Add service principals to the evaluation scope of AAD ScubaGear policy checks 7.1 through 7.5

[tkol2022]

💡 Summary

The scope of this task is to enhance ScubaGear AAD policy checks 7.1 through 7.5 to include service principal identities. The existing code only processes regular user accounts and groups. It makes sense to add service principals to the assessment because they are frequently assigned to highly privileged roles and therefore carry a lot of risk just like regular users.

Implementation notes

• Examine the current code to determine where the gaps are (i.e. which parts are missing the processing of service principals)
• Determine which MS Graph modules and cmdlets we need to add to support the new capability
• Perform hands-on prototyping of the new cmdlets to understand their parameters and outputs

[tkol2022]

Hands on Code Review and AAD Functional Analysis

I performed a review of the ScubaGear AAD Get-PrivilegedUser function because this is the code that creates a list of privileged_users that the Rego uses for AAD policies 7.1 through 7.5. Via the code review and hands-on testing in AAD by assigning service principals to various privileged roles, I determined:

1. You can only assign a service principal to a role as an Active assignment so we don't need to check for service principals in Eligible assignments. The same applies in PIM for Groups. In PIM for Groups you can only assign a service principal to a PIM group as Active. Below is an example of a service principal assigned to the Exchange Administrator role.
   

2. The Get-MgBetaDirectoryRoleMember cmdlet we are using to get a list of items Active assigned to a role returns a list which can include the type #microsoft.graph.servicePrincipal. We can add code for this case and then grab the metadata about the service principal and add it to the privileged_users JSON object that gets sent to the Rego.

[tkol2022]

MS Graph Powershell cmdlet Analysis

To get the metadata about the service principal (including Displayname), we need the Cmdlet below. Since it is in a Graph module that we don't currently have in ScubaGear (microsoft.graph.beta.applications), we'd need to add the module to the setup script. The cmdlet can work with the existing permission in ScubaGear Directory.Read.All so we don't need a new permission.

install-module microsoft.graph.beta.applications

Get-MgBetaServicePrincipal -ServicePrincipalId 4e56eea2-2307-4f1a-8c4e-3eaec5c21a3c

[tkol2022]

ScubaGear AAD Policy Impact Analysis

This section describes how the addition of service principals to the code will enhance or impact each of the policies in section 7 of the Azure AD baseline. It is important to understand that organizations that previously used ScubaGear may receive different assessment outputs from the tool after we include the service principal functionality.

• Policy 7.1 - The policy check will have the ability to include service principals in the count of Global Administrators.
• Policy 7.2 - If any service principals are assigned to highly privileged roles, they will be counted in the least privileged calculation.
• Policy 7.3 - This policy should not be impacted because we do not expect service principals to have an OnPremisesImmutableId value.
• Policy 7.4 - If any service principals are assigned to highly privileged roles, the organization will Fail this policy if the assignments are permanent. Since we expect service principals to have permanent active assignments in common cases, the user of ScubaGear will need to create an exception for this policy by adding the service principal identifier to the config file exclusions.
• Policy 7.5 - If any service principals are assigned to highly privileged roles outside of Azure AD PIM, they will be included in this policy check and Fail the policy. If the user assigns the service principals to roles using AAD PIM, then they will Pass the policy. No surprises with this policy - it will behave the same as with regular users but include service principals as well.

[tkol2022]

Changed the issue status to Blocked at the request from CISA to have a discussion about how to integrate service principals into our baseline. It may require new baseline statements that are specific to service principals.

[tkol2022]

After discussing with CISA, the plan is to augment ScubaGear to grab the list of service principals and their respective highly privileged roles and display them in the report. Once this is implemented, CISA will work with agencies to examine the data for a period of time, and then we will determine if new Scuba policies are necessary and design what they should be. #934 was created for the coding enhancement.