Add service principal assigned roles to the AAD report #934

tkol2022 opened this issue Feb 23, 2024 · 2 comments · May be fixed by #1467
tkol2022 commented Feb 23, 2024

💡 Summary

Based on issue #887 we are going to add a list of service principals and their assigned highly privileged roles to the AAD report.

Motivation and context

The purpose of this information is to inform CISA about the current state of service principals in agency tenants and specifically which highly privileged roles they possess. Based on the information gathered, the Scuba AAD baseline may be augmented in the future with new policies targeting service principals.

Implementation notes

  • Create a new hashtable in the provider JSON named privileged_service_principals. This is very similar to the existing privileged_users table. It will contain a list of the service principals and their respective highly privileged roles. Only service principals with highly privileged roles are to be included. Reference Add service principals to the evaluation scope of AAD ScubaGear policy checks 7.1 through 7.5 #887 for coding guidance since it contains the APIs needed.
  • Display this new hashtable in the AAD HTML report at the bottom after the conditional access table
  • Test against all tenant types
  • Update the unit tests
  • Update the functional tests
@tkol2022 tkol2022 added the enhancement This issue or pull request will add new or improve existing functionality label Feb 23, 2024
@schrolla schrolla added this to the Halibut milestone Mar 11, 2024
@schrolla schrolla modified the milestones: Halibut, Jellyfish Jul 10, 2024
tkol2022 commented Aug 8, 2024

I believe the scope of changes for this issue is going to be to add new code to the Get-PrivilegedUser function to get the list of service principals assigned to privileged roles. We only need to be concerned about Active assignments because AAD does not allow service principals to be Eligible assigned. I tested this and when I tried to create an eligible assignment I received an error message.

tkol2022 commented Aug 8, 2024

This is the part of the AAD provider code we would need to augment. The Get-MgBetaDirectoryRoleMember returns a list of items and for service principals the type returned would be #microsoft.graph.servicePrincipal so we can probably just augment the if statement with another "elseif ($Objecttype -eq "servicePrincipal")". See screenshot.

Then we could use this code which returns an item that has a DisplayName.

Get-MgBetaServicePrincipal -serviceprincipalid 3e56ffa2-1707-4f1a-8c4e-3eaec5c21d3f
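One way the branch described in this thread could look end to end, as an added example that is not ScubaGear's own code: it walks a constructed list of privileged role names, keeps only the role members whose Graph type is servicePrincipal, resolves each one with Get-MgBetaServicePrincipal, and builds a table shaped like privileged_users. It assumes the Microsoft.Graph.Beta modules are installed and Connect-MgGraph has already been run with directory read permission; the role names are a sample, not the project's list.

```powershell
# Added example (not ScubaGear's own code). Assumes Microsoft.Graph.Beta modules are
# installed and Connect-MgGraph has already run with directory read permissions.
# The role list below is a constructed sample; the project keeps its own list in the provider.
$PrivilegedRoles = @('Global Administrator', 'Privileged Role Administrator')

function Get-PrivilegedServicePrincipal {
    param([string[]]$RoleNames)
    # Keyed by service principal object id; each value holds its display name and role list
    $Result = @{}
    foreach ($RoleName in $RoleNames) {
        # Directory roles only expose active membership; as noted in the thread, service
        # principals cannot hold Eligible assignments, so this is the complete picture.
        $Role = Get-MgBetaDirectoryRole -Filter "displayName eq '$RoleName'"
        if (-not $Role) { continue }   # role not activated in this tenant, nothing to list
        $Members = Get-MgBetaDirectoryRoleMember -DirectoryRoleId $Role.Id -All
        foreach ($Member in $Members) {
            # Graph reports the concrete type in @odata.type, e.g. "#microsoft.graph.servicePrincipal";
            # strip the prefix so the comparison matches the "servicePrincipal" check from the thread
            $ObjectType = $Member.AdditionalProperties['@odata.type'] -replace '^#microsoft\.graph\.', ''
            if ($ObjectType -ne 'servicePrincipal') { continue }   # users and groups handled elsewhere
            if (-not $Result.ContainsKey($Member.Id)) {
                # Resolve once per principal; the member object alone lacks DisplayName
                $Sp = Get-MgBetaServicePrincipal -ServicePrincipalId $Member.Id
                $Result[$Member.Id] = @{
                    DisplayName = $Sp.DisplayName
                    AppId       = $Sp.AppId
                    roles       = @()
                }
            }
            # A principal in several privileged roles gets one entry with every role listed
            $Result[$Member.Id].roles += $RoleName
        }
    }
    return $Result
}

# Same shape as the privileged_users table: one entry per principal with all of its privileged roles
$PrivilegedServicePrincipals = Get-PrivilegedServicePrincipal -RoleNames $PrivilegedRoles
$PrivilegedServicePrincipals | ConvertTo-Json -Depth 4
```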

@tkol2022 tkol2022 modified the milestones: Jellyfish, Kraken Sep 24, 2024
@dagarwal-mitre dagarwal-mitre self-assigned this Oct 22, 2024
@dagarwal-mitre dagarwal-mitre linked a pull request Dec 10, 2024 that will close this issue
@schrolla schrolla modified the milestones: Kraken, Lionfish Dec 19, 2024