WPanda/Scripts/python/get_app_permissions.py

import os
import requests
import msal
import json

# ==============================================================================
# KONFIGURATION
# ==============================================================================
TENANT_ID = "caee3499-03f8-4175-9fa8-a935248d0ece"
CLIENT_ID = "3a08b279-1fc3-419f-a77e-31f12a0f65f7"
CLIENT_SECRET = "Rk-8Q~nJ.sZ-xUiNxtEDdzVgoFFosODLVHX~jdrh"

GRAPH_API_ENDPOINT = "https://graph.microsoft.com/v1.0"
AUTHORITY_URL = f"https://login.microsoftonline.com/{TENANT_ID}"
SCOPES = ["https://graph.microsoft.com/.default"]

def get_access_token():
    """Acquires an access token using client credentials flow."""
    app = msal.ConfidentialClientApplication(
        CLIENT_ID,
        authority=AUTHORITY_URL,
        client_credential=CLIENT_SECRET
    )
    result = app.acquire_token_for_client(scopes=SCOPES)
    if "access_token" in result:
        return result["access_token"]
    else:
        raise Exception(f"Could not acquire access token: {result.get('error_description')}")

def get_application_permissions(access_token, app_id):
    """
    Retrieves the appRoles (permissions) for a given application (service principal).
    """
    headers = {
        'Authorization': 'Bearer ' + access_token,
        'Content-Type': 'application/json'
    }
    # Construct the URL to query the service principal by appId and select appRoles
    url = (f"{GRAPH_API_ENDPOINT}/servicePrincipals?"
           f"$filter=appId+eq+'{app_id}'&"
           f"$select=displayName,appId,appRoles")

    response = requests.get(url, headers=headers)
    response.raise_for_status() # Raise an exception for HTTP errors
    return response.json()

if __name__ == "__main__":
    try:
        print("Acquiring access token...")
        token = get_access_token()
        print("Access token acquired.")

        print(f"Retrieving permissions for application (Client ID: {CLIENT_ID})...")
        service_principal_data = get_application_permissions(token, CLIENT_ID)

        if service_principal_data and service_principal_data.get('value'):
            for sp in service_principal_data['value']:
                print(f"\nApplication Display Name: {sp.get('displayName')}")
                print(f"Application ID: {sp.get('appId')}")
                app_roles = sp.get('appRoles', [])
                if app_roles:
                    print("Application Permissions (appRoles):")
                    for role in app_roles:
                        print(f"  - Display Name: {role.get('displayName')}")
                        print(f"    Description: {role.get('description')}")
                        print(f"    Value: {role.get('value')}")
                        print(f"    ID: {role.get('id')}")
                        print(f"    IsEnabled: {role.get('isEnabled')}")
                else:
                    print("No application permissions (appRoles) found for this service principal.")
        else:
            print("No service principal found with the given Client ID or no data returned.")

    except Exception as e:
        print(f"An error occurred: {e}")