Updated HighRisk Apps Test to be in sync with release v2.1.0 published by Emilien Socchi. #730

Merged
merill merged 2 commits into maester365:main from HenrikPiecha:Update-HighRiskAppPermissions-v2.1.0
Mar 6, 2025

Conversation

@HenrikPiecha
Contributor

Updated HighRisk Apps Test to be in sync with Release v2.1.0 published by Emilien Socchi.

The following Graph permissions have been added:

  • DeviceManagementConfiguration.ReadWrite.All
  • DeviceManagementRBAC.ReadWrite.All
  • Domain.ReadWrite.All
  • Organization.ReadWrite.All
  • Policy.ReadWrite.ConditionalAccess
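As an added illustration (not Maester's own code; Test-MtHighRiskAppPermissions.ps1 is not shown on this page), the snippet below builds the five permissions from this PR as pscustomobject entries, one each for the Application and Delegated type, and matches them against a service principal's granted permissions. Application permissions are resolved from appRoleAssignment.appRoleId via the Microsoft Graph service principal's appRoles, delegated ones from the space-separated scope of an oauth2PermissionGrant; the grants, role ids and the function name Find-Tier0Grant are constructed assumptions.

```powershell
# Added example, not Maester's implementation. Tier-0 list limited to the
# permissions added in this PR, in Application and Delegated flavours.
$tier0Names = @(
    'DeviceManagementConfiguration.ReadWrite.All'
    'DeviceManagementRBAC.ReadWrite.All'
    'Domain.ReadWrite.All'
    'Organization.ReadWrite.All'
    'Policy.ReadWrite.ConditionalAccess'
)
$tier0 = foreach ($name in $tier0Names) {
    foreach ($type in 'Application', 'Delegated') {
        [pscustomobject]@{ Permission = $name; Type = $type }
    }
}

# Constructed sample data shaped like Graph responses: the Graph service
# principal's appRoles (id -> permission value) and grants to one test app.
$graphAppRoles = @(
    @{ id = '00000000-0000-0000-0000-000000000001'; value = 'Domain.ReadWrite.All' }
    @{ id = '00000000-0000-0000-0000-000000000002'; value = 'User.Read.All' }
)
$appRoleAssignments = @(   # application permissions (appRoleAssignment objects)
    @{ principalDisplayName = 'Contoso Automation'; appRoleId = '00000000-0000-0000-0000-000000000001' }
    @{ principalDisplayName = 'Contoso Automation'; appRoleId = '00000000-0000-0000-0000-000000000002' }
)
$oauth2Grants = @(         # delegated permissions (oauth2PermissionGrant, space-separated scope)
    @{ clientId = 'sp-contoso-automation'; scope = 'User.Read Policy.ReadWrite.ConditionalAccess' }
)

function Find-Tier0Grant {
    param($Tier0, $AppRoles, $AppRoleAssignments, $OAuth2Grants)
    $roleValue = @{}
    foreach ($r in $AppRoles) { $roleValue[$r.id] = $r.value }   # appRoleId -> permission name
    $appTier0 = @($Tier0 | Where-Object Type -eq 'Application' | ForEach-Object Permission)
    $delTier0 = @($Tier0 | Where-Object Type -eq 'Delegated'   | ForEach-Object Permission)

    foreach ($a in $AppRoleAssignments) {
        $perm = $roleValue[$a.appRoleId]
        if ($perm -and $appTier0 -contains $perm) {
            [pscustomobject]@{ Principal = $a.principalDisplayName; Permission = $perm; Type = 'Application' }
        }
    }
    foreach ($g in $OAuth2Grants) {
        foreach ($scope in ($g.scope -split ' ')) {
            if ($delTier0 -contains $scope) {
                [pscustomobject]@{ Principal = $g.clientId; Permission = $scope; Type = 'Delegated' }
            }
        }
    }
}

Find-Tier0Grant -Tier0 $tier0 -AppRoles $graphAppRoles -AppRoleAssignments $appRoleAssignments -OAuth2Grants $oauth2Grants | Format-Table
```

With the constructed input this reports two findings: Domain.ReadWrite.All (Application) for Contoso Automation and Policy.ReadWrite.ConditionalAccess (Delegated) for sp-contoso-automation, while User.Read.All and User.Read are not flagged.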

@HenrikPiecha HenrikPiecha requested a review from a team as a code owner March 5, 2025 12:33
Contributor

@gemini-code-assist gemini-code-assist bot left a comment


Hello @HenrikPiecha, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

Summary of Changes

This pull request updates the Test-MtHighRiskAppPermissions.md and Test-MtHighRiskAppPermissions.ps1 files to align with the changes introduced in release v2.1.0 of Emilien Socchi's azure-tiering project. The primary goal is to ensure the Maester tool accurately identifies applications and service principals with potentially dangerous Graph permissions that could lead to Global Admin or full tenant takeover. The update incorporates new Graph permissions and reflects the latest research on Microsoft Graph application permissions tiering.

Highlights

  • Permissions Update: Adds several new Graph permissions to the list of high-risk permissions, including DeviceManagementConfiguration.ReadWrite.All, DeviceManagementRBAC.ReadWrite.All, Domain.ReadWrite.All, Organization.ReadWrite.All, and Policy.ReadWrite.ConditionalAccess.
  • Documentation Update: Updates the Test-MtHighRiskAppPermissions.md file to reflect the new permissions and the latest version of the azure-tiering research.
  • Code Synchronization: Ensures the PowerShell script (Test-MtHighRiskAppPermissions.ps1) is synchronized with the updated list of high-risk permissions.

Changelog

  • powershell/public/maester/entra/Test-MtHighRiskAppPermissions.md
    • Updates the description to include service principals in addition to applications.
    • Adds a reference to the Microsoft Application permissions tiering research by Emilien Socchi.
    • Updates the table of Tier-0 permissions to include Domain.ReadWrite.All, Organization.ReadWrite.All, and Policy.ReadWrite.ConditionalAccess.
    • Updates the date to 05.03.2025, Release v2.1.0
    • Fixes a minor formatting issue by removing a newline character at the end of the file.
  • powershell/public/maester/entra/Test-MtHighRiskAppPermissions.ps1
    • Adds new pscustomobject entries for the following permissions: DeviceManagementConfiguration.ReadWrite.All (Application and Delegated), DeviceManagementRBAC.ReadWrite.All (Application and Delegated), Domain.ReadWrite.All (Application and Delegated), Organization.ReadWrite.All (Application and Delegated), and Policy.ReadWrite.ConditionalAccess (Application and Delegated).
Contributor

@gemini-code-assist gemini-code-assist bot left a comment


Code Review

The pull request updates the HighRisk Apps Test to align with release v2.1.0, incorporating new Graph Permissions. The changes include modifications to the markdown documentation and the PowerShell script to reflect the updated permissions and their associated risks. Overall, the changes seem well-structured and aligned with the stated goal of keeping the test in sync with the latest release.

Summary of Findings

  • Missing Delegated Permissions: The markdown documentation lacks descriptions for the delegated permissions added in the PowerShell script. This omission could lead to confusion regarding the scope and potential risks associated with these permissions. I did not add a review comment for this issue due to the review settings.
  • Inconsistent Table Formatting: The table formatting in the markdown documentation could be improved for better readability and consistency. Specifically, ensuring consistent spacing and alignment within the table cells would enhance the overall presentation. I did not add a review comment for this issue due to the review settings.

Merge Readiness

The pull request introduces important updates to the HighRisk Apps Test, aligning it with the latest release. While the core functionality appears to be correctly implemented, the missing descriptions for delegated permissions in the markdown documentation and the inconsistent table formatting are areas that need attention. I am unable to approve this pull request, and recommend that it not be merged until the identified issues are addressed to ensure clarity and maintainability. It is also recommended that others review and approve this code before merging.

Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>
Contributor

@merill merill left a comment


LGTM

@merill merill merged commit 7cd71e7 into maester365:main Mar 6, 2025
4 checks passed
@HenrikPiecha HenrikPiecha deleted the Update-HighRiskAppPermissions-v2.1.0 branch March 6, 2025 07:50