Prototype detection of service principals with risky permissions or credentials #1327

tkol2022 opened this issue Sep 23, 2024 · 0 comments
Labels
hands-on-prototyping Reviewing an M365 feature by performing hands-on prototyping

💡 Summary

As part of the epic related to improving the security of M365 service principals, the scope of this issue is to perform hands-on prototyping to develop a method and code that ScubaGear could use to report on service principals that have risky MS Graph and other permissions. A secondary feature is to report on service principals that have credentials assigned to them.

Literature for reference

Example code:
https://github.com/12Knocksinna/Office365itpros/blob/master/ReportPermissionsApps.PS1
https://github.com/mandiant/Mandiant-Azure-AD-Investigator/blob/master/MandiantAzureADInvestigator.psm1#L430
Example permissions list:
https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/aad/apps/risky-aad-app-perms/
https://www.tenable.com/indicators/ioe/entra/DANGEROUS-API-PERMISSIONS-AFFECTING-THE-TENANT

Implementation notes

  • Develop an initial list of Graph permissions that could be considered high risk if abused. For example, the RoleManagement.ReadWrite.Directory permission allows attackers to elevate themselves to the Global Administrator role.
  • Write some code or document a set of cmdlets to report on a list of service principals with these permissions
  • Write code or document a set of cmdlets to report on a list of service principals with credentials (certificate or secret) assigned to them
  • Read the articles below and see if they describe a different security problem that would require a different audit strategy or if what they describe is already covered with the reporting features covered in this issue.
    https://dirkjanm.io/azure-ad-privilege-escalation-application-admin/
    https://www.semperis.com/blog/unoauthorized-privilege-elevation-through-microsoft-applications/
  • Determine how this functionality could be incorporated into ScubaGear
  • Create a separate issue to update ScubaGear if needed.
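A starting point for the two reporting tasks above, added here as an example and not ScubaGear's or the linked projects' code. It assumes the Microsoft.Graph PowerShell SDK is installed and the caller has read-only Application.Read.All consent; the risky-permission list beyond RoleManagement.ReadWrite.Directory is an assumption drawn from the linked permission lists and should be reviewed.

```powershell
# Added example (not ScubaGear code). Assumes the Microsoft.Graph SDK and that
# the caller has been granted the read-only Application.Read.All scope.
Connect-MgGraph -Scopes "Application.Read.All" -NoWelcome

# Initial list of Graph application permissions considered high risk if abused.
# RoleManagement.ReadWrite.Directory comes from the issue; the rest are assumptions.
$RiskyPermissions = @(
    'RoleManagement.ReadWrite.Directory',
    'AppRoleAssignment.ReadWrite.All',
    'Application.ReadWrite.All',
    'Directory.ReadWrite.All'
)

# App role assignments only carry a GUID; map it to the permission name using the
# AppRoles published by the Microsoft Graph service principal (well-known appId).
$GraphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
$RoleNameById = @{}
foreach ($Role in $GraphSp.AppRoles) { $RoleNameById[$Role.Id] = $Role.Value }

$Findings = foreach ($Sp in Get-MgServicePrincipal -All) {
    # Admin-consented application permissions this SP holds against Microsoft Graph
    $Assignments = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $Sp.Id -All |
        Where-Object { $_.ResourceId -eq $GraphSp.Id }
    $Granted = foreach ($A in $Assignments) { $RoleNameById[$A.AppRoleId] }
    $Risky = @($Granted | Where-Object { $RiskyPermissions -contains $_ })

    # Certificates and secrets attached directly to the service principal object
    $CertCount   = @($Sp.KeyCredentials).Count
    $SecretCount = @($Sp.PasswordCredentials).Count

    if ($Risky.Count -gt 0 -or $CertCount -gt 0 -or $SecretCount -gt 0) {
        [PSCustomObject]@{
            DisplayName      = $Sp.DisplayName
            AppId            = $Sp.AppId
            RiskyPermissions = ($Risky -join ', ')
            Certificates     = $CertCount
            Secrets          = $SecretCount
        }
    }
}

$Findings | Sort-Object RiskyPermissions -Descending | Format-Table -AutoSize
```

Credentials added to an app registration live on the application object rather than the service principal, so a complete report also needs a pass over Get-MgApplication for tenant-owned apps.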