Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

⭐️ extend microsoft entra id application resource to search for expiring credentials #4516

Merged
merged 5 commits into from
Aug 9, 2024
Merged

⭐️ extend microsoft entra id application resource to search for expiring credentials #4516

merged 5 commits into from
Aug 9, 2024

Conversation

chris-rock
Copy link
Member

@chris-rock chris-rock commented Aug 9, 2024
edited
Loading

This PR adds a new applicability to quickly identify expiring credentials for Microsoft Entra ID Application Registrations.

First we connect to our Microsoft 365 account via shell cnspec shell ms365 --tenant-id bb22a034-d544-4b9e-a222-6a166840f64c

Quickly see all application in Entra ID

Just type microsoft.applications and you see an overview of all applications and if the application has expired credentials.

cnspec> microsoft.applications
microsoft.applications: [
  0: microsoft.application id="0030c47a-6318-431a-9f85-1b051484c7cf" displayName="chis-mac-testing" hasExpiredCredentials=true
]
cnspec>

Verify an specific application has no expired credentials

For applications it is essential that attached credentials are valid. This can easily be tested via:

cncnspec> microsoft.application(name: "chis-testing").hasExpiredCredentials
[ok] value: true

List all application with expired credentials

For operations, it is important to see easily all applications that have expired credentials. This can easily be achieved via:

cnspec> microsoft.applications.none(hasExpiredCredentials)
[failed] [].none()
  actual:   [
    0: microsoft.application displayName="chis-mac-testing" id="0030c47a-6318-431a-9f85-1b051484c7cf" hasExpiredCredentials=true
  ]

Ensure no client secrets are used

To verify that no applications use client secrets run the following queries:

cnspec> microsoft.applications.none(secrets != empty)
[failed] [].none()
  actual:   [
    0: microsoft.application displayName="chis-mac-testing" id="0030c47a-6318-431a-9f85-1b051484c7cf" hasExpiredCredentials=true {
      secrets: [
        0: microsoft.application microsoft.passwordCredential id = 0030c47a-6318-431a-9f85-1b051484c7cf
      ]
    }
  ]

Application details

We extended the details for applications:

microsoft.application(name: "chis-mac-testing") { * }
microsoft.application: {
  appId: "0030c47a-6318-431a-9f85-1b051484c7cf"
  hasExpiredCredentials: true
  createdAt: 2022-10-08 20:47:57 +0200 CEST
  identifierUris: []
  tags: [
    0: "tag1"
  ]
  name: "chis-mac-testing"
  secrets: [
    0: microsoft.passwordCredential description="Password uploaded on Fri Jul 05 2024" expires=2025-01-01 10:37:17.872 +0100 CET keyId="0030c47a-6318-431a-9f85-1b051484c7cf"
  ]
  certificates: [
    0: microsoft.keyCredential thumbprint="1CECDD980A4F255D399E6C9625C13FBF872CD994" description="O=example, L=SF, S=CA, C=US" expires=2023-10-08 17:42:09 +0200 CEST keyId="8173c250-6909-47af-a56f-6332223eee1a"
  ]
  info: []
  publisherDomain: "exmple.onmicrosoft.com"
  notes: "internal notes"
  createdDateTime: 2022-10-08 20:47:57 +0200 CEST
  description: "description value"
  id: "0030c47a-6318-431a-9f85-1b051484c7cf"
}

@github-actions GitHub Actions

This comment has been minimized.

Sign in to view
@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Aug 9, 2024

Test Results

3 097 tests   3 096 ✅  1m 27s ⏱️
  370 suites      1 💤
   28 files        0 ❌

Results for commit 8418a8c.

afiune
afiune approved these changes Aug 9, 2024
View reviewed changes
Copy link
Contributor

@afiune afiune left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sweeeeet!! Any way we can have some unit testing at all? 🤔

@chris-rock
Copy link
Member Author

That would require us to mock the azure api. Seems like azure does not have this.

chris-rock and others added 2 commits August 9, 2024 21:54
@chris-rock @tas50
Update providers/ms365/resources/ms365.lr.manifest.yaml
ba9fdfd 
Co-authored-by: Tim Smith <tsmith84@gmail.com>
@chris-rock @tas50
Update providers/ms365/resources/ms365.lr.manifest.yaml
88133e8 
Co-authored-by: Tim Smith <tsmith84@gmail.com>
@chris-rock @tas50 @misterpantz
Apply suggestions from code review
fde8644 
Co-authored-by: Tim Smith <tsmith84@gmail.com>
Co-authored-by: Letha <letha@mondoo.com>
@chris-rock chris-rock merged commit 758e1ec into main Aug 9, 2024
8 checks passed
@chris-rock chris-rock deleted the chris-rock/ms-entra-apps branch August 9, 2024 20:19
@github-actions github-actions bot locked and limited conversation to collaborators Aug 9, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@tas50 tas50 tas50 left review comments

@misterpantz misterpantz misterpantz left review comments

@afiune afiune afiune approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@chris-rock @tas50 @afiune @misterpantz