{"id":560,"date":"2024-03-04T13:22:30","date_gmt":"2024-03-04T12:22:30","guid":{"rendered":"https:\/\/sparrow365.de\/?p=560"},"modified":"2024-11-04T20:20:51","modified_gmt":"2024-11-04T19:20:51","slug":"you-probably-dont-need-application-readwrite-all","status":"publish","type":"post","link":"https:\/\/sparrow365.de\/index.php\/en\/2024\/03\/04\/you-probably-dont-need-application-readwrite-all\/","title":{"rendered":"You (probably) don’t need Application.ReadWrite.All"},"content":{"rendered":"

When Microsoft first disclosed<\/a> the January Midnight Blizzard<\/strong> attack and posted their subsequent deeper analysis<\/a> I followed the resulting content with great interest – risks posed by Enterprise Applications<\/strong> are a topic near and dear to me. <\/p>\n

\n

I will try to keep this article standalone, but it might be a good idea to skim the Articles before continuing<\/em><\/p>\n<\/blockquote>\n

If you use Microsoft 365 to a reasonable level, you will<\/em><\/strong> have applications with a large scope of permissions in your Tenant<\/strong> (think Backup Solutions, Script Automations, etc.) – which is why you should treat the Entra ID Role "(Cloud) App Administrator"<\/em> like a Global Administrator<\/strong>. By setting Credentials for the System Identity that holds the applications‘ permissions, they can connect to the associated APIs in its name and use privileges you might never have granted the Users directly. The same applies<\/strong> to the application-level Graph API role "Application.ReadWrite.All<\/strong>".<\/p>\n

Since I don’t have anything to add to the main Points of Interest for the breach, lateral movement between Tenants<\/a> through enterprise Applications and how to correctly grant API permissions in Exchange Online<\/a>, I won’t be revisiting those topics. However, there is one area where I would like to see more Information – once discovered in your Tenant<\/em>, it is sometimes not easy to find how to avoid<\/strong> or get rid of highly privileged API Roles.<\/strong> One such Example is Application.ReadWrite.All<\/strong><\/a>.<\/p>\n

The whole Midnight Blizzard attack chain might have started directly with an App Owner of the Multi-Tenant App, but it could easily have been an application in the Test Tenant with this Permission, through which the Attacker moved to the Multi-Tenant App (Microsoft is not entirely clear on this).<\/p>\n

So, let’s take a look at some use cases where the first reflex<\/strong> might be to use "Application.ReadWrite.All", but there are better solutions<\/strong>:<\/p>\n

\n

I will be using PowerShell in my demos, but since Graph is a REST API, examples can be transferred to any Programming Language with support for HTTP requests
\nI hold these truths to be self evident: Delegated Permissions are preferable over Application Permissions, and if you only need Read permissions you don’t use a ReadWrite scope<\/em><\/p>\n<\/blockquote>\n


<\/p>\n

General Configuration Management<\/h2>\n

To start out, in the vast majority of cases, we do not want to manage all<\/strong> applications in Tenant, but only a specific set. Let’s begin with an application wanting to manage its own configuration.<\/p>\n

\n

Remember: In the Graph API App Registrations<\/em> are on the application<\/strong> Endpoint, an Enterprise app<\/em> is a servicePrincipal<\/strong> – Quick summary of the difference<\/em><\/a>
\nWhen used too often I might refer to App Registrations as "AppRegs<\/strong>", and Enterprise Apps as "EApps<\/strong>" <\/p>\n<\/blockquote>\n

First Attempt<\/h3>\n

If we take a look at the Graph API documentation<\/a> for managing App Registrations, we can already see a potential Option (the same goes for Enterprise Apps<\/a>): <\/p>\n

\"DocumentedLeastPrivileges\"<\/p>\n

So, we add the Scope to our App Registration, Grant the Permissions on the Enterprise App and are done, right? <\/p>\n

\"activeScopes\"<\/p>\n

Well, now that I have the scope in my Graph Session, I try to change my EApp to require a User to be assigned before they can log in:
\nInvoke-MgGraphRequest "PATCH" "https:\/\/graph.microsoft.com\/v1.0\/servicePrincipals(appId='$($graphConfig.clientID)')" -Body @{ appRoleAssignmentRequired = $true }<\/code> <\/p>\n

And promptly get denied:<\/strong><\/p>\n

\"ErrorMessageSelfPatch\"<\/p>\n


<\/p>\n

Adding Ownership<\/h3>\n

This is logical if we think about it. We just gave the Enterprise App permission to manage applications that it Owns<\/strong>, but we don’t own anything<\/strong> (Click here for Microsofts Overview of application ownership)<\/em><\/a>. So how do we fix that? At time of writing (Feb. 2024), the Entra Portal does not offer EApps when we try to add an Owner to an Enterprise App or an App Registration. <\/p>\n

However, if we authenticate against the Graph API with the delegated<\/em><\/strong> Scope "Application.ReadWrite.All" as a user with at least Application Administrator<\/strong> (or Owner), we can add the necessary ownership – an Object can even own itself.<\/p>\n

\n

Remember – Even though credentials are configured on the App Registration, the Enterprise App \/ service Principal holds all the Permissions in a Tenant<\/strong><\/p>\n

See also the Microsoft Documentation of Adding Owners to Enterprise Apps<\/a><\/p>\n<\/blockquote>\n

# Fetch the Object ID of our EApp by App \/ Client ID\n$enterpriseAppID    = ( Invoke-MgGraphRequest "GET" "https:\/\/graph.microsoft.com\/v1.0\/servicePrincipals(appId='$($graphConfig.clientID)')?select=id" ).id\n\n# Add the EApp as an Owner to itself\n$params = @{ "@odata.id" = "https:\/\/graph.microsoft.com\/v1.0\/servicePrincipals\/$enterpriseAppID" }\nInvoke-MgGraphRequest "POST" "https:\/\/graph.microsoft.com\/v1.0\/servicePrincipals\/$enterpriseAppID\/owners\/`$ref" -Body $params<\/code><\/pre>\n

<\/p>\n
So let’s try again (We don’t get a response on successful execution so I won’t show the command line)<\/em>:
\nInvoke-MgGraphRequest "PATCH" "https:\/\/graph.microsoft.com\/v1.0\/servicePrincipals(appId='$($graphConfig.clientID)')" -Body @{ appRoleAssignmentRequired = $true }<\/code><\/p>\n
\"alt\"<\/p>\n
Success! And we can’t take over the entire Tenant from here, since we only control one Application<\/strong> \ud83e\udd73<\/p>\n
Funnily enough, even though we can’t add Enterprise Apps as Owners through the UI, once we added them, they are visible:<\/p>\n
\"PortalOwnerView\"<\/p>\n

<\/p>\n
If we need the ability to change the properties of our App Registration, we can add Ownership rights like this:<\/p>\n
\n
In this example I am still using the App \/ Client ID of the EApp I am logged in as, replace as needed<\/p>\n
See also the Microsoft Documentation of Adding Owners to App Registrations<\/a><\/p>\n<\/blockquote>\n
# Fetch the ID of The EApp that we want to use for Management\n$enterpriseAppID    = (Invoke-MgGraphRequest "GET" "https:\/\/graph.microsoft.com\/v1.0\/servicePrincipals(appId='$($graphConfig.clientID)')?select=id").id\n$appRegistrationID  = (Invoke-MgGraphRequest "GET" "https:\/\/graph.microsoft.com\/v1.0\/applications(appId='$($graphConfig.clientID)')?select=id").id\n\n# We add our EApp as the Owner of the AppReg \n$params = @{ "@odata.id" = "https:\/\/graph.microsoft.com\/v1.0\/servicePrincipals\/$enterpriseAppID" }\nInvoke-MgGraphRequest "POST" "https:\/\/graph.microsoft.com\/v1.0\/applications\/$appRegistrationID\/owners\/`$ref" -Body $params<\/code><\/pre>\n

<\/p>\n
Now I should be able to manage the App Registration as well, so let’s try to add a redirect URI for SSO: <\/p>\n
$params = @{ web = @{ redirectUris = @("https:\/\/demo.com") } }\nInvoke-MgGraphRequest "PATCH" "https:\/\/graph.microsoft.com\/v1.0\/applications(appId='$($graphConfig.clientID)')" -Body $params<\/code><\/pre>\n
And again we are successful:<\/p>\n
\"appRegEditSuccess\"<\/p>\n

<\/p>\n
Application Credential Management<\/h2>\n
Probably one of the most common requests in application management is to self-manage credentials<\/strong>. The consistent Expiry of Secrets and Certificates is either in need of close monitoring or, preferably, automation.<\/p>\n
With "Application.ReadWrite.OwnedBy<\/strong>", and our Enterprise App already having ownership of the App Registration from the last chapter, we can update Credentials – since they are just another property.<\/p>\n
Secrets<\/h3>\n
\n
See also the Microsoft Documentation of Updating App Registrations<\/a><\/p>\n<\/blockquote>\n
$appRegistrationID  = (Invoke-MgGraphRequest "GET" "https:\/\/graph.microsoft.com\/v1.0\/applications(appId='$($graphConfig.clientID)')?select=id").id\n$params = @{\n    passwordCredential = @{\n        displayName = "Secret$(get-date -f "ddMMyy")"\n    }\n}\n# Depending on where you need the secret, it is probably a good idea to put it there as quickly as possible ;) \n$response = Invoke-MgGraphRequest POST "https:\/\/graph.microsoft.com\/v1.0\/applications\/$appRegistrationID\/addPassword" -body $params<\/code><\/pre>\n
\n
If I actually have to use secrets like this I prefer only storing them in secure strings, since they are better protected in memory:<\/em>
\n$secret = ConvertTo-SecureString $(Invoke-MgGraphRequest POST "https:\/\/graph.microsoft.com\/v1.0\/applications\/$appRegistrationID\/addPassword" -body $params).secretText -AsPlainText -Force<\/code><\/code><\/p>\n<\/blockquote>\n
In our Response we get the secret as secretText, along with some metadata (remember to store it somewhere, or it is gone forever):
\n\"secretMetadata\"<\/p>\n
We can also see the Secret in the UI (just not the Value):<\/p>\n
\"secretUI\"<\/p>\n

<\/p>\n
Keys \/ Certificates<\/h3>\n
However, I am sure noone needs secrets<\/strong> anymore. They are just so much worse than Asymmetric Authentication Methods<\/strong>, so obviously all Applications have moved to Certificates<\/strong> for Authentication right? RIGHT?<\/em><\/strong> A man can dream…<\/p>\n
In theory we could do manage Certificates even without<\/strong> "Application.ReadWrite.OwnedBy<\/em>"<\/a> Permissions, but I was unable to get it to work<\/a> in PowerShell – I may revisit it later or would very much appreciate a pointer to a working implementation in the open Q&A question<\/a>…<\/p>\n
With me being unable to demonstrate the really cool<\/em> solution (for now), I don’t really have much to add to the Microsoft Documenation<\/a>. I do use the Value from the Certificate Store though:<\/p>\n
\n
Keep in mind that this command REPLACES ALL CURRENTLY CONFIGURED CERTIFICATES<\/strong> on the enterprise application<\/p>\n<\/blockquote>\n
$Certificate = Get-Item "Cert:\\CurrentUser\\My\\$($graphConfig.newThumb)" -ErrorAction Stop\n$params = @{\n    keyCredentials = @(\n        @{\n            type = "AsymmetricX509Cert"\n            usage = "Verify"\n            key = [convert]::ToBase64String($Certificate.GetRawCertData())\n            displayName = "CN=20240228"\n        }\n    )\n}\nInvoke-MgGraphRequest PATCH "https:\/\/graph.microsoft.com\/v1.0\/applications(appId='$($graphConfig.clientID)')" -Body $params<\/code><\/pre>\n

<\/p>\n
Scaling<\/h2>\n
So, we now have a good grasp of how we can manage single applications. But how do expand our Scope?<\/strong> There are usecases where we want to hold control over many Enterprise Apps \/ App Registrations (I will shorten to<\/em> "Apps"<\/strong> to refer to both from here on out)<\/em>. <\/p>\n
Think Infrastructure as Code Solutions like Terraform, or maybe we have a backup system that wants to circumvent Graph API rate limits<\/a> by creating more EApps<\/a> <\/p>\n
So essentially we would need at least one "Manager" App and a bunch of "Workers". The annoying<\/em> solution would be to create a bunch of Apps in advance – and go through the base ownership assignment<\/a> afterwards. Not great, but thankfully it is much simpler – if we use "Application.ReadWrite.OwnedBy<\/strong>" on our "Head" Application, we can then use it to create Apps as needed<\/strong>.<\/p>\n
\n
We can also call the servicePrincipal Endpoint to create associated Enterprise Apps, but that just looks the same<\/em><\/p>\n<\/blockquote>\n
Invoke-MgGraphRequest POST "https:\/\/graph.microsoft.com\/v1.0\/applications" -body @{ displayName = "CreatedByApp" }<\/code><\/p>\n
The executing Enterprise App is automatically added as the Owner<\/strong> of the new App:<\/p>\n
\"newAppReg\"<\/p>\n

<\/p>\n
However, keeping track of all our ownership relations will be challenging. The solutions I know as currently available are building an automation<\/strong> based on Custom Security Attributes<\/a> or creating a tracking system<\/strong> in directory extensions<\/a>. Either way, these are not great options – so are we doomed to either give far too broad permissions<\/strong> or try to keep track of a potentially complex web of ownership relations<\/strong>?<\/p>\n

<\/p>\n
The "Best" Option<\/h2>\n
If we truly<\/strong> want to go for "least privilege", Graph API Scopes are not the way. At their core, Apps are Entra ID Objects, making custom roles<\/a> a significantly more granular option for permissions management. "Application.ReadWrite.OwnedBy<\/strong>" just happens to be almost a drop in replacement<\/strong> for the commonly used "Application.ReadWrite.All<\/strong>". <\/p>\n
\n
OAuth scopes have the advantage of being easily transferrable between Tenants – when creating an Application only for your Tenant this is not really a fair argument and you better really REALLY trust the developer to give these permissions to a multi-tenant App…<\/p>\n<\/blockquote>\n
Once we look at the Options available in Entra ID, there would be one painfully obvious solution: For Users, Groups and Devices we can already create Administrative Units<\/strong><\/a>. These allow scoping Built-In and Custom Roles only to a subset of Objects<\/strong> in a directory, including the creation of new objects within its‘ scope.
\nThis would result in an easily scalable and auditable collection<\/strong> of Apps.
\nAlas, using AUs to manage Apps is currently (March 2024) not supported<\/strong> by Microsoft…<\/p>\n

<\/p>\n
Conclusion<\/h2>\n
On your next review of App Permissions<\/a>, ask developers if it would be possible to use less privileges<\/strong>. Remember, prioritizing safety is often secondary<\/strong> in the development process. Challenge the assertion ‚we just need it<\/em>‚ by looking for the specific usecases that have to be covered – maybe there are solutions that have not been considered.<\/p>\n
On the other hand, even though I go into how we can and should replace Application.ReadWrite.All<\/em>, this is not always<\/em> a good idea. If there is a System that Owns 90% of Apps, the management Overhead<\/strong> usually does not justify the little added security.
\nAdditionally, if you find the option of Entra ID custom roles interesting, understanding which Entra ID Permissions are necessary for a given Graph operation is not easy<\/strong> – you have to be willing to take on some trial and error.<\/p>\n

<\/p>\n
Did I miss a common usecase or you want to debate me why one might need Application.ReadWrite.All<\/strong>? I don’t want your email address, so please discuss on my associated LinkedIn Post<\/a>.<\/p>\n

<\/p>\n
If you are interested in the things I do follow me on LinkedIn<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"
When Microsoft first disclosed the January Midnight Blizzard attack and posted their subsequent deeper analysis I followed the resulting content with great interest – risks posed by Enterprise Applications are a topic near and dear to me. I will try to keep this article standalone, but it might be a good idea to skim the… » weiterlesen<\/a><\/p>\n","protected":false},"author":2,"featured_media":562,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[76,78],"tags":[80,82,236,232,230,84,165,234,238,88,90,96,98,228,100,169,171,240],"class_list":["post-560","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-me-id-en","category-powershell-en","tag-aad-en","tag-aad-connect-en","tag-administrative-units","tag-application-readwrite-all","tag-application-readwrite-ownedby","tag-azure-ad-en","tag-best-practices-en","tag-custom-roles","tag-enterprise-app-ownership","tag-entra-en","tag-entra-id-en","tag-graph-en","tag-graph-api-en","tag-least-privilege","tag-microsoft-graph-en","tag-minimize-access-en","tag-overprivilege-en","tag-security"],"_links":{"self":[{"href":"https:\/\/sparrow365.de\/index.php\/wp-json\/wp\/v2\/posts\/560","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/sparrow365.de\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/sparrow365.de\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/sparrow365.de\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/sparrow365.de\/index.php\/wp-json\/wp\/v2\/comments?post=560"}],"version-history":[{"count":8,"href":"https:\/\/sparrow365.de\/index.php\/wp-json\/wp\/v2\/posts\/560\/revisions"}],"predecessor-version":[{"id":578,"href":"https:\/\/sparrow365.de\/index.php\/wp-json\/wp\/v2\/posts\/560\/revisions\/578"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/sparrow365.de\/index.php\/wp-json\/wp\/v2\/media\/562"}],"wp:attachment":[{"href":"https:\/\/sparrow365.de\/index.php\/wp-json\/wp\/v2\/media?parent=560"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/sparrow365.de\/index.php\/wp-json\/wp\/v2\/categories?post=560"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/sparrow365.de\/index.php\/wp-json\/wp\/v2\/tags?post=560"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}