private/tests/Test-InactiveAppDontHaveHighPrivGraphPerm.21770.ps1
<# .SYNOPSIS #> function Test-InactiveAppDontHaveHighPrivGraphPerm { [CmdletBinding()] param( $Database ) Write-PSFMessage '🟦 Start' -Tag Test -Level VeryVerbose $sql = @" select sp.id, sp.appId, sp.displayName, sp.appOwnerOrganizationId, spsi.lastSignInActivity.lastSignInDateTime from main.ServicePrincipal sp left join main.ServicePrincipalSignIn spsi on spsi.appId = sp.appId where sp.id in ( select sp.id from main.ServicePrincipal sp where sp.oauth2PermissionGrants.scope is not null ) or sp.id in ( select distinct sp.id, from (select sp.id, sp.displayName, unnest(sp.appRoleAssignments).AppRoleId as appRoleId from main.ServicePrincipal sp) sp left join (select unnest(main.ServicePrincipal.appRoles).id as id, unnest(main.ServicePrincipal.appRoles)."value" permissionName from main.ServicePrincipal) spAppRole on sp.appRoleId = spAppRole.id where permissionName is not null ) order by spsi.lastSignInActivity.lastSignInDateTime "@ $results = Invoke-DatabaseQuery -Database $Database -Sql $sql $inactiveRiskyApps = @() $otherApps = @() foreach($item in $results) { $item = Add-DelegatePermissions $item $item = Add-AppPermissions $item $item = Add-GraphRisk $item if([string]::IsNullOrEmpty($item.lastSignInDateTime) -and $item.IsRisky) { $inactiveRiskyApps += $item } else { $otherApps += $item } } $passed = $inactiveRiskyApps.Count -eq 0 if ($passed) { $testResultMarkdown += "No inactive applications with high privileges`n`n%TestResult%" } else { $testResultMarkdown += "Inactive Application(s) with high privileges were found`n`n%TestResult%" } $mdInfo = "`n## Apps with privileged Graph permissions`n`n" $mdInfo += "| | Name | Risk | Delegate Permission | Application Permission | App owner tenant | Last sign in|`n" $mdInfo += "| :--- | :--- | :--- | :--- | :--- | :--- | :--- |`n" $mdInfo += Get-AppList -Apps $inactiveRiskyApps -Icon "❌" $mdInfo += Get-AppList -Apps $otherApps -Icon "✅" $testResultMarkdown = $testResultMarkdown -replace "%TestResult%", $mdInfo Add-ZtTestResultDetail -TestId '21770' -Title 'Inactive applications don''t have highly privileged permissions' ` -UserImpact Low -Risk High -ImplementationCost Low ` -AppliesTo Identity -Tag Application ` -Status $passed -Result $testResultMarkdown } function Add-DelegatePermissions($item) { $sql = @" select sp.id, sp.oauth2PermissionGrants.scope as permissionName, from main.ServicePrincipal sp where sp.oauth2PermissionGrants.scope is not null and sp.id == '{0}' "@ $sql = $sql -f $item.id $results = Invoke-DatabaseQuery -Database $Database -Sql $sql $item.DelegatePermissions = @() if($results.permissionName) { $perms = $results.permissionName.trim() -replace """", "" $item.DelegatePermissions = $perms -split " " | Where-Object { ![string]::IsNullOrEmpty($_)} } return $item } function Add-AppPermissions($item) { $sql = @" select distinct spAppRole.* from (select sp.id, sp.displayName, unnest(sp.appRoleAssignments).AppRoleId as appRoleId from main.ServicePrincipal sp) sp left join (select unnest(main.ServicePrincipal.appRoles).id as id, unnest(main.ServicePrincipal.appRoles)."value" permissionName from main.ServicePrincipal) spAppRole on sp.appRoleId = spAppRole.id where permissionName is not null and sp.id == '{0}' "@ $sql = $sql -f $item.id $results = Invoke-DatabaseQuery -Database $Database -Sql $sql $item.AppPermissions = $results.permissionName return $item } function Add-GraphRisk($item) { $item.Risk = Get-GraphRisk -delegatePermissions $item.DelegatePermissions -applicationPermissions $item.AppPermissions $item.IsRisky = $item.Risk -eq "High" return $item } function Get-AppList($Apps, $Icon) { $mdInfo = "" foreach ($item in $apps) { $tenant = Get-ZtTenant -tenantId $item.appOwnerOrganizationId $portalLink = "https://entra.microsoft.com/#view/Microsoft_AAD_IAM/ManagedAppMenuBlade/~/Overview/objectId/$($item.id)/appId/$($item.appId)" $risk = $item.Risk $delPerm = $item.DelegatePermissions -join ", " $appPerm = $item.AppPermissions -join ", " $mdInfo += "| $($Icon) | [$(Get-SafeMarkdown($item.displayName))]($portalLink) | $risk | $delPerm | $appPerm | $(Get-SafeMarkdown($tenant.displayName)) | $(Get-FormattedDate($item.lastSignInDateTime)) | `n" } return $mdInfo } function Get-GraphRisk($delegatePermissions, $applicationPermissions) { $finalRisk = "Unranked" foreach($permission in $applicationPermissions){ $risk = Get-GraphPermissionRisk -Permission $permission -PermissionType "Application" switch($risk){ "High" { return $risk } "Medium" { $finalRisk = $risk } } } foreach($permission in $delegatePermissions){ $risk = Get-GraphPermissionRisk -Permission $permission -PermissionType "Delegated" switch($risk){ "High" { return $risk } "Medium" { $finalRisk = $risk } } } return $finalRisk } |