New features

Bsure are continously developing new functionalities

Upcoming features in near future:

~~Devices from Entra ID~~ (Launched)
Extended device information for Intune managed devices, requires DeviceManagementManagedDevices.Read.All permissions
All applications with certificate/secret expiry.
Eligible Entra ID role assignments will need RoleManagement.Read.All permissions

Bsure Insights will need more permissions to provide this information.

To prepare your environment you can give Bsure Insights managed identity all permissions now to support upcoming features.

How to add permissions

Start cloud shell with a user having Global administrator privileges - https://portal.azure.com/#cloudshell/

Copy script below and paste as plain text to run it in cloud shell.

There is no need to edit script. Script will search for all installations (managed identities) used by Bsure Insights and add this new permission

$BSureSpnName = 'Bsure-Umi-'

$BsurePermissions = @(
  "Directory.Read.All"
  "AuditLog.Read.All"
  "Domain.Read.All"
  "Reports.Read.All"
  "Policy.Read.All"
  "MailboxSettings.Read"
  "DeviceManagementManagedDevices.Read.All"
  "RoleManagement.Read.All"
)

$GraphAppId = "00000003-0000-0000-c000-000000000000"

$msGraphSpn = Get-AzADServicePrincipal -Filter "appId eq '$GraphAppId'"

$RolesToAdd = $msGraphSpn.AppRole | Where-Object {($_.Value -in $BsurePermissions) -and ($_.AllowedMemberType -contains "Application")}

(Get-AzADServicePrincipal -DisplayNameBeginsWith $BSureSpnName) | ForEach-Object{

    $script:graphAPIReqHeader = @{
        Authorization = "Bearer $($(Get-AzAccessToken -ResourceTypeName MSGraph).token)"
        Host = "graph.microsoft.com"
    }

    $currentSPN = $_
    $currentSPN
    $assignedPermissionsUri = "https://graph.microsoft.com/v1.0/servicePrincipals/$($currentSPN.Id)/appRoleAssignments"

    $currentAssignments = Invoke-RestMethod -Method Get -Uri $assignedPermissionsUri -Headers $script:graphAPIReqHeader | Select-Object -ExpandProperty value
    
    $RolesToAddClean = $RolesToAdd | Where-Object {($_.id -notin $($currentAssignments.appRoleId))}
    
    foreach($AppRole in $RolesToAddClean)
    {
        $body = @{
            principalId = $currentSPN.Id
            resourceId = $msGraphSpn.id
            appRoleId = $AppRole.id
        } | ConvertTo-Json -Depth 99 -Compress -EscapeHandling EscapeNonAscii
    
        Invoke-RestMethod -Method Post -Uri $assignedPermissionsUri -Headers $script:graphAPIReqHeader -Body $body -ContentType "application/json"
    }
    
    $RolesToRemoveClean = $currentAssignments.appRoleId | Where-Object {($_ -notin $($RolesToAdd.id))}
    
    foreach($AppRole in $RolesToRemoveClean)
    {
        $toRemoveId = $currentAssignments | Where-Object -Property appRoleId -eq $AppRole | Select-Object -ExpandProperty id
        Invoke-RestMethod -Method Delete -Uri "$assignedPermissionsUri/$toRemoveId" -Headers $script:graphAPIReqHeader
    }
}

Write-Host "Done setting permissions for $($spnBsure.DisplayName) ($($spnBsure.Id))"

PreviousRelease Notes NextUser purpose property

Last updated 1 month ago

Was this helpful?

$BSureSpnName = 'Bsure-Umi-' $BsurePermissions = @( "Directory.Read.All" "AuditLog.Read.All" "Domain.Read.All" "Reports.Read.All" "Policy.Read.All" "MailboxSettings.Read" "DeviceManagementManagedDevices.Read.All" "RoleManagement.Read.All" ) $GraphAppId = "00000003-0000-0000-c000-000000000000" $msGraphSpn = Get-AzADServicePrincipal -Filter "appId eq '$GraphAppId'" $RolesToAdd = $msGraphSpn.AppRole | Where-Object {($_.Value -in $BsurePermissions) -and ($_.AllowedMemberType -contains "Application")} (Get-AzADServicePrincipal -DisplayNameBeginsWith $BSureSpnName) | ForEach-Object{ $script:graphAPIReqHeader = @{ Authorization = "Bearer $($(Get-AzAccessToken -ResourceTypeName MSGraph).token)" Host = "graph.microsoft.com" } $currentSPN = $_ $currentSPN $assignedPermissionsUri = "https://graph.microsoft.com/v1.0/servicePrincipals/$($currentSPN.Id)/appRoleAssignments" $currentAssignments = Invoke-RestMethod -Method Get -Uri $assignedPermissionsUri -Headers $script:graphAPIReqHeader | Select-Object -ExpandProperty value $RolesToAddClean = $RolesToAdd | Where-Object {($_.id -notin $($currentAssignments.appRoleId))} foreach($AppRole in $RolesToAddClean) { $body = @{ principalId = $currentSPN.Id resourceId = $msGraphSpn.id appRoleId = $AppRole.id } | ConvertTo-Json -Depth 99 -Compress -EscapeHandling EscapeNonAscii Invoke-RestMethod -Method Post -Uri $assignedPermissionsUri -Headers $script:graphAPIReqHeader -Body $body -ContentType "application/json" } $RolesToRemoveClean = $currentAssignments.appRoleId | Where-Object {($_ -notin $($RolesToAdd.id))} foreach($AppRole in $RolesToRemoveClean) { $toRemoveId = $currentAssignments | Where-Object -Property appRoleId -eq $AppRole | Select-Object -ExpandProperty id Invoke-RestMethod -Method Delete -Uri "$assignedPermissionsUri/$toRemoveId" -Headers $script:graphAPIReqHeader } } Write-Host "Done setting permissions for $($spnBsure.DisplayName) ($($spnBsure.Id))"