-
Notifications
You must be signed in to change notification settings - Fork 238
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add high risk application/service principal permissions into ScubaResults.json #1462
base: main
Are you sure you want to change the base?
Add high risk application/service principal permissions into ScubaResults.json #1462
Conversation
a4e91ca
to
b208a3a
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I noticed code at the top of the AADRiskyPermissionsHelper that is not part of an obvious code block. It is just floating there. I would prefer if we move it into a block of code. Is there somewhere where we load up global variables or something like that?
Addam's input
I asked @schrolla for his opinion and he said:
Either repeat or turn it into a function of it's own and call it within the others.
So maybe a GetPermissionsJson private function and then just call it where needed in each function to do $PermissionsJson = Get-PermissionsJson() and retrieve the needed object.
Might even think about putting that function in the Utility module in case other parts of the code eventually want to access that file. But I don't think that's strictly necessary here.
BugGet-ApplicationsWithRiskyPermissions does not handle API permissions that belong to apps not listed in the "resources" section of RiskyPermissions.json. I tested in Test Tenant 3 (E5) and it failed on this line: I tracked down what was happening and the application being audited had an API permission assigned which belongs to an app that you don't have in the RiskyPermissions.json. Potential fixCheck if the app id that the permission belongs to is in the "resources" section of RiskyPermissions.json and if not, you can skip it. |
Variable name change recommendationI recommend to rename the variable "Resource" in Get-ApplicationsWithRiskyPermissions. It is not clear which resource we are referring to. Maybe "ResourceAppDisplayName" or something like that because the variable indicates the name of the application that a specific permission belongs to. If you use the same name elsewhere to mean the same thing, then I would change that too. |
BugIn ExportAADProvider where the Get-FirstPartyRiskyApplications and Get-ThirdPartyRiskyServicePrincipals functions are called, I recommend adding parameter validation to ensure that the input parameters RiskyApps and RiskySPs are not $null. The reason I noticed this is because during testing, Get-ApplicationsWithRiskyPermissions failed due to error but the code proceeded to call the subsequent functions noted above which then generated more errors and error messages. |
TermsFrom what I have seen in multiple web sites, "first party" can refer to applications developed by Microsoft so we might need to use another term to describe apps that the organization running ScubaGear created and owns. https://learn.microsoft.com/en-us/troubleshoot/entra/entra-id/governance/verify-first-party-apps-sign-in |
Permissions to addMitchel, I recommend adding the permissions below to RiskyPermissions.json. Please review them and if you agree, go ahead and add them. For any additional permissions we can create a future issue to analyze all the Graph permissions and see if we want to augment or make any further changes.
More types of risksIn the future we might want to look at permissions prefixed with DeviceManagement*. There could be some risks that we want to flag there related to exposing user devices. |
Function namingI am wondering if we should rename the functions Get-FirstPartyRiskyApplications and Get-ThirdPartyRiskyServicePrincipals to more closely align with what they actually do and distinguish them from Get-ApplicationsWithRiskyPermissions and Get-ServicePrincipalsWithRiskyPermissions? Also the term "Get" can imply that a function is retrieving data from somewhere (database, graph, M365, etc.) Here is what each seems to do:
|
Test Results - Test Tenant 1 (G5)
The code flagged the following numbers of objects as being associated with risk in the tenant: Missing test dataWe need some test data for the KeyCredentials, PasswordCredentials and FederatedCredentials fields for objects in the third_party_risky_service_principals node of ScubaResults because right now, the service principals that were flagged have empty data in those fields. |
Test Results - Test Tenant 6 (GCC high) & Test Tenant 2 (G3)The code fails with what appears to be the same problem as reported in an earlier comment. Identical error against both tenants. |
#1471 has been added for future improvements to RiskyPermissions.json |
Performance ProfilingI noticed that the addition of the new code appears to add significant time to the execution of the AAD provider so I did some performance profiling. I tried out a couple of potential solutions and will follow-up by email with sample code and specifics. The cmdlet Get-MgBetaServicePrincipalAppRoleAssignment is invoked 720 times when running against the G5 test tenant and that is the root cause of the execution time because each one of those is a REST API call to Graph. *execution times in screenshots below are in seconds. Current code performancePotential solution 1Potential solution 2 |
…e to map risky SP perms; doing the same for applications
…eds assigned to applications
… with imported json files
8f214c2
to
f3d89d8
Compare
🗣 Description
Adds a new module AADRiskyPermissionsHelper.psm1 which has the following functions:
These functions serve the purpose of parsing application and service principal objects for risky permissions. The result can be found in ScubaResults.json with the following keys:
first_party_risky_applications
andthird_party_risky_service_principals
.First-party applications refer to applications created within a local tenant, while third-party service principals refer to service principals owned by an external tenant.
New Microsoft commandlets added:
💭 Motivation and context
Closes #1327
Part of ongoing work for epic #1073
Created #1463 as a follow-up issue
🧪 Testing
How to run Pester tests
Checkout this PR's feature branch locally, then from the the root directory run the following commands:
Export-AADProvider.Tests.ps1 was modified since we call the above functions in Export-AADProvider.psm1. Run all AAD provider tests to ensure they pass:
Create a new report, verify
first_party_risky_applications
andthird_party_risky_service_principals
are added in ScubaResults.json.✅ Pre-approval checklist
✅ Pre-merge checklist
PR passed smoke test check.
Feature branch has been rebased against changes from parent branch, as needed
Use
Rebase branch
button below or use this reference to rebase from the command line.Resolved all merge conflicts on branch
Notified merge coordinator that PR is ready for merge via comment mention
Demonstrate changes to the team for questions and comments.
(Note: Only required for issues of size
Medium
or larger)✅ Post-merge checklist