💡 Summary
As part of the epic related to improving the security of M365 service principals, the scope of this issue is to perform hands-on prototyping to develop a method and code that ScubaGear could use to report on service principals that have risky MS Graph and other permissions. A secondary feature is to report on service principals that have credentials assigned to them.

- Develop an initial list of Graph permissions that could be considered high risk if abused. For example, the RoleManagement.ReadWrite.Directory application permission lets an attacker who controls the service principal assign the Global Administrator role to a principal of their choosing, including themselves.
- Write code or document a set of cmdlets to report on a list of service principals with these permissions.
- Write code or document a set of cmdlets to report on a list of service principals with credentials (certificate or secret) assigned to them.
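A prototype that covers all three tasks in one script, written as an added example for this page rather than taken from ScubaGear or from the scripts linked below. It assumes the Microsoft Graph PowerShell SDK 2.x (Microsoft.Graph.Authentication and Microsoft.Graph.Applications modules) and an account that can consent to Application.Read.All and Directory.Read.All; the $RiskyGraphPermissions list is an illustrative starting point, not a vetted baseline.

```powershell
# Added example, not ScubaGear code. Assumes Microsoft Graph PowerShell SDK 2.x and an
# account able to consent to Application.Read.All / Directory.Read.All.
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Applications

# Illustrative starting list of Graph *application* permissions to flag (assumption:
# not a vetted baseline; extend it from the permission lists linked on this issue).
$RiskyGraphPermissions = @(
    'RoleManagement.ReadWrite.Directory'  # assign any directory role, e.g. Global Administrator
    'AppRoleAssignment.ReadWrite.All'     # grant any app role, including the one above
    'Application.ReadWrite.All'           # add a credential to any app and sign in as it
    'Directory.ReadWrite.All'
    'Policy.ReadWrite.ConditionalAccess'
    'Mail.ReadWrite'
    'Mail.Read'
    'Files.ReadWrite.All'
    'Sites.ReadWrite.All'
    'User.ReadWrite.All'
    'Group.ReadWrite.All'
)

Connect-MgGraph -Scopes 'Application.Read.All', 'Directory.Read.All' -NoWelcome

# --- Task 2: service principals holding risky Graph application permissions ---
# The Microsoft Graph service principal (same appId in every tenant) defines the app
# roles; its appRoleAssignedTo collection lists every principal granted one of them,
# so one call covers the whole tenant instead of one call per service principal.
$graphSp  = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
$roleName = @{}
foreach ($role in $graphSp.AppRoles) { $roleName[$role.Id] = $role.Value }

$riskyAssignments = Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $graphSp.Id -All |
    Where-Object { $_.PrincipalType -eq 'ServicePrincipal' } |
    ForEach-Object {
        $perm = $roleName[$_.AppRoleId]
        if ($RiskyGraphPermissions -contains $perm) {
            [pscustomobject]@{
                ServicePrincipalId = $_.PrincipalId
                DisplayName        = $_.PrincipalDisplayName
                Permission         = $perm
            }
        }
    }

# --- Task 3: credentials ---
# Secrets and certificates normally live on the app registration (application object),
# but they can also be added directly to the service principal. Both allow sign-in,
# so both are enumerated. For a multi-tenant app owned by another tenant only the
# service principal is visible here.
function ConvertTo-CredentialRow {
    param($Object, [string]$ObjectType)
    $sets = @{ Certificate = $Object.KeyCredentials; Secret = $Object.PasswordCredentials }
    foreach ($kind in $sets.Keys) {
        foreach ($c in @($sets[$kind])) {
            if ($null -eq $c) { continue }
            [pscustomobject]@{
                AppId          = $Object.AppId
                DisplayName    = $Object.DisplayName
                ObjectType     = $ObjectType
                CredentialType = $kind
                KeyId          = $c.KeyId
                EndDateTime    = $c.EndDateTime
                Expired        = ($c.EndDateTime -lt (Get-Date))
            }
        }
    }
}

$credProps = 'Id', 'AppId', 'DisplayName', 'KeyCredentials', 'PasswordCredentials'
$appCreds  = Get-MgApplication -All -Property $credProps |
    ForEach-Object { ConvertTo-CredentialRow -Object $_ -ObjectType 'Application' }

$appIdOfSp = @{}   # service principal object id -> appId, used for the join below
$spCreds   = Get-MgServicePrincipal -All -Filter "servicePrincipalType eq 'Application'" -Property $credProps |
    ForEach-Object {
        $appIdOfSp[$_.Id] = $_.AppId
        ConvertTo-CredentialRow -Object $_ -ObjectType 'ServicePrincipal'
    }
$credRows = @($appCreds) + @($spCreds) | Where-Object { $_ }

# --- Combined view: a stolen credential for one of these SPs yields the permission ---
$riskyWithCreds = foreach ($a in $riskyAssignments) {
    $creds = $credRows | Where-Object { $_.AppId -eq $appIdOfSp[$a.ServicePrincipalId] }
    if ($creds) {
        [pscustomobject]@{
            DisplayName = $a.DisplayName
            Permission  = $a.Permission
            Credentials = ($creds | ForEach-Object { "$($_.ObjectType)/$($_.CredentialType)" }) -join ', '
        }
    }
}

'== Service principals with risky Graph application permissions =='
$riskyAssignments | Sort-Object DisplayName, Permission | Format-Table -AutoSize
'== Credentials on app registrations and service principals =='
$credRows | Sort-Object DisplayName | Format-Table DisplayName, ObjectType, CredentialType, EndDateTime, Expired -AutoSize
'== Risky permission AND a credential (highest priority) =='
$riskyWithCreds | Format-Table -AutoSize
```

Two scope caveats for anyone extending this: it reports only application (app-only) permissions, since delegated permissions are oauth2PermissionGrant objects and need a separate query; and it looks only at the Microsoft Graph resource, so app roles on other resource service principals (for example Exchange Online's full_access_as_app) are found by repeating the Get-MgServicePrincipalAppRoleAssignedTo step against that resource's service principal.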
Literature for reference
Example code:
- https://github.com/12Knocksinna/Office365itpros/blob/master/ReportPermissionsApps.PS1
- https://github.com/mandiant/Mandiant-Azure-AD-Investigator/blob/master/MandiantAzureADInvestigator.psm1#L430
Example permissions lists:
- https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/aad/apps/risky-aad-app-perms/
- https://www.tenable.com/indicators/ioe/entra/DANGEROUS-API-PERMISSIONS-AFFECTING-THE-TENANT
Implementation notes
- https://dirkjanm.io/azure-ad-privilege-escalation-application-admin/
- https://www.semperis.com/blog/unoauthorized-privilege-elevation-through-microsoft-applications/