Azure Active Directory Assessment | Part V
In the previous posts, we have created an App registration and started the assessment with Identities, Groups, Teams, Devices and Licenses. The last post was about Organization information and Licenses. Now let’s continue to Conditional Access policies and App Registrations.
App registrations and Enterprise Applications
It is most likely that there are App registrations with for example Microsoft Graph API permissions. With the correct permissions you will be able through an app registration to create users and provision these users with for example the Global Administrators role in Azure Active Directory. Normally there are more administrators than only one. There should be a constant monitoring for permissions, but in a day to day job it is hard to keep track on that.
Users are most likely to create an app registration for some applications and use their own credentials. They will not be able to add identities to the Global Administrator role but are able to set permissions that as user an application can send email through M365.
Let’s see if we can get a good list of this so we will be able to keep track on that.
# setting url
$url = "https://graph.microsoft.com/beta/servicePrincipals?`$top=999&`$filter=tags/any(t:t eq 'WindowsAzureActiveDirectoryIntegratedApp')"
# getting the applications
$SPS = RunQueryAndProcess
Now we have the information. Let’s process it.
First we need some functions to process the data like userPrincipalName of the permissions.
function parse-AppPermissions {
Param(
#App role assignment object
[Parameter(Mandatory = $true)]$appRoleAssignments)
foreach ($appRoleAssignment in $appRoleAssignments) {
$resID = $appRoleAssignment.ResourceDisplayName
$roleID = (Get-ServicePrincipalRoleById $appRoleAssignment.resourceId).appRoles | Where-Object { $_.id -eq $appRoleAssignment.appRoleId } | Select-Object -ExpandProperty Value
if (!$roleID) { $roleID = "Orphaned ($($appRoleAssignment.appRoleId))" }
$OAuthperm["[" + $resID + "]"] += $("," + $RoleId)
}
}
function parse-DelegatePermissions {
Param(
#oauth2PermissionGrants object
[Parameter(Mandatory = $true)]$oauth2PermissionGrants)
foreach ($oauth2PermissionGrant in $oauth2PermissionGrants) {
$resID = (Get-ServicePrincipalRoleById $oauth2PermissionGrant.ResourceId).appDisplayName
if ($null -ne $oauth2PermissionGrant.PrincipalId) {
$userId = "(" + (Get-UserUPNById -objectID $oauth2PermissionGrant.principalId) + ")"
}
else { $userId = $null }
$OAuthperm["[" + $resID + $userId + "]"] += ($oauth2PermissionGrant.Scope.Split(" ") -join ",")
}
}
function Get-ServicePrincipalRoleById {
Param(
#Service principal object
[Parameter(Mandatory = $true)][ValidateNotNullOrEmpty()]$spID)
#check if we've already collected this SP data
#do we need anything other than AppRoles? add a $select statement...
if (!$SPPerm[$spID]) {
$res = Invoke-WebRequest -Method Get -Uri "https://graph.microsoft.com/beta/servicePrincipals/$spID" -Headers $Header -Verbose:$VerbosePreference
$SPPerm[$spID] = ($res.Content | ConvertFrom-Json)
}
return $SPPerm[$spID]
}
function Get-UserUPNById {
Param(
#User objectID
[Parameter(Mandatory = $true)][ValidateNotNullOrEmpty()]$objectID)
#check if we've already collected this User's data
#currently we store only UPN, store the entire object if needed
if (!$SPusers[$objectID]) {
$res = Invoke-WebRequest -Method Get -Uri "https://graph.microsoft.com/v1.0/users/$($objectID)?`$select=UserPrincipalName" -Headers $Header -Verbose:$VerbosePreference
$SPusers[$objectID] = ($res.Content | ConvertFrom-Json).UserPrincipalName
}
return $SPusers[$objectID]
}
Now we can start the retrieving
#hash-table to store data for app roles and stuff
$SPperm = @{}
#hash-table to store data for users assigned delegate permissions and stuff
$SPusers = @{}
# output variable
$AppPermissions= [System.Collections.Generic.List[Object]]::new()
foreach ($SP in $SPs) {
#simple anti-throttling control
Start-sleep -Milliseconds 500
#Check for appRoleAssignments (application permissions)
$appRoleAssignments = @()
$res = Invoke-WebRequest -Method Get -Uri "https://graph.microsoft.com/beta/servicePrincipals/$($sp.id)/appRoleAssignments" -Headers $Header -Verbose:$VerbosePreference
$appRoleAssignments = ($res.Content | ConvertFrom-Json).Value
$OAuthperm = @{};
$assignedto = @(); $resID = $null; $userId = $null;
$appuri = $resource + 'beta/applications?$filter=startswith(displayname,' + "'" + $sp.appDisplayName + "'" + ")"
$appinfo = (Invoke-RestMethod -method GET -Headers $header -Uri $appuri).value
#prepare the output object
$objPermissions = [PSCustomObject][ordered]@{
"Number" = $i
"Application Name" = $SP.appDisplayName
"ApplicationId" = $SP.AppId
"Publisher" = (& { if ($SP.PublisherName) { $SP.PublisherName } else { $null } })
"Verified" = (& { if ($SP.verifiedPublisher.verifiedPublisherId) { $SP.verifiedPublisher.displayName } else { "Not verified" } })
"Homepage" = (& { if ($SP.Homepage) { $SP.Homepage } else { $null } })
"SP name" = $SP.displayName
"ObjectId" = $SP.id
"Created on" = (& { if ($SP.createdDateTime) { (Get-Date($SP.createdDateTime) -format g) } else { $null } })
"Enabled" = $SP.AccountEnabled
"signInAudience" = $SP.signInAudience
"replyUrls" = $SP.replyUrls -join ","
"credentials" = if ($appinfo.keycredentials.type -ne $null -and $appinfo.passwordcredentials -eq $null){ "Certificate"} else { if ($appinfo.keycredentials.type -ne $null -and $appinfo.passwordcredentials -ne $null){"Certificate,Client Secret"} "ClientSecret"}
"Cert-DisplayName" = $appinfo.keycredentials.DisplayName
"Cert-KeyId" = $Appinfo.keycredentials.KeyId
"Cert-EndDateTime" = $Appinfo.keycredentials.endDateTime
"ClientSecret-DisplayName" = $appinfo.passwordcredentials.DisplayName
"ClientSecret-KeyId" = $Appinfo.passwordcredentials.keyid
"ClientSecret-EndDateTime" = $Appinfo.passwordcredentials.endDateTime
"Last modified" = $null
"Permissions (application)" = $null
"Authorized By (application)" = $null
"Permissions (delegate)" = $null
"Valid until (delegate)" = $null
"Authorized By (delegate)" = $null
}
#process application permissions entries
if (!$appRoleAssignments) { Write-Verbose "No application permissions to report on for SP $($SP.id), skipping..." }
else {
$objPermissions.'Last modified' = (Get-Date($appRoleAssignments.CreationTimestamp | Select-Object -Unique | Sort-Object -Descending | Select-Object -First 1) -format g)
parse-AppPermissions $appRoleAssignments
$objPermissions.'Permissions (application)' = (($OAuthperm.GetEnumerator() | ForEach-Object { "$($_.Name):$($_.Value.ToString().TrimStart(','))" }) -join ";")
$objPermissions.'Authorized By (application)' = "An administrator (application permissions)"
}
#Check for oauth2PermissionGrants (delegate permissions)
#Use /beta here, as /v1.0 does not return expiryTime
$oauth2PermissionGrants = @()
$res = Invoke-WebRequest -Method Get -Uri "https://graph.microsoft.com/beta/servicePrincipals/$($sp.id)/oauth2PermissionGrants" -Headers $Header -Verbose:$VerbosePreference
$oauth2PermissionGrants = ($res.Content | ConvertFrom-Json).Value
$OAuthperm = @{};
$assignedto = @(); $resID = $null; $userId = $null;
#process delegate permissions entries
if (!$oauth2PermissionGrants) { Write-Verbose "No delegate permissions to report on for SP $($SP.id), skipping..." }
else {
parse-DelegatePermissions $oauth2PermissionGrants
$objPermissions.'Permissions (delegate)' = (($OAuthperm.GetEnumerator() | ForEach-Object { "$($_.Name):$($_.Value.ToString().TrimStart(','))" }) -join ";")
$objPermissions.'Valid until (delegate)' = (Get-Date($oauth2PermissionGrants.ExpiryTime | Select-Object -Unique | Sort-Object -Descending | Select-Object -First 1) -format g)
if (($oauth2PermissionGrants.ConsentType | Select-Object -Unique) -eq "AllPrincipals") { $assignedto += "All users (admin consent)" }
$assignedto += @($OAuthperm.Keys) | ForEach-Object { if ($_ -match "\((.*@.*)\)") { $Matches[1] } }
$objPermissions.'Authorized By (delegate)' = (($assignedto | Select-Object -Unique) -join ",")
}
$AppPermissions.Add($objPermissions)
}
Conditional Access policies
These days an Azure tenant can not function without Conditional Access Policies. They prevent brute attacks to your tenant and contribute to keep your data safe. Knowing every policy is a lot of click work on the portal. Let’s get them and place them side by side in the assessment.
# get all the needed information
$url = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"
[array]$ConditionalAccessPolicies = RunQueryAndProcess
##Get Directory Roles
$url= "https://graph.microsoft.com/beta/directoryRoleTemplates"
[array]$DirectoryRoleTemplates = RunQueryAndProcess
##Get Trusted Locations
$url= "https://graph.microsoft.com/v1.0/identity/conditionalAccess/namedLocations"
[array]$NamedLocations = RunQueryAndProcess
# replacing GUIDS for names
$ConditionalAccessPoliciesJSON = $ConditionalAccessPolicies | ConvertTo-Json -Depth 5
if ($ConditionalAccessPoliciesJSON -ne $null) {
##TidyUsers
foreach ($User in $Users) {
$ConditionalAccessPoliciesJSON = $ConditionalAccessPoliciesJSON.Replace($user.id, ("$($user.displayname) - $($user.userPrincipalName)"))
}
##Tidy Groups
foreach ($Group in $Groups) {
$ConditionalAccessPoliciesJSON = $ConditionalAccessPoliciesJSON.Replace($group.id, ("$($group.displayname) - $($group.id)"))
}
##Tidy Roles
foreach ($DirectoryRoleTemplate in $DirectoryRoleTemplates) {
$ConditionalAccessPoliciesJSON = $ConditionalAccessPoliciesJSON.Replace($DirectoryRoleTemplate.Id, $DirectoryRoleTemplate.displayname)
}
##Tidy Apps
foreach ($AADApp in $AADApps) {
$ConditionalAccessPoliciesJSON = $ConditionalAccessPoliciesJSON.Replace($AADApp.appid, $AADApp.displayname)
$ConditionalAccessPoliciesJSON = $ConditionalAccessPoliciesJSON.Replace($AADApp.id, $AADApp.displayname)
}
##Tidy Locations
foreach ($NamedLocation in $NamedLocations) {
$ConditionalAccessPoliciesJSON = $ConditionalAccessPoliciesJSON.Replace($NamedLocation.id, $NamedLocation.displayname)
}
$ConditionalAccessPolicies = $ConditionalAccessPoliciesJSON | ConvertFrom-Json
$CAOutput = @()
$CAHeadings = @(
"displayName",
"createdDateTime",
"modifiedDateTime",
"state",
"Conditions.users.includeusers",
"Conditions.users.excludeusers",
"Conditions.users.includegroups",
"Conditions.users.excludegroups",
"Conditions.users.includeroles",
"Conditions.users.excluderoles",
"Conditions.clientApplications.includeServicePrincipals",
"Conditions.clientApplications.excludeServicePrincipals",
"Conditions.applications.includeApplications",
"Conditions.applications.excludeApplications",
"Conditions.applications.includeUserActions",
"Conditions.applications.includeAuthenticationContextClassReferences",
"Conditions.userRiskLevels",
"Conditions.signInRiskLevels",
"Conditions.platforms.includePlatforms",
"Conditions.platforms.excludePlatforms",
"Conditions.locations.includLocations",
"Conditions.locations.excludeLocations"
"Conditions.clientAppTypes",
"Conditions.devices.deviceFilter.mode",
"Conditions.devices.deviceFilter.rule",
"GrantControls.operator",
"grantcontrols.builtInControls",
"grantcontrols.customAuthenticationFactors",
"grantcontrols.termsOfUse",
"SessionControls.disableResilienceDefaults",
"SessionControls.applicationEnforcedRestrictions",
"SessionControls.persistentBrowser",
"SessionControls.cloudAppSecurity",
"SessionControls.signInFrequency"
)
Foreach ($Heading in $CAHeadings) {
$Row = $null
$Row = New-Object psobject -Property @{
PolicyName = $Heading
}
foreach ($CAPolicy in $ConditionalAccessPolicies) {
$Nestingcheck = ($Heading.split('.').count)
if ($Nestingcheck -eq 1) {
$Row | Add-Member -MemberType NoteProperty -Name $CAPolicy.displayname -Value $CAPolicy.$Heading -Force
}
elseif ($Nestingcheck -eq 2) {
$SplitHeading = $Heading.split('.')
$Row | Add-Member -MemberType NoteProperty -Name $CAPolicy.displayname -Value ($CAPolicy.($SplitHeading[0].ToString()).($SplitHeading[1].ToString()) -join ';' )-Force
}
elseif ($Nestingcheck -eq 3) {
$SplitHeading = $Heading.split('.')
$Row | Add-Member -MemberType NoteProperty -Name $CAPolicy.displayname -Value ($CAPolicy.($SplitHeading[0].ToString()).($SplitHeading[1].ToString()).($SplitHeading[2].ToString()) -join ';' )-Force
}
elseif ($Nestingcheck -eq 4) {
$SplitHeading = $Heading.split('.')
$Row | Add-Member -MemberType NoteProperty -Name $CAPolicy.displayname -Value ($CAPolicy.($SplitHeading[0].ToString()).($SplitHeading[1].ToString()).($SplitHeading[2].ToString()).($SplitHeading[3].ToString()) -join ';' )-Force
}
}
$CAOutput += $Row
}
}