🙏 Add tests for Exchange Online RBAC for Applications
Describe the feature
Suggestions for new tests:
- Check for service principals with tenant-wide application Graph permissions that could be converted to RBAC for Applications for improved security. Recommendation/tip.
- Check for service principals with relevant permissions (see below) both configured using RBAC and tenant-wide Graph permission. Likely misconfigured and high risk.
Related to #961
This will help promote the latest recommendations for assigning least-privilege permissions in Exchange Online.
Additional context
#945 introduced tests to verify use of Application Access Policy to restrict the tenant-wide Graph permissions. This method is being replaced by RBAC for Applications going forward.
We should either update/replace them to only recommend using the latest solution (RBAC), or make sure the tests don't conflict. E.g. exclude instances in the first test where the app is properly configured with an Application Access Policy.
@fflaten Sounds good!
When I find time, I can write the code to detect this. But first, I need to access the RBAC for Applications.
If there is a gap between the Entra Application Permission and the Exchange Online Application Permission, I think two separate tests would be better. The test itself is not the issue I foresee. However, combining both into one result would make the remediation actions and description excessively long.
If there is no gap, I will modify the test and recommendation to focus on the RBAC for Applications.
If this is a topic you're familiar with, could you help by writing the content for the test output and the documentation?
I looked at this. I think I'll modify the existing check to say "use RBAC for Applications" and list the apps and permissions for the apps. Then people know which service principals are affected. Additionally, I will create a second test that checks whether the RBAC for Applications permission assignments have a scope. If no scope is set, the permissions are not restricted and the test returns a failure.
@fflaten @SamErde @merill What do you think about this?
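An added example of what the three checks discussed in this thread could look like: the two suggestions from the issue description (Graph application permissions convertible to RBAC for Applications, and apps that hold both the tenant-wide Graph permission and the matching RBAC role) plus the unscoped-assignment check from the last comment. This is not Maester's code or any participant's code. It works over already-fetched data so it runs offline; the input shapes, the sample objects, the `App`/`CustomResourceScope` property names taken from `Get-ManagementRoleAssignment` output, and the treatment of an empty scope or `Organization` as "unrestricted" are all assumptions stated in the comments.

```powershell
# Added example (not from the Maester project or this issue's authors).
# Assumed inputs:
#   $graphGrants    - one record per tenant-wide Graph/EWS *application* permission,
#                     resolved by the caller (e.g. Get-MgServicePrincipalAppRoleAssignment
#                     joined to the resource service principal's AppRoles) into
#                     AppId, DisplayName, Permission.
#   $exoAssignments - RBAC for Applications assignments with the App, Role and
#                     CustomResourceScope properties of Get-ManagementRoleAssignment output.

# Graph/EWS application permissions and their RBAC for Applications role names.
$ExoRoleForPermission = @{
    'Mail.Read'                 = 'Application Mail.Read'
    'Mail.ReadBasic'            = 'Application Mail.ReadBasic'
    'Mail.ReadWrite'            = 'Application Mail.ReadWrite'
    'Mail.Send'                 = 'Application Mail.Send'
    'MailboxSettings.Read'      = 'Application MailboxSettings.Read'
    'MailboxSettings.ReadWrite' = 'Application MailboxSettings.ReadWrite'
    'Calendars.Read'            = 'Application Calendars.Read'
    'Calendars.ReadWrite'       = 'Application Calendars.ReadWrite'
    'Contacts.Read'             = 'Application Contacts.Read'
    'Contacts.ReadWrite'        = 'Application Contacts.ReadWrite'
    'full_access_as_app'        = 'Application EWS.AccessAsApp'   # EWS permission, not Graph
}

# Test 1 (recommendation): tenant-wide grants that have an RBAC for Applications equivalent.
function Get-ConvertibleGraphGrant {
    param([Parameter(Mandatory)][object[]]$GraphGrants)
    foreach ($g in $GraphGrants) {
        if ($ExoRoleForPermission.ContainsKey($g.Permission)) {
            [pscustomobject]@{
                AppId         = $g.AppId
                DisplayName   = $g.DisplayName
                Permission    = $g.Permission
                SuggestedRole = $ExoRoleForPermission[$g.Permission]
            }
        }
    }
}

# Test 2 (high risk): the same app holds the tenant-wide Graph permission AND the matching
# RBAC role. The tenant-wide grant makes the RBAC scope meaningless, so report the pair.
function Get-DoubleAssignedApp {
    param(
        [Parameter(Mandatory)][object[]]$GraphGrants,
        [Parameter(Mandatory)][object[]]$ExoAssignments
    )
    foreach ($g in $GraphGrants) {
        $role = $ExoRoleForPermission[$g.Permission]
        if (-not $role) { continue }
        $overlap = $ExoAssignments | Where-Object { $_.App -eq $g.AppId -and $_.Role -eq $role }
        foreach ($a in $overlap) {
            [pscustomobject]@{
                AppId       = $g.AppId
                DisplayName = $g.DisplayName
                Permission  = $g.Permission
                ExoRole     = $a.Role
                ExoScope    = $a.CustomResourceScope
            }
        }
    }
}

# Test 3 (fail): RBAC for Applications assignments that restrict nothing.
# Assumption: an empty CustomResourceScope, or the value 'Organization', covers every mailbox.
function Get-UnscopedAppRoleAssignment {
    param([Parameter(Mandatory)][object[]]$ExoAssignments)
    $ExoAssignments | Where-Object {
        $_.Role -like 'Application *' -and
        ([string]::IsNullOrWhiteSpace($_.CustomResourceScope) -or $_.CustomResourceScope -eq 'Organization')
    }
}

# ---- Constructed sample data (fake app IDs, not from a real tenant) ----
$graphGrants = @(
    [pscustomobject]@{ AppId = '00000000-0000-0000-0000-000000000001'; DisplayName = 'Mail Archiver';   Permission = 'Mail.Read' }
    [pscustomobject]@{ AppId = '00000000-0000-0000-0000-000000000002'; DisplayName = 'Notifier';        Permission = 'Mail.Send' }
    [pscustomobject]@{ AppId = '00000000-0000-0000-0000-000000000003'; DisplayName = 'Directory Sync';  Permission = 'User.Read.All' }  # no EXO equivalent
)
$exoAssignments = @(
    [pscustomobject]@{ App = '00000000-0000-0000-0000-000000000002'; Role = 'Application Mail.Send';      CustomResourceScope = 'Sales Mailboxes' }
    [pscustomobject]@{ App = '00000000-0000-0000-0000-000000000004'; Role = 'Application Calendars.Read'; CustomResourceScope = $null }
)

'--- Test 1: grants that could move to RBAC for Applications ---'
Get-ConvertibleGraphGrant -GraphGrants $graphGrants | Format-Table -AutoSize
'--- Test 2: apps holding both the Graph permission and the RBAC role ---'
Get-DoubleAssignedApp -GraphGrants $graphGrants -ExoAssignments $exoAssignments | Format-Table -AutoSize
'--- Test 3: RBAC for Applications assignments without a scope ---'
$unscoped = Get-UnscopedAppRoleAssignment -ExoAssignments $exoAssignments
$unscoped | Format-Table -AutoSize
if ($unscoped) { Write-Warning "$(@($unscoped).Count) unscoped RBAC for Applications assignment(s) found" }
```

With the sample data, Test 1 lists Mail Archiver and Notifier (Directory Sync is skipped because `User.Read.All` has no Exchange Online counterpart), Test 2 flags Notifier because it holds `Mail.Send` tenant-wide while also carrying the scoped `Application Mail.Send` role, and Test 3 flags the `Application Calendars.Read` assignment with no scope. In a real test, the three functions would be fed live objects; whether the scope check also needs to treat `Organization` as unscoped should be confirmed against the assignment values a tenant actually returns.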