ScubaGear
Add service principal assigned roles to the AAD report
💡 Summary
Based on issue #887, we are going to add a list of service principals and their assigned highly privileged roles to the AAD report.
Motivation and context
The purpose of this information is to inform CISA about the current state of service principals in agency tenants and specifically which highly privileged roles they possess. Based on the information gathered, the Scuba AAD baseline may be augmented in the future with new policies targeting service principals.
Implementation notes
- [ ] Create a new hashtable in the provider JSON named `privileged_service_principals`. This is very similar to the existing `privileged_users` table. It will contain a list of the service principals and their respective highly privileged roles. Only service principals with highly privileged roles are to be included. Reference #887 for coding guidance since it contains the APIs needed.
- [ ] Display this new hashtable in the AAD HTML report at the bottom after the conditional access table
- [ ] Test against all tenant types
- [ ] Update the unit tests
- [ ] Update the functional tests
I believe the scope of changes for this issue is going to be to add new code to the Get-PrivilegedUser function to get the list of service principals assigned to privileged roles. We only need to be concerned about Active assignments because AAD does not allow service principals to be Eligible assigned. I tested this and when I tried to create an eligible assignment I received an error message.
This is the part of the AAD provider code we would need to augment. Get-MgBetaDirectoryRoleMember returns a list of items, and for service principals the type returned would be `#microsoft.graph.servicePrincipal`, so we can probably just augment the if statement with another `elseif ($Objecttype -eq "servicePrincipal")`. See screenshot.
Then we could use this code, which returns an item that has a DisplayName.

```powershell
Get-MgBetaServicePrincipal -ServicePrincipalId 3e56ffa2-1707-4f1a-8c4e-3eaec5c21d3f
```
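As an added illustration of the provider change sketched above (example code, not ScubaGear's own), this builds the `privileged_service_principals` structure from role memberships, keeping only members whose type is `#microsoft.graph.servicePrincipal`. It assumes member objects shaped like Get-MgBetaDirectoryRoleMember output (an Id plus an AdditionalProperties hashtable) and uses constructed sample data so it runs offline; the role names and GUIDs are made up.

```powershell
# Added example, not ScubaGear's own code. Assumes each member object carries
# an Id and an AdditionalProperties hashtable with '@odata.type' and 'displayName',
# as Get-MgBetaDirectoryRoleMember returns (assumption; verify against live output).
function Get-PrivilegedServicePrincipals {
    param(
        # Privileged role display name -> array of member objects. Active assignments
        # only, since AAD does not allow Eligible assignments for service principals.
        [Parameter(Mandatory)] [hashtable] $RoleMembers
    )
    $Result = @{}
    foreach ($RoleName in $RoleMembers.Keys) {
        foreach ($Member in $RoleMembers[$RoleName]) {
            $ObjectType = $Member.AdditionalProperties['@odata.type']
            # Users and groups are already covered by privileged_users; only
            # service principals are collected here.
            if ($ObjectType -ne '#microsoft.graph.servicePrincipal') { continue }
            if (-not $Result.ContainsKey($Member.Id)) {
                $Result[$Member.Id] = @{
                    # In the provider, DisplayName can instead come from
                    # Get-MgBetaServicePrincipal -ServicePrincipalId $Member.Id
                    DisplayName = $Member.AdditionalProperties['displayName']
                    roles       = @()
                }
            }
            # A service principal holding several roles appears once, with all roles listed.
            if ($Result[$Member.Id].roles -notcontains $RoleName) {
                $Result[$Member.Id].roles += $RoleName
            }
        }
    }
    return $Result
}

# Constructed sample data standing in for live Graph output (offline run).
function New-Member([string] $Id, [string] $Type, [string] $Name) {
    [pscustomobject]@{ Id = $Id; AdditionalProperties = @{ '@odata.type' = $Type; 'displayName' = $Name } }
}
$Sample = @{
    'Global Administrator' = @(
        (New-Member '11111111-1111-1111-1111-111111111111' '#microsoft.graph.user' 'Alice Example'),
        (New-Member '22222222-2222-2222-2222-222222222222' '#microsoft.graph.servicePrincipal' 'Backup App')
    )
    'Privileged Role Administrator' = @(
        (New-Member '22222222-2222-2222-2222-222222222222' '#microsoft.graph.servicePrincipal' 'Backup App'),
        (New-Member '33333333-3333-3333-3333-333333333333' '#microsoft.graph.servicePrincipal' 'Automation SP')
    )
}
$Privileged = Get-PrivilegedServicePrincipals -RoleMembers $Sample
$Privileged | ConvertTo-Json -Depth 4   # two entries; Backup App lists both roles
```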