## Major refactor of the previous solution
- You can read about some of the use cases in the previous solution's documentation
- Read the MIT license

⚠ Only use this tool if you know what you are doing and have reviewed the code
⚠ Always test the tool first in test environments with non-sensitive data

## Beta v 0.1.0
- Compared to the previous version, this one uses JSON batching and a larger result size across all queries; it is 2-3x faster than the previous version
- Release for the Azure Security meetup UG
## Major performance improvement with JSON batching
- List the app type
- Collect appOwners from both objects (when both exist): the service principal and the application
- Collect all credential types from both objects (when both exist): the service principal and the application
- Review replyUrls for dangling DNS records
  - Please note: in the case of a multitenant app, these values might be outdated (replyUrl changes are not reflected visibly on the resulting SPN object, but are nonetheless effective)
- Check whether the object has been assigned AAD roles
- List API permissions in the following format:
```json
{
  "permissionsReading": [
    "\"AppRole --> api-15764 --> Microsoft Graph - permission: PrivilegedAccess.Read.AzureAD\"",
    "\"AppRole --> api-15764 --> Microsoft Graph - permission: RoleManagement.Read.All\"",
    "\"AppRole --> api-15764 --> Microsoft Graph - permission: PrivilegedAccess.Read.AzureResources\"",
    "\"AppRole --> api-15764 --> Microsoft Graph - permission: PrivilegedAccess.Read.AzureADGroup\"",
    "\"AppRole --> api-15764 --> Office 365 Management APIs - permission: ActivityFeed.Read\"",
    "\"oauth2PermissionGrants --> AllPrincipals --> Microsoft Graph - permission: User.Read\"",
    "\"oauth2PermissionGrants --> AllPrincipals --> Microsoft Graph - permission: Directory.AccessAsUser.All\"",
    "\"oauth2PermissionGrants --> admin santasalo --> Microsoft Graph - permission: User.Read\""
  ]
}
```
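As an added example (not part of the AADAppAudit project), the Node snippet below parses `permissionsReading` entries in the format shown above into structured records and flags scopes that deserve a manual review; the sample entries are constructed from that format, and the review patterns are an illustrative assumption rather than a setting of the tool.

```javascript
// Added example, not part of AADAppAudit: parse the tool's "permissionsReading"
// strings into structured records and flag scopes that deserve a manual review.
// Each entry has the shape "<source> --> <grantee> --> <resource API> - permission: <scope>".
const permissionsReading = [ // constructed sample in the output format shown above
  "\"AppRole --> api-15764 --> Microsoft Graph - permission: RoleManagement.Read.All\"",
  "\"AppRole --> api-15764 --> Office 365 Management APIs - permission: ActivityFeed.Read\"",
  "\"oauth2PermissionGrants --> AllPrincipals --> Microsoft Graph - permission: Directory.AccessAsUser.All\"",
  "\"oauth2PermissionGrants --> admin santasalo --> Microsoft Graph - permission: User.Read\"",
];

// Scope name fragments that indicate tenant-wide directory read/write or role management.
// Assumption: an illustrative review threshold, not a setting of the tool.
const REVIEW_PATTERNS = [/\.All$/, /AccessAsUser/, /RoleManagement/, /^Directory\./, /PrivilegedAccess/];

function parsePermission(entry) {
  const text = entry.replace(/^"|"$/g, ""); // drop the embedded quotes the tool emits
  const m = text.match(/^(\S+) --> (.+?) --> (.+?) - permission: (\S+)$/);
  if (!m) return null; // unknown shape: skip rather than misclassify
  const [, source, grantee, resource, scope] = m;
  return {
    source,   // "AppRole" = application permission, "oauth2PermissionGrants" = delegated permission
    grantee,  // middle segment as emitted by the tool (e.g. api-15764, AllPrincipals, or a user)
    resource, // the API the permission applies to, e.g. Microsoft Graph
    scope,
    delegated: source === "oauth2PermissionGrants",
    // AppRole assignments and delegated grants to AllPrincipals both apply tenant-wide
    // and require admin consent; a grant to a single user only covers that user.
    tenantWide: source === "AppRole" || grantee === "AllPrincipals",
    needsReview: REVIEW_PATTERNS.some((re) => re.test(scope)),
  };
}

function reviewPermissions(entries) {
  return entries.map(parsePermission).filter(Boolean);
}

// Scopes to put in front of a human, sorted so the report is stable.
function flaggedScopes(entries) {
  return reviewPermissions(entries).filter((p) => p.needsReview).map((p) => p.scope).sort();
}

for (const p of reviewPermissions(permissionsReading)) {
  console.log(`${p.needsReview ? "REVIEW" : "ok    "} ${p.source}/${p.grantee}: ${p.resource} ${p.scope}`);
}
```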
- Access to Azure Cloud Shell (Bash)
- Permissions to create a new storage account or to use an existing one
- Access to a Log Analytics workspace
- Azure CLI installed (the tool gets its tokens from the underlying Azure CLI installation)

| Requirement | Description |
| --- | --- |
| ✅ Access to Azure Cloud Shell (Bash) | Uses the software pre-installed in Cloud Shell: Azure CLI, Node etc. |
| ✅ Permissions on an Azure subscription to create the needed resources | The tool creates a storage account and a resource group; it is also possible to use an existing storage account. In both scenarios the tool generates short-lived, read-only shared access signature (SAS) links for the KQL externaldata() operator |
| ✅ User is an Azure AD member | A cloud-only account with read-only Azure AD permissions is preferred. More permissions are needed if sign-in events are included |
| ✅ Existing Log Analytics workspace | This is where you paste the output of this tool |
## About the generated KQL
- The query is valid for 10 minutes, as the SAS tokens are only generated for 10 minutes
## Start

```bash
git clone https://github.com/jsa2/AADAppAudit
cd AADAppAudit

# If you already have a storage account, point the tool at it (replace the names with your own)
storageAcc=dogs
rg=queryStorage-29991
location=westeurope
az storage account show-connection-string -g $rg -n $storageAcc -o json > src/config.json

# Otherwise, create a new resource group and storage account
rnd=$RANDOM
rg=queryStorage-$rnd
location=westeurope
# You can ignore the warning "command substitution: ignored null byte in input"
storageAcc=storage$(head /dev/urandom | tr -dc a-z | head -c10)
echo $storageAcc
# Create the resource group
az group create -n $rg \
  -l $location \
  --tags="svc=scan"
# Create the storage account
az storage account create -n $storageAcc -g $rg --kind storageV2 -l $location -t Account --sku Standard_LRS
az storage account show-connection-string -g $rg -n $storageAcc -o json > src/config.json
# Create the retention policy
az storage account management-policy create --account-name $storageAcc -g $rg --policy @retention.json
```
If you are running the tool in Azure Cloud Shell, all dependencies are already installed.

```bash
# in the folder where the solution was installed
npm install
node main
# paste the code in runtime.kql into the desired Log Analytics workspace
# (navigate to kql/runtime.kql if the code does not open up)
```

Run the pasted query in the workspace.
- Remove the installation of this tool (this removes the JSON files that were stored for the query)
- Delete the resource group (if you provisioned a new one)

```bash
az group delete -n $rg
```

Feel free to open issues or pull requests.