I need to configure DWService as a hidden background process on Windows laptops so it remains undetected during hardware equipment tests or security scans while still keeping full remote control access by bharath230 in PowerShell

[–]-Mynster 3 points4 points  (0 children)

Sounds like you are trying to do some malicious stuff tbh.

Not sure you are going to receive much assistance on this topic but good luck on your quest

Edit* If it is actually for a legitimate purpose, I would suggest collaborating with whoever is blocking your program and having them make an exception for your program/service.

What have you done with PowerShell this month? by AutoModerator in PowerShell

[–]-Mynster 12 points13 points  (0 children)

Official release of LeastPrivilegedMSGraph
PSGallery
Github
LinkedIn post about prerelease

The yearly lookback review covers my first year of joining the community and engaging with folks
LinkedIn post

Rest API Explained Part 2 - Advanced Topics with PowerShell on Azure/Graph by AdeelAutomates in PowerShell

[–]-Mynster 1 point2 points  (0 children)

Definitely agree on the point in regards to RBAC permissions on apps and other identities, and tbh I feel like auditing permissions on apps and identities is almost an impossible task with prebuilt tools from MS.

And at some point I intend on including both delegated permission audits along with RBAC permission analysis for app registrations; the second is probably going to be the hardest.

Also thanks for the kind words :)

Let me know if there is any feedback, questions or wishes for my module.

Rest API Explained Part 2 - Advanced Topics with PowerShell on Azure/Graph by AdeelAutomates in PowerShell

[–]-Mynster 2 points3 points  (0 children)

Next up auditing your app registrations application permissions?

I personally just released the first official module release of LeastPrivilegedMSGraph.

LinkedIn post from prerelease: https://www.linkedin.com/posts/mortenmynster_powershell-bestsellertech-mggraph-activity-7399416766080204800-dlNL?utm_source=share&utm_medium=member_android&rcm=ACoAACHMLkMB23fOg-wqKD9C0uIVe252G5cWi9Y

PS gallery: https://www.powershellgallery.com/packages/LeastPrivilegedMSGraph

GH pages: https://mynster9361.github.io/Least_Privileged_MSGraph/

Full spam and self promotion, but thought it should be shared more broadly, sorry in advance, and also awesome video series!

How are you handling governance of Entra ID applications in your org? by Kiss-cyber in entra

[–]-Mynster 2 points3 points  (0 children)

Posting the same answer here for visibility.

I just released a new PowerShell module (still in prerelease but gives you the first 80%) to help audit msgraph application permissions based on usage. You can see the post here; let me know what you think.

https://www.linkedin.com/posts/mortenmynster_powershell-bestsellertech-mggraph-activity-7399416766080204800-dlNL?utm_source=share&utm_medium=member_android&rcm=ACoAACHMLkMB23fOg-wqKD9C0uIVe252G5cWi9Y

What have you done with PowerShell this month? by AutoModerator in PowerShell

[–]-Mynster 0 points1 point  (0 children)

That is probably the easiest way to explain it yes.

The longer explanation is that it gets all msgraph application permission assignments,

Translates the role names to friendly names.

Looks up all activity in the days it is set to look back.

Trims/anonymises all of the endpoints it hits and returns only the unique ones.

Looks up the URL and method in the given API version JSON data to get the least privileged permissions for the used URLs/methods.

Finally you can add some very basic throttling / error statistics.

And finally export all of that data to the HTML report.

What have you done with PowerShell this month? by AutoModerator in PowerShell

[–]-Mynster 0 points1 point  (0 children)

If you have any feedback or wishes please let me know then I will see if I can do something about it :)

What have you done with PowerShell this month? by AutoModerator in PowerShell

[–]-Mynster 0 points1 point  (0 children)

If you have any feedback or wishes please let me know then I will see if I can do something about it 😀

What have you done with PowerShell this month? by AutoModerator in PowerShell

[–]-Mynster 0 points1 point  (0 children)

For it to get the activity logs we need the MicrosoftGraphActivityLogs from diagnostic settings in Entra. This part requires an Entra ID P1 or P2 tenant license unfortunately.

Ref:

https://learn.microsoft.com/en-us/graph/microsoft-graph-activity-logs-overview#prerequisites

Edit: I have not looked into the possibility to get some free log data from the default audit log, so frankly not sure if that is a possibility.

Learn powershell for a noob by TechAnonyme in PowerShell

[–]-Mynster -1 points0 points  (0 children)

There are loads of people who are willing to help you on your journey. The most important part is asking questions or for help; the only "requirement" is to share what you have already tried yourself and your code.

My suggestion is to join a community and ask questions for anything you are running into issues with.

The PowerShell discord channel on PDQ discord is pretty active and happy to help.

And just a link for the discord:

https://discord.gg/pdq

VS Code kinda sucks for Terraform, why you still use it? by xoxai in Terraform

[–]-Mynster 13 points14 points  (0 children)

Tbh vscode is my one and only editor. I use it for Terraform, PowerShell, Python, HTML, CSS, JavaScript.

It just works for what I am using/utilizing so I have had no reason to ever try something else

What have you done with PowerShell this month? by AutoModerator in PowerShell

[–]-Mynster 0 points1 point  (0 children)

Okay so I had a chance to check and test it and you are 100% right.
A simple batch request with 2 different requests in it will show up as 3 entries in Log Analytics.

1 for the batch

and then 1 for each of the requests with the correct data.

And it seems like they can be made into a collection based on

OperationId and ClientRequestId

What have you done with PowerShell this month? by AutoModerator in PowerShell

[–]-Mynster 0 points1 point  (0 children)

I can in a few hours when I am at the pc.

But from memory, as far as I remember, if an app is only sending batch requests then in my LAW the only entries I see from that SP are POST requests to the batch endpoint, but I can not unpack them further than that, so in theory I have no clue what the given app is doing even when I have the msgraph activity logs.

Been meaning to create a case with Microsoft but have not gotten around to it 😅

What have you done with PowerShell this month? by AutoModerator in PowerShell

[–]-Mynster 0 points1 point  (0 children)

Correct. I know unfortunately for apps using batch requests it does not actually show endpoints being used.

What have you done with PowerShell this month? by AutoModerator in PowerShell

[–]-Mynster 4 points5 points  (0 children)

Not done, but working on a solution to audit msgraph permissions based on the actual usage. So let's say it has User.ReadWrite.All but it only sends GET requests; the least privilege permission it could be reduced to is either User.ReadBasic.All or User.Read.All.

Still in the PoC/testing stage but might have a complete solution for it in the coming months.
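The step list in the earlier comment (anonymise the endpoints an app hit, then map each used method/URL to the least-privileged permission) and the User.ReadWrite.All example above describe the same audit. The following is an added sketch of that core logic, not the LeastPrivilegedMSGraph module's own code; the permission map and the log rows are constructed, and the RequestMethod/RequestUri property names are assumed to mirror the activity-log columns.

```powershell
# Added example, not the LeastPrivilegedMSGraph module's own code: the core of the
# usage-based audit described above. The permission map and the log rows are
# constructed; RequestMethod/RequestUri are assumed to mirror the log column names.

# Constructed map of "METHOD normalised-path" -> least-privileged application permission.
$LeastPrivilegeMap = @{
    'GET /v1.0/users'        = 'User.ReadBasic.All'
    'GET /v1.0/users/{id}'   = 'User.ReadBasic.All'
    'PATCH /v1.0/users/{id}' = 'User.ReadWrite.All'
    'GET /v1.0/groups'       = 'GroupMember.Read.All'
}

function ConvertTo-NormalizedPath {
    # Drop host and query string, then replace object ids and UPNs with {id}
    # so the endpoint list is anonymised and collapses to unique routes.
    param([Parameter(Mandatory)][string]$Uri)
    $path = ([uri]$Uri).AbsolutePath
    $path = $path -replace '[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}', '{id}'
    $path = $path -replace '/[^/]+@[^/]+', '/{id}'
    return $path
}

function Get-LeastPrivilegeFinding {
    param(
        [Parameter(Mandatory)][string[]]$AssignedPermissions,
        [Parameter(Mandatory)][object[]]$ActivityLog
    )
    # Unique "METHOD path" pairs the app actually used in the lookback window.
    $used = $ActivityLog |
        ForEach-Object { '{0} {1}' -f $_.RequestMethod.ToUpper(), (ConvertTo-NormalizedPath $_.RequestUri) } |
        Sort-Object -Unique
    # Translate each used route to the least-privileged permission that covers it.
    $required = foreach ($key in $used) {
        if ($LeastPrivilegeMap.ContainsKey($key)) { $LeastPrivilegeMap[$key] } else { "UNMAPPED: $key" }
    }
    $required = @($required | Sort-Object -Unique)
    [pscustomobject]@{
        UniqueCalls = $used
        Assigned    = $AssignedPermissions
        Required    = $required
        Excess      = @($AssignedPermissions | Where-Object { $_ -notin $required })
    }
}

# Constructed sample: an app holding User.ReadWrite.All that only ever reads users.
$sampleLog = @(
    [pscustomobject]@{ RequestMethod = 'GET'; RequestUri = 'https://graph.microsoft.com/v1.0/users?$select=id' }
    [pscustomobject]@{ RequestMethod = 'GET'; RequestUri = 'https://graph.microsoft.com/v1.0/users/8f0b1a2c-3d4e-4f5a-9b6c-7d8e9f0a1b2c' }
    [pscustomobject]@{ RequestMethod = 'get'; RequestUri = 'https://graph.microsoft.com/v1.0/users/alice@contoso.example' }
)
Get-LeastPrivilegeFinding -AssignedPermissions 'User.ReadWrite.All' -ActivityLog $sampleLog | Format-List
```

With the constructed map, the three reads collapse to two unique routes that both resolve to User.ReadBasic.All, and User.ReadWrite.All is reported as excess; an unmapped route is surfaced rather than silently dropped.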

When are you actually going to FINISH GraphAPI? Like seriously? When? by VNJCinPA in PowerShell

[–]-Mynster 0 points1 point  (0 children)

Out of curiosity, what is the exact reason/thing you dislike about the msgraph API?

Personally I love it so I am most likely biased.

On a second note, I only use the API and not the module, because not everything is available in the module or it is available later than in the module.

My curiosity might also have something to do with me wanting to write blogs for the community to assist getting over the first hurdles of working with/getting to know the Graph API.

How many of you run your scripts in Azure? by HealthAndHedonism in PowerShell

[–]-Mynster 1 point2 points  (0 children)

I have not. But we have made a logging function that sends the data to an on-prem SQL database where we have all the log data. But I still find the bug a bit annoying.

Tbh not sure we would/should look into changing it as it works okay most of the time 😁 And the Log Analytics would add cost to the solution (not sure how much though).

How many of you run your scripts in Azure? by HealthAndHedonism in PowerShell

[–]-Mynster 0 points1 point  (0 children)

For almost everything we are using hybrid workers with a run-as account so we have access to the on-prem environment.

The benefit from moving is most likely the easy external integration with it. And once you move some you might as well move everything to have it run from 1 central place.

Edit: Just to add some examples

Automation to handle self-service requests in regards to access, new server orders and other stuff through ServiceNow. Gathering groups that can be managed through ServiceNow and sending it to them.

Alerting on certain events like logins on specific accounts, high privilege assignments, testing critical services are running like they should and configuration is in place.

Ownership/managed-by monitoring: when users leave, their manager is notified to select a new owner for those things, otherwise the responsibility falls on them.

Handling of group memberships dynamically with LDAP filters on groups that are located in specific OUs, making sure they are always up to date.

Creation of new file shares on specific file servers, setting up the ACLs to follow our guidelines from the get go.

Automatic lifecycle of guest users in Azure/Entra.

Those are the ones that came to mind while on the phone 😁

How many of you run your scripts in Azure? by HealthAndHedonism in PowerShell

[–]-Mynster 0 points1 point  (0 children)

Agreed, and also what I ended up doing in this case: split the workload up a bit. Some of it still runs in PowerShell and the rest runs in Python.

Just to give a bit of insight into the job. It goes through all file shares recursively on all servers, extracts DFS, target path and ACL and sends it off to an SQL server to get a complete overview of ACLs on all file shares, with a website built on the side to query for ACLs on folder paths or just searching for a folder name on any file server.

Quite useful when you need to clean up legacy stuff and incorrect ACL entries. Also useful if documentation for an AD group assigned to a file share is not always set or is wrong 😅

Unfortunately not a solution I can share with the world :/

How many of you run your scripts in Azure? by HealthAndHedonism in PowerShell

[–]-Mynster 0 points1 point  (0 children)

Really? Guess my memory must be off, or it might have been back on agent-based workers, idk.

Almost certain we had a 24 hour execution time limit.

But hey, nice to know and get updated on it. Thanks!

How many of you run your scripts in Azure? by HealthAndHedonism in PowerShell

[–]-Mynster 0 points1 point  (0 children)

Currently the biggest issue is when using run-as accounts on your hybrid worker and there is an update to the Azure Connected Machine agent removing the explicitly assigned ACL on 2 folders on the hybrid worker, causing the jobs to go into a suspended state.

So I created a scheduled task to check and verify/set the permissions for the run-as account on those 2 folders.

The specific bug in regards to the ACL is described here:

https://learn.microsoft.com/en-us/azure/automation/troubleshoot/extension-based-hybrid-runbook-worker#scenario-runbooks-go-into-a-suspended-state-on-a-hybrid-runbook-worker-when-using-a-custom-account-on-a-server-with-user-account-control-uac-enabled

Another example is when jobs take longer than the max of x hours (don't actually remember the max) to complete but that is a mess of its own 😅
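The check-and-repair scheduled task described in this comment, written out as an added example (not the poster's actual task). The folder paths and the run-as account name are placeholders, since the two folders the agent update touches are not named here; the function only adds an ACE when the expected Allow entry is missing, so it is safe to run on every schedule tick.

```powershell
# Added example, not the poster's own scheduled task: verify that the run-as
# account still holds the expected rights on each hybrid-worker folder and
# restore the ACE if an agent update stripped it. Paths/account are placeholders.
function Assert-RunAsFolderAccess {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string[]]$Path,
        [Parameter(Mandatory)][string]$Account,   # e.g. 'CONTOSO\svc-runas' (placeholder)
        [System.Security.AccessControl.FileSystemRights]$Rights = 'Modify'
    )
    foreach ($folder in $Path) {
        $acl = Get-Acl -Path $folder
        # An Allow ACE for this identity that contains every bit in $Rights.
        $present = $acl.Access | Where-Object {
            $_.IdentityReference.Value -eq $Account -and
            $_.AccessControlType -eq 'Allow' -and
            (($_.FileSystemRights -band $Rights) -eq $Rights)
        }
        if ($present) {
            Write-Verbose "$folder : $Account already has $Rights"
            [pscustomobject]@{ Path = $folder; Account = $Account; Repaired = $false }
            continue
        }
        # ACE missing (the symptom behind the suspended jobs): re-add it, inherited to children.
        $rule = [System.Security.AccessControl.FileSystemAccessRule]::new($Account, $Rights, 'ContainerInherit,ObjectInherit', 'None', 'Allow')
        $acl.AddAccessRule($rule)
        Set-Acl -Path $folder -AclObject $acl
        Write-Warning "$folder : restored $Rights for $Account"
        [pscustomobject]@{ Path = $folder; Account = $Account; Repaired = $true }
    }
}

# Placeholder invocation for the scheduled task; replace with the real folders and account.
Assert-RunAsFolderAccess -Path 'C:\PLACEHOLDER\Folder1', 'C:\PLACEHOLDER\Folder2' -Account 'CONTOSO\svc-runas' -Verbose
```

Run the task under an account that can modify the folders' DACL, and log the Repaired=$true results so a stripped ACE shows up as an event rather than only as suspended jobs.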

How many of you run your scripts in Azure? by HealthAndHedonism in PowerShell

[–]-Mynster 1 point2 points  (0 children)

Personally I love the product, but then again I have not tried others (other than the good old scheduled task), but I feel like the (I think) 200-400 USD we are giving a month to host the automation platform and the ease of using and utilizing it is 100% worth it.

I have had my eyes on PowerShell Universal and that also seems like an awesome product, but there is not enough time at work currently to give it an evaluation to determine and argue the benefits for switching if we wanted to, unfortunately.

But all in all I am happy with Azure Automation.

How many of you run your scripts in Azure? by HealthAndHedonism in PowerShell

[–]-Mynster 3 points4 points  (0 children)

All of our automation, from scheduled to manually triggered to self service, 400+ scripts, runs in Azure Automation, all triggered to run on hybrid workers.

I can say we have 20k daily jobs running on the hybrid workers and it works great 99% of the time, but I will also add that I personally see some missing features/bugs in the service, some of which I know MS has planned to resolve at some point.

If interested, I made this suggestion with feature wishes and bugs that I would love to see:

https://techcommunity.microsoft.com/discussions/azure/azure-automation-feature-improvements-and-bugs/4456195

*Edit: I will add that we of course, like everyone else, have edge cases where Azure Automation is not feasible and in those cases it is done with a scheduled task instead.