PowerShell script for Microsoft Teams messages Scanning

Article ID: 387939

Updated On: 02-11-2025

Products

CASB Security Premium, CASB Security Standard, CASB Securlet SAAS, CASB Security Advanced

Issue/Introduction

Scanning Microsoft Teams messages requires registering a custom OAuth application in the customer's Azure (Microsoft Entra ID) tenant. This KB provides the PowerShell script used in Step 1, Enable OAuth, of the Microsoft Teams Remediation Options tech doc.

Resolution

Download the attached azure_ad_app_creation.ps1 script, or copy the following code and save it as a .ps1 file. The script uses the Microsoft Graph PowerShell SDK (Microsoft.Graph module) and must be run by an account allowed to create app registrations. It takes the path to the PEM-encoded public certificate and that certificate's thumbprint, registers the application with the Microsoft Graph application permissions Teams scanning needs, and creates its service principal. All of the permissions are application permissions (Type = Role), so a tenant administrator still has to grant admin consent afterwards; until then the app cannot read any Teams content.

param (
    # Path to the PEM-encoded public certificate that becomes the app's credential
    [Parameter(Mandatory=$true)]
    [string]$CertPemPath,
    # SHA-1 thumbprint of that same certificate
    [Parameter(Mandatory=$true)]
    [string]$CertThumbprint,
    [string]$AppName = "CSOC - Office 365 Teams Application"
)

# Connect to Microsoft Graph if not already connected
if (!(Get-MgContext)) {
    Connect-MgGraph -Scopes "Application.ReadWrite.All", "AppRoleAssignment.ReadWrite.All"
}

try {
    if (-not (Test-Path -Path $CertPemPath)) {
        throw "File at path '$CertPemPath' does not exist."
    }
} catch {
    Write-Output "Error: $_"
    Exit 1
}

# Check if an application with the specified name already exists
$app = Get-MgApplication -Filter "displayName eq '$AppName'" -ConsistencyLevel eventual -CountVariable count

if ($count -gt 0) {
    Write-Output "An application with the name '$AppName' already exists. Skipping app creation."
    return
}


# Function to convert a PEM-encoded certificate to Base64-encoded DER
function ConvertPemToBase64Der {
    param (
        [string]$pemFilePath
    )
    $pemText = Get-Content -Path $pemFilePath -Raw
    # Only the public certificate belongs in the app registration; warn if the file also carries a key
    if ($pemText -match 'PRIVATE KEY') {
        Write-Warning "'$pemFilePath' also contains a private key. Only the certificate block is uploaded; keep the key file protected."
    }
    # Take the body of the first BEGIN/END CERTIFICATE block (tolerates 'Bag Attributes' or other lines around it)
    if ($pemText -notmatch '(?s)-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----') {
        throw "No '-----BEGIN CERTIFICATE-----' block found in '$pemFilePath'."
    }
    $pemBinary = [Convert]::FromBase64String(($Matches[1] -replace '\s', ''))
    # Parsing the bytes as an X.509 certificate proves they really are one before they are uploaded
    $null = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($pemBinary)
    # Return Base64-encoded DER format
    return [Convert]::ToBase64String($pemBinary)
}

# Convert the certificate in PEM format to Base64-encoded DER
$CertBase64 = ConvertPemToBase64Der -pemFilePath $CertPemPath

# Define required Microsoft Graph application permissions (Type = Role); each needs tenant-wide admin consent
$requiredPermissions = @(
    # Graph permissions
    @{
        ResourceAppId = "00000003-0000-0000-c000-000000000000";
        ResourceAccess = @(
                # Chat.UpdatePolicyViolation.All
                @{
                    Id = "7e847308-e030-4183-9899-5235d7270f58"
                    Type = "Role"
                },
                # ChannelMessage.UpdatePolicyViolation.All
                @{
                    Id = "4d02b0cc-d90b-441f-8d82-4fb55c34d6bb"
                    Type = "Role"
                },
                # Chat.Read.All
                @{
                    Id = "6b7d71aa-70aa-4810-a8d9-5d9fb2830017"
                    Type = "Role"
                },
                # ChannelMessage.Read.All
                @{
                    Id = "7b2449af-6ccd-4f4d-9f78-e550c193f0d1"
                    Type = "Role"
                },
                # InformationProtectionPolicy.Read.All
                @{
                    Id = "19da66cb-0fb0-4390-b071-ebc76a349482"
                    Type = "Role"
                }
            )
    }
)

# Graph expects customKeyIdentifier as the raw thumbprint bytes. Accept the thumbprint either as
# 40 hex characters (as shown by the Azure portal, certutil or 'openssl x509 -fingerprint') or as Base64.
$thumbprint = $CertThumbprint -replace '[\s:]', ''
if ($thumbprint -match '^[0-9A-Fa-f]{40}$') {
    $thumbprintBytes = [byte[]](0..19 | ForEach-Object { [Convert]::ToByte($thumbprint.Substring($_ * 2, 2), 16) })
} else {
    $thumbprintBytes = [Convert]::FromBase64String($thumbprint)
}

# Cross-check: the supplied thumbprint must be the SHA-1 hash of the certificate being uploaded,
# otherwise the credential is registered under the wrong identifier and authentication fails later
$certBytes = [Convert]::FromBase64String($CertBase64)
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($certBytes)
$suppliedHex = [BitConverter]::ToString($thumbprintBytes) -replace '-', ''
if ($suppliedHex -ne $cert.Thumbprint) {
    Write-Output "Error: CertThumbprint '$suppliedHex' does not match the certificate in '$CertPemPath' ($($cert.Thumbprint))."
    Exit 1
}

$keyCredentials = @(
    @{
        CustomKeyIdentifier = $thumbprintBytes
        KeyId = [Guid]::NewGuid().ToString()
        Type = "AsymmetricX509Cert"
        Usage = "Verify"
        Key = $certBytes
        DisplayName = "AppCertificate"
    }
)

# Create the Azure AD application with the specified permissions and certificate credential
$app = New-MgApplication -DisplayName $AppName -RequiredResourceAccess $requiredPermissions -KeyCredentials $keyCredentials
if ($null -eq $app) {
    Write-Output "Could not create Azure AD app '$AppName'"
    Exit 1
}

# Create a Service Principal for the application
$sp = New-MgServicePrincipal -AppId $app.AppId

# Output app details
Write-Output "Azure AD Application created successfully!"
Write-Output "----------------------------------------"
Write-Output "Application ID     : $($app.AppId)"
Write-Output "Display Name       : $($app.DisplayName)"
Write-Output "Redirect URIs      : $($app.Web.RedirectUris -join ', ')"
Write-Output "Permissions        :"
foreach ($perm in $requiredPermissions) {
    $resourceName = (Get-MgServicePrincipal -Filter "appId eq '$($perm.ResourceAppId)'").DisplayName
    Write-Output "  Resource: $resourceName"
    foreach ($access in $perm.ResourceAccess) {
        $permType = $access.Type
        Write-Output "    - Type: $permType, ID: $($access.Id)"
    }
}
Write-Output "----------------------------------------"
# Application permissions take effect only after tenant-wide admin consent
Write-Output "Admin consent is required to enable permissions: in the Azure portal open the app's API permissions and choose 'Grant admin consent'."
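
After the script has run, the registration exists but none of the five application permissions is effective until an administrator consents to them. The following script is an added example for this KB, not part of azure_ad_app_creation.ps1: it looks up the service principal by Application ID, reports which of the required Graph roles are already granted (an app role assignment on the Microsoft Graph service principal is what "Grant admin consent" creates for application permissions), flags any extra roles that scanning does not need, and with -Grant assigns the missing ones. It assumes the same Microsoft.Graph SDK cmdlets and the same Graph resource appId and role IDs as the script above; the parameter names and output format are this example's own.

```powershell
# Added example (not from the KB script): verify, and optionally grant, the Teams scanning permissions
param (
    [Parameter(Mandatory=$true)]
    [string]$AppId,        # Application (client) ID printed by azure_ad_app_creation.ps1
    [switch]$Grant         # without -Grant the script only reports
)

$GraphAppId = "00000003-0000-0000-c000-000000000000"
# Application role IDs exactly as registered by azure_ad_app_creation.ps1, keyed by permission name
$RequiredRoles = @{
    "Chat.UpdatePolicyViolation.All"           = "7e847308-e030-4183-9899-5235d7270f58"
    "ChannelMessage.UpdatePolicyViolation.All" = "4d02b0cc-d90b-441f-8d82-4fb55c34d6bb"
    "Chat.Read.All"                            = "6b7d71aa-70aa-4810-a8d9-5d9fb2830017"
    "ChannelMessage.Read.All"                  = "7b2449af-6ccd-4f4d-9f78-e550c193f0d1"
    "InformationProtectionPolicy.Read.All"     = "19da66cb-0fb0-4390-b071-ebc76a349482"
}

if (!(Get-MgContext)) {
    Connect-MgGraph -Scopes "Application.Read.All", "AppRoleAssignment.ReadWrite.All"
}

$sp      = Get-MgServicePrincipal -Filter "appId eq '$AppId'"
$graphSp = Get-MgServicePrincipal -Filter "appId eq '$GraphAppId'"
if (-not $sp)      { throw "No service principal found for appId '$AppId'. Run azure_ad_app_creation.ps1 first." }
if (-not $graphSp) { throw "Microsoft Graph service principal not found in this tenant." }

# Roles already granted to this SP on Microsoft Graph = consented application permissions
$granted = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id |
           Where-Object { $_.ResourceId -eq $graphSp.Id } |
           ForEach-Object { $_.AppRoleId }

Write-Output "Service principal : $($sp.DisplayName) ($($sp.Id))"
foreach ($r in $RequiredRoles.GetEnumerator() | Sort-Object Key) {
    $state = if ($granted -contains $r.Value) { "granted" } else { "MISSING" }
    Write-Output ("  {0,-42} {1}" -f $r.Key, $state)
}

# Least-privilege check: anything consented beyond the five roles is not needed for scanning
foreach ($id in ($granted | Where-Object { $RequiredRoles.Values -notcontains $_ })) {
    $name = ($graphSp.AppRoles | Where-Object { $_.Id -eq $id }).Value
    Write-Output "  EXTRA permission granted, not required for scanning: $name ($id)"
}

$missing = $RequiredRoles.GetEnumerator() | Where-Object { $granted -notcontains $_.Value }
if ($missing -and $Grant) {
    foreach ($r in $missing) {
        # Assigning the app role on the Graph SP is the programmatic form of "Grant admin consent"
        New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -PrincipalId $sp.Id `
            -ResourceId $graphSp.Id -AppRoleId $r.Value | Out-Null
        Write-Output "Granted $($r.Key)"
    }
} elseif ($missing) {
    Write-Output "Re-run with -Grant, signed in with a role permitted to grant tenant-wide admin consent, to consent to the missing permissions."
}
```

Run it without -Grant first to see the current state; the EXTRA lines are worth reviewing because Chat.Read.All and ChannelMessage.Read.All already give the app read access to every chat and channel message in the tenant, and nothing beyond the listed roles should be consented to this identity.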

Additional Information

For additional information, please refer to the Activate the O365 Securlet tech doc.

Attachments

azure_ad_app_creation.ps1