Major Refactor of previous solution

• You can read about some of the use cases in the previous solutions documentation solution

Read the MIT license

⚠ Only use this tool if you know what you are doing and have reviewed the code

⚠ Always test the tool first in test environments with non-sensitive data

Beta v 0.1.0
- Compared to previous version uses now JSON batching and larger resultsize across all queries. 2-3x faster than the previous version
- Release for Azure Security meetup UG

Major performance improvement with JSON batching

1. List app type

2. Collect appOwners from both objects (when both exist) spn and application

3. Collect all credential types from both objects (when both exist) spn and application

4. Review replyUrls for dangling DNS records

• Please note, in case of multitenant app, these values might be outdated (ReplyURL changes are not reflected visibly on the resulting SPN object, but are nonetheless effective)

5. Check if the object has been assigned AAD roles

6. List API permissions in the following format

{ "permissionsReading": [
        "\"AppRole --> api-15764 --> Microsoft Graph - permission: PrivilegedAccess.Read.AzureAD\"",
        "\"AppRole --> api-15764 --> Microsoft Graph - permission: RoleManagement.Read.All\"",
        "\"AppRole --> api-15764 --> Microsoft Graph - permission: PrivilegedAccess.Read.AzureResources\"",
        "\"AppRole --> api-15764 --> Microsoft Graph - permission: PrivilegedAccess.Read.AzureADGroup\"",
        "\"AppRole --> api-15764 --> Office 365 Management APIs - permission: ActivityFeed.Read\"",
        "\"oauth2PermissionGrants --> AllPrincipals --> Microsoft Graph - permission: User.Read\"",
        "\"oauth2PermissionGrants --> AllPrincipals --> Microsoft Graph - permission: Directory.AccessAsUser.All\"",
        "\"oauth2PermissionGrants --> admin santasalo --> Microsoft Graph - permission: User.Read\"",
    ]
  }

Access to Azure Cloud Shell (Bash)

• Permissions to create new storage account or to use existing one.
• Access to Log Analytics workspace
• Azure CLI installed (this get tokens from the underlying Azure CLI installation)

About the generated KQL

• The query is valid for 10 minutes, as SAS tokens are only generated for 10 minutes

Start

git clone https://github.com/jsa2/AADAppAudit

cd AADAppAudit

storageAcc=dogs
rg=queryStorage-29991
location=westeurope
az storage account show-connection-string -g $rg  -n  $storageAcc -o json  > src/config.json

rnd=$RANDOM
rg=queryStorage-$rnd
location=westeurope
# You can ignore the warning "command substitution: ignored null byte in input"
storageAcc=storage$(head /dev/urandom | tr -dc a-z | head -c10)

echo $storageAcc
# Create Resource Group
az group create -n $rg \
-l $location \
--tags="svc=scan"


# Create storageAcc Account 
az storage account create -n $storageAcc  -g $rg --kind storageV2 -l $location -t Account --sku Standard_LRS

az storage account show-connection-string -g $rg  -n  $storageAcc -o json  > src/config.json
# Creates retention policy
az storage account management-policy create --account-name $storageAcc  -g $rg --policy @retention.json

If you are running the tool in Azure Cloud Shell then all depedencies are already installed

# in the folder where the solution was installed 
npm install

node main 

# paste the code in runtime.kql to the desired log analytics worspace
# "navigate to kql/runtime.kql if code does not open up

Run the pasted query in the workspace

• Remove installation of this service (removes the json files that were stored for the query)
• Delete the resource group (if you provisoned new one) az group delete -n $rg

Feel free to open issue or pull requests