This is a collection of examples, scripts, and tips for Entra Entitlement management. There are currently about 35 examples I am working on publishing, so keep an eye on this repository as these will be completed in the coming weeks :)
Securing Custom Extensions (Logic Apps)
Groups, apps, and roles are referenced in commands by their object ID, which is easy to look up.
SharePoint sites are referenced by their web URL instead, and discovering them is clumsier because the Graph API only supports LIST for application permissions... Instead, we have to search, which only works for some site types.
```powershell
# Get IDs for groups
Get-MgBetaGroup -All
(Get-MgBetaGroup -Filter "DisplayName eq 'Group'").Id

# Get IDs for apps
Get-MgBetaApplication -All
(Get-MgBetaApplication -Filter "DisplayName eq 'App'").AppId

# Get IDs (web URLs) for SharePoint sites
Get-MgBetaSite -Search 'site'
(Get-MgBetaSite -Search 'Site').WebUrl

# Get IDs for Entra roles
Get-MgBetaRoleManagementDirectoryRoleDefinition
(Get-MgBetaRoleManagementDirectoryRoleDefinition -Filter "DisplayName eq 'Role'").Id
```
For custom extensions (Logic Apps), we usually need to grant Graph API permissions for them to perform their functions. Simply set $MIObjectId to the Managed Identity object ID and change $permissions to match the set of permissions you need.
```powershell
# Modified from @AlexFilipin: https://gist.github.com/AlexFilipin/daace2f2d7989545e8ab0b969de2aaed
$MIObjectId  = "c449c80d-0d9c-4e04-b340-00dcf7e2d878"   # object ID of the Logic App's managed identity
$permissions = "User.Read.All","Group.Read.All"         # application permissions to grant

Connect-MgGraph -Scopes AppRoleAssignment.ReadWrite.All

# Resolve the Microsoft Graph service principal once, by its well-known app ID
# (a startswith(DisplayName,'Microsoft Graph') filter can match other first-party SPs)
$GraphSP = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"

$permissions | ForEach-Object {
    $PermissionName = $_
    # Only application roles (not delegated scopes) can be assigned to a managed identity
    $AppRole = $GraphSP.AppRoles | Where-Object { $_.Value -eq $PermissionName -and $_.AllowedMemberTypes -contains "Application" }
    if (-not $AppRole) { Write-Warning "Application permission '$PermissionName' not found on Microsoft Graph"; return }
    New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $MIObjectId -PrincipalId $MIObjectId -ResourceId $GraphSP.Id -AppRoleId $AppRole.Id
}
```
More details on Managed Identities with Graph API and Logic Apps:
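Because the managed identity keeps whatever app roles it was ever granted, it is worth auditing what it actually holds against the set the extension needs. The following is an added example, not code from this repository; it assumes the same $MIObjectId and a constructed $expected list, and resolves each assignment's AppRoleId back to its permission name.

```powershell
# Added example (not from this repository): report, and optionally revoke, the Microsoft Graph
# application permissions currently assigned to a Logic App managed identity.
$MIObjectId = "c449c80d-0d9c-4e04-b340-00dcf7e2d878"   # same MI object ID as above
$expected   = "User.Read.All","Group.Read.All"          # constructed: the set the extension should hold

Connect-MgGraph -Scopes AppRoleAssignment.ReadWrite.All

# Microsoft Graph service principal, looked up by its well-known app ID
$GraphSP = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"

# Map AppRoleId -> permission name so the report is readable
$roleNames = @{}
$GraphSP.AppRoles | ForEach-Object { $roleNames[$_.Id] = $_.Value }

# Only assignments whose resource is Microsoft Graph (the MI may also hold roles on other APIs)
$assignments = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $MIObjectId -All |
    Where-Object { $_.ResourceId -eq $GraphSP.Id }

foreach ($a in $assignments) {
    $name = $roleNames[$a.AppRoleId]
    if ($expected -contains $name) {
        Write-Host "OK       $name"
    } else {
        Write-Warning "Permission outside the expected set: $name"
        # Uncomment to revoke anything the extension does not need:
        # Remove-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $MIObjectId -AppRoleAssignmentId $a.Id
    }
}

# Also flag anything expected but missing, so the extension does not fail silently at runtime
$expected | Where-Object { $_ -notin $assignments.ForEach({ $roleNames[$_.AppRoleId] }) } |
    ForEach-Object { Write-Warning "Expected permission not assigned: $_" }
```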
Note: Identity Governance licenses include the ability to put Entra roles in Access Packages. This builds on top of PIM and enables us to use Verified ID with Face Check, multiple approval steps, and multiple policies driven by more granular conditions.
✅ Grant access to licensed applications via app
✅ Grant access to licensed applications via group
✅ Secure risky apps by requiring assignment
🚧 Grant permissions to SSO apps through role assignment
🚧 Provide access to Azure storage
🚧 Provide access to Log Analytics
🚧 App protection policy exceptions
✅ Change app protection policy
✅ Change configuration profile
🚧 Intune device enrollment restrictions
🚧 Install licensed applications
🚧 Disable PowerShell Constrained Language Mode
Note: These require configuring group writeback through Entra Cloud Sync.
🚧 Include/Exclude from Group Policy
🚧 Add to Administrators on Servers