determine if app is multitenant enabled; add flag to determine if cre…

…dential originates from application/sp objects
cisagov · Nov 16, 2024 · 3c9102a · 3c9102a
1 parent f61668c
commit 3c9102a
Showing 1 changed file with 55 additions and 43 deletions.
diff --git a/sp-script.ps1 b/sp-script.ps1
@@ -2,10 +2,10 @@ Connect-MgGraph -Scopes "Application.Read.All", "Directory.Read.All"
 
 function Initialize-RiskyPermissions {
     param (
-        [PSCustomObject]$json,
-        [Object[]]$map,
-        [string]$resource,
-        [string]$id
+        [PSCustomObject]$Json,
+        [Object[]]$Map,
+        [string]$Resource,
+        [string]$Id
     )
 
     $riskyPermissions = $json.permissions.$resource.PSObject.Properties.Name
@@ -18,52 +18,30 @@ function Initialize-RiskyPermissions {
 
 function Get-ValidCredentials {
     param(
-        [Array[]]$credentials
+        [Array[]]$Credentials,
+        [boolean]$IsFromApplication
     )
 
     $validCredentials = @()
     foreach ($credential in $credentials) {
-        if ($credential.EndDateTime -gt (Get-Date)) { $validCredentials += $credential }
+        if ($credential.EndDateTime -gt (Get-Date)) {
+            # $credential is of type PSCredential which is immutable, so create a copy
+            $credentialCopy = $credential | Select-Object *, @{Name = "IsFromApplication"; Expression = { $IsFromApplication }}
+            $validCredentials += $credentialCopy
+        }
     }
     return $validCredentials
 }
 
 $permissionsJson = (Get-Content -Path "./riskyPermissions.json" | ConvertFrom-Json)
-$servicePrincipalResults = @()
-$servicePrincipals = Get-MgBetaServicePrincipal -All
-foreach ($servicePrincipal in $servicePrincipals) {
-    # Exclude Microsoft-published service principals
-    if ($servicePrincipal.AppOwnerOrganizationId -ne "f8cdef31-a31e-4b4a-93e4-5f571e91255a") {
-        $appRoleAssignments = Get-MgBetaServicePrincipalAppRoleAssignment -ServicePrincipalId $servicePrincipal.Id
-        $mappedPermissions = @()
-
-        foreach ($role in $appRoleAssignments) {
-            $resourceDisplayName = $role.ResourceDisplayName
-            $roleId = $role.AppRoleId
-            $mappedPermissions = Initialize-RiskyPermissions -json $permissionsJson -map $mappedPermissions -resource $resourceDisplayName -id $roleId
-        }
-
-        # Disregard entries without risky permissions
-        if ($mappedPermissions.Count -gt 0) {
-            $servicePrincipalResults += [PSCustomObject]@{
-                'Object ID' = $servicePrincipal.Id
-                'App ID' = $servicePrincipal.AppId
-                'Display Name' = $servicePrincipal.DisplayName
-                'Key Credentials' = Get-ValidCredentials -credentials $servicePrincipal.KeyCredentials
-                'Password Credentials' = Get-ValidCredentials -credentials $servicePrincipal.PasswordCredentials
-                'Risky Permissions' = $mappedPermissions
-            }
-        }
-    }
-}
-
-#$servicePrincipalResults = $servicePrincipalResults | Where-Object { $_."Risky Permissions".Count -gt 0 }
-$servicePrincipalResults | ConvertTo-Json -Depth 3 > finalSPResults.json
-
 
 $applications = Get-MgBetaApplication -All
 $applicationResults = @()
 foreach ($app in $applications) {
+    # "AzureADMyOrg" = single tenant
+    # "AzureADMultipleOrgs" = multi tenant
+    $IsMultiTenantEnabled = $false
+    if ($app.signInAudience -eq "AzureADMultipleOrgs") { $IsMultiTenantEnabled = $true }
 
     # Map permissions assigned to application to risky permissions
     $mappedPermissions = @()
@@ -75,15 +53,14 @@ foreach ($app in $applications) {
         foreach($role in $roles) {
             $resourceDisplayName = $permissionsJson.resources.$resourceAppId
             $roleId = $role.Id
-            $mappedPermissions = Initialize-RiskyPermissions -json $permissionsJson -map $mappedPermissions -resource $resourceDisplayName -id $roleId
+            $mappedPermissions = Initialize-RiskyPermissions -Json $permissionsJson -Map $mappedPermissions -Resource $resourceDisplayName -Id $roleId
         }
     }
 
     # Get federated credentials
-    $federatedCredentials = Get-MgBetaApplicationFederatedIdentityCredential -ApplicationId $app.Id -All
+    $federatedCredentials = Get-MgBetaApplicationFederatedIdentityCredential -All -ApplicationId $app.Id
     $federatedCredentialsResults = @()
 
-    # Reformat only if a credential exists
     if ($null -ne $federatedCredentials) {
         foreach ($federatedCredential in $federatedCredentials) {
             $federatedCredentialsResults += [PSCustomObject]@{
@@ -103,12 +80,47 @@ foreach ($app in $applications) {
             'Object ID' = $app.Id
             'App ID' = $app.AppId
             'Display Name' = $app.DisplayName
-            'Key Credentials' = Get-ValidCredentials -credentials $app.KeyCredentials
-            'Password Credentials' = Get-ValidCredentials -credentials $app.PasswordCredentials
+            'IsMultiTenantEnabled' = $IsMultiTenantEnabled
+            'Key Credentials' = Get-ValidCredentials -Credentials $app.KeyCredentials -IsFromApplication $true
+            'Password Credentials' = Get-ValidCredentials -Credentials $app.PasswordCredentials -IsFromApplication $true
             'Federated Credentials' = $federatedCredentials
             'Risky Permissions' = $mappedPermissions
         }
     }
 }
 
-$applicationResults | ConvertTo-Json -Depth 3 > finalAppResults.json
+$applicationResults | ConvertTo-Json -Depth 3 > finalAppResults.json
+
+$servicePrincipalResults = @()
+$servicePrincipals = Get-MgBetaServicePrincipal -All
+Write-Output $servicePrincipals.Count
+foreach ($servicePrincipal in $servicePrincipals) {
+    # Exclude Microsoft-published service principals
+    #if ($servicePrincipal.AppOwnerOrganizationId -ne "f8cdef31-a31e-4b4a-93e4-5f571e91255a") {}
+
+    # Only retrieves permissions an admin has consented to
+    $appRoleAssignments = Get-MgBetaServicePrincipalAppRoleAssignment -All -ServicePrincipalId $servicePrincipal.Id
+    $mappedPermissions = @()
+    if ($appRoleAssignments.Count -gt 0) {
+        foreach ($role in $appRoleAssignments) {
+            $resourceDisplayName = $role.ResourceDisplayName
+            $roleId = $role.AppRoleId
+            $mappedPermissions = Initialize-RiskyPermissions -Json $permissionsJson -Map $mappedPermissions -Resource $resourceDisplayName -Id $roleId
+        }
+    }
+
+    # Disregard entries without risky permissions
+    if ($mappedPermissions.Count -gt 0) {
+        $servicePrincipalResults += [PSCustomObject]@{
+            'Object ID' = $servicePrincipal.Id
+            'App ID' = $servicePrincipal.AppId
+            'Display Name' = $servicePrincipal.DisplayName
+            'Key Credentials' = Get-ValidCredentials -Credentials $servicePrincipal.KeyCredentials -IsFromApplication $false
+            'Password Credentials' = Get-ValidCredentials -Credentials $servicePrincipal.PasswordCredentials -IsFromApplication $false
+            'Risky Permissions' = $mappedPermissions
+        }
+    }
+}
+
+#$servicePrincipalResults = $servicePrincipalResults | Where-Object { $_."Risky Permissions".Count -gt 0 }
+$servicePrincipalResults | ConvertTo-Json -Depth 3 > finalSPResults.json