Create a JSON file to store permission scopes required for ScubaGear #1380
Conversation
buidav
added
the
enhancement
There was a problem hiding this comment.
- Can you move the file from the /Connection folder to a new /Permissions folder instead?
- I noticed you removed the ScubaGearSPPermissions node. In the future ScubaGear will have a utility script that helps users register a service principal to run the tool. Is the thought that our new utility script can just filter the GraphCmdLetPermissions node for entries that are of runtype = application and just use that list to create the needed permissions for the service principal in Entra Id?
- We need to add the following REST APIs as entries to the GraphCmdLetPermissions node along with their associated required permissions. Entra Id now includes direct calls to REST APIs without Cmdlets and therefore we need to ensure those permissions are represented.
- /beta/roleManagement/directory/roleEligibilityScheduleInstances
- /beta/roleManagement/directory/roleAssignmentScheduleInstances
- /beta/identityGovernance/privilegedAccess/group/eligibilityScheduleInstances
- /beta/privilegedAccess/aadGroups/resources
mitchelbaker-cisa
changed the title
mitchelbaker-cisa
force-pushed
the
main
branch
from
79d40ae to
1218df3
Compare
PowerShell/ScubaGear/Modules/Permissions/ScubaGear-Permissions.json
Outdated
Show resolved
Hide resolved
mitchelbaker-cisa
force-pushed
the
main
branch
from
1218df3 to
3dc451f
Compare
mitchelbaker-cisa
force-pushed
the
main
branch
2 times, most recently
from
40c59a0 to
23a7323
Compare
mitchelbaker-cisa
force-pushed
the
main
branch
from
23a7323 to
9d48ea1
Compare
There was a problem hiding this comment.
Found a few more multi-valued fields that are represented as strings when singletons. Recommend consistently representing as multi-valued structure (array or dictionary) to make the structure easier to traverse in all cases. Specific fields and examples are included in review comments below.
PowerShell/ScubaGear/Modules/Permissions/ScubaGearPermissions.json
Outdated
Show resolved
Hide resolved
PowerShell/ScubaGear/Modules/Permissions/ScubaGearPermissions.json
Outdated
Show resolved
Hide resolved
PowerShell/ScubaGear/Modules/Permissions/ScubaGearPermissions.json
Outdated
Show resolved
Hide resolved
|
Updated leastPermissions and poshModule keys to array type. |
PowerShell/ScubaGear/Modules/Permissions/ScubaGearPermissions.json
Outdated
Show resolved
Hide resolved
PowerShell/ScubaGear/Modules/Permissions/ScubaGearPermissions.json
Outdated
Show resolved
Hide resolved
| "dod": "https://{domain}-admin.sharepoint.mil.us" | ||
| }, | ||
| "poshModule": ["Microsoft.Online.SharePoint.PowerShell"], | ||
| "leastPermissions": ["Sites.FullControl.All"], |
There was a problem hiding this comment.
Connect-SPOService doesn't support Service Principal auth. This should be empty array.
There was a problem hiding this comment.
A new property was added to indicate noninteractive permissions, "spRolePermissions": []. @buidav does that resolve your comment? Or are additional changes needed.
PowerShell/ScubaGear/Modules/Permissions/ScubaGearPermissions.json
Outdated
Show resolved
Hide resolved
Testing Instructions for Interactive authenticationThe purpose of this set of tests is to exercise the new pieces of code with an interactive login. There will be separate instructions for testing with service principal. PreparationDownload the main branch and run ScubaGear to create a local scuba results json file which will be used later in a comparison. Run with aad, defender and sharepoint. Include the same products when you run the new code in the steps below. Download https://github.com/MichaelHicks-MSFT/ScubaGear/tree/main to a local folder /PermissionsJSON Test 1 - Ensure Get-ScubaGearPermissions sets up up the correct permissions for ScubaGear to run interactively and ScubaGear produces the expected output json and policy resultsGo to Microsoft Graph Powershell in the Entra Id > Enterprise Applications and click on Permissions Compare this file against the Scuba results file created from the main branch and ensure that there are no differences that would indicate that the new Powershell code changes had any material effect on the items below. Ignore timestamp and ReportUUID differences.
If there are differences between the two files, this indicates that the introduction of the Get-ScubaGearPermissions cmdlet may have introduced a bug. Test 2 - Ensure Get-ScubaGearPermissions does not generate any permissions errors (e.g. 401)Examine the Powershell window where the PermissionsJSON branch was executed and note any permissions errors (e.g. "unauthorized") Test 3 -Determine if there are any differences in the permissions created in the tenant that require a reviewGo to the Entra Id > Enterprise Applications and open the permissions for the Microsoft Graph Powershell app. These are the permissions created by running the PermissionsJSON with the new Get-ScubaGearPermissions cmdlet in the Connect-Tenant code. |
…ncipal PR. Updated interactive and noninteractive markdowns to account for new permissions.
Test Results for Interactive authentication - E5 tenantTest 1 - Ensure Get-ScubaGearPermissions sets up up the correct permissions for ScubaGear to run interactivelyCompared the configuration settings export and policy check results. No difference between the main branch versus this one. Pass. Test 2 - Ensure Get-ScubaGearPermissions does not generate any permissions errors (e.g. 401)No permissions errors observed in the console. Pass. Test 3 -Determine if there are any differences in the permissions created in the tenant that require a reviewSome new permissions that were not there before were requested for the MS Graph Powershell (Microsoft Graph Command Line Tools) service principal. After discussion with the MS team, this is because each of the cmdlets documented in the JSON permissions include the least privileged permission required to execute the respective cmdlet. Pass. |
Test Results for Interactive authentication - G3 tenantTest 1 - Ensure Get-ScubaGearPermissions sets up up the correct permissions for ScubaGear to run interactivelyPass. Test 2 - Ensure Get-ScubaGearPermissions does not generate any permissions errors (e.g. 401)Pass. Test 3 -Determine if there are any differences in the permissions created in the tenant that require a reviewPass. |
Test Results for Interactive authentication - GCC High tenantTest 1 - Ensure Get-ScubaGearPermissions sets up up the correct permissions for ScubaGear to run interactivelyPass. Test 2 - Ensure Get-ScubaGearPermissions does not generate any permissions errors (e.g. 401)Pass. Test 3 -Determine if there are any differences in the permissions created in the tenant that require a reviewPass. |
…xchange online protection for gcchigh/dod. Fixed the id for api output. Created a new unit test to validate the permissions helper module. Updated ScubaGear redundant permissions function (Get-ScubaGearEntraRedundantPermissions). Added all environments to the Invoke-GraphDirectly unit tests.
|
Should the cmdlet Get-ScubaGearEntraRedundantPermissions be renamed to Get-ScubaGearEntraMinimumPermissions? hopefully I understood the intent of the function.
|
Testing Instructions for Non-Interactive authenticationThe purpose of this set of tests is to exercise the new pieces of code with an non-interactive login using a service principal. PreparationDownload the main branch and run ScubaGear to create a local scuba results json file which will be used later in a comparison. Run with aad, defender and sharepoint. Include the same products when you run the new code in the steps below. Download https://github.com/MichaelHicks-MSFT/ScubaGear/tree/main to a local folder /PermissionsJSON Create a new registered app in the test tenant named: ScubaGearPermissionsJSON
Go into the permissions page for the new registered app and add the Graph permissions listed by the previous cmdlet From here on out, you will use the newly registered application ScubaGearPermissionsJSON to authenticate to ScubaGear for the tests and your certificate. Test 1 - Ensure that Connect-Tenant in ScubaGear works correctly with non interactive auth and ScubaGear produces the expected output json and policy resultsInvoke ScubaGear with the new service principal and your certificate to generate a scuba results JSON file Compare this file against the Scuba results file created from the main branch and ensure that there are no differences that would indicate that the new Powershell code changes had any material effect on the items below. Ignore timestamp and ReportUUID differences.
If there are differences between the two files, this indicates that the introduction of the Get-ScubaGearPermissions cmdlet may have introduced a bug. Test 2 - Ensure Get-ScubaGearPermissions does not generate any permissions errors (e.g. 401)Examine the Powershell window where the PermissionsJSON branch was executed and note any permissions errors (e.g. "unauthorized") |
Test Results for Non-Interactive authentication - GCC High, E5 and G3 tenantsThe tests were performed on all tenant types listed above. I created a brand new application to test with in each tenant and gave it the permissions listed by the Get-ScubaGearEntraRedundantPermissions cmdlet. Test 1 - Ensure that Connect-Tenant in ScubaGear works correctly with non interactive auth and ScubaGear produces the expected output json and policy resultsPass. Test 2 - Ensure Get-ScubaGearPermissions does not generate any permissions errors (e.g. 401)Pass. |
Testing changes to Invoke-GraphDirectlyThe AAD export provider function Invoke-GraphDirectly was tested indirectly by executing ScubaGear against Entra Id in three tenant types. No issues observed. |
|
Consider initializing the variable $objects before it is used.
|
|
Tested parameter validation of Get-ScubaGearPermissions and behaves as expected.
|
|
I have completed my review. Outstanding enhancement! @buidav and @mitchelbaker-cisa Here are the remaining items for review (you can split up the work if you like):
@DickTracyII @MichaelHicks-MSFT Left some minor final comments but the major items were tested. Thank you. |
|
@DickTracyII @MichaelHicks-MSFT this PR will have to solve some major merge conflicts with |
|
I was using ScubaGearPermissions.json as a reference for another issue that I'm working on and I noticed we are missing Get-MgBetaDirectoryObject from the file. |
I will add that to the file. |
|
This PR is being recreated with a new branch directly in the ScubaGear repo. |
🗣 Description
Permissions file containing current SCuBAGear permissions mapping.
💭 Motivation and context
Added permissions file to allow centralized management of all SCuBAGear Microsoft Graph permissions.
#1391 is a follow up to this issue, which aims to modify the Connection module to read from the new ScubaPermissions.json file instead of hard coded values.
Closes #1356
🧪 Testing
Testing was conducted across commercial and gcchigh tenants. Created PowerShell code that imported the JSON file and made connections to Microsoft Graph utilizing the permission scopes defined under Permission within the ScubaGearGraphScopes section of the file.
✅ Pre-approval checklist
✅ Pre-merge checklist
PR passed smoke test check.
Feature branch has been rebased against changes from parent branch, as needed
Use
Rebase branchbutton below or use this reference to rebase from the command line.Resolved all merge conflicts on branch
Notified merge coordinator that PR is ready for merge via comment mention
✅ Post-merge checklist