i was reading about AAD privilege escalation in one of the article where the author states that "if you compromise an Application Administrator account or the on-premise Sync Account you can read and modify directory settings, group memberships, user accounts, SharePoint sites and OneDrive files. This is done by assigning credentials to an existing service principal with these permissions and then impersonating these applications"
my questions are?
1.how can i find what privilege my app admin account has and how it is different from the permissions
that "application " has.
2. what does assigning credentials to a service principal means?
As mentioned in Carl's link,
The Application Administrator role allows users to create and manage all aspects of enterprise applications, application registrations, and application proxy settings. This role also grants the ability to consent to delegated permissions and application permissions, with the exception of permissions on the Microsoft Graph API.
Applications can have different privileges added to them, and a user in the Application Administrator role can add extra permissions to an application and theoretically use those credentials to impersonate the app's identity and have more privileges than originally intended.
An Azure service principal is a security identity used by user-created apps, services, and automation tools to access specific Azure resources. Just as a user is represented by a security principal called a user principal, an app is represented by a service principal. The service principal provides an identity for your app, allowing you to delegate only the necessary permissions to the app. It improves security if you only grant it the minimum permissions level needed to perform its management tasks. So if you assign credentials to a service principal you can grant or restrict the app's access to certain resources.
Related
From the page about Azure CLI Sign-in:
Service principals are accounts not tied to any particular user, which can have permissions on them assigned through pre-defined roles. Authenticating with a service principal is the best way to write secure scripts or programs, allowing you to apply both permissions restrictions and locally stored static credential information
It seems that a service principal is kind of a service account, a sort of identity which isn't tied to any specific person.
On the other hand, from here it seems that a service principal is an instantiation of the Application object in the domain of App registrations. This has something to do with registering an application so it can be authorized using OAuth 2.0 etc. etc.
So I can't understand the relation between these two concepts. Can someone help?
Service principal is sort of a service account.
It is the thing that permissions are assigned to.
For example, if you consent to an application reading your user profile on your behalf, that adds an OAuth 2 permission grant to the service principal.
Application permissions add an app role assignment to the service principal when granted.
When you make an app registration, a service principal is also created in that same Azure AD tenant.
Even though you add required permissions and consent to them through the app registration forms, the permissions are actually assigned to the service principal.
The app registration is only really a template.
Where this gets interesting is if you have a multi-tenant app (other Azure AD tenants' users can use your app).
In this case a service principal representing your app is also created in other Azure AD tenants when a user consents to the permissions your app requires.
Essentially you get an automatically generated service account in each tenant using your app.
This allows admins to decide which permissions to grant your app, which users can access the app etc.
Are Azure's RBAC tools and capabilities appropriate for delineating and enforcing app-specific user permissions?
What I've been seeing is that Azure's RBAC capabilities seem to involve managing Azure resources: BLOB services, storage accounts, app services, etc.
But what I don't see are examples of Azure RBAC being used to manage app- (or domain-) specific permissions, like "Allow the user to approve purchasing this widget" or "Allow user to categorize these items as Foo, Bar, or Baz", or "Allow the user to view financial data only from these company divisions".
Am I fundamentally misunderstanding how Azure RBAC works, or what it's used to manage? Can anyone point out examples of Azure role definitions that include permissions like the ones above, or point to documentation of how I might set those up?
I believe you are looking for application specific permissions which can be achieved, by configuring API permissions in apps, registered in AD. Please correct me if my understanding is wrong.
So the difference between API Permissions and Role Assignments is as below:
API Permissions: 2 types.
Delegated permissions are appropriate for client apps that access a web API as the signed-in user, and whose access should be restricted to the permissions you select in the next step.
Delegated permissions are used when authentication is done under user's context and are returned in scope claim of the token.
Application permissions are for service or daemon-type applications that need to access a web API as themselves, without user interaction for sign-in or consent. Unless you've defined application roles for your web API, this option is disabled.
App permissions are used when authentication is done under application (service principal) context and are returned in roles claim. For example, if you have a web application, you can configure it to allow access to the user, if the scope claim contains read, otherwise deny access. Or grant write access to application only when roles claim contains write.
You should configure API Permissions when you would like to return the permissions in the Access token. When application consumes the token, it makes authorization decision on the basis of permissions present in the token.
Role Assignments:
RBAC is the authorization system you use to manage access to Azure resources. When using RBAC, an administrator grants permissions to roles, and not to individual users or groups. The administrator can then assign roles to different users and groups to control who has access to what content and functionality.
Role assignments are used to assign permission to users/service principals on Azure Resources. In this case authorization is done by Azure and not by the end application which happens in case of API permissions.
Please ref the below articles for detailed explanation with examples.
https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-add-app-roles-in-azure-ad-apps
https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-how-applications-are-added
I need to register an application in Azure AD using PowerShell. I plan to use the New-AzADApplication cmdlet. The cmdlet documentation states the following:
Below are the permissions needed to create an application:
Azure Active Directory Graph
Application.ReadWrite.OwnedBy
Microsoft Graph
Directory.AccessAsUser.All
Directory.ReadWrite.All
I've learned that these permissions are scopes, which is a new concept to me and something I don't know how to deal with in Azure. I found this short demo, which shows these scopes can be managed as API permissions from the Azure App registration context. However, that demo shows the scopes being managed after the application has already been created. How can I establish the proper scopes before the application is created?
Or, more generally, how can I ensure that I have the appropriate permissions to execute the New-AzADApplication cmdlet?
The application that needs those permissions is Azure AD PowerShell in this case. If it didn't have a service principal in your AAD tenant yet, you would be asked for consent to those scopes on first login when using the Connect-AzureAD cmdlet.
In my experience, the service principal that it uses already exists in your tenant. So it already has the needed permissions. But what will also matter is your user permissions. Since it uses delegated permissions, it is acting on behalf of your user. In order for it to be able to create the app, it needs to have the necessary scope/delegated permission and your user must be able to create applications.
The cmdlets do also support acting as a service principal/app, in which case application permissions given to the app used to authenticate would apply, not delegated permissions. But that's another case that I don't think you are asking about.
Applications are able to note which permissions they require (both delegated and application) in the app registration portal. This allows use of the /.default scope and the Azure portal's "Grant admin consent" option.
You can follow this process:
1.Go to your application in the Azure portal – App registrations experience, or create an app if you haven't already.
2.Locate the API Permissions section, and within the API permissions
click Add a permission.
3.Select Microsoft Graph from the list of available APIs and then add
the permissions that your app requires.
4.Save the app registration.
Our use case is this: our application needs to access the Azure AD of customer organizations to:
Authenticate users
Sync users' profile data to our app when it changes on AD
Read and subscribe to booking changes in meeting rooms
Our app therefore needs the User.Read.All permission to read profiles of users, but also Calendar.Read.All but the latter must be scoped to a specific group (so as the protect the privacy of actual users). According to this article, a tenant administrator can restrict access of an application to a specific group, but I don't see any way to do this for a single permission, so it would restrict all permissions of an enterprise app to this group. Am I missing something or is this simply impossible and I would need to use multiple service accounts for this purpose?
Currently we can not restric the specific application permission to access a specific group. But we can scope application permissions to specific Exchange Online mailboxes.
Administrators can use ApplicationAccessPolicy cmdlets to control mailbox access of an app that has been granted any of the following application permissions:
Mail.Read
Mail.ReadBasic
Mail.ReadBasic.All
Mail.ReadWrite
Mail.Send
MailboxSettings.Read
MailboxSettings.ReadWrite
Calendars.Read
Calendars.ReadWrite
Contacts.Read
Contacts.ReadWrite
So if you have both User.Read.All and Calendar.Read, the ApplicationAccessPolicy will only work for Calendar.Read permission. The ApplicationAccessPolicy are specific to Exchange Online resources and do not apply to other Microsoft Graph workloads.
I am working with an organization that has disabled user consent for azure apps.
"Users can consent to apps accessing company data on their behalf" is set to No in the Azure Portal.
I would like developers to be able to give consent to they own apps in azure without setting the above setting to yes. (the apps needs the "Sign in and read user profile" delegated permissions Azure AD).
1: Is it correct that the only other way is the assign the developers to one of the Azure AD roles that has one of these permissions: Application Developer, Application Administrator or Cloud Application Administrator?
2: I would also like to automate this process during a AzureDevOps release pineline. Currently the release pipeline creates all needed Azure resources via ARM Templates.
But how do I automate the App Registration without going to the Portal?
And how do I ensure that the release pipeline has the correct Azure AD permission to give consent?
Can I force the Pipeline to run as an "Azure AD Service User that I give the above role?
Update 1
It seems that its possible to do Azure AD Registration with powershell. http://blog.octavie.nl/index.php/2017/09/13/creating-azure-ad-app-registration-with-powershell-part-1
Since the AzureAD is using MFA, the script will display an interactive credential dialog when running. Not sure if we can suppress that.
Update 2
And give app consent with powershell. https://www.mavention.nl/blogs-cat/create-azure-ad-app-registration-with-powershell-part-2/?cn-reloaded=1
Update 3
So to automate the whole process, I was thinking if we could use a Azure DevOps Service Connection to execute these powershell scripts during the release pipeline?
Not sure what permission is needed for the Azure DevOps Service Connection?
It should also suppress the MFA credential dialog.
Is it correct that the only other way is the assign the developers to one of the Azure AD roles that has this permission: Application Developer, Application Administrator or Cloud Application Administrator?
It depends on the permissions the app is requesting, and who you would like the developers to be consenting for (themselves, or the entire organization):
Members of the Application Developer directory role can consent only to delegated permissions (not application permissions), and only on behalf of themselves (not on behalf of the entire tenant). Only other members of this role would be able to use the app (they would each consent on behalf of themselves), and only if the permissions requested are user-consentable delegated permissions. If your only requirement is for developers to be able to get delegated User.Read permission to Microsoft Graph, then this would work.
Members of the Application Administrator and Cloud Application Administrator directory roles can consent on behalf of all users for both delegated permissions and app-only permissions, except for app-only permissions to Azure AD or Microsoft Graph. These roles are both very privileged, and it is unlikely you would want the average developer to posses this--certainly not if the only permission needed is delegated User.Read.
But how do I automate the App Registration without going to the Portal?
With the Microsoft Graph API, you can register an app by creating an Application object. As of 2018-12-05, this is still in beta in Microsoft Graph.
If you require a production-ready endpoint, the Azure AD Graph API supports this, which is what's used by the various command-line and PowerShell options: New-AzureADApplication, az ad app create, and New-AzureRmADApplication.
To do this without a user involved, the client application (the one creating the app registration) requires the Application.ReadWrite.OwnedBy application permission, at minimum.
And how do I ensure that the release pipeline has the correct Azure AD permission to give consent?
This is where things get complicated. While it is possible to create the app registration (the Application object) as described above, these is currently no application permission that would allow an app to grant consent for another app. Though there is work underway to allow for "normal" application permissions to allow one app to grant other apps some permissions, currently only members of the directory roles authorized to consent to these permissions are able to perform this action.