Updated permission file to include new cmdlets from risky service principal PR. Updated interactive and noninteractive markdowns to account for new permissions.
Michael Hicks committed Feb 6, 2025
1 parent 7ecb51b commit 956d235
Showing 3 changed files with 117 additions and 12 deletions.
105 changes: 100 additions & 5 deletions PowerShell/ScubaGear/Modules/Permissions/ScubaGearPermissions.json
@@ -1,7 +1,7 @@
[
{
"moduleCmdlet": "Get-MgRoleManagementDirectoryRoleDefinition",
"apiResource": "/roleManagement/directory/roleDefinitions/{unifiedRoleDefinition-id}",
"apiResource": "/roleManagement/directory/roleDefinitions/{id}",
"poshModule": [
"Microsoft.Graph.Identity.Governance"
],
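Review bot: dropping the typed placeholder (`{unifiedRoleDefinition-id}` to `{id}`) loses the resource type that the Graph reference uses for this path, and if anything in the module matches `apiResource` strings against documented or logged request URIs it will stop matching. If `apiResource` is purely informational this is harmless, but the commit message does not mention the rename at all, so please state the intent; the same applies to the `{servicePrincipal-id}` and `{unifiedRoleManagementPolicy-id}` renames in the later hunks of this file.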
@@ -33,7 +33,7 @@

{
"moduleCmdlet": "Get-MgServicePrincipal",
"apiResource": "/servicePrincipals/{servicePrincipal-id}",
"apiResource": "/servicePrincipals/{id}",
"poshModule": [
"Microsoft.Graph.Applications"
],
@@ -63,6 +63,38 @@
"notes": ""
},

{
"moduleCmdlet": "Get-MgBetaServicePrincipal",
"apiResource": "/servicePrincipals/{id}",
"poshModule": [
"Microsoft.Graph.Beta.Applications"
],
"leastPermissions": [
"Application.Read.All"
],
"higherPermissions": [
"Directory.ReadWrite.All",
"Directory.Read.All",
"Application.ReadWrite.OwnedBy",
"Application.ReadWrite.All"
],
"spRolePermissions": [],
"scubaGearProduct": [
"aad"
],
"supportedEnv": [
"commercial",
"gcc",
"gcchigh",
"dod"
],
"resourceAPIAppId": "00000003-0000-0000-c000-000000000000",
"supportLinks": [
"https://learn.microsoft.com/graph/api/serviceprincipal-get?view=graph-rest-beta"
],
"notes": ""
},

{
"moduleCmdlet": "New-MgRoleManagementDirectoryRoleAssignment",
"apiResource": "/roleManagement/directory/roleAssignments",
@@ -90,9 +122,73 @@
"notes": ""
},

{
"moduleCmdlet": "Get-MgBetaApplicationFederatedIdentityCredential",
"apiResource": "/applications/{id}/federatedIdentityCredentials",
"poshModule": [
"Microsoft.Graph.Beta.Applications"
],
"leastPermissions": [
"Application.Read.All"
],
"higherPermissions": [
"Application.ReadWrite.OwnedBy",
"Application.ReadWrite.All"
],
"spRolePermissions": [],
"scubaGearProduct": [
"aad"
],
"supportedEnv": [
"commercial",
"gcc",
"gcchigh",
"dod"
],
"resourceAPIAppId": "00000003-0000-0000-c000-000000000000",
"supportLinks": [
"https://learn.microsoft.com/en-us/graph/api/application-list-federatedidentitycredentials?view=graph-rest-beta&tabs=http",
"https://learn.microsoft.com/en-us/powershell/module/microsoft.graph.beta.applications/get-mgbetaapplicationfederatedidentitycredential?view=graph-powershell-beta"
],
"notes": ""
},

{
"moduleCmdlet": "Get-MgBetaApplication",
"apiResource": "/applications",
"poshModule": [
"Microsoft.Graph.Beta.Applications"
],
"leastPermissions": [
"Application.Read.All"
],
"higherPermissions": [
"Directory.ReadWrite.All",
"Directory.Read.All",
"Application.ReadWrite.OwnedBy",
"Application.ReadWrite.All"
],
"spRolePermissions": [],
"scubaGearProduct": [
"aad"
],
"supportedEnv": [
"commercial",
"gcc",
"gcchigh",
"dod"
],
"resourceAPIAppId": "00000003-0000-0000-c000-000000000000",
"supportLinks": [
"https://learn.microsoft.com/en-us/powershell/module/Microsoft.Graph.Beta.Applications/Get-MgBetaApplication?view=graph-powershell-beta",
"https://learn.microsoft.com/en-us/graph/api/application-get?view=graph-rest-beta&tabs=http"
],
"notes": ""
},

{
"moduleCmdlet": "New-MgServicePrincipalAppRoleAssignment",
"apiResource": "/servicePrincipals/{servicePrincipal-id}/appRoleAssignments",
"apiResource": "/servicePrincipals/{id}/appRoleAssignments",
"poshModule": [
"Microsoft.Graph.Applications"
],
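Review bot: the `Get-MgBetaApplication` entry's `apiResource` is the collection path `/applications`, but both `supportLinks` point at `application-get`, the single-object endpoint; either link the list operation or change the path to `/applications/{id}` if the cmdlet is only ever called with an application id. Minor: these two new `Get-*` entries are inserted between `New-MgRoleManagementDirectoryRoleAssignment` and `New-MgServicePrincipalAppRoleAssignment`, i.e. between the two write cmdlets; keeping the read-only application entries grouped together makes a least-privilege review of this file easier.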
@@ -118,7 +214,6 @@
"notes": ""
},


{
"moduleCmdlet": "Invoke-MgGraphRequest",
"apiResource": "/v1.0/me",
@@ -148,7 +243,7 @@

{
"moduleCmdlet": "Get-MgBetaPolicyRoleManagementPolicyRule",
"apiResource": "/beta/policies/roleManagementPolicies/{unifiedRoleManagementPolicy-id}/rules",
"apiResource": "/beta/policies/roleManagementPolicies/{id}/rules",
"poshModule": [
"Microsoft.Graph.Beta.Identity.SignIns"
],
7 changes: 6 additions & 1 deletion docs/prerequisites/interactive.md
@@ -29,14 +29,19 @@ This workflow-like process is sometimes referred to as the _application consent

The following API permissions are required for Microsoft Graph Powershell:

- Application.Read.All
- Directory.Read.All
- Domain.Read.All
- GroupMember.Read.All
- Organization.Read.All
- Policy.Read.All
- PrivilegedEligibilitySchedule.Read.AzureADGroup
- PrivilegedAccess.Read.AzureADGroup
- PrivilegedEligibilitySchedule.Read.AzureADGroup
- RoleAssignmentSchedule.Read.Directory
- RoleEligibilitySchedule.Read.Directory
- RoleManagement.Read.Directory
- RoleManagementPolicy.Read.AzureADGroup
- RoleManagementPolicy.Read.Directory
- User.Read.All

> **Note**: Microsoft Graph PowerShell SDK appears as "unverified" on the AAD application consent screen. This is a long-standing [known issue](https://github.com/microsoftgraph/msgraph-sdk-powershell/issues/482).
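Review bot: `RoleManagement.Read.Directory` and `RoleManagementPolicy.Read.AzureADGroup` are added to the delegated scope list, but none of the three cmdlet entries added to `ScubaGearPermissions.json` in this commit requires either; each of them lists `Application.Read.All` as its least permission, which is the one genuinely new scope here. If those two scopes back entries already present in the JSON that the docs were missing, say so in the commit message, and consider generating this list from the JSON's `leastPermissions` values so the two cannot drift again.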
17 changes: 11 additions & 6 deletions docs/prerequisites/noninteractive.md
@@ -17,7 +17,7 @@ These are the following steps that must be completed:

Configuring a service principal is beyond the scope of these instructions, but Microsoft has documentation that may help:

* [Create a service principal](https://learn.microsoft.com/en-us/entra/identity-platform/howto-create-service-principal-portal) in the Azure console.
* [Create a service principal](https://learn.microsoft.com/en-us/entra/identity-platform/howto-create-service-principal-portal) in the Azure console.
* Associate a [certificate with a service principal](https://learn.microsoft.com/en-us/cli/azure/azure-cli-sp-tutorial-3)

> **Note**: Take note of the AppId and the name of your tenant, as these values will be required to execute ScubaGear in non-interactive mode.
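Review bot: the two `Create a service principal` bullet lines are identical in the rendered diff, so this hunk is a whitespace-only change (most likely trailing whitespace); the same goes for the duplicated `# Register the service principal, giving it the` and `New-PowerAppManagementApp -ApplicationId ...` lines in the last hunk of this file. Whitespace churn is harmless, but keep it out of a permissions change so reviewers can focus on the lines that widen what the service principal can read; a trailing-whitespace trim in pre-commit would stop it recurring.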
@@ -26,15 +26,20 @@ The minimum permissions and roles that must be assigned to the service principal

| ScubaGear Product | API Permissions | Role | API Name | API APPID |
| ----------------------- | ----------------------------------------------- | ------------- | ------------------------------------- | ------------------------------------- |
| Entra ID (aad) | User.Read.All | | Microsoft.Graph | 00000003-0000-0000-c000-000000000000 |
| Entra ID (aad) | Application.Read.All | | Microsoft.Graph | 00000003-0000-0000-c000-000000000000 |
| | Directory.Read.All | | | |
| | Domain.Read.All | | | |
| | GroupMember.Read.All | | | |
| | Organization.Read.All | | | |
| | Policy.Read.All | | | |
| | PrivilegedEligibilitySchedule.Read.AzureADGroup | | | |
| | PrivilegedAccess.Read.AzureADGroup | | | |
| | PrivilegedEligibilitySchedule.Read.AzureADGroup | | | |
| | RoleAssignmentSchedule.Read.Directory | | | |
| | RoleEligibilitySchedule.Read.Directory | | | |
| | RoleManagementPolicy.Read.Directory | | | |
| | RoleManagement.Read.Directory | | | |
| | RoleManagementPolicy.Read.AzureADGroup | | | |
| | RoleManagementPolicy.Read.Directory | | | |
| | User.Read.All | | | |
| Defender | | Global Reader | | |
| Exchange (exo) | Exchange.ManageAsApp | Global Reader | Office 365 Exchange Online | 00000002-0000-0ff1-ce00-000000000000 |
| | Exchange.ManageAsApp | | **Microsoft Exchange Online Protection**<sup>1</sup>| **00000007-0000-0ff1-ce00-000000000000**<sup>1</sup> |
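Review bot: the aad row adds `Application.Read.All`, `RoleManagement.Read.Directory` and `RoleManagementPolicy.Read.AzureADGroup`, yet only `Application.Read.All` is required by an entry in this commit's JSON change. These are application (app-only) permissions with no signed-in user in the loop, so each one widens what a compromised ScubaGear certificate can read tenant-wide and should be traceable to a specific cmdlet entry; add a `notes` pointer in the JSON or a cmdlet name beside the scope, or generate this table from the JSON. The re-sort that moves `User.Read.All` to the bottom is fine as long as interactive.md uses the same order, so the two lists can be checked side by side.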
@@ -72,9 +77,9 @@ Add-PowerAppsAccount `
> **Note**: When testing [GCC tenants](https://learn.microsoft.com/en-us/office365/servicedescriptions/office-365-platform-service-description/office-365-us-government/gcc), use `-Endpoint usgov`.
```powershell
# Register the service principal, giving it the
# Register the service principal, giving it the
# same permissions as a tenant admin
New-PowerAppManagementApp -ApplicationId abcdef0123456789abcde01234566789
New-PowerAppManagementApp -ApplicationId abcdef0123456789abcde01234566789
```

> **Note**: These commands must be run from an account with the Power Platform Administrator or Global Administrator roles.
