Ever since Office 365 Groups were launched with support for connectors, the problem of reporting just what data sources a given Group or Team is connecting to has been lurking in the minds of IT admins and security folks. Microsoft hasn’t made it easy on us to obtain and report on such data, but thanks to the Graph API /installedApps and /tabs endpoints we can create programmatic solutions for this task. So here’s a sample script I prepared as a “proof of concept”.
As I mentioned above, the script will run some queries against the Microsoft Graph, and in order to do so we need a valid token. Tokens in turn are obtained for a specific application, so as a prerequisite for running the script you will need to input the details of an application registered in your Azure AD tenant that has the necessary permissions. In this case, I’ve opted out to use the application permissions model, as we want to include all Teams and potentially run the script as a background task. Permission-wise, the Group.Read.All scope should be sufficient.
Once you have entered the application ID, client secret and tenant ID, you should be able to obtain the needed token. Of course you can just replace this part of the script with your preferred method to get a token. Just store it in the $token variable and the script should run fine.
The first query the script will execute against the Graph is to fetch a list of all Team-enabled Groups in the tenant. For that, we will use the /beta endpoint and the “resourceProvisioningOptions/Any(x:x eq ‘Team’)” filter. And when I say all, I don’t actually mean all, as the script doesn’t handle pagination and stuff (remember, it’s a proof of concept). Next, we will go over the list of Teams, and for each we will query the /installedApps endpoint. This will return any and all applications added to a given Team, and the result might surprise you – there are over 20 such integrations for each Team, even a newly created one!
Some details will be gathered for each application and presented in the output. Next, the script will iterate over each channel in the Team, and enumerate the Tabs configured, if any. For each Tab, an information about the corresponding application will be returned. And yes, this will include Private channels as well. As the last step, the output will be exported to two CSV files, one for applications and another one for tabs. You can easily filter those out for a specific Team, channel or app as needed. Sample below:
If you plan to use this script in a production environment, make sure to add some error handling, add support for pagination, handle token expiration, throttling and so on. None of this is currently covered, so don’t expect miracles. Lastly, here’s the download link: https://github.com/michevnew/PowerShell/blob/master/Report_Teams_Apps.ps1
Hello,
we’ve been trying this for the longest time.
I get this error when I use your script-
Unable to obtain access token, aborting…
This could be several reasons, I am also new to Graph. I got my application ID from-
https://graph.microsoft.com/v1.0/appCatalogs/teamsApps?$filter=distributionMethod eq ‘organization’
Let me know in case I missed something.
Thanks for help
In order to obtain a token, you need an Azure AD application, not Teams one. Read here: https://docs.microsoft.com/en-us/graph/auth-v2-service
This script is fantastic, thank you so much!
Very nice script. Vasil. Thanks for sharing! FYI: I needed to add -UseBasicParsing for tne web-requests.
To be able to handle pagination and retrieve all teams you could add a check for the odata.nextLink where the teams are retrieved:
$url = “https://graph.microsoft.com/beta/groups?`$filter=resourceProvisioningOptions/Any(x:x eq ‘Team’)”
$Teams = @()
while ($url){
Write-Output “Fetching teams..”
$webrequest = Invoke-WebRequest -Headers $AuthHeader1 -Uri $url -UseBasicParsing -ErrorAction Stop
$result = $webrequest.Content | ConvertFrom-Json
if($result.value)
{
$Teams += $result.value
}
if($result.’@odata.nextLink’)
{
$url = $result.’@odata.nextLink’
}
else
{
$url = $null
}
}
Thanks Sondre. As with most of my other stuff, it’s a basic proof of concept script, not something designed to handle every scenario 🙂
Script works great, thank you so much. One Question: How can I get to report on more than 100 Teams?
You will have to add pagination, see the previous comments above.
Thank Vasil, I tried to add that code to the script, but it seems to be failing.
At P:\ListAllApps.ps1:37 char:13
+ if($result.’@odata.nextLink’)
+ ~~~~~~~~~~~~~~~~~~~~
Unexpected token ‘€™@odata.nextLink’’ in expression or statement.
At P:\ListAllApps.ps1:37 char:13
+ if($result.’@odata.nextLink’)
+ ~~~~~~~~~~~~~~~~~~~~
Missing closing ‘)’ after expression in ‘if’ statement.
At P:\ListAllApps.ps1:26 char:13
+ while ($url){
+ ~
Missing closing ‘}’ in statement block or type definition.
At P:\ListAllApps.ps1:37 char:33
+ if($result.’@odata.nextLink’)
+ ~
Unexpected token ‘)’ in expression or statement.
At P:\ListAllApps.ps1:39 char:17
+ $url = $result.’@odata.nextLink’
+ ~~~~~~~~~~~~~~~~~~~~
Unexpected token ‘€™@odata.nextLink’’ in expression or statement.
At P:\ListAllApps.ps1:45 char:1
+ }
+ ~
Unexpected token ‘}’ in expression or statement.
+ CategoryInfo : ParserError: (:) [], ParseException
+ FullyQualifiedErrorId : UnexpectedToken
Do you know where I would add it within your script?
I’ve updated the script to handle larger set of Teams.
Thanks Vasil.