Merge pull request #730 from HenrikPiecha/Update-HighRiskAppPermissions-v2.1.0

merill · web-flow · commit 7cd71e763d1d · 2025-03-06T18:47:54.000+11:00
Updated HighRisk Apps Test to be in sync with release v2.1.0 published by Emilien Socchi.
diff --git a/powershell/public/maester/entra/Test-MtHighRiskAppPermissions.md b/powershell/public/maester/entra/Test-MtHighRiskAppPermissions.md
@@ -1,27 +1,32 @@
-Ensure no graph application has permissions with a risk of having a direct or indirect path to Global Admin and full tenant takeover.
+Ensure no Microsoft Entra ID applications or service principals have Graph permissions with a risk of having a direct or indirect path to a Global Admin or a full tenant takeover.
 
-This test checks if any application has tier-0 graph permissions with a risk of having a direct or indirect path to Global Admin and full tenant takeover.
+The tested permissions are based on the research published at [Microsoft Application permissions tiering](https://github.com/emiliensocchi/azure-tiering/tree/main/Microsoft%20Graph%20application%20permissions) by [Emilien Socchi](https://github.com/emiliensocchi).
+
+This test checks if any application has tier-0 graph permissions with a risk of having a direct or indirect path to a Global Admin or a full tenant takeover.
 
 Note:\
-There are several use cases where Tier-0 permissions with an indirect attack path are required. For example, Maester itself requires the permission 'RoleEligibilitySchedule.ReadWrite.Directory' to properly validate the PIM assignments. Nevertheless, an administrator should question the use of these permissions and check whether less critical permissions are also sufficient. Applications that are provided by third-party vendors that do have Tier-0 permissions with direct or indirect attack paths should strictly be questioned and monitored.
+There are several use cases where Tier-0 permissions with an indirect attack path are required. For example, Maester itself requires the permission 'RoleEligibilitySchedule.ReadWrite.Directory' to properly validate the PIM assignments. Nevertheless, an administrator should question the use of these permissions and check whether less critical permissions are also sufficient. Applications provided by third-party vendors that do have Tier-0 permissions with direct or indirect attack paths should strictly be questioned and monitored.
 
-Following is a shortened copy from [Application permissions - Tier 0: Family of Global Admins](https://github.com/emiliensocchi/azure-tiering/tree/main/Microsoft%20Graph%20application%20permissions#tier-0), Date: 20.01.2025:
+Following table is a shortened copy from [Application permissions - Tier 0: Family of Global Admins](https://github.com/emiliensocchi/azure-tiering/tree/main/Microsoft%20Graph%20application%20permissions#tier-0), Date: 05.03.2025, Release v2.1.0
 
 | Application permission | Path type | Known shortest path |
-| --- | --- | --- |
+|---|---|---|
 | [AdministrativeUnit.ReadWrite.All](https://learn.microsoft.com/en-us/graph/permissions-reference#administrativeunitreadwriteall) | Indirect | When combined with other types of access allowing to reset user passwords, can remove a Global Admin from a [Restricted Management Administrative Unit (RMAU)](https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/admin-units-restricted-management) and take it over. |
 | [Application.ReadWrite.All](https://learn.microsoft.com/en-us/graph/permissions-reference#applicationreadwriteall) | Indirect | Can impersonate any SP with more privileged application permissions granted for MS Graph, and impersonate it to escalate to Global Admin. |
 | [Application.ReadWrite.OwnedBy](https://learn.microsoft.com/en-us/graph/permissions-reference#applicationreadwriteownedby) | Indirect | Same as [Application.ReadWrite.All](#application-readwrite-all), but the impersonation is limited to the SP(s) for which the compromised SP is an owner. |
 | [AppRoleAssignment.ReadWrite.All](https://learn.microsoft.com/en-us/graph/permissions-reference#approleassignmentreadwriteall) | Indirect | Can assign the [RoleManagement.ReadWrite.Directory](#rolemanagement-readwrite-directory) permission to the compromised SP *without* requiring admin consent, and escalate to Global Admin. |
 | [DeviceManagementConfiguration.ReadWrite.All](https://learn.microsoft.com/en-us/graph/permissions-reference#devicemanagementconfigurationreadwriteall) | Indirect | Can run arbitrary commands on the InTune-managed endpoint of a Global Administrator and steal their tokens to impersonate them. |
 | [DeviceManagementRBAC.ReadWrite.All](https://learn.microsoft.com/en-us/graph/permissions-reference#devicemanagementrbacreadwriteall) | Indirect | Can assign InTune roles to a controlled user account, which allows running arbitrary commands on the InTune-managed endpoint of a Global Administrator and steal their tokens to impersonate them. |
 | [Directory.ReadWrite.All](https://learn.microsoft.com/en-us/graph/permissions-reference#directoryreadwriteall) | Indirect | Can become member of a non-role-assignable user group with assigned privileged Azure permissions, and leverage Azure resources to escalate to Global Admin. <br>**Note**: can also acquire access to external solutions integrated with Entra ID via SSO, and providing access based on non-role-assignable group memberships. |
+| [Domain.ReadWrite.All](https://learn.microsoft.com/en-us/graph/permissions-reference#domainreadwriteall) | Indirect | Can add a federated domain to Entra ID and authenticate as an existing Global Admin without password or MFA requirements. |
 | [EntitlementManagement.ReadWrite.All](https://learn.microsoft.com/en-us/graph/permissions-reference#entitlementmanagementreadwriteall) | Indirect | Can update the assignment policy of an access package provisioning access to Global Admin, so that requesting the package without approval is possible from a controlled user account. |
 | [Group.ReadWrite.All](https://learn.microsoft.com/en-us/graph/permissions-reference#groupreadwriteall) | Indirect | Same as [Directory.ReadWrite.All](#directory-readwrite-all). |
 | [GroupMember.ReadWrite.All](https://learn.microsoft.com/en-us/graph/permissions-reference#groupmemberreadwriteall) | Indirect | Same as [Directory.ReadWrite.All](#directory-readwrite-all). |
+| [Organization.ReadWrite.All](https://learn.microsoft.com/en-us/graph/permissions-reference#organizationreadwriteall) | Indirect | If Certificate Based Authentication (CBA) is enabled in the tenant, can upload a trusted root certificate to Entra ID and impersonate a Global Admin. |
 | [Policy.ReadWrite.AuthenticationMethod](https://learn.microsoft.com/en-us/graph/permissions-reference#policyreadwriteauthenticationmethod) | Indirect | When combined with [UserAuthenticationMethod.ReadWrite.All](#userauthenticationmethod-readwrite-all), can enable the [Temporary Access Pass (TAP)](https://learn.microsoft.com/en-us/entra/identity/authentication/howto-authentication-temporary-access-pass) authentication method to help leveraging and follow the same path as that permission. |
+| [Policy.ReadWrite.ConditionalAccess](https://learn.microsoft.com/en-us/graph/permissions-reference#policyreadwriteconditionalaccess) | Direct | Can create a CAP blocking all users (including break-glass accounts) for all applications (making the tenant unavailable), and ask for a ransomware to remove the malicious CAP. <br>Note: this role is "Global-Admin-like", as it affects the availability of the tenant in the same way as a Global Admin. |
 | [Policy.ReadWrite.PermissionGrant](https://learn.microsoft.com/en-us/graph/permissions-reference#policyreadwritepermissiongrant) | Indirect | Can create a [permission grant policy](https://learn.microsoft.com/en-us/graph/api/permissiongrantpolicy-post-includes?view=graph-rest-1.0&tabs=http) for the compromised SP with the [RoleManagement.ReadWrite.Directory](https://learn.microsoft.com/en-us/graph/permissions-reference#rolemanagementreadwritedirectory) permission, and leverage that policy to follow the same path as that permission and escalate to Global Admin. |
-| [PrivilegedAccess.ReadWrite.AzureADGroup](https://learn.microsoft.com/en-us/graph/permissions-reference#privilegedaccessreadwriteazureadgroup) | Direct | Can add a controlled user account as owner or member of a group with an active Global Admin assignment (i.e. can update the membership of role-assignable groups). |
+| [PrivilegedAssignmentSchedule.ReadWrite.AzureADGroup](https://learn.microsoft.com/en-us/graph/permissions-reference#privilegedassignmentschedulereadwriteazureadgroup) | Direct | Same as [PrivilegedAccess.ReadWrite.AzureADGroup](#privilegedaccess-readwrite-azureadgroup). |
 | [PrivilegedEligibilitySchedule.ReadWrite.AzureADGroup](https://learn.microsoft.com/en-us/graph/permissions-reference#privilegedeligibilityschedulereadwriteazureadgroup) | Indirect | Can make a controlled user account eligible to a group with an active Global Admin assignment, and activate the group membership to escalate to Global Admin. |
 | [RoleAssignmentSchedule.ReadWrite.Directory](https://learn.microsoft.com/en-us/graph/permissions-reference#roleassignmentschedulereadwritedirectory) | Direct | Can assign the Global Admin role to a controlled user account, by creating an active PIM role assignment. |
 | [RoleEligibilitySchedule.ReadWrite.Directory](https://learn.microsoft.com/en-us/graph/permissions-reference#roleeligibilityschedulereadwritedirectory) | Indirect | Can make a controlled user account eligible to the Global Admin role, and activate it to escalate to Global Admin. |
@@ -53,4 +58,4 @@ To check the applications permissions:
 * [Microsoft Learn - Graph permissions](https://learn.microsoft.com/en-us/graph/permissions-reference)
 
 <!--- Results --->
-%TestResult%
+%TestResult%
diff --git a/powershell/public/maester/entra/Test-MtHighRiskAppPermissions.ps1 b/powershell/public/maester/entra/Test-MtHighRiskAppPermissions.ps1
@@ -324,7 +324,67 @@ function Test-MtHighRiskAppPermissions {
             Type='Delegated'
             Path='Indirect'
         }
-   )
+        [pscustomobject]@{
+            Id='9241abd9-d0e6-425a-bd4f-47ba86e767a4';
+            Name='DeviceManagementConfiguration.ReadWrite.All';
+            Type='Application'
+            Path='Indirect'
+        }
+        [pscustomobject]@{
+            Id='0883f392-0a7a-443d-8c76-16a6d39c7b63';
+            Name='DeviceManagementConfiguration.ReadWrite.All';
+            Type='Delegated'
+            Path='Indirect'
+        }
+        [pscustomobject]@{
+            Id='e330c4f0-4170-414e-a55a-2f022ec2b57b';
+            Name='DeviceManagementRBAC.ReadWrite.All';
+            Type='Application'
+            Path='Indirect'
+        }
+        [pscustomobject]@{
+            Id='0c5e8a55-87a6-4556-93ab-adc52c4d862d';
+            Name='DeviceManagementRBAC.ReadWrite.All';
+            Type='Delegated'
+            Path='Indirect'
+        }
+        [pscustomobject]@{
+            Id='7e05723c-0bb0-42da-be95-ae9f08a6e53c';
+            Name='Domain.ReadWrite.All';
+            Type='Application'
+            Path='Indirect'
+        }
+        [pscustomobject]@{
+            Id='0b5d694c-a244-4bde-86e6-eb5cd07730fe';
+            Name='Domain.ReadWrite.All';
+            Type='Delegated'
+            Path='Indirect'
+        }
+        [pscustomobject]@{
+            Id='292d869f-3427-49a8-9dab-8c70152b74e9';
+            Name='Organization.ReadWrite.All';
+            Type='Application'
+            Path='Indirect'
+        }
+        [pscustomobject]@{
+            Id='46ca0847-7e6b-426e-9775-ea810a948356';
+            Name='Organization.ReadWrite.All';
+            Type='Delegated'
+            Path='Indirect'
+        }
+        [pscustomobject]@{
+            Id='01c0a623-fc9b-48e9-b794-0756f8e8f067';
+            Name='Policy.ReadWrite.ConditionalAccess';
+            Type='Application'
+            Path='Direct'
+        }
+        [pscustomobject]@{
+            Id='ad902697-1014-4ef5-81ef-2b4301988e8c';
+            Name='Policy.ReadWrite.ConditionalAccess';
+            Type='Delegated'
+            Path='Direct'
+        }
+    )
 
     $return = $true
 
