
Add "Find-EntraCommand"

Open weyCC81 opened this issue 1 year ago • 3 comments

Describe the feature

It should work the same way as in MgGraph: (Find-MgGraphCommand -Command 'Get-MgUser').Permissions

Example: (Find-EntraCommand -Command 'Get-EntraUser').Permissions

How will this feature enhance your project and further the project’s overall goals? Who will benefit from this feature (i.e. all users; the project team)?

It would simplify adoption for users who are not yet familiar with the new Permission Model when transitioning from Azure AD.

Describe alternatives you've considered

See the option in point 1 with MgGraph; I think there is not yet a documentation page available like MgGraph has.

Additional context

Find-EntraPermission is not sufficient for cmdlets.

Maybe there is a first draft here: https://github.com/microsoftgraph/entra-powershell/pull/808

weyCC81 · Jul 30 '24 21:07

@weyCC81 Thanks for raising the issue we are looking into it.

snehalkotwal · Jul 31 '24 06:07

May exist now (not validated): https://learn.microsoft.com/en-us/powershell/module/microsoft.entra/find-entrapermission?view=entra-powershell

weyCC81 · Sep 10 '25 13:09

> May exist now (not validated): https://learn.microsoft.com/en-us/powershell/module/microsoft.entra/find-entrapermission?view=entra-powershell

That's a very useful function, but it doesn't map permissions to specific commands, as far as I can tell. Example:

```text
>> Find-EntraPermission -SearchString 'Directory' -PermissionType Application | FL *

Id             : 7ab1d382-f21e-4acd-a863-ba3e13f7da61
PermissionType : Application
Consent        : Admin
Name           : Directory.Read.All
Description    : Allows the app to read data in your organization's directory, such as users, groups and apps,
                 without a signed-in user.

Id             : 19dbc75e-c2e2-444c-a770-ec69d8559fc7
PermissionType : Application
Consent        : Admin
Name           : Directory.ReadWrite.All
Description    : Allows the app to read and write data in your organization's directory, such as users, and groups,
                 without a signed-in user.  Does not allow user or group deletion.

Id             : 483bed4a-2ad3-4361-a73b-c83ccdbdc53c
PermissionType : Application
Consent        : Admin
Name           : RoleManagement.Read.Directory
Description    : Allows the app to read the role-based access control (RBAC) settings for your company's directory,
                 without a signed-in user.  This includes reading directory role templates, directory roles and
                 memberships.

Id             : 9e3f62cf-ca93-4989-b6ce-bf83c28f9fe8
PermissionType : Application
Consent        : Admin
Name           : RoleManagement.ReadWrite.Directory
Description    : Allows the app to read and manage the role-based access control (RBAC) settings for your company's
                 directory, without a signed-in user. This includes instantiating directory roles and managing
                 directory role membership, and reading directory role templates, directory roles and memberships.
```

SamErde · Sep 10 '25 19:09
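As an added example (not code from this issue or from the entra-powershell project), a PowerShell helper that approximates the requested Find-EntraCommand for least-privilege reviews by translating an Entra cmdlet name to its Microsoft Graph counterpart and querying Find-MgGraphCommand for the permissions that cmdlet needs. The function name Find-EntraCommandPermission is hypothetical, and the Entra-to-Mg name substitution is an assumption generalised from the two cmdlets quoted in the issue (Get-EntraUser, Get-MgUser); it will not hold for every command.

```powershell
# Added example: approximate the requested Find-EntraCommand by delegating to
# Find-MgGraphCommand (Microsoft.Graph.Authentication module).
# Assumption: an Entra cmdlet maps to its Graph cmdlet by replacing the 'Entra'
# noun prefix with 'Mg' (Get-EntraUser -> Get-MgUser). Commands that do not
# follow this convention produce a warning instead of a (possibly wrong) answer.
function Find-EntraCommandPermission {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string[]] $Command,

        [ValidateSet('v1.0', 'beta')]
        [string] $ApiVersion = 'v1.0'
    )
    process {
        foreach ($name in $Command) {
            if ($name -match '^(?<verb>\w+)-Entra(?<noun>\w+)$') {
                $graphName = "$($Matches.verb)-Mg$($Matches.noun)"
            } else {
                Write-Warning "'$name' does not look like an Entra cmdlet; skipping."
                continue
            }
            $hits = Find-MgGraphCommand -Command $graphName -ApiVersion $ApiVersion `
                                        -ErrorAction SilentlyContinue
            if (-not $hits) {
                Write-Warning "No Graph counterpart found for '$name' (tried '$graphName')."
                continue
            }
            # One Graph cmdlet can back several URIs; report the union of permissions,
            # one row per distinct permission name.
            $hits | Select-Object -ExpandProperty Permissions |
                Group-Object -Property Name | ForEach-Object {
                    [pscustomobject]@{
                        EntraCommand = $name
                        GraphCommand = $graphName
                        Permission   = $_.Name
                        IsAdmin      = ($_.Group | Select-Object -First 1).IsAdmin
                    }
                }
        }
    }
}

# Usage: list the distinct permissions a script needs from the Entra cmdlets it calls.
'Get-EntraUser', 'Get-EntraGroup' | Find-EntraCommandPermission |
    Sort-Object -Property Permission -Unique | Format-Table -AutoSize
```

Find-MgGraphCommand returns every permission that can satisfy the call, so pick the least-privileged entry from the result rather than granting all of them.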