🔐 LeastPrivilegedMSGraph

PowerShell module for right-sizing Microsoft Graph application permissions against the API calls applications actually make

🚀 Quick Start

Install-Module -Name LeastPrivilegedMSGraph -Repository PSGallery
Import-Module LeastPrivilegedMSGraph

# Initialize and connect
Initialize-LogAnalyticsApi
Connect-EntraService -ClientID $clientId -TenantID $tenantId -ClientSecret $secret -Service "LogAnalytics", "GraphBeta"

# Analyze permissions
$apps = Get-AppRoleAssignment |
    Get-AppActivityData -WorkspaceId $workspaceId -Days 30 |
    Get-AppThrottlingData -WorkspaceId $workspaceId -Days 30 |
    Get-PermissionAnalysis

# Generate report
Export-PermissionAnalysisReport -AppData $apps -OutputPath ".\report.html"

✨ Key Features

🔍 Permission Analysis

Compares each application's granted Microsoft Graph permissions with the API calls recorded in Log Analytics and derives the minimal permission set that covers the observed activity. The result is only as complete as the observation window: choose a -Days value long enough to include infrequent jobs (monthly or quarterly tasks) before removing anything.

📊 Activity Monitoring

Tracks application API usage patterns over configurable time periods, identifying which endpoints are accessed and with what HTTP methods.

🚦 Throttling Detection

Monitors API throttling statistics per application: the number of 429 (Too Many Requests) responses, the overall success rate, and an automatic severity classification that flags applications whose performance is degraded by rate limiting.
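The two sections above (activity monitoring and throttling detection) both reduce to the same aggregation over Graph activity log rows. The following is an added example and not code from the LeastPrivilegedMSGraph module: it normalises request URIs into endpoint templates so that calls such as /users/{id} group together, counts calls per method and endpoint, and computes 429 counts, success rate and a severity band per application. The sample rows are constructed; the column names (AppId, RequestMethod, RequestUri, ResponseStatusCode) and the severity thresholds are assumptions for this illustration.

```powershell
# Added example, not the module's own code. Constructed sample rows shaped like
# Graph activity log entries; column names and severity thresholds are assumptions.
$appA = '0f5b4c2e-1111-4a1b-9c3d-000000000001'
$appB = '7d9e2a10-2222-4f6e-8b7a-000000000002'
$u1   = '3c1f6d4a-aaaa-4b2c-9d8e-000000000010'
$u2   = '9b8a7c6d-bbbb-4c3d-8e9f-000000000011'

$rows = @(
    [pscustomobject]@{ AppId=$appA; RequestMethod='GET';  RequestUri="https://graph.microsoft.com/v1.0/users/$u1";           ResponseStatusCode=200 }
    [pscustomobject]@{ AppId=$appA; RequestMethod='GET';  RequestUri="https://graph.microsoft.com/v1.0/users/$u2";           ResponseStatusCode=200 }
    [pscustomobject]@{ AppId=$appA; RequestMethod='GET';  RequestUri="https://graph.microsoft.com/v1.0/users/$u1";           ResponseStatusCode=429 }
    [pscustomobject]@{ AppId=$appA; RequestMethod='GET';  RequestUri='https://graph.microsoft.com/v1.0/users?$top=999';      ResponseStatusCode=200 }
    [pscustomobject]@{ AppId=$appA; RequestMethod='GET';  RequestUri="https://graph.microsoft.com/v1.0/groups/$u2/members"; ResponseStatusCode=429 }
    [pscustomobject]@{ AppId=$appB; RequestMethod='POST'; RequestUri="https://graph.microsoft.com/v1.0/users/$u1/sendMail"; ResponseStatusCode=202 }
    [pscustomobject]@{ AppId=$appB; RequestMethod='POST'; RequestUri="https://graph.microsoft.com/v1.0/users/$u2/sendMail"; ResponseStatusCode=202 }
    [pscustomobject]@{ AppId=$appB; RequestMethod='GET';  RequestUri="https://graph.microsoft.com/beta/users/$u1";          ResponseStatusCode=403 }
)

function Get-EndpointPattern {
    # Reduce a concrete request URI to a path template: drop host, API version and
    # query string, and replace object keys (GUIDs, quoted keys, UPNs) with {id}.
    param([Parameter(Mandatory)][string]$Uri)
    $path = ([uri]$Uri).AbsolutePath -replace '^/(v1\.0|beta)(?=/|$)', ''
    $path = $path -replace '[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}', '{id}'   # -replace is case-insensitive
    $path = $path -replace "\('[^']*'\)", '/{id}'                                  # users('key') -> users/{id}
    $path = $path -replace '/[^/]+@[^/]+', '/{id}'                                 # users/alice@contoso.com
    return $path
}

function Get-AppUsageSummary {
    param([Parameter(Mandatory)][object[]]$Rows, [int]$TopEndpoints = 5)
    foreach ($group in ($Rows | Group-Object AppId)) {
        $appRows   = @($group.Group)
        $total     = $appRows.Count
        $throttled = @($appRows | Where-Object ResponseStatusCode -eq 429).Count
        $ok        = @($appRows | Where-Object { $_.ResponseStatusCode -ge 200 -and $_.ResponseStatusCode -lt 300 }).Count
        $throttlePct = [math]::Round(100 * $throttled / $total, 1)

        # Severity bands are an assumption; tune them to your tenant's baseline.
        $severity = switch ($throttlePct) {
            { $_ -ge 10 } { 'High';   break }
            { $_ -ge 2 }  { 'Medium'; break }
            { $_ -gt 0 }  { 'Low';    break }
            default       { 'None' }
        }

        # Which endpoints, with which HTTP methods, this app actually touched.
        $endpoints = $appRows |
            Group-Object { "$($_.RequestMethod) $(Get-EndpointPattern $_.RequestUri)" } |
            Sort-Object Count -Descending |
            Select-Object -First $TopEndpoints |
            ForEach-Object { "$($_.Name) x$($_.Count)" }

        [pscustomobject]@{
            AppId        = $group.Name
            TotalCalls   = $total
            SuccessRate  = [math]::Round(100 * $ok / $total, 1)
            Throttled429 = $throttled
            ThrottlePct  = $throttlePct
            Severity     = $severity
            Endpoints    = ($endpoints -join '; ')
        }
    }
}

Get-AppUsageSummary -Rows $rows | Format-List
```

On the constructed rows the first application shows a 40% throttle rate (High) with GET /users/{id} as its hottest endpoint, while the second shows no throttling but a 403 that drags its success rate down; a 403 in the activity data is the signal that a permission is missing rather than excess, which is why success rate is tracked alongside 429s.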

📈 Interactive Reports

Generates self-contained HTML reports (no external assets required) with filtering, sorting, and detailed visualizations of permission usage and recommendations.

🔐 Security First

Identifies over-privileged applications with unused permissions and provides actionable recommendations for implementing least privilege access.

⚡ Pipeline-Friendly

Designed for PowerShell pipeline operations with efficient batch processing for analyzing hundreds of applications at once.

📖 Documentation

🚀 Getting Started Guide
📚 Command Reference
💻 GitHub Repository
📦 PowerShell Gallery

🎯 Why LeastPrivilegedMSGraph?

🛠️ What It Does

LeastPrivilegedMSGraph helps you implement the principle of least privilege for Microsoft Graph API permissions by:

  1. Retrieving Current Permissions: Gets all Microsoft Graph app role assignments (application permissions granted to service principals) across your tenant
  2. Analyzing Activity: Queries Log Analytics for actual API calls made by each application
  3. Monitoring Health: Collects throttling statistics to identify performance issues
  4. Calculating Optimal Permissions: Maps each observed endpoint and HTTP method to the permissions that authorize it, then runs a set-cover algorithm to choose a minimal set of permissions that covers every observed call
  5. Identifying Gaps: Highlights excess permissions that can be removed and missing permissions that should be added (grant the additions first and verify, then revoke the excess, so the application never loses access it still uses)
  6. Generating Reports: Creates interactive HTML reports for review, compliance, and change requests
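Steps 4 and 5 above are the core of the analysis. The block below is an added example, not the module's own implementation: a greedy weighted set cover over a constructed, deliberately tiny endpoint-to-permission map, followed by a diff against the currently granted app roles. The map, the operation strings and the weighting are assumptions for this illustration; the page does not show how the module weights its own set cover.

```powershell
# Added example, not the module's own set-cover implementation.
# Permission -> "METHOD /path-template" operations it authorises. This map is a
# constructed subset and an assumption; real Graph mappings are far larger.
$PermissionMap = @{
    'User.Read.All'       = @('GET /users', 'GET /users/{id}')
    'User.ReadWrite.All'  = @('GET /users', 'GET /users/{id}', 'POST /users', 'PATCH /users/{id}')
    'Group.Read.All'      = @('GET /groups', 'GET /groups/{id}', 'GET /groups/{id}/members')
    'Group.ReadWrite.All' = @('GET /groups', 'GET /groups/{id}', 'GET /groups/{id}/members', 'POST /groups/{id}/members/$ref')
    'Directory.Read.All'  = @('GET /users', 'GET /users/{id}', 'GET /groups', 'GET /groups/{id}', 'GET /groups/{id}/members')
    'Mail.Send'           = @('POST /users/{id}/sendMail')
}

function Get-MinimalPermissionSet {
    <#
      Greedy weighted set cover: at each step pick the permission with the lowest
      cost per newly covered operation, where cost is the permission's breadth
      (how many operations it authorises). Weighting by breadth is what makes the
      result least-privileged rather than merely smallest: an unweighted cover
      would pick Directory.Read.All because it covers the most calls at once.
    #>
    param(
        [Parameter(Mandatory)][string[]]$ObservedOperations,
        [Parameter(Mandatory)][hashtable]$Map
    )
    $uncovered = [System.Collections.Generic.HashSet[string]]::new([string[]]$ObservedOperations)
    $chosen    = [System.Collections.Generic.List[string]]::new()

    while ($uncovered.Count -gt 0) {
        $candidates = foreach ($entry in $Map.GetEnumerator()) {
            $ops    = @($entry.Value)
            $covers = @($ops | Where-Object { $uncovered.Contains($_) }).Count
            if ($covers -gt 0) {
                [pscustomobject]@{ Name = $entry.Key; Covers = $covers; Cost = $ops.Count / $covers }
            }
        }
        $best = $candidates | Sort-Object Cost, Name | Select-Object -First 1
        if (-not $best) { break }   # remaining operations match no known permission
        $chosen.Add($best.Name)
        foreach ($op in $Map[$best.Name]) { [void]$uncovered.Remove($op) }
    }
    [pscustomobject]@{ Required = @($chosen); Unmapped = @($uncovered) }
}

function Compare-PermissionGrants {
    param([string[]]$Granted, [string[]]$Required)
    [pscustomobject]@{
        Keep    = @($Granted  | Where-Object { $_ -in $Required })
        Excess  = @($Granted  | Where-Object { $_ -notin $Required })   # candidates for removal
        Missing = @($Required | Where-Object { $_ -notin $Granted })    # grant these before removing Excess
    }
}

# Constructed inputs: what the app called during the window, and what it currently holds.
$observed = 'GET /users', 'GET /users/{id}', 'GET /groups/{id}/members', 'POST /users/{id}/sendMail', 'GET /applications'
$granted  = 'Directory.Read.All', 'User.ReadWrite.All', 'Mail.Send'

$analysis = Get-MinimalPermissionSet -ObservedOperations $observed -Map $PermissionMap
$gaps     = Compare-PermissionGrants -Granted $granted -Required $analysis.Required
$analysis, $gaps | Format-List
```

With these inputs the cover selects Mail.Send, User.Read.All and Group.Read.All, so Directory.Read.All and User.ReadWrite.All are reported as excess and the two narrower read permissions as missing. Two caveats a practitioner should apply before acting on such output: the Missing set must be granted and verified before the Excess set is revoked, and a non-empty Unmapped list (here GET /applications) means the endpoint map is incomplete for this app, so the Excess recommendation is not yet trustworthy.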

📋 Use Cases

🔒 Security Hardening

Identify and remove unnecessary permissions to reduce attack surface and improve security posture across all Graph API applications.

✅ Compliance Audits

Generate evidence-based reports demonstrating least privilege implementation for SOC 2, ISO 27001, and other compliance frameworks.

🔄 Permission Right-Sizing

Optimize permission grants based on actual usage patterns, removing over-privileging while ensuring applications have what they need.

📊 Governance Monitoring

Regularly review permission usage to detect drift, unused apps, and potential security issues before they become problems.

🎫 Change Requests

Generate detailed reports with specific permission recommendations to attach to change requests and approval workflows.

🚨 Incident Response

Quickly identify which applications have access to sensitive data during security incidents or breach investigations.

🏗️ Module Architecture

The module follows a pipeline-based architecture with six main cmdlets, the ones used in the Quick Start above, in pipeline order:

  1. Initialize-LogAnalyticsApi: prepares the Log Analytics query connection
  2. Get-AppRoleAssignment: retrieves the tenant's Microsoft Graph app role assignments
  3. Get-AppActivityData: queries Log Analytics for each application's actual API calls over the chosen number of days
  4. Get-AppThrottlingData: collects 429 counts, success rates and severity per application
  5. Get-PermissionAnalysis: maps observed calls to permissions and computes the minimal required set and the gaps
  6. Export-PermissionAnalysisReport: writes the self-contained HTML report

🎓 Learn More

⚙️ Prerequisites

As implied by the Quick Start: a Log Analytics workspace that receives the tenant's Microsoft Graph activity logs (the -WorkspaceId passed to Get-AppActivityData and Get-AppThrottlingData), and an app registration whose client ID, tenant ID and client secret can be passed to Connect-EntraService (from the EntraAuth module) for both the LogAnalytics and GraphBeta services.

🤝 Contributing

Contributions are welcome! This is an open-source project under the MIT License.

Contributing Guidelines