
MS Graph PS SDK app should have a verified publisher

Open adamedx opened this issue 5 years ago • 25 comments

Currently during consent the app shows a slightly alarming unverified publisher -- this is misleading, as we know the publisher is Microsoft! The application should securely make that assertion so users and admins don't have to second-guess whether it is safe to use the tool. AB#6852

adamedx avatar Dec 04 '20 17:12 adamedx

I agree that the publisher should be verified; I just found the issue in the 1.3 milestones.. thanks

byteben avatar Jan 06 '21 13:01 byteben

Duplicate https://github.com/microsoftgraph/msgraph-sdk-powershell/issues/449

PsychoData avatar Feb 17 '21 17:02 PsychoData

I'm confused about the status of this issue. I am still seeing Unverified using 1.9.3. When will this be fixed?

DeanGross avatar Mar 22 '22 12:03 DeanGross

Almost 18 months later and this is still unresolved. What is the problem that Microsoft can't/won't address this?

mberry1212 avatar Apr 29 '22 21:04 mberry1212

Out of all the "bugs" in this issues list, this is one that cannot cause any regressions and shouldn't need any sort of buy-in, sign-off, or approval. None of my customers will trust this as the replacement for AzureAD and MSOnline until this is resolved.

joshtransient avatar May 01 '22 16:05 joshtransient

Related internal work item: https://microsoftgraph.visualstudio.com/Graph%20Developer%20Experiences/_workitems/edit/13822/

zengin avatar May 10 '22 17:05 zengin

Hello folks.

To add visibility here, the Microsoft Graph PowerShell SDK uses a third-party appId as part of our security concerns on having incremental consent for permissions. Unfortunately, we have limitations on getting a 3rd party app publisher verified under the Microsoft tenant (even though it's a Microsoft application). The Microsoft security team has not allowed us to do this, as the Microsoft Graph PowerShell appId is public and could be used in ways to break security and get access to Microsoft data. And we can't use a first-party appId, as incremental consent has not been implemented yet.

So, being a publisher verified application is, in our case, something with no precedent, and even though it looks like an 'easy' thing to address and something that couldn't cause a regression, we do need, yes, to dig in and analyze the situation from every possible angle, as well as reach an agreement with the Microsoft Security team.

With that said, I would like to let you know that we have been working on it, yes, for quite some time, to figure out the path and finally become a publisher verified application.

I will update this thread once we get things done.

Thanks for your patience.

maisarissi avatar May 10 '22 18:05 maisarissi

Word salad and no actual update.


mberry1212 avatar May 11 '22 00:05 mberry1212

maisarissi's update means that another app could spoof itself as a "trusted" publisher and potentially steal a user's credentials. The AADInternals module has cmdlets that show a proof-of-concept attack for nearly all popular MSFT first party apps.

joshtransient avatar May 11 '22 18:05 joshtransient

Any news regarding this? Is there any work in progress targeting this issue?

peterboba avatar Jul 04 '22 08:07 peterboba

Hi @peterboba. Yes, there is internal work in progress targeting this. We are trying to find the right path to follow, and we are working closely with the Microsoft Identity folks on it. This requires a lot of internal effort and it's not trivial, as anyone could write a script using the "publisher verified" Microsoft Graph PS SDK to do anything, giving the user a fake sense of trust.

In the meantime, if the “unverified” note is concerning, an alternative option to consider is to use an app registration of your own, on which you can set yourselves as the verified publisher. You’d need to go through the publisher verification process, and use it with the Microsoft Graph PowerShell SDK:

Connect-MgGraph -AppId "{your-own-app-id}" -Scopes "scope"

maisarissi avatar Jul 04 '22 14:07 maisarissi
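The workaround above (your own publisher-verified app registration passed to Connect-MgGraph) can be paired with a tenant-side check of what is actually consented. The script below is an added example, not code from the thread or from the SDK project: it connects with a caller-supplied app registration and then lists every service principal in the tenant that holds a delegated (OAuth2) permission grant but has no verified publisher, which is the property the consent prompt is reporting. Assumptions: `$ClientId` and `$TenantId` are placeholders for your own registration and tenant; the `-ClientId` parameter is the one the comment above calls `-AppId`; the scopes `Application.Read.All` and `Directory.Read.All` are the read-only scopes chosen here for listing service principals and grants; the `Microsoft.Graph.Authentication`, `Microsoft.Graph.Applications` and `Microsoft.Graph.Identity.SignIns` modules are installed.

```powershell
<#
 Added example (not from the thread or the SDK project): connect to Microsoft Graph with
 your own app registration, then audit which service principals in the tenant hold
 delegated permission grants without a verified publisher.
 Placeholders: $ClientId is your app registration's client ID, $TenantId your tenant.
#>
param(
    [Parameter(Mandatory)] [string] $ClientId,   # your own app registration (placeholder)
    [Parameter(Mandatory)] [string] $TenantId    # your tenant ID or verified domain (placeholder)
)

# -ClientId is the parameter the thread refers to as -AppId (an alias in the SDK).
# Read-only scopes (assumed sufficient): list service principals and delegated grants.
Connect-MgGraph -ClientId $ClientId -TenantId $TenantId `
    -Scopes "Application.Read.All", "Directory.Read.All"

function Get-UnverifiedConsentedApp {
    <# Returns one object per service principal that has at least one delegated
       (OAuth2) permission grant in this tenant but no verified publisher. #>
    $grants = Get-MgOauth2PermissionGrant -All
    foreach ($group in ($grants | Group-Object -Property ClientId)) {
        # ClientId on a grant is the object ID of the consuming service principal
        $sp = Get-MgServicePrincipal -ServicePrincipalId $group.Name `
            -Property Id, AppId, DisplayName, VerifiedPublisher, AppOwnerOrganizationId

        # verifiedPublisher is empty when the app was never verified through Partner
        # Center; that is exactly what the "Unverified" consent prompt reflects.
        $isVerified = ($null -ne $sp.VerifiedPublisher) -and
                      -not [string]::IsNullOrEmpty($sp.VerifiedPublisher.VerifiedPublisherId)
        if ($isVerified) { continue }

        # Each grant carries a space-separated scope string; flatten to one unique list
        $scopes = $group.Group | ForEach-Object { $_.Scope -split '\s+' } |
                  Where-Object { $_ } | Sort-Object -Unique

        [pscustomobject]@{
            DisplayName     = $sp.DisplayName
            AppId           = $sp.AppId
            PublisherTenant = $sp.AppOwnerOrganizationId   # tenant owning the registration
            ConsentTypes    = ($group.Group.ConsentType | Sort-Object -Unique) -join ','
            GrantCount      = $group.Count
            Scopes          = $scopes -join ' '
        }
    }
}

# Most widely consented unverified apps first: these deserve the closest review
Get-UnverifiedConsentedApp | Sort-Object GrantCount -Descending | Format-Table -AutoSize
```

Run it from an elevated PowerShell session after installing the modules; the `PublisherTenant` column shows which tenant owns each unverified app registration, which lets an admin distinguish a known vendor's unverified app from an unknown one before deciding whether the existing consent should stay in place.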

Thanks @maisarissi !

peterboba avatar Jul 18 '22 08:07 peterboba

Ran into this today in my environment.. still not resolved, eh?

MagicCarpetRider avatar Feb 22 '23 05:02 MagicCarpetRider

It has been more than 2.5 years now and still no resolution. Azure AD PowerShell will be deprecated soon. Microsoft urges us to switch to Microsoft Graph ("to become future proof/ready"): https://learn.microsoft.com/en-us/powershell/module/azuread/?view=azureadps-2.0#azuread

But my customers are now confronted with an "Unverified Publisher" warning. WHILE SIGNING IN AS AN ADMINISTRATOR GIVING PERMISSIONS

How can I explain this to my customers? What can I expect from Microsoft here?

BTW this is not only annoying for our customers. In Azure Portal I have sufficient rights to create an application definition. I do not need admin consent to perform those tasks. However, this is not possible from MS-Graph Powershell since I always first need admin consent to use the module... argg

PeterBizz avatar Aug 27 '23 12:08 PeterBizz

Last I recall, the explanation from Microsoft was, “It’s complicated” 💩

mberry1212 avatar Aug 29 '23 01:08 mberry1212

I... just... have no words to describe this. Ready to jump out the window.

luckman212 avatar Nov 17 '23 17:11 luckman212

Just ran into this situation with 'Microsoft Graph Command Line Tools'

AlanAbluestem avatar Dec 11 '23 19:12 AlanAbluestem

This situation is crazy. Here's me thinking I've downloaded a fake/malware version of the Graph PS tools... but then I find this thread.

And then the realisation that I still have no idea whether I have a legit copy of the tools or not...

nbevans avatar Dec 13 '23 09:12 nbevans

🤦 So safe or not?

brandonjank avatar Dec 13 '23 19:12 brandonjank

Just ran into this situation with 'Microsoft Graph Command Line Tools'

same, after running: Connect-MgGraph -Scopes "User.ReadWrite.All"


jd1984 avatar Dec 15 '23 13:12 jd1984

It's unbelievable that this is still an open issue over 3 years after it was first logged.

b-col avatar Jan 25 '24 14:01 b-col

Initially, I didn't know about this thread. I thought there was an issue with Microsoft Graph and raised a support request with them.

The MSFT Support Engineer shared this thread and informed me that this is an open issue.

Today, I got another response from MSFT to register an app in my tenant and get publisher verification done for my app in my tenant to fix this issue.

I don't understand; it's been over three years, and it's disheartening to see that Microsoft still hasn't addressed this issue. Instead, their suggested solution seems unreasonable – asking users to register their own app within the tenant and become Microsoft Partners just to get a verified app. Why should we have to go through such lengths, including potentially paying for a partner program, to rectify an issue that should be Microsoft's responsibility to fix?

https://developer.microsoft.com/en-us/graph/known-issues/?search=18030

arungovind18 avatar Jan 29 '24 07:01 arungovind18

@timayabi2020 how much longer is this going to take?

DeanGross avatar Mar 05 '24 10:03 DeanGross

This issue should be priority number one. This issue lingering for so long is extra ironic because Graph is perhaps the most powerful and therefore dangerous API in the Microsoft ecosystem. For example: how can I justify using this repo to automate Entra ID?

kardiojack avatar Apr 13 '24 16:04 kardiojack

hmm... I was surprised to find this as an issue. I do not like consenting to unverified apps :(

MichelZ avatar Apr 23 '24 14:04 MichelZ