New features
Bsure are continously developing new functionalities
Upcoming features in near future:
Devices from Entra ID(Launched)Extended device information for Intune managed devices, requires DeviceManagementManagedDevices.Read.All permissions
All applications with certificate/secret expiry.
Eligible Entra ID role assignments will need RoleManagement.Read.All permissions
Bsure Insights will need more permissions to provide this information.
To prepare your environment you can give Bsure Insights managed identity all permissions now to support upcoming features.
How to add permissions
Start cloud shell with a user having Global administrator privileges - https://portal.azure.com/#cloudshell/
Copy script below and paste as plain text to run it in cloud shell.
There is no need to edit script. Script will search for all installations (managed identities) used by Bsure Insights and add this new permission
$BSureSpnName = 'Bsure-Umi-'
$BsurePermissions = @(
"Directory.Read.All"
"AuditLog.Read.All"
"Domain.Read.All"
"Reports.Read.All"
"Policy.Read.All"
"MailboxSettings.Read"
"DeviceManagementManagedDevices.Read.All"
"RoleManagement.Read.All"
)
$GraphAppId = "00000003-0000-0000-c000-000000000000"
$msGraphSpn = Get-AzADServicePrincipal -Filter "appId eq '$GraphAppId'"
$RolesToAdd = $msGraphSpn.AppRole | Where-Object {($_.Value -in $BsurePermissions) -and ($_.AllowedMemberType -contains "Application")}
(Get-AzADServicePrincipal -DisplayNameBeginsWith $BSureSpnName) | ForEach-Object{
$script:graphAPIReqHeader = @{
Authorization = "Bearer $($(Get-AzAccessToken -ResourceTypeName MSGraph).token)"
Host = "graph.microsoft.com"
}
$currentSPN = $_
$currentSPN
$assignedPermissionsUri = "https://graph.microsoft.com/v1.0/servicePrincipals/$($currentSPN.Id)/appRoleAssignments"
$currentAssignments = Invoke-RestMethod -Method Get -Uri $assignedPermissionsUri -Headers $script:graphAPIReqHeader | Select-Object -ExpandProperty value
$RolesToAddClean = $RolesToAdd | Where-Object {($_.id -notin $($currentAssignments.appRoleId))}
foreach($AppRole in $RolesToAddClean)
{
$body = @{
principalId = $currentSPN.Id
resourceId = $msGraphSpn.id
appRoleId = $AppRole.id
} | ConvertTo-Json -Depth 99 -Compress -EscapeHandling EscapeNonAscii
Invoke-RestMethod -Method Post -Uri $assignedPermissionsUri -Headers $script:graphAPIReqHeader -Body $body -ContentType "application/json"
}
$RolesToRemoveClean = $currentAssignments.appRoleId | Where-Object {($_ -notin $($RolesToAdd.id))}
foreach($AppRole in $RolesToRemoveClean)
{
$toRemoveId = $currentAssignments | Where-Object -Property appRoleId -eq $AppRole | Select-Object -ExpandProperty id
Invoke-RestMethod -Method Delete -Uri "$assignedPermissionsUri/$toRemoveId" -Headers $script:graphAPIReqHeader
}
}
Write-Host "Done setting permissions for $($spnBsure.DisplayName) ($($spnBsure.Id))"
Last updated
Was this helpful?