Reporting App Permissions Used by Managed Identities

Managed Identity Permissions Gather Like Moss on a Tree

A side effect of running the Microsoft Graph PowerShell SDK cmdlets in interactive sessions is that the service principal for the SDK app can accrue a collection of Graph permissions over time. Although only delegated permissions are available in SDK interactive sessions, the fact remains that the SDK app tends to become highly permissioned over time unless someone takes the time to review and remove unneeded permissions regularly. Because the SDK app can hold so many permissions, some organizations secure access to the app so that only nominated accounts can use it.

Azure Automation Accounts used by Managed Identities Also Accrue Permissions

If assigned the necessary permissions, runbooks executed by Azure Automation accounts that use managed identities for authentication can include cmdlets from modules like the SDK, Teams, and Exchange Online management. Like the app used for SDK interactive sessions, the service principals for the Azure Automation accounts hold the consented permissions, and like the SDK, these service principals can collect a wide variety of permissions over time. Figure 1 shows some of the permissions held by one of the Azure Automation accounts I use in my tenant.

Figure 1: Managed identity permissions viewed through the Entra admin center

It’s not just Graph permissions that the service principal might hold consent for. If a runbook needs to execute cmdlets from the Teams or Exchange Online PowerShell modules, the automation account must have consent to use the appropriate permission (like the Exchange Manage As App permission). The automation account must also be a member of the Exchange Administrator role group.

Checking Managed Identity Permissions

All of which leads to the conclusion that Azure Automation accounts used with Microsoft 365 might hold many permissions and become a target for attackers. As we know from the recent Midnight Blizzard attack against Microsoft, attackers can exploit a highly-permissioned app to exfiltrate data. It therefore pays to review the permissions used for managed identities periodically.

Yesterday, I discussed the Export-MsIdAppConsentGrantReport cmdlet and its usefulness to tenant administrators for tracking the OAuth permissions assigned to apps. The cmdlet includes the service principals for managed identities but offers no way to filter on just those service principals, so we use the same technique as the app permissions report: a filter on the service principal type to find the set of service principals that belong to managed identities:

[array]$ManagedIdentities = Get-MgServicePrincipal -Filter "servicePrincipalType eq 'ManagedIdentity'" | Sort-Object DisplayName

After finding the set of managed identities, it’s a matter of querying the service principal for each managed identity to discover the set of permissions it has and resolving the identifier for each permission to translate the GUID to a human-friendly permission. To do the job, I usually build a hash table containing the GUIDs (keys) and permission names (values). It’s much faster to use a GUID to look up a hash table than search through the set of permissions known to the Graph, Exchange Online, and Teams.
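The steps above put together in working form, as an added example rather than the GitHub script referred to below. It assumes the Microsoft Graph PowerShell SDK is installed and that the interactive session holds the Application.Read.All delegated permission; the hash table of permission names is built lazily from the AppRoles of each resource service principal (Graph, Exchange Online, Teams, and so on) the first time an assignment for that resource is seen, so no permission GUIDs are hard-coded.

```powershell
# Added example (not the author's script): report the application permissions
# (app role assignments) held by every managed identity in the tenant.
# Assumes the Microsoft Graph PowerShell SDK and the Application.Read.All delegated permission.
Connect-MgGraph -Scopes "Application.Read.All" -NoWelcome

# Step 1: find the service principals that belong to managed identities
[array]$ManagedIdentities = Get-MgServicePrincipal -Filter "servicePrincipalType eq 'ManagedIdentity'" -All | Sort-Object DisplayName
If ($ManagedIdentities.Count -eq 0) { Write-Host "No managed identities found"; Break }

# Step 2: hash table of app role GUID (key) -> permission name (value), filled per resource
# the first time that resource is encountered, so each resource is fetched only once
$RoleNames = @{}
$ResourceNames = @{}
Function Resolve-AppRole {
    Param ([string]$ResourceId, [string]$AppRoleId)
    If (-not $ResourceNames.ContainsKey($ResourceId)) {
        $Resource = Get-MgServicePrincipal -ServicePrincipalId $ResourceId -Property DisplayName,AppRoles
        ForEach ($Role in $Resource.AppRoles) { $RoleNames[$Role.Id] = $Role.Value }
        $ResourceNames[$ResourceId] = $Resource.DisplayName
    }
    $Name = $RoleNames[$AppRoleId]
    If (-not $Name) { $Name = $AppRoleId }   # unknown role: fall back to the raw GUID
    # Suffix the source for non-Graph permissions, e.g. Exchange.ManageAsApp [Office 365 Exchange Online]
    If ($ResourceNames[$ResourceId] -ne 'Microsoft Graph') {
        $Name = "$Name [$($ResourceNames[$ResourceId])]"
    }
    Return $Name
}

# Step 3: query each managed identity for its app role assignments and build the report
$Report = [System.Collections.Generic.List[Object]]::new()
ForEach ($MI in $ManagedIdentities) {
    $Assignments = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $MI.Id -All
    ForEach ($Assignment in $Assignments) {
        $Report.Add([PSCustomObject]@{
            ManagedIdentity = $MI.DisplayName
            Permission      = Resolve-AppRole -ResourceId $Assignment.ResourceId -AppRoleId $Assignment.AppRoleId
            Resource        = $Assignment.ResourceDisplayName
            Assigned        = $Assignment.CreatedDateTime
        })
    }
}
$Report | Sort-Object ManagedIdentity, Permission | Format-Table -AutoSize
```

Only application permissions (app role assignments) are listed, because managed identities authenticate without a user and so never hold delegated permissions; a managed identity that appears with nothing assigned is one to consider removing.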

Throwing everything together into a PowerShell script (available from GitHub) gives the result shown in Figure 2. You can see that I added a suffix to show the source (like [Teams]) for non-Graph permissions.

Figure 2: Report showing Managed Identity Permissions for a Tenant

I didn’t bother adding the code to send the report out via email. That’s easily accomplished by copying the mail send code from the script to report app permissions. Remember to change the message subject and report title!

Automation Preserves Administrator Sanity

Only four managed identities are present in my tenant so checking the permissions assigned to each through the Entra admin center isn’t hard and doesn’t take much time. However, keeping an eye on permission acquisition by managed identities is boring and likely to be a task postponed in favor of tackling some more interesting work. Because automation cuts through the drudge, it’s invaluable for tenant administration. I hear that’s the promise of Copilot too…
