
Find app consent grants

Find consent grants for app permissions from records captured in the Microsoft 365 unified audit log.

Connect & set up

Run these once per session. The Graph scope requested is read-only; the script only reads audit records and application metadata and makes no changes to the tenant.

Connect-ExchangeOnline -SkipLoadingCmdletHelp
Connect-MgGraph -Scopes Application.Read.All -NoWelcome

Run it

The main script. Copy it, or download the .ps1 and run it from your console.

param(
    [string] $AppId,            # Optional: only report grants for this application (client) ID
    [int] $LookbackDays = 90    # How far back to search the unified audit log
)
# Connect to Exchange Online (needed for Search-UnifiedAuditLog) if not already connected
$Status = Get-ConnectionInformation -ErrorAction SilentlyContinue
If (!($Status)) {
    Connect-ExchangeOnline -SkipLoadingCmdletHelp
}
# Connect to Graph SDK to get application information
Connect-MgGraph -Scopes Application.Read.All -NoWelcome
[array]$Apps = Get-MgApplication -All
[array]$SPs = Get-MgServicePrincipal -All
# Map application (client) IDs to display names for service principals and app registrations
$SPHash = @{}
ForEach ($SP in $SPs) {
    $SPHash[$SP.AppId] = $SP.DisplayName
}
$AppHash = @{}
ForEach ($App in $Apps) {
    $AppHash[$App.AppId] = $App.DisplayName
}
Write-Host "Searching for audit records..."
[array]$Records = Search-UnifiedAuditLog -StartDate ((Get-Date).AddDays(-$LookbackDays)) -EndDate ((Get-Date).AddDays(1)) `
    -ResultSize 5000 -Operations "Consent to application." -SessionCommand ReturnLargeSet
$Report = [System.Collections.Generic.List[Object]]::new() # Create output list for report
If ($Records) {
    ForEach ($Rec in $Records) {
        $AppName = $Null
        $Auditdata = $Rec.AuditData | ConvertFrom-Json
        # The application (client) ID is the first part of the record's ObjectId
        $RecordAppId = $Auditdata.ObjectId.Split(";")[0]
        If ($AppId -and ($RecordAppId -ne $AppId)) { Continue }
        # Resolve the display name from the service principal first, then the app registration
        $AppName = $SPHash[$RecordAppId]
        If (!($AppName)) {
            $AppName = $AppHash[$RecordAppId]
        }
        $Tag = $Auditdata.ModifiedProperties | Where-Object {$_.Name -eq "ConsentContext.Tags"} | Select-Object -ExpandProperty NewValue
        If ($Tag -eq "WindowsAzureActiveDirectoryIntegratedApp") {
            $AppType = "Enterprise app"
        } Else {
            $AppType = "Registered app"
        }
        $ReportLine = [PSCustomObject]@{
            User         = $Auditdata.UserId
            Date         = Get-Date ($Auditdata.CreationTime) -Format g
            ObjectId     = $Auditdata.ObjectId
            AppId        = $RecordAppId
            AppName      = $AppName
            AdminConsent = $Auditdata.ModifiedProperties | Where-Object {$_.Name -eq "ConsentContext.IsAdminConsent"} | Select-Object -ExpandProperty NewValue
            ForAllUsers  = $Auditdata.ModifiedProperties | Where-Object {$_.Name -eq "ConsentContext.OnBehalfOfAll"} | Select-Object -ExpandProperty NewValue
            AppType      = $AppType
            Details      = $Auditdata.ExtendedProperties | Where-Object {$_.Name -eq "additionalDetails"} | Select-Object -ExpandProperty Value
        }
        $Report.Add($ReportLine)
    }
}
If ($Report.Count -gt 0) {
    $Report = $Report | Sort-Object {$_.Date -as [datetime]}
    $Report | Out-GridView
} Else {
    Write-Host "No consent grant audit records found in the last $LookbackDays days"
}
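
The parsing the script applies to each audit record can be exercised offline against a constructed AuditData payload. The following is an added example, not part of the original script: it extracts the same ConsentContext fields from a single record and adds a triage priority (the priority rule, the sample GUIDs, user and names are assumptions, not values from the audit schema).

```powershell
# Added example (not part of the original script): parse one "Consent to application."
# AuditData JSON offline and classify it for triage. Sample values are constructed.
function ConvertTo-ConsentGrantRecord {
    param([Parameter(Mandatory)][string] $AuditDataJson)

    $Auditdata = $AuditDataJson | ConvertFrom-Json
    # Pull NewValue for a named entry in ModifiedProperties (empty if absent)
    $Prop = { param($Name)
        $Auditdata.ModifiedProperties | Where-Object { $_.Name -eq $Name } |
            Select-Object -ExpandProperty NewValue }

    $AdminConsent = (& $Prop 'ConsentContext.IsAdminConsent') -eq 'True'
    $ForAllUsers  = (& $Prop 'ConsentContext.OnBehalfOfAll') -eq 'True'
    $Tag          = & $Prop 'ConsentContext.Tags'
    $AppType = if ($Tag -eq 'WindowsAzureActiveDirectoryIntegratedApp') { 'Enterprise app' } else { 'Registered app' }

    # Triage rule (an assumption, not part of the audit schema): a grant that applies to
    # every user in the tenant deserves review; a user-scoped grant is lower priority.
    $Priority = if ($ForAllUsers) { 'Review' } else { 'Low' }

    [PSCustomObject]@{
        User         = $Auditdata.UserId
        Date         = Get-Date ($Auditdata.CreationTime) -Format g
        AppId        = $Auditdata.ObjectId.Split(';')[0]   # client ID is the first part of ObjectId
        AppType      = $AppType
        AdminConsent = $AdminConsent
        ForAllUsers  = $ForAllUsers
        Priority     = $Priority
    }
}

# Constructed sample record in the shape the script expects (placeholder GUIDs and names)
$Sample = @'
{
  "CreationTime": "2024-05-01T10:15:00",
  "UserId": "admin@contoso.example",
  "ObjectId": "00000000-0000-0000-0000-000000000001;ServicePrincipal_placeholder",
  "ModifiedProperties": [
    { "Name": "ConsentContext.IsAdminConsent", "NewValue": "True", "OldValue": "" },
    { "Name": "ConsentContext.OnBehalfOfAll", "NewValue": "True", "OldValue": "" },
    { "Name": "ConsentContext.Tags", "NewValue": "WindowsAzureActiveDirectoryIntegratedApp", "OldValue": "" }
  ],
  "ExtendedProperties": [ { "Name": "additionalDetails", "Value": "{}" } ]
}
'@
ConvertTo-ConsentGrantRecord -AuditDataJson $Sample | Format-List
```

The same function can be applied to live records with `$Rec.AuditData` in place of `$Sample`, which keeps the parsing logic testable independently of the Exchange Online connection.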

Parameters

Parameter       Default   Notes
-AppId          (none)    Optional filter: report only consent grants for this application (client) ID. Each record's ID is read from the ObjectId of the consent grant audit record.
-LookbackDays   90        Number of days back to search consent grant audit records.