See The File 'Create-Update-Delete-AAD-PK-Vulnerability-Scanning-App.ps1' Above.
This PoSH Script Creates The App Registration In AAD For PK To Be Able To Scan For Vulnerabilities In AAD
This PoSH script provides the following functions:
- Create and update the app registration in AAD for PK To Be Able To Scan For Vulnerabilities In AAD;
- Delete the app registration in AAD;
- Assign the following MSFT Graph Application Permissions and consent those, when either creating or updating the app;
- AdministrativeUnit.Read.All;
- Application.Read.All;
- AuditLog.Read.All;
- Device.Read.All;
- Directory.Read.All;
- Group.Read.All;
- Policy.Read.All;
- PrivilegedAccess.Read.AzureAD;
- Reports.Read.All;
- RoleManagement.Read.All;
- RoleManagement.Read.Directory;
- User.Read.All;
- UserAuthenticationMethod.Read.All;
- Create an client secret that by default is valid for an hour, when either creating or updating the app. If needed it is possible to provide a customer lifetime in days for the client secret. This is not recommended as it may be a security issue;
- Deleting all client secrets from the app registration in AAD;
- Display the tenant ID, the application ID, the assigned and consented permissions, and the client secret to be used in the Purple Knight executable.
- aadTenantFQDN => With his Parameter, You Can Specify The Tenant FQDN To Target The AAD Tenant To create The App Registration In;
- appRegDisplayName => With his Parameter, You Can Specify The Name For The Application Registration;
- customLifetimeSecretInDays => With his Parameter, You Can Specify The Custom Lifetime Of The Client Secret In Days;
REMARK: At Least ONE Of The Parameters Below Must Be Used. The Number Behind The Parameter Tells You Which Parameters Can Be Used Together
- (1) createOrUpdateApp (CAN Be Used With BOTH/EITHER '3' AND/OR '4' AND/OR '5') => With This Parameter, You Can Specify To Either Create A New App Registration Or Update An Existing App Registration;
- (2) deleteApp (Must Be Used Individually Only) => With his Parameter, You Can Specify To Delete An Existing App Registration;
- (3) updateAPIPerms (MUST Be Used With '1', CAN Be Used With '4') => With his Parameter, You Can Specify To Update The API Permissions When Either Creating A New App Registration Or Updating An Existing App Registration;
- (4) createClientSecret (MUST Be Used With '1', CAN Be Used With '3') => With his Parameter, You Can Specify To Create A New Client Secret When Either Creating A New App Registration Or Updating An Existing App Registration;
- (5) deleteAllClientSecrets (MUST Be Used With '1') => With his Parameter, You Can Specify To Delete All Existing Secrets Whether Those Are Expired Or Not (Only When App Already Exists!)
- (6) listAllClientSecrets (Must Be Used Individually Only) => With This Parameter, You Can Specify To List All Existing Client Secrets (Only When App Already Exists!)
Create A Purple Knight Vulnerability Scanning App In AAD OR Update The Purple Knight Vulnerability Scanning App In AAD With Updated API Permissions And A New Client Secret (Existing Client Secrets WILL NOT Be Deleted!)
.\Create-Update-Delete-AAD-PK-Vulnerability-Scanning-App.ps1 -aadTenantFQDN XXX.ONMICROSOFT.COM -appRegDisplayName "Semperis Purple Knight Vulnerability Scanning App" -createOrUpdateApp -updateAPIPerms -createClientSecretUpdate An Existing Purple Knight Vulnerability Scanning App In AAD With Updated API Permissions
.\Create-Update-Delete-AAD-PK-Vulnerability-Scanning-App.ps1 -aadTenantFQDN XXX.ONMICROSOFT.COM -appRegDisplayName "Semperis Purple Knight Vulnerability Scanning App" -createOrUpdateApp -updateAPIPermsUpdate An Existing Purple Knight Vulnerability Scanning App In AAD With A New Client Secret (Existing Client Secrets WILL NOT Be Deleted!)
.\Create-Update-Delete-AAD-PK-Vulnerability-Scanning-App.ps1 -aadTenantFQDN XXX.ONMICROSOFT.COM -appRegDisplayName "Semperis Purple Knight Vulnerability Scanning App" -createOrUpdateApp -createClientSecretList All Existing Client Secrets On The Existing Purple Knight Vulnerability Scanning App In AAD
.\Create-Update-Delete-AAD-PK-Vulnerability-Scanning-App.ps1 -aadTenantFQDN XXX.ONMICROSOFT.COM -appRegDisplayName "Semperis Purple Knight Vulnerability Scanning App" -listAllClientSecretsDelete All Existing Client Secrets On The Existing Purple Knight Vulnerability Scanning App In AAD
.\Create-Update-Delete-AAD-PK-Vulnerability-Scanning-App.ps1 -aadTenantFQDN XXX.ONMICROSOFT.COM -appRegDisplayName "Semperis Purple Knight Vulnerability Scanning App" -createOrUpdateApp -deleteAllClientSecretsDelete An Existing Purple Knight Vulnerability Scanning App In AAD
.\Create-Update-Delete-AAD-PK-Vulnerability-Scanning-App.ps1 -aadTenantFQDN XXX.ONMICROSOFT.COM -appRegDisplayName "Semperis Purple Knight Vulnerability Scanning App" -deleteApp- Requires Microsoft Graph PoSH Module to connect to Azure AD and perform all actions, except consenting API permissions;
- Requires Az.Accounts PoSH Module to be able to consent the API permissions;
- To create, configure AND consent application permissions for the Microsoft Graph, at least membership of the "Global Administrator" built-in role is required;
- To create and configure (without assigning and consenting application permissions for the Microsoft Graph), at least membership of the "Application Administrator" or "Cloud Application Administrator" built-in role is required;
- To create a new client secret, at least application ownership is required of the existing application.
.\Create-Update-Delete-AAD-PK-Vulnerability-Scanning-App.ps1 -aadTenantFQDN XXX.ONMICROSOFT.COM -appRegDisplayName "Semperis Purple Knight Vulnerability Scanning App" -createOrUpdateApp -updateAPIPerms -createClientSecret- Purple Knight Vulnerability Scanning App In AAD DOES NOT Yet Exist
- Purple Knight Vulnerability Scanning App Will Be Created
- API Permissions Are Being Configured, And Consented
- New Short Lived Client Secret Is Being Created In AAD For The App And Displayed On Screen
.\Create-Update-Delete-AAD-PK-Vulnerability-Scanning-App.ps1 -aadTenantFQDN XXX.ONMICROSOFT.COM -appRegDisplayName "Semperis Purple Knight Vulnerability Scanning App" -createOrUpdateApp -updateAPIPerms -createClientSecret- Purple Knight Vulnerability Scanning App In AAD ALREADY Exists
- API Permissions Are Being Updated If Needed, And Consented
- New Short Lived Client Secret Is Being Created In AAD For The App And Displayed On Screen
.\Create-Update-Delete-AAD-PK-Vulnerability-Scanning-App.ps1 -aadTenantFQDN XXX.ONMICROSOFT.COM -appRegDisplayName "Semperis Purple Knight Vulnerability Scanning App" -createOrUpdateApp -createClientSecret- Purple Knight Vulnerability Scanning App In AAD ALREADY Exists
- New Short Lived Client Secret Is Being Created In AAD For The App And Displayed On Screen
.\Create-Update-Delete-AAD-PK-Vulnerability-Scanning-App.ps1 -aadTenantFQDN XXX.ONMICROSOFT.COM -appRegDisplayName "Semperis Purple Knight Vulnerability Scanning App" -listAllClientSecrets- Purple Knight Vulnerability Scanning App In AAD ALREADY Exists
- List The Metadata Of All Existing Client Secrets In AAD For The App And Displayed On Screen
.\Create-Update-Delete-AAD-PK-Vulnerability-Scanning-App.ps1 -aadTenantFQDN XXX.ONMICROSOFT.COM -appRegDisplayName "Semperis Purple Knight Vulnerability Scanning App" -createOrUpdateApp -deleteAllClientSecrets- Purple Knight Vulnerability Scanning App In AAD ALREADY Exists
- Delete All Existing Client Secrets In AAD For The App And Displayed On Screen
.\Create-Update-Delete-AAD-PK-Vulnerability-Scanning-App.ps1 -aadTenantFQDN XXX.ONMICROSOFT.COM -appRegDisplayName "Semperis Purple Knight Vulnerability Scanning App" -deleteApp- Deleting The Existing Purple Knight Vulnerability Scanning App From AAD
- Purple Knight Main Screen Sample Output
