cloud-architekt / azuread-attack-defense

1.9K 76.0 286.0 32.71 MB

This publication is a collection of various common attack scenarios on Microsoft Entra ID (formerly known as Azure Active Directory) and how they can be mitigated or detected.

PowerShell 100.00%
azureactivedirectory itdr microsoftentraid microsoftsentinel

azuread-attack-defense's Issues

Can't add roles

Running: AADSCA-AddedPermToLogicAppMSI.ps1 tells me I don't have permissions to do GetServicePrincipals

Could you indicate the steps to follow?
At the moment I have created the logspace.
I have deployed the ARM with all the data.

Thank you !!!

Technical limitations of consent policies

Hello,

I have read ConsentGrant.md, and I would like to bring your attention to the following issue concerning the mitigation option "Create a “permission grant condition set” for all users on the specific application" (l. 498):

This adds a specific client ID to a condition set in order to allow user consent to this particular application. However, there is an undocumented limitation to Consent Policies which only allows 99 client IDs to be used in Consent Policies tenant-wide, regardless of how these IDs are distributed over condition sets/policies. (The same is true for tenant ID.)

Unfortunately, this limitation was introduced secretly, and we have discovered it by accident during testing. Investigation with Microsoft is pending, but at the moment, this is a serious drawback for this mitigation option.

Do you know of any other option which preserves user consent while maintaining relatively fine control? Permission classification seems too coarse since a lot of permissions can be very harmful in illicit consent attacks while having proper use cases for other apps (e.g., MS Graph Mail.Read permission). I have also read the linked blog post, but this approach is not suitable for a large number of consents.

Looking forward to hearing your thoughts on this.

Best,

Alex

Errors executing Logic App

When I run the Logic App, I get the following error:

{
"error": {
"code": "AuthenticationError",
"message": "AADSTS500014: The service principal for resource '47ee738b-3f1a-4fc7-ab11-37e4822b007e' is disabled. This indicate that a subscription within the tenant has lapsed, or that the administrator for this tenant has disabled the application, preventing tokens from being issued for it. Trace ID: 703bc6a1-ad77-4b3b-a7ba-3aa6 Correlation ID: 175795e3-c60d-454c-9a83-a1ce Timestamp: 2024-03-20 13:36:24Z",
"innerError": {
"date": "2024-03-20T13:36:24",
"request-id": "175795e3-c60d-454c-9a83-a1ce7f7ff9e3",
"client-request-id": "175795e3-c60d-454c-9a83-a1ce7f7ff9e3"
}
}
}


Importing Workbook

Hi Guys! When working through the setup I'm encountering an issue with the Workbook creation. Adding the Workbook based on the "add Sentinel Workbook" procedure and copy/pasting the raw workbook code in the advanced settings doesn't let me save the workbook because of this error:

'Cannot load from JSON: This item type is 1 (text), but the JSON provided was undefined (Unknown)'

The structure of the paste looks good and is aligned with the original layout from the GitHub repo. Maybe you guys have any ideas/suggestions?

Thanks in advance!

AADSCA.workbook

Hi Guys,

Great idea first of all.

What would be the best way to modify the recommended value in the workbook? I tried to do this from within the workbook itself, but it doesn't seem possible.

Is the only option to modify "config/AadSecConfig.json" file, and would I need a location to store it and call it from once modified?

Thank you!

Broken link

In the appendix about monitoring, the link to [Azure Security Benchmark Workbook] no longer works.

AADSCA_CL table missing.

The workbook isn't displaying since it cannot find the AADSCA_CL table. I am getting the following error message: 'table' operator: Failed to resolve table expression named 'AADSCA_CL'.
Can you please send me the JSON for AADSCA_CL?

Thanks,

managed identity not created

After deploying to Azure, I don't see the Managed Identity "Import-AADSCAtoLAWS" that is described in the documentation. It is not listed in the resource group, nor is it listed in the Managed Identities portal. I did not see any errors during the deployment.

I do see a Logic App named "Import-AADSCAtoLAWS". It appears that the documentation may be incorrect, and that the "Managed Identity" named "Import-AADSCAtoLAWS" should actually be a Logic App.

Create mappings to MITRE ATT&CK Framework

It would be massively cool to have a full mapping of both attacks and defenses to the MITRE ATT&CK Framework, so as to have a translation into a common language for easy integration into existing ATT&CK-based defense solutions.

Instructions lack detail

When trying to deploy the logic app, there are no details regarding the Azure RBAC subscription permissions required to execute the application. There are details for the Microsoft Graph permissions but nothing regarding the Azure RBAC permissions. Am I missing something?

It would be nice if the instructions were a bit more granular.

What about Teams Apps?

I have been wondering how concerned we need to be about rogue apps in Teams, have you given this any thought? Should we add something to this project to investigate this risk?
