
Please consider open sourcing the authorization system

Open andyrobbins opened this issue 11 months ago • 1 comment

Thank you for building MS Graph. I appreciate the hard work and wisdom that goes into architecting, building, and maintaining this system.

Please consider making the authorization system open source. Today, administrators and security professionals mostly rely on documentation to understand, for example, which application roles are required to access endpoints. For example, the List users page states that one of the following application roles is required to access that endpoint:

User.Read.All, User.ReadWrite.All, Directory.Read.All, Directory.ReadWrite.All

The documentation for Directory.ReadWrite.All states:

Directory.ReadWrite.All grants access that is broadly equivalent to a global tenant admin.

However, I have performed and documented testing that leads me to believe this isn't actually true.

I believe this becomes a material security issue when admins and security professionals put undue attention on application roles that are not as powerful as others. For example, RoleManagement.ReadWrite.Directory allows the calling principal to promote itself or any other principal to Global Administrator. The documentation for that role states that:

Permissions that allow granting authorization, such as RoleManagement.ReadWrite.Directory, allow an application to grant additional privileges to itself, other applications, or any user. Use caution when granting any of these permissions.

But this application role does not come with the (I believed, warranted) warning about global admin equivalency the way Directory.ReadWrite.All does. The same issue exists for AppRoleAssignment.ReadWrite.Directory.

If you are able to open source the authorization system for MS Graph, I believe admins will be able to make much more well-informed decisions about the application roles they grant to service principals, and I believe security professionals will be able to much more efficiently audit those permissions to identify possible misconfigurations.

Thank you for taking the time to read my comment and thank you again for designing, building, and maintaining this system.

andyrobbins Mar 21 '24 23:03
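The audit the issue asks for can be partly automated even without the authorization source: rank each service principal's Graph app role assignments by whether the role lets the holder grant itself more privilege, rather than by the wording of the docs. The following is an added example (not code from the issue author or from the msgraph-metadata project); the GUIDs, service principal ids and assignment records are constructed stand-ins for what Graph returns, since a real appRoleAssignment carries only an appRoleId that must be joined against the resource service principal's appRoles list.

```python
# Added example, not from the original issue. Graph appRoleAssignments carry only an
# appRoleId GUID; the role name lives in the resource SP's appRoles, so an audit must
# join the two. All GUIDs and ids below are constructed placeholders.

# Roles the issue singles out: the holder can grant itself or any principal
# more privilege, regardless of how the documentation describes them.
GRANT_AUTHORITY = {"RoleManagement.ReadWrite.Directory",
                   "AppRoleAssignment.ReadWrite.Directory"}
BROAD_WRITE = {"Directory.ReadWrite.All", "User.ReadWrite.All"}
TIER_ORDER = {"can-grant-privilege": 0, "broad-write": 1, "unresolved": 2, "read": 3}

GRAPH_RESOURCE_ID = "sp-graph"  # constructed id of the Graph service principal
GRAPH_APP_ROLES = {             # constructed appRoleId -> role value table
    "00000000-0000-0000-0000-000000000001": "User.Read.All",
    "00000000-0000-0000-0000-000000000002": "Directory.ReadWrite.All",
    "00000000-0000-0000-0000-000000000003": "RoleManagement.ReadWrite.Directory",
    "00000000-0000-0000-0000-000000000004": "AppRoleAssignment.ReadWrite.Directory",
}

# Constructed sample in the shape of GET /servicePrincipals/{id}/appRoleAssignments
SAMPLE_ASSIGNMENTS = [
    {"principalId": "sp-backup", "resourceId": "sp-graph",
     "appRoleId": "00000000-0000-0000-0000-000000000002"},
    {"principalId": "sp-helpdesk", "resourceId": "sp-graph",
     "appRoleId": "00000000-0000-0000-0000-000000000003"},
    {"principalId": "sp-reporting", "resourceId": "sp-graph",
     "appRoleId": "00000000-0000-0000-0000-000000000001"},
    {"principalId": "sp-reporting", "resourceId": "sp-other",
     "appRoleId": "00000000-0000-0000-0000-000000000003"},  # different resource
    {"principalId": "sp-legacy", "resourceId": "sp-graph",
     "appRoleId": "00000000-0000-0000-0000-0000000000ff"},  # not in table
]

def classify(role):
    if role in GRANT_AUTHORITY:
        return "can-grant-privilege"
    if role in BROAD_WRITE:
        return "broad-write"
    if role.startswith("unknown:"):
        return "unresolved"  # appRoleId absent from the resource's appRoles; check by hand
    return "read"

def audit(assignments, app_roles=GRAPH_APP_ROLES, resource_id=GRAPH_RESOURCE_ID):
    """Join assignments on the Graph resource to role names; highest-risk first."""
    findings = []
    for a in assignments:
        if a["resourceId"] != resource_id:
            continue  # other resources have their own appRoles table
        role = app_roles.get(a["appRoleId"], "unknown:" + a["appRoleId"])
        findings.append((a["principalId"], role, classify(role)))
    return sorted(findings, key=lambda f: (TIER_ORDER[f[2]], f[0]))
```

Running `audit(SAMPLE_ASSIGNMENTS)` lists sp-helpdesk first because RoleManagement.ReadWrite.Directory can promote any principal, ahead of sp-backup's Directory.ReadWrite.All, which is the opposite of the emphasis the documentation warnings give.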