To run Purple Knight in your Azure AD environment, you need to create and update the app registration in Azure AD with a defined and consented set of application permissions for the Microsoft Graph. Jorge de Almeida Pinto, Semperis Senior Solutions Architect and Product Manager, created a PowerShell script that automates this step.
To use the script, you'll need two PowerShell modules, AzureAD and Az.Accounts, and the account creating the application registration must be a Global Admin (granting tenant-wide admin consent to Microsoft Graph application permissions requires that role). The script supports the following tasks:
- Creates or updates the app registration in Azure AD that Purple Knight 1.5 uses to scan Azure AD for vulnerabilities
- Deletes the app registration in Azure AD
- Assigns the required Microsoft Graph application permissions and provides consent when creating or updating the app
- Creates a client secret that by default is valid for one hour when creating or updating the app (if needed, you can provide a custom lifetime in days for the client secret)
- Deletes all client secrets from the app registration in Azure AD
- Displays the tenant ID, the application ID, the assigned and consented permissions, and the client secret to be entered in the Purple Knight executable
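The steps above map onto a handful of AzureAD module cmdlets. The following is an added example, written for this page and not the Semperis script, that performs the same create-or-update, permission assignment, consent and short-lived secret sequence. The display name `PurpleKnight-Scanner`, the single `Directory.Read.All` permission and the `PurpleKnight` secret label are assumptions for illustration; the real script defines its own permission set. Admin consent for application permissions is granted here as app role assignments from the Microsoft Graph service principal to the new service principal, which is what the portal's "Grant admin consent" button does under the hood. Note that Microsoft has retired the AzureAD module in favour of Microsoft Graph PowerShell, so treat this as a reference for the procedure rather than a long-term tool.

```powershell
# Added example, not the Semperis Purple Knight script.
# Assumes: AzureAD module installed, signed-in account is a Global Admin,
# and the permission list below is illustrative only.
param(
    [string]$DisplayName = 'PurpleKnight-Scanner',        # assumed name
    [string[]]$GraphAppRoles = @('Directory.Read.All'),  # illustrative, not Purple Knight's real set
    [int]$SecretLifetimeDays = 0                         # 0 => one hour, as in the script's default
)

Import-Module AzureAD -ErrorAction Stop
Connect-AzureAD | Out-Null
$tenant = Get-AzureADTenantDetail

# Microsoft Graph's well-known application (client) ID; its service principal
# carries the catalogue of app roles (application permissions) we can request.
$graphAppId = '00000003-0000-0000-c000-000000000000'
$graphSp = Get-AzureADServicePrincipal -Filter "appId eq '$graphAppId'"

# Resolve permission names to app role IDs; fail loudly on a typo rather than
# silently registering an app with fewer rights than expected.
$roleIds = @(foreach ($name in $GraphAppRoles) {
    $role = $graphSp.AppRoles | Where-Object {
        $_.Value -eq $name -and $_.AllowedMemberTypes -contains 'Application'
    }
    if (-not $role) { throw "Unknown Graph application permission: $name" }
    $role.Id
})

# RequiredResourceAccess is what shows up under "API permissions" in the manifest.
$access = New-Object Microsoft.Open.AzureAD.Model.RequiredResourceAccess
$access.ResourceAppId = $graphAppId
$access.ResourceAccess = @(foreach ($id in $roleIds) {
    New-Object Microsoft.Open.AzureAD.Model.ResourceAccess -ArgumentList $id, 'Role'
})

# Create or update: reuse a registration with the same display name so re-runs
# adjust permissions instead of piling up duplicate apps.
$app = Get-AzureADApplication -Filter "displayName eq '$DisplayName'" | Select-Object -First 1
if ($app) {
    Set-AzureADApplication -ObjectId $app.ObjectId -RequiredResourceAccess @($access)
} else {
    $app = New-AzureADApplication -DisplayName $DisplayName -RequiredResourceAccess @($access)
}

# Consent is recorded on the service principal (enterprise app), so ensure one exists.
$sp = Get-AzureADServicePrincipal -Filter "appId eq '$($app.AppId)'"
if (-not $sp) { $sp = New-AzureADServicePrincipal -AppId $app.AppId }

# Grant admin consent: one app role assignment per permission, from Graph's SP
# to ours. The service rejects a duplicate assignment, so a re-run is harmless.
foreach ($id in $roleIds) {
    try {
        New-AzureADServiceAppRoleAssignment -ObjectId $sp.ObjectId -PrincipalId $sp.ObjectId `
            -ResourceId $graphSp.ObjectId -Id $id | Out-Null
    } catch {
        Write-Verbose "App role $id already assigned or rejected: $($_.Exception.Message)"
    }
}

# Client secret: one hour unless a custom lifetime in days was requested.
# The value is only returned at creation time, so it is printed once below.
$start = Get-Date
$end = if ($SecretLifetimeDays -gt 0) { $start.AddDays($SecretLifetimeDays) } else { $start.AddHours(1) }
$secret = New-AzureADApplicationPasswordCredential -ObjectId $app.ObjectId `
    -CustomKeyIdentifier 'PurpleKnight' -StartDate $start -EndDate $end

# Everything the Purple Knight executable asks for, in one object.
[pscustomobject]@{
    TenantId    = $tenant.ObjectId
    AppId       = $app.AppId
    Permissions = $GraphAppRoles
    Expires     = $end
    Secret      = $secret.Value
}
```

Run it as `.\Register-ScannerApp.ps1 -SecretLifetimeDays 7` to get a week-long secret, or with no arguments for the one-hour default. The short default matters: the secret is a bearer credential with tenant-wide read rights, and it is echoed to the console, so the less time it is valid after the scan the better. Removing secrets afterwards is `Get-AzureADApplicationPasswordCredential -ObjectId $app.ObjectId | ForEach-Object { Remove-AzureADApplicationPasswordCredential -ObjectId $app.ObjectId -KeyId $_.KeyId }`, and `Remove-AzureADApplication -ObjectId $app.ObjectId` deletes the registration entirely, matching the script's cleanup tasks.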
See the full list of functions and examples and download the Purple Knight 1.5 PowerShell script at the Semperis GitHub account.