I thought it would be a quick Google search to find a PowerShell script that gives a report on applications published via Entra application proxy, but I found only scripts (link1, link2, link3) using the AzureAD PowerShell module, so I decided to write a new version using Graph PowerShell.
The script:
#Requires -Modules Microsoft.Graph.Beta.Applications

# Delegated sign-in; per the documentation, Directory.ReadWrite.All is required.
Connect-MgGraph -Scopes 'Directory.ReadWrite.All'

# List every application proxy connector group in the tenant.
$AppProxyConnectorGroups = Get-MgBetaOnPremisePublishingProfileConnectorGroup -OnPremisesPublishingProfileId applicationproxy

$AppProxyPublishedApps = foreach ($connector in $AppProxyConnectorGroups) {
    # Applications assigned to this connector group.
    Get-MgBetaOnPremisePublishingProfileConnectorGroupApplication -ConnectorGroupId $connector.Id -OnPremisesPublishingProfileId applicationproxy | ForEach-Object {
        # The publishing details (URLs) are only returned when explicitly selected.
        $onpremisesPublishingInfo = (Get-MgBetaApplication -ApplicationId $_.Id -Property onPremisesPublishing).OnPremisesPublishing
        [pscustomobject]@{
            DisplayName        = $_.DisplayName
            Id                 = $_.Id
            AppId              = $_.AppId
            ExternalURL        = $onpremisesPublishingInfo.ExternalUrl
            InternalURL        = $onpremisesPublishingInfo.InternalUrl
            ConnectorGroupName = $connector.Name
            ConnectorGroupId   = $connector.Id
        }
    }
}

$AppProxyPublishedApps
Some story
The Entra portal still uses the https://main.iam.ad.ext.azure.com/api/ApplicationProxy/ConnectorGroups endpoint to display the connector groups.
So the next step was to figure out if there are some Graph API equivalents. Google search: graph connectorgroups site:microsoft.com led me to this page: https://learn.microsoft.com/en-us/graph/api/connectorgroup-list?view=graph-rest-beta&preserve-view=true&tabs=http
From this point it was “easy” to follow the logic of previously linked scripts and “translate” AzureAD PowerShell commands to Graph PS.
Note: as per the documentation, Directory.ReadWrite.All permission is required and only delegated permissions work.
As an alternative, I share the original script, which did not use these commands from Microsoft.Graph.Beta.Applications:

#Requires -Modules Microsoft.Graph.Authentication

# Delegated sign-in; per the documentation, Directory.ReadWrite.All is required.
Connect-MgGraph -Scopes 'Directory.ReadWrite.All'

# List every application proxy connector group in the tenant.
$AppProxyConnectorGroups = Invoke-MgGraphRequest -Uri 'https://graph.microsoft.com/beta/onPremisesPublishingProfiles/applicationproxy/connectorgroups' -Method GET

# Collect the applications assigned to each connector group.
$AppProxyPublishedApps = foreach ($connector in $AppProxyConnectorGroups.value) {
    $publishedApps = Invoke-MgGraphRequest -Uri "https://graph.microsoft.com/beta/onPremisesPublishingProfiles/applicationproxy/connectorgroups/$($connector.id)/applications" -Method GET
    foreach ($app in $publishedApps.value) {
        [PSCustomObject]@{
            DisplayName        = $app.DisplayName
            id                 = $app.id
            appId              = $app.appId
            ConnectorGroupName = $connector.name
            ConnectorGroupID   = $connector.id
        }
    }
}

# Add the publishing details (URLs and pre-authentication type) for each application.
$AppProxyReport = foreach ($publishedApp in $AppProxyPublishedApps) {
    $onpremisesPublishingInfo = Invoke-MgGraphRequest -Uri "https://graph.microsoft.com/beta/applications/$($publishedApp.id)?`$select=onpremisespublishing" -Method GET
    [PSCustomObject]@{
        DisplayName                = $publishedApp.DisplayName
        id                         = $publishedApp.id
        appid                      = $publishedApp.appId
        ConnectorGroupName         = $publishedApp.ConnectorGroupName
        ConnectorGroupID           = $publishedApp.ConnectorGroupID
        ExternalURL                = $onpremisesPublishingInfo.onPremisesPublishing.externalUrl
        InternalURL                = $onpremisesPublishingInfo.onPremisesPublishing.internalUrl
        externalAuthenticationType = $onpremisesPublishingInfo.onPremisesPublishing.externalAuthenticationType
    }
}

# Output the report.
$AppProxyReport
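The externalAuthenticationType column collected above is the part of the report worth auditing. The following is an added example, not part of the original script: it classifies report rows by pre-authentication mode so passthrough apps sort to the top. The helper name Get-AppProxyAuthFinding and the sample rows are made up for illustration; the values aadPreAuthentication and passthru are assumed from the Graph onPremisesPublishing resource documentation.

```powershell
# Added example. Get-AppProxyAuthFinding is a hypothetical helper name.
function Get-AppProxyAuthFinding {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$ReportRow
    )
    process {
        # Cast so a missing property becomes an empty string instead of $null.
        $authType = [string]$ReportRow.externalAuthenticationType
        if ($authType -eq 'aadPreAuthentication') {
            $finding = 'OK'
            $reason  = 'Entra pre-authentication is required before the backend is reached'
        } elseif ($authType -eq 'passthru') {
            $finding = 'REVIEW'
            $reason  = 'Passthrough: users reach the backend without signing in to Entra first'
        } elseif ([string]::IsNullOrWhiteSpace($authType)) {
            $finding = 'UNKNOWN'
            $reason  = 'externalAuthenticationType missing from the report row'
        } else {
            $finding = 'UNKNOWN'
            $reason  = "Unrecognized externalAuthenticationType '$authType'"
        }
        [pscustomobject]@{
            Finding            = $finding
            DisplayName        = $ReportRow.DisplayName
            ExternalURL        = $ReportRow.ExternalURL
            ConnectorGroupName = $ReportRow.ConnectorGroupName
            Reason             = $reason
        }
    }
}

# Constructed sample rows shaped like $AppProxyReport; not real tenant data.
$sampleReport = @(
    [pscustomobject]@{ DisplayName = 'HR Portal'; ExternalURL = 'https://hr-contoso.msappproxy.net/'
        ConnectorGroupName = 'Default'; externalAuthenticationType = 'aadPreAuthentication' }
    [pscustomobject]@{ DisplayName = 'Legacy Wiki'; ExternalURL = 'https://wiki-contoso.msappproxy.net/'
        ConnectorGroupName = 'Default'; externalAuthenticationType = 'passthru' }
    [pscustomobject]@{ DisplayName = 'Half-configured App'; ExternalURL = $null
        ConnectorGroupName = 'DMZ'; externalAuthenticationType = $null }
)

# REVIEW rows first, then UNKNOWN, then OK.
$order = 'REVIEW', 'UNKNOWN', 'OK'
$sampleReport | Get-AppProxyAuthFinding |
    Sort-Object { [array]::IndexOf($order, $_.Finding) }, DisplayName |
    Format-Table -AutoSize
```

Against a live tenant, pipe $AppProxyReport into the function instead of $sampleReport.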