Thank you for downloading CoreView’s Entra Security Scanner for App Registrations


Step-by-step instructions

Notes: This tool is a PowerShell script, AppRegistrationScanner.ps1, that scans every app registration in your Entra ID tenant. It covers apps you developed yourselves, PowerApps, and third-party applications.

How to use: You can customize the script with two options:

  • SkipExcelOutput: Skips the Excel workbook and writes the results as CSV and HTML instead
  • ExcessiveIntervalInDays: Defaults to 180 days; apps that have been inactive for longer than this, or whose credentials are valid for longer than this, are flagged

Scoring system: Each app starts with a score of 10 points. Points are deducted for each issue detected:

  • Critical issues (minus 2 points each):
      • Apps lacking an assigned owner
      • Apps granted risky permissions
      • Apps using insecure or development-stage redirect URIs (e.g., localhost, http://)
  • Medium issues (minus 1 point each):

View the grading system table here.

This system helps you quickly identify and address potential security risks within your apps.
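The following is an added example, not code from CoreView's scanner, that re-creates the critical-issue scoring described above so you can see how the deductions combine. The three checks and the 2-point deduction per check come from the page; which permissions count as "risky" is an assumption made here for illustration, and the two sample apps are constructed objects, not data read from a tenant.

```powershell
# Added example (not CoreView's script): scores an app registration the way the
# page describes, starting at 10 and subtracting 2 for each critical finding.

# Assumption: a short list of permissions treated as "risky" for this example.
$RiskyPermissions = @(
    'Directory.ReadWrite.All',
    'RoleManagement.ReadWrite.Directory',
    'Application.ReadWrite.All',
    'AppRoleAssignment.ReadWrite.All',
    'Mail.ReadWrite'
)

function Test-InsecureRedirectUri {
    param([string]$Uri)
    # Plain http:// and any loopback host are treated as development-stage URIs.
    if ($Uri -match '^http://') { return $true }
    if ($Uri -match '^[a-z]+://(localhost|127\.0\.0\.1)(:\d+)?(/|$)') { return $true }
    return $false
}

function Get-AppRegistrationScore {
    param(
        [Parameter(Mandatory)] [pscustomobject]$App,
        [string[]]$Risky = $RiskyPermissions
    )
    $score    = 10
    $findings = @()

    # Critical: no owner assigned.
    if (-not $App.Owners -or $App.Owners.Count -eq 0) {
        $score -= 2
        $findings += 'Critical: no assigned owner'
    }

    # Critical: one or more risky permissions granted.
    $granted = @($App.Permissions | Where-Object { $Risky -contains $_ })
    if ($granted.Count -gt 0) {
        $score -= 2
        $findings += "Critical: risky permissions ($($granted -join ', '))"
    }

    # Critical: insecure or development-stage redirect URIs.
    $bad = @($App.RedirectUris | Where-Object { Test-InsecureRedirectUri $_ })
    if ($bad.Count -gt 0) {
        $score -= 2
        $findings += "Critical: insecure redirect URIs ($($bad -join ', '))"
    }

    [pscustomobject]@{
        DisplayName = $App.DisplayName
        Score       = [math]::Max($score, 0)
        Findings    = $findings
    }
}

# Constructed sample apps (not real tenant data).
$sampleApps = @(
    [pscustomobject]@{
        DisplayName  = 'HR Portal'
        Owners       = @('alice@contoso.example')
        Permissions  = @('User.Read')
        RedirectUris = @('https://hr.contoso.example/auth')
    }
    [pscustomobject]@{
        DisplayName  = 'Legacy Sync'
        Owners       = @()
        Permissions  = @('Directory.ReadWrite.All')
        RedirectUris = @('http://localhost:5000/callback', 'https://sync.contoso.example')
    }
)

$sampleApps | ForEach-Object { Get-AppRegistrationScore -App $_ } |
    Sort-Object Score |
    Format-Table DisplayName, Score, @{ n = 'Findings'; e = { $_.Findings -join '; ' } } -AutoSize
```

In a real run the `Owners`, `Permissions` and `RedirectUris` fields would be filled from the Graph application object (owners, required resource access, and the web, SPA and public-client redirect URIs); the scoring logic itself does not change.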


1. Pre-requisites

To run the script, ensure you meet the requirements in sections 2 to 5 below:

2. Permissions needed

Execute the .ps1 file from a Microsoft Graph session that has been granted the following scopes:

  • Required: Application.Read.All
  • Optional: AuditLog.Read.All (for sign-in statistics)

3. Installing modules

If you haven't installed the required modules yet, use the following commands (Update-Module only updates modules that are already installed, so a fresh machine needs Install-Module):

  • Install-Module -Name Microsoft.Graph.Beta
  • Install-Module -Name ImportExcel

4. Checking installed modules

To verify your installed module versions, execute:

  • Get-InstalledModule Microsoft.Graph.Beta
  • Get-InstalledModule ImportExcel

5. Updating modules

For the latest versions, run:

  • Update-Module -Name Microsoft.Graph.Beta
  • Update-Module -Name ImportExcel

6. Troubleshooting

If you encounter a RequestDenied error, the Graph session you are using does not carry the scopes the script needs. Follow these steps:

  • Open PowerShell: Launch a new PowerShell window
  • Disconnect Graph Session: Disconnect-MgGraph
    Note: Seeing "No application to sign out from" is expected if no session was open
  • Connect with Required Scopes: Connect-MgGraph -Scopes "Application.Read.All", "AuditLog.Read.All"
    Grant the necessary permissions when prompted
  • Run your script: You can now execute the script without the RequestDenied error
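As an added example that is not part of CoreView's download, the pre-flight script below performs steps 2 to 6 in one go: it installs or updates the two modules, opens a fresh Graph session with the required scopes, checks that the scopes were actually granted (which catches the RequestDenied cause before the scanner runs), and then launches the scanner. The scanner's parameter syntax (-SkipExcelOutput as a switch and -ExcessiveIntervalInDays as an integer) is assumed from the option names on this page, and the path to the scanner is a placeholder.

```powershell
# Added example (not CoreView's code): pre-flight setup and launch for
# AppRegistrationScanner.ps1. Parameter syntax of the scanner is assumed.
param(
    [string]$ScannerPath = '.\AppRegistrationScanner.ps1',   # assumed location
    [int]$ExcessiveIntervalInDays = 180,                     # page default
    [switch]$SkipExcelOutput
)

$ErrorActionPreference = 'Stop'
$required = 'Microsoft.Graph.Beta', 'ImportExcel'
# AuditLog.Read.All is optional (sign-in statistics); Application.Read.All is required.
$scopes   = 'Application.Read.All', 'AuditLog.Read.All'

# Steps 3 to 5: install missing modules, update the ones already present.
foreach ($name in $required) {
    $installed = Get-InstalledModule -Name $name -ErrorAction SilentlyContinue
    if (-not $installed) {
        Write-Host "Installing $name ..."
        Install-Module -Name $name -Scope CurrentUser -Force
    } else {
        Write-Host "$name $($installed.Version) present; checking for updates ..."
        Update-Module -Name $name
    }
}

# Step 6: start from a clean session so a stale token does not cause RequestDenied.
try { Disconnect-MgGraph | Out-Null } catch { }   # "No application to sign out from" is fine
Connect-MgGraph -Scopes $scopes

# Confirm the token really carries the scopes before the scanner depends on them.
$ctx     = Get-MgContext
$missing = @($scopes | Where-Object { $ctx.Scopes -notcontains $_ })
if ($missing -contains 'Application.Read.All') {
    throw 'Application.Read.All was not granted; the scanner cannot enumerate app registrations.'
}
if ($missing -contains 'AuditLog.Read.All') {
    Write-Warning 'AuditLog.Read.All not granted; sign-in statistics will be unavailable.'
}

# Launch the scanner with the options from this page.
$scannerArgs = @{ ExcessiveIntervalInDays = $ExcessiveIntervalInDays }
if ($SkipExcelOutput) { $scannerArgs.SkipExcelOutput = $true }
& $ScannerPath @scannerArgs
```

Run it as `.\Start-Scanner.ps1 -SkipExcelOutput -ExcessiveIntervalInDays 90` (file name assumed) to get CSV and HTML output with a 90-day inactivity threshold. Checking Get-MgContext's Scopes property is the useful addition over the manual steps: a consent prompt that was dismissed, or a tenant where an admin has not consented to AuditLog.Read.All, is reported here rather than surfacing later as a RequestDenied from inside the scanner.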