diff --git a/README.md b/README.md index 5cd7cec..2cc0d97 100644 --- a/README.md +++ b/README.md 
@@ -1,14 +1,36 @@ # Project -> This repo has been populated by an initial template to help get you started. Please -> make sure to update the content to build a great experience for community-building. +This PowerShell script lists applications in your tenant that use permissions for Azure AD Graph, [which will be retired](https://techcommunity.microsoft.com/t5/azure-active-directory-identity/update-your-applications-to-use-microsoft-authentication-library/ba-p/1257363) on 30 June 2022. -As the maintainer of this project, please make a few updates: +If you have applications that use Azure AD Graph permissions and actively call Azure AD Graph, please follow our [Migration Guide](https://docs.microsoft.com/en-us/graph/migrate-azure-ad-graph-planning-checklist) to migrate your applications using Azure AD Graph to Microsoft Graph. -- Improving this README.MD file to provide a great experience -- Updating SUPPORT.MD with content about this project's support experience -- Understanding the security reporting process in SECURITY.MD -- Remove this section from the README +## Prerequisites +You need to be an administrator in your tenant with **at least Global Reader permissions**. + +## Usage + +```powershell +.\Create-AppConsentGrantReport.ps1 -AdminUPN globalreader@contoso.onmicrosoft.com -Path .\output.xlsx +``` +#### Parameters: +`AdminUPN`: The user principal name of an administrator in your tenant with **at least Global Reader permissions**. + +`Path`: The path to output results to (in Excel format). + + +## FAQs + +**Q: How do I find out if I have Global Reader access?** + +**A:** Log in to the Azure Portal, and navigate the [Azure AD Users blade](https://portal.azure.com/#blade/Microsoft_AAD_IAM/UsersManagementMenuBlade/MsGraphUsers). Select your user and go to the Assigned Roles blade. In order to have sufficient permissions to run this script, you should have either a Global Reader or a Global Administrator role assigned to you. 
+ +**Q: Can I use Azure AD Graph permissions to call Microsoft Graph?** + +**A:** No, you should use the corresponding permissions on Microsoft Graph. For more information, please refer to this [article](https://docs.microsoft.com/en-us/graph/migrate-azure-ad-graph-app-registration) + +**Q: Does this script automatically remove my Azure AD Graph permissions in favor of MS Graph permissions?** + +**A:** No, this script gives you a list of applications that have Azure AD Graph permissions. You should review these applications, grant them the corresponding Microsoft Graph permissions, migrate their Azure AD Graph API calls to Microsoft Graph, and then remove these Azure AD Graph permissions. Our [Migration Guide](https://docs.microsoft.com/en-us/graph/migrate-azure-ad-graph-planning-checklist) will help you with this process. ## Contributing
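Review bot: The FAQ answer on Global Reader access says "you should have either a Global Reader or a Global Administrator role assigned to you", which reads as if the two roles were equally good choices. The Prerequisites section already states "at least Global Reader permissions", and the last FAQ answer confirms the script only lists applications, so the answer should recommend Global Reader as the least-privileged role and mention Global Administrator only as something that also works. Smaller points in the same hunk: the Usage section writes to an `.xlsx` path but does not say whether any PowerShell module must be installed first; the `#### Parameters:` heading skips a level under `## Usage` and has no blank line after the closing code fence; "navigate the [Azure AD Users blade]" is missing "to"; and the sentence ending in the `[article](...)` link has no closing period.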