High,Phishing
 Delegated,Files,High,Phishing
+Delegated,AllSites,High,Phishing
 Delegated,Notes,High,Phishing
+Delegated,Policy,High,Phishing
+Delegated,AppRoleAssignment.ReadWrite.All,High,Phishing
 Delegated,Directory.AccessAsUser.All,High,Phishing
 Delegated,user_impersonation,High,Phishing
 Delegated,Application.ReadWrite.All,High,BroadImpact
@@ -15,14 +18,24 @@ Delegated,EduRoster.ReadWrite.All,High,BroadImpact
 Delegated,Group.ReadWrite.All,High,BroadImpact
 Delegated,Member.Read.Hidden,High,BroadImpact
 Delegated,RoleManagement.ReadWrite.Directory,High,BroadImpact
+Delegated,RoleAssignmentSchedule.ReadWrite.Directory,High,BroadImpact
+Delegated,RoleEligibilitySchedule.ReadWrite.Directory,High,BroadImpact
 Delegated,User.ReadWrite.All,High,BroadImpact
 Delegated,User.ManageCreds.All,High,BroadImpact
+Delegated,User.Export.All,High,BroadImpact
 Application,Mail,High,Phishing
 Application,Contacts,High,Phishing
 Application,MailboxSettings,High,Phishing
 Application,People,High,Phishing
 Application,Files,High,Phishing
+Application,Sites,High,Phishing
+Application,AllSites,High,Phishing
 Application,Notes,High,Phishing
+Application,Policy,High,BroadImpact
+Application,PrivilegedAccess,High,BroadImpact
+Application,PrivilegedAssignmentSchedule,High,BroadImpact
+Application,PrivilegedEligibilitySchedule,High,BroadImpact
+Application,AppRoleAssignment.ReadWrite.All,High,Phishing
 Application,Directory.AccessAsUser.All,High,Phishing
 Application,user_impersonation,High,Phishing
 Application,Application.ReadWrite.All,High,BroadImpact
@@ -31,12 +44,14 @@ Application,Domain.ReadWrite.All,High,BroadImpact
 Application,EduRoster.ReadWrite.All,High,BroadImpact
 Application,Group.ReadWrite.All,High,BroadImpact
 Application,Member.Read.Hidden,High,BroadImpact
+Application,UserAuthenticationMethod.ReadWrite.All,High,BroadImpact
 Application,RoleManagement.ReadWrite.Directory,High,BroadImpact
 Application,User.ReadWrite.All,High,BroadImpact
 Application,User.ManageCreds.All,High,BroadImpact
+Application,CallRecords.Read.All,High,SensitiveData
 Delegated,User.Read,Low,Common pattern
 Delegated,User.ReadBasic.All,Low,Common pattern
-Delegated,open_id,Low,Common pattern
+Delegated,openid,Low,Common pattern
 Delegated,email,Low,Common pattern
 Delegated,profile,Low,Common pattern
 Delegated,offline_access,Low,Common pattern when used with other low permissions
diff --git a/src/Export-MsIdAppConsentGrantReport.ps1 b/src/Export-MsIdAppConsentGrantReport.ps1
@@ -27,7 +27,6 @@ function Export-MsIdAppConsentGrantReport {
     [CmdletBinding(DefaultParameterSetName = 'Download Permissions Table Data',
         SupportsShouldProcess = $true,
         PositionalBinding = $false,
-        HelpUri = 'http://www.microsoft.com/',
         ConfirmImpact = 'Medium')]
     [Alias()]
     [OutputType([String])]
@@ -60,6 +59,8 @@ function Export-MsIdAppConsentGrantReport {
                 $Path
             )
 
+            $autoSize = $IsWindows # AutoSize of columns only works on Windows
+
             # Delete the existing output file if it already exists
             $OutputFileExists = Test-Path $Path
             if ($OutputFileExists -eq $true) {
@@ -134,23 +135,23 @@ function Export-MsIdAppConsentGrantReport {
 
             $excel = $data | Export-Excel -Path $Path -WorksheetName ConsentGrantData `
                 -PivotTableDefinition $pt `
-                -AutoSize `
+                -AutoSize:$autoSize `
                 -Activate `
                 -HideSheet "None" `
                 -UnHideSheet "PermissionsByPrivilegeRating" `
                 -PassThru
 
-            # Create temporary Excel file and add High Privilege Users sheet
-            $xlTempFile = "$env:TEMP\ImportExcelTempFile.xlsx"
-            Remove-Item $xlTempFile -ErrorAction Ignore
-            $exceltemp = $highprivilegeusers | Export-Excel $xlTempFile -PassThru
-            Add-Worksheet -ExcelPackage $excel -WorksheetName HighPrivilegeUsers -CopySource $exceltemp.Workbook.Worksheets["Sheet1"]
 
-            # Create temporary Excel file and add High Privilege Apps sheet
-            $xlTempFile = "$env:TEMP\ImportExcelTempFile.xlsx"
+            $xlTempFile = [system.io.path]::GetTempFileName()
+            $exceltemp = $highprivilegeusers | Export-Excel $xlTempFile -PassThru
+            Add-Worksheet -ExcelPackage $excel -WorksheetName HighPrivilegeUsers -CopySource $exceltemp.Workbook.Worksheets["Sheet1"] | Out-Null
             Remove-Item $xlTempFile -ErrorAction Ignore
+
+            Write-Verbose "Create temporary Excel file and add High Privilege Apps sheet"
+            $xlTempFile = [system.io.path]::GetTempFileName()
             $exceltemp = $highprivilegeapps | Export-Excel $xlTempFile -PassThru
-            Add-Worksheet -ExcelPackage $excel -WorksheetName HighPrivilegeApps -CopySource $exceltemp.Workbook.Worksheets["Sheet1"] -Activate
+            Add-Worksheet -ExcelPackage $excel -WorksheetName HighPrivilegeApps -CopySource $exceltemp.Workbook.Worksheets["Sheet1"] -Activate | Out-Null
+            Remove-Item $xlTempFile -ErrorAction Ignore
 
             $sheet = $excel.Workbook.Worksheets["ConsentGrantData"]
             Add-ConditionalFormatting -Worksheet $sheet -Range "A1:N1048576" -RuleType Equal -ConditionValue "High" -ForeGroundColor White -BackgroundColor Red -Bold -Underline
@@ -159,11 +160,11 @@ function Export-MsIdAppConsentGrantReport {
 
             $sheet = $excel.Workbook.Worksheets["HighPrivilegeUsers"]
             Add-ConditionalFormatting -Worksheet $sheet -Range "B1:B1048576" -RuleType Equal -ConditionValue "High" -ForeGroundColor White -BackgroundColor Red -Bold -Underline
-            Set-ExcelRange -Worksheet $sheet -Range A1:C1048576 -AutoSize
+            Set-ExcelRange -Worksheet $sheet -Range A1:C1048576 -AutoSize:$autoSize
 
             $sheet = $excel.Workbook.Worksheets["HighPrivilegeApps"]
             Add-ConditionalFormatting -Worksheet $sheet -Range "B1:B1048576" -RuleType Equal -ConditionValue "High" -ForeGroundColor White -BackgroundColor Red -Bold -Underline
-            Set-ExcelRange -Worksheet $sheet -Range A1:C1048576 -AutoSize
+            Set-ExcelRange -Worksheet $sheet -Range A1:C1048576 -AutoSize:$autoSize
 
             Export-Excel -ExcelPackage $excel | Out-Null
             Write-Verbose ("Excel workbook {0}" -f $ExcelWorkbookPath)
@@ -207,6 +208,7 @@ function Export-MsIdAppConsentGrantReport {
 
             # Get all ServicePrincipal objects and add to the cache
             Write-Verbose "Retrieving ServicePrincipal objects..."
+            Write-Progress -Activity "Retrieving ServicePrincipal objects..."
             $servicePrincipals = Get-MgServicePrincipal -ExpandProperty "appRoleAssignedTo"  -All:$true
             $Oauth2PermGrants = @()
 
@@ -216,7 +218,7 @@ function Export-MsIdAppConsentGrantReport {
                 $spPermGrants = Get-MgServicePrincipalOauth2PermissionGrant -ServicePrincipalId $sp.Id -All:$true
                 $Oauth2PermGrants += $spPermGrants
                 $count++
-                Write-Progress -Activity "Retrieving Delegate Permissions..." -Status "Cached: $count of $($servicePrincipals.Count)" -PercentComplete (($count / $servicePrincipals.Count) * 100)
+                Write-Progress -Activity "Retrieving Delegate Permissions..." -Status "$count of $($servicePrincipals.Count)" -PercentComplete (($count / $servicePrincipals.Count) * 100)
             }
 
             # Get one page of User objects and add to the cache
@@ -275,7 +277,7 @@ function Export-MsIdAppConsentGrantReport {
             }
 
             # Iterate over all ServicePrincipal objects and get app permissions
-            Write-Progress -Activity "Processing Application Permission Grants..."
+            Write-Progress -Activity "Retrieving Application Permissions..."
             $servicePrincipals | ForEach-Object {
                 $sp = $_
 
@@ -402,16 +404,14 @@ function Export-MsIdAppConsentGrantReport {
 
             if ($null -like $PermissionsTableCsvPath) {
                 # Create hash table of permissions and permissions privilege
-                Invoke-WebRequest -Uri 'https://raw.githubusercontent.com/AzureAD/MSIdentityTools/main/assets/aadconsentgrantpermissiontable.csv' -OutFile .\aadconsentgrantpermissiontable.csv
-                $permstable = Import-Csv .\aadconsentgrantpermissiontable.csv -Delimiter ','
+                $permstable = Invoke-WebRequest -Uri 'https://raw.githubusercontent.com/AzureAD/MSIdentityTools/main/assets/aadconsentgrantpermissiontable.csv' | ConvertFrom-Csv -Delimiter ','
             }
             else {
 
                 $permstable = Import-Csv $PermissionsTableCsvPath -Delimiter ','
             }
 
             Write-Output $permstable
-
         }
 
         if ("ExcelWorkbook" -eq $ReportOutputType) {
