
I am trying to filter out EntraID applications which have at least one owner assigned.

As per the Microsoft documentation, Owners supports filter based on count.

Directory objects that are owners of the application. Read-only. Nullable. Supports $expand, $filter (/$count eq 0, /$count ne 0, /$count eq 1, /$count ne 1), and $select nested in $expand.

Here is the query I am trying. Appreciate any help on this.

Cheers!

2 Answers


  1. It seems that this cannot be achieved with one request; two requests are required.

    ## step 1: get graph token
    
    $tenantId           = ""
    $clientId           = ""
    $clientSecret       = ""
    
    $headers = @{
        "Content-Type" = "application/x-www-form-urlencoded"
    }
    
    $uri = "https://login.microsoftonline.com/{0}/oauth2/v2.0/token" -f $tenantId
    
    $body = @{
        grant_type    = "client_credentials"
        scope         = "https://graph.microsoft.com/.default"
        client_id     = $clientId
        client_secret = $clientSecret
    }
    
    $token = $(Invoke-RestMethod -Method Post -Uri $uri -Body $body -Headers $headers).access_token
    
    ## step 2: list all applications (results are paged, so follow @odata.nextLink)
    
    $headers2 = @{
        "Content-Type" = "application/json"
        "Authorization" = "Bearer " + $token
    }
    
    $allAppIdUri = "https://graph.microsoft.com/v1.0/applications"
    
    $allApps = @()
    while ($allAppIdUri) {
        $allAppId = Invoke-RestMethod -Method Get -Uri $allAppIdUri -Headers $headers2
        $allApps += $allAppId.value
        # absent on the last page, which ends the loop
        $allAppIdUri = $allAppId.'@odata.nextLink'
    }
    
    ## step 3: foreach all the applications and find out the owner details
    
    $owners = @()
    
    foreach($item in $allApps){
    
        $ownerUri = "https://graph.microsoft.com/v1.0/applications/{0}/owners" -f $item.id
        $res = Invoke-RestMethod -Method Get -Uri $ownerUri -Headers $headers2
        
        # keep only applications that have at least one owner
        if(($null -ne $res.value) -and ($res.value.Count -gt 0)){
            # pscustomobject so that Format-Table prints one row per application
            $tmp = [pscustomobject]@{
                id          = $item.id
                name        = $item.displayName
                owners      = $res.value
                ownersCount = $res.value.Count
            }
            $owners += $tmp
        }
    }
    $owners | Format-Table
    

  2. Filtering will work, but you need to add the request header ConsistencyLevel with the value eventual, and the query must contain the $count=true parameter.

    Applications with at least one owner

    GET https://graph.microsoft.com/v1.0/applications?$filter=owners/$count ne 0&$count=true&$select=id,displayName
    ConsistencyLevel:eventual
    

    When filtering applications by the number of owners, you can’t expand owners (expand and filter on owners is not supported in one query).

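The request from the second answer wrapped in a PowerShell function, as an added example that is not part of either answer. It goes slightly beyond the question by accepting the other comparisons the documentation lists (for example `eq 0` to list applications with no owner) and by following `@odata.nextLink` paging. The function name is hypothetical, and the token is assumed to come from step 1 of the first answer with a permission such as Application.Read.All.

```powershell
# Added example, not code from the answers above.
# Assumption: $AccessToken is an app-only Graph token that may read
# applications (for example Application.Read.All).
function Get-EntraAppsByOwnerCount {   # hypothetical helper name
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $AccessToken,
        # Only the comparisons the documentation lists for owners/$count.
        [ValidateSet('ne 0', 'eq 0', 'eq 1', 'ne 1')]
        [string] $Comparison = 'ne 0'
    )

    $headers = @{
        Authorization    = "Bearer $AccessToken"
        # Needed together with $count=true for this filter (second answer).
        ConsistencyLevel = 'eventual'
    }

    # Single quotes stop PowerShell from expanding $filter, $count and
    # $select as (empty) variables, which would silently break the query.
    $uri = 'https://graph.microsoft.com/v1.0/applications' +
           '?$filter=owners/$count ' + $Comparison +
           '&$count=true&$select=id,appId,displayName'

    $apps = [System.Collections.Generic.List[object]]::new()
    while ($uri) {
        $page = Invoke-RestMethod -Method Get -Uri $uri -Headers $headers
        foreach ($app in $page.value) { $apps.Add($app) }
        # Results are paged; the property is absent on the last page.
        $uri = $page.'@odata.nextLink'
    }
    return $apps
}

# Usage, with $token obtained as in step 1 of the first answer:
# $owned   = Get-EntraAppsByOwnerCount -AccessToken $token
# $ownerless = Get-EntraAppsByOwnerCount -AccessToken $token -Comparison 'eq 0'
# $owned | Select-Object displayName, appId, id | Format-Table
```

Because owners cannot be expanded in the same query, owner details for a returned application still need a separate `/applications/{id}/owners` request.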