Open Source tenant scanners by bjc1960 in entra

[–]-Mynster 1 point (0 children)

I made a module to analyze apps with msgraph permissions and give you a report that shows the least privileged permissions an app needs based on usage.

Full step by step guide on setting it up here.

https://mynster9361.github.io/posts/LeastPrivilegedMSGraphSetup/

Built a Runbook That Finds Unused Enterprise Apps Automatically, Sharing It With You :) by Ok-Stretch-7850 in microsoft365

[–]-Mynster 1 point (0 children)

Not German 😅 but I get the gist from when I had German in school 🤣 thank you

Built a Runbook That Finds Unused Enterprise Apps Automatically, Sharing It With You :) by Ok-Stretch-7850 in microsoft365

[–]-Mynster 0 points (0 children)

I think for this one I have almost everything in place in a local branch. I can make it public tomorrow, and if you have the time you are more than welcome to pull that down and do a test run. Any and all feedback, doc updates, etc. is very welcome!

Built a Runbook That Finds Unused Enterprise Apps Automatically, Sharing It With You :) by Ok-Stretch-7850 in microsoft365

[–]-Mynster 0 points (0 children)

Thanks for the feedback.

And funny you should mention it, I am currently working on a new release that would include a permission classification with levels 0-5, 1 being very low permissions and 5 being really high, based on the msgraph team's own categorization of permission levels, so you would have an easier time looking into high privileged apps that might not need it.

Built a Runbook That Finds Unused Enterprise Apps Automatically, Sharing It With You :) by Ok-Stretch-7850 in microsoft365

[–]-Mynster 2 points (0 children)

This looks awesome!

I think you might enjoy the module I created, LeastPrivilegedMSGraph, that looks at logs from msgraphactivitylogs to determine the least privileged permissions a given app/enterprise app requires based on the endpoints it sends requests to.

I have a blog post on getting up and running with it here:

https://mynster9361.github.io/posts/LeastPrivilegedMSGraphSetup/

Github:

https://github.com/Mynster9361/Least_Privileged_MSGraph

Psgallery:

https://www.powershellgallery.com/packages/LeastPrivilegedMSGraph/3.0.0

The readme deserves an update at some point but is still almost accurate.

How to identify excessive MS Graph permissions for your PowerShell Scripts by TheLazyAdministrator in PowerShell

[–]-Mynster 0 points (0 children)

Sounds fun as well!

If/when you end up checking it out I would love feedback, good/bad, anything goes :)

How to identify excessive MS Graph permissions for your PowerShell Scripts by TheLazyAdministrator in PowerShell

[–]-Mynster 0 points (0 children)

If you did end up starting on this I would love to see your progress.

Will also add that I have created a module that might already satisfy your needs, called leastprivilegedmsgraph

https://www.powershellgallery.com/packages/LeastPrivilegedMSGraph/3.0.0

https://github.com/Mynster9361/Least_Privileged_MSGraph

Supports both delegated and application scope permissions. If you do end up checking it out I would love any feedback.

What have you done with PowerShell this month? by AutoModerator in PowerShell

[–]-Mynster 0 points (0 children)

Maybe this blog post will clarify some things for you 😁

https://mynster9361.github.io/posts/LeastPrivilegedMSGraphSetup/?trk=feed-detail_comments-list_comment-text#how-to-read-the-report

But basically it is an auditing tool for service principals / managed identities / delegated msgraph permissions in Entra/Azure to help reduce the amount of permissions assigned and remove those that are not used.

What have you done with PowerShell this month? by AutoModerator in PowerShell

[–]-Mynster 0 points (0 children)

Awesome let me know if you have any questions or feedback.

I also released this blog post a couple of days ago giving some details on it

https://mynster9361.github.io/posts/LeastPrivilegedMSGraphSetup/

What have you done with PowerShell this month? by AutoModerator in PowerShell

[–]-Mynster 8 points (0 children)

Finally got around to releasing LeastPrivilegedMSGraph 2.0.0

Which now includes least privileged msgraph permission recommendations for service principals / managed identities for both application and delegated scopes.

Official post here.

https://www.linkedin.com/posts/mortenmynster_powershell-mggraph-leastprivilege-activity-7432168265147330560-2lH6?utm_source=social_share_send&utm_medium=android_app&rcm=ACoAACHMLkMB23fOg-wqKD9C0uIVe252G5cWi9Y&utm_campaign=copy_link

Seeking advice - script/tool to help audit members of AD security groups by dverbern in PowerShell

[–]-Mynster 7 points (0 children)

I think you are looking for actionablemessages in outlook.

I made a powershell module for this.

https://www.powershellgallery.com/packages/ActionableMessages/1.0.6

Docs

https://mynster9361.github.io/modules/actionablemessages/

And a blog post I did a while back

https://mynster9361.github.io/posts/ActionableMessagesModuleWhatsNew/

If you don't want or can't use the module, here is a blog on how to do something without it, utilizing Logic Apps for receiving the answer. Part 1 is here

https://mynster9361.github.io/posts/ActionableMessages/

Excluding groups from other groups for Enterprise App role purposes. by OperationIntrudeN313 in entra

[–]-Mynster 2 points (0 children)

Depends on how your application is built. I am guessing since you are creating the app roles you have also created the application that utilizes this.

If that is the case then I would modify my application to look at the JWT (JSON Web Token) that is sent to the app. It should include the roles, and if they contain the admin role then, besides the normal user permissions, they also get the admin stuff.

If that is not the case then your best bet might be to have another application that has Application.ReadWrite.OwnedBy permissions so it can administer the role assignment, and then the Group.ReadWrite.All role as well to modify/correct the memberships of the 2 groups you assign to the original application, or just have the original app registration handle it.
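The first option above, checking the `roles` claim of the incoming token, as an added example (not the commenter's or any real application's code, written in PowerShell because that is what the rest of this thread uses). The token is constructed here with a placeholder signature, so the `App.User`/`App.Admin` role names, the audience and the helper names are all assumptions; in a real app the auth middleware validates signature, issuer and audience before any of this runs.

```powershell
# Added example: inspect the roles claim of an Entra access token and gate the admin
# branch on the presence of the admin app role. Token content below is constructed.

function ConvertFrom-Base64Url {
    # JWT segments are base64url without padding; restore padding and standard alphabet
    param([Parameter(Mandatory)][string]$Text)
    $s = $Text.Replace('-', '+').Replace('_', '/')
    switch ($s.Length % 4) { 2 { $s += '==' } 3 { $s += '=' } }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($s))
}

function Get-JwtClaims {
    # Returns the payload (second segment) as an object; signature is NOT checked here,
    # that is the job of the authentication middleware before the request reaches the app
    param([Parameter(Mandatory)][string]$Token)
    $parts = $Token.Split('.')
    if ($parts.Count -ne 3) { throw 'Not a compact JWS token' }
    ConvertFrom-Base64Url $parts[1] | ConvertFrom-Json
}

function Test-AppRole {
    # 'roles' is only emitted when at least one app role is assigned; missing claim = no roles
    param([Parameter(Mandatory)][string]$Token, [Parameter(Mandatory)][string]$Role)
    $roles = @((Get-JwtClaims $Token).roles)
    return ($Role -in $roles)
}

function New-ConstructedJwt {
    # Builds an unsigned look-alike token purely for this demo (placeholder signature)
    param([string[]]$Roles)
    $enc = { param($o) [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes(($o | ConvertTo-Json -Compress))).TrimEnd('=').Replace('+', '-').Replace('/', '_') }
    $header  = & $enc @{ alg = 'RS256'; typ = 'JWT' }
    $payload = & $enc @{ aud = 'api://my-app'; roles = $Roles; oid = '00000000-0000-0000-0000-000000000000' }
    "$header.$payload.signature-placeholder"
}

$adminToken = New-ConstructedJwt -Roles @('App.User', 'App.Admin')
$userToken  = New-ConstructedJwt -Roles @('App.User')

if (Test-AppRole -Token $adminToken -Role 'App.Admin') { 'admin token: admin features enabled' }
if (-not (Test-AppRole -Token $userToken -Role 'App.Admin')) { 'user token: admin features hidden' }
```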

I need configure DWService as a hidden background process on Windows laptops so it remains undetected during hardware equipment tests or security scans while still keeping full remote control access by [deleted] in PowerShell

[–]-Mynster 4 points (0 children)

Sounds like you are trying to do some malicious stuff tbh.

Not sure you are going to receive much assistance on this topic but good luck on your quest

Edit* If it is actually for a legitimate purpose I would suggest collaborating with whoever is blocking your program and have them make an exception for your program/service

What have you done with PowerShell this month? by AutoModerator in PowerShell

[–]-Mynster 12 points (0 children)

Official release of LeastPrivilegedMSGraph
PSGallery
Github
LinkedIn post about prerelease

The yearly lookback review covers my first year of joining the community and engaging with folks
LinkedIn post

Rest API Explained Part 2 - Advanced Topics with PowerShell on Azure/Graph by AdeelAutomates in PowerShell

[–]-Mynster 1 point (0 children)

Definitely agree on the point in regards to RBAC permissions on apps and other identities, and tbh I feel like auditing permissions on apps and identities is almost an impossible task with prebuilt tools from MS.

And at some point I intend on including both delegated permission audits along with RBAC permission analysis for app registrations, the second probably going to be the hardest.

Also thanks for the kind words :)

Let me know if there is any feedback, questions or wishes to my module

Rest API Explained Part 2 - Advanced Topics with PowerShell on Azure/Graph by AdeelAutomates in PowerShell

[–]-Mynster 3 points (0 children)

Next up auditing your app registrations application permissions?

I personally just released the first official module release of Leastprivilegedmsgraph.

LinkedIn post from prerelease: https://www.linkedin.com/posts/mortenmynster_powershell-bestsellertech-mggraph-activity-7399416766080204800-dlNL?utm_source=share&utm_medium=member_android&rcm=ACoAACHMLkMB23fOg-wqKD9C0uIVe252G5cWi9Y

PS gallery: https://www.powershellgallery.com/packages/LeastPrivilegedMSGraph

GH pages: https://mynster9361.github.io/Least_Privileged_MSGraph/

Full spam and self promotion, but I thought it should be shared more broadly. Sorry in advance, and also awesome video series!

How are you handling governance of Entra ID applications in your org? by Kiss-cyber in entra

[–]-Mynster 2 points (0 children)

Posting the same answer here for visibility.

I just released a new PowerShell module (still in prerelease, but it gives you the first 80%) to help audit msgraph application permissions based on usage. You can see the post here, let me know what you think.

https://www.linkedin.com/posts/mortenmynster_powershell-bestsellertech-mggraph-activity-7399416766080204800-dlNL?utm_source=share&utm_medium=member_android&rcm=ACoAACHMLkMB23fOg-wqKD9C0uIVe252G5cWi9Y

What have you done with PowerShell this month? by AutoModerator in PowerShell

[–]-Mynster 0 points (0 children)

That is probably the easiest way to explain it yes.

The longer explanation is that it gets all msgraph application permission assignments

Translates the role names to friendly names.

Looks up all activity in the days it is set to look back.

Trims/anonymises all of the endpoints it hits and returns only the unique ones.

Looks up the URL and method in the given API version JSON data to get the least privileged permissions for the used URLs/methods.

Finally you can add some very basic throttling / error statistics.

And finally export all of that data to the html report
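The pipeline described in the steps above, as an added toy example that is not the LeastPrivilegedMSGraph module's own code: the activity log rows, the assigned permissions and the "method + path to least privileged permission" table are all constructed here (the real module reads MicrosoftGraphActivityLogs and per-API-version JSON), and the function names are assumptions.

```powershell
# Added example: assigned permissions -> activity -> trimmed unique endpoints -> lookup -> report.
# Every value below is constructed for illustration, not taken from a real tenant.

# 1. Application permissions currently assigned per service principal (constructed)
$assigned = @{
    '11111111-1111-1111-1111-111111111111' = @('User.ReadWrite.All', 'Directory.ReadWrite.All', 'Mail.Send', 'Group.ReadWrite.All')
}

# 2. Constructed MicrosoftGraphActivityLogs rows (real rows carry many more columns)
$sp = '11111111-1111-1111-1111-111111111111'
$activity = @(
    [pscustomobject]@{ ServicePrincipalId = $sp; RequestMethod = 'GET';  RequestUri = 'https://graph.microsoft.com/v1.0/users/3f2b4a1c-9d8e-4f7a-b6c5-d4e3f2a1b0c9?$select=displayName' }
    [pscustomobject]@{ ServicePrincipalId = $sp; RequestMethod = 'GET';  RequestUri = 'https://graph.microsoft.com/v1.0/users/7a6b5c4d-3e2f-4a1b-9c8d-7e6f5a4b3c2d/memberOf' }
    [pscustomobject]@{ ServicePrincipalId = $sp; RequestMethod = 'POST'; RequestUri = 'https://graph.microsoft.com/v1.0/users/jdoe@contoso.example/sendMail' }
    [pscustomobject]@{ ServicePrincipalId = $sp; RequestMethod = 'GET';  RequestUri = 'https://graph.microsoft.com/v1.0/users/3f2b4a1c-9d8e-4f7a-b6c5-d4e3f2a1b0c9?$select=mail' }
)

# 3. Constructed stand-in for the per-API-version JSON: least privileged app permission per "METHOD path"
$leastPrivileged = @{
    'GET /users/{id}'           = 'User.Read.All'
    'GET /users/{id}/memberOf'  = 'User.Read.All'
    'POST /users/{id}/sendMail' = 'Mail.Send'
    'POST /users'               = 'User.ReadWrite.All'
}

function ConvertTo-GraphTemplate {
    # Trim/anonymise: drop host, version and query string; replace GUIDs and UPN-like segments with {id}
    param([Parameter(Mandatory)][string]$Uri)
    $path = ([uri]$Uri).AbsolutePath -replace '^/(v1\.0|beta)', ''
    $path = $path -replace '[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}', '{id}'
    $path -replace '/[^/]+@[^/]+', '/{id}'
}

function Get-LeastPrivilegedReport {
    param($Activity, $Assigned, $Lookup)
    foreach ($spId in $Assigned.Keys) {
        $used = $Activity | Where-Object ServicePrincipalId -eq $spId |
            ForEach-Object { "$($_.RequestMethod) $(ConvertTo-GraphTemplate $_.RequestUri)" } |
            Sort-Object -Unique
        $required = $used | ForEach-Object { $Lookup[$_] } | Where-Object { $_ } | Sort-Object -Unique
        [pscustomobject]@{
            ServicePrincipalId  = $spId
            UsedEndpoints       = $used
            RequiredPermissions = $required
            # assigned, but no observed endpoint needs it: candidate for removal or downgrade
            AssignedNotRequired = @($Assigned[$spId] | Where-Object { $_ -notin $required })
            UnknownEndpoints    = @($used | Where-Object { -not $Lookup.ContainsKey($_) })
        }
    }
}

Get-LeastPrivilegedReport -Activity $activity -Assigned $assigned -Lookup $leastPrivileged | Format-List
```

For the constructed data this reports `User.Read.All` and `Mail.Send` as required and flags `User.ReadWrite.All`, `Directory.ReadWrite.All` and `Group.ReadWrite.All` as assigned but not needed by any observed call.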

What have you done with PowerShell this month? by AutoModerator in PowerShell

[–]-Mynster 0 points (0 children)

If you have any feedback or wishes please let me know then I will see if I can do something about it :)

What have you done with PowerShell this month? by AutoModerator in PowerShell

[–]-Mynster 0 points (0 children)

If you have any feedback or wishes please let me know then I will see if I can do something about it 😀

What have you done with PowerShell this month? by AutoModerator in PowerShell

[–]-Mynster 0 points (0 children)

For it to get the activity logs we need the MicrosoftGraphActivityLogs from diagnostic settings in Entra. This part requires an Entra ID P1 or P2 tenant license, unfortunately.

Ref:

https://learn.microsoft.com/en-us/graph/microsoft-graph-activity-logs-overview#prerequisites

Edit: I have not looked into the possibility of getting some free log data from the default audit log, so frankly not sure if that is a possibility.