Framework/Core/SVT/AAD/AAD.ServicePrincipal.ps1

Set-StrictMode -Version Latest 
class EnterpriseApplication: SVTBase
{    
    hidden [PSObject] $MgResourceObject;
    hidden [String] $SPNName;
    hidden [psobject] $RiskyPermissions;
    hidden [hashtable] $RiskyAdminConsentPermissionsCache;
    hidden [hashtable] $RiskyUserConsentPermissionsCache;
    hidden [PSObject] $SpnOwners;

    EnterpriseApplication([string] $tenantId, [SVTResource] $svtResource): Base($tenantId, $svtResource) 
    {
        #$this.GetMgResourceObject();
        $objId = $svtResource.ResourceId
        $this.MgResourceObject = Get-MgServicePrincipal -ServicePrincipalId $objId;
        $this.SPNName = $this.MgResourceObject.DisplayName
        $this.RiskyPermissions = [Helpers]::LoadOfflineConfigFile('Azsk.AAD.RiskyPermissions.json', $true);
        $this.SpnOwners = [array] (Get-MgServicePrincipalOwnerAsUser -ServicePrincipalId $objId -Select UserType, Mail, Id, UserPrincipalName);
    }

    hidden [PSObject] GetMgResourceObject()
    {
        return $this.MgResourceObject;
    }

    hidden [ControlResult] CheckSPNPasswordCredentials([ControlResult] $controlResult)
    {
        $spn = $this.GetMgResourceObject()

        if ($spn.PasswordCredentials.Count -gt 0)
        {
                $nPswd = $spn.PasswordCredentials.Count


                $controlResult.AddMessage([VerificationResult]::Failed,
                                        [MessageData]::new("Found $nPswd password credentials on SPN: $($this.SPNName).")); 
                                        
        }
        else
        {
            $controlResult.AddMessage([VerificationResult]::Passed,
                                        [MessageData]::new("Did not find any password credentials on SPN."));
        }
        return $controlResult;
    }
 
    hidden [ControlResult] ReviewLegacySPN([ControlResult] $controlResult)
    {
        $spn = $this.GetMgResourceObject()

        if ($spn.ServicePrincipalType -eq 'Legacy')
        {
                $controlResult.AddMessage([VerificationResult]::Verify,
                                        [MessageData]::new("Found an SPN of type 'Legacy'. Please review: $($this.SPNName)"));
        }
        else
        {
            $controlResult.AddMessage([VerificationResult]::Passed,
                                        [MessageData]::new("SPN is not of type 'Legacy'."));
        }
        return $controlResult;
    }

    hidden [ControlResult] CheckCertNearingExpiry([ControlResult] $controlResult)
    {
        $spn = $this.GetMgResourceObject()

        $spk = [array] $spn.KeyCredentials

        if ($spk -eq $null -or $spk.Count -eq 0)
        {
            #No key creds, pass the control.
            $controlResult.AddMessage([VerificationResult]::Passed,
                                [MessageData]::new("SPN [$($spn.DisplayName)] does not have a key credential configured. Passing control by default."));

        }
        else 
        {
            $renew = @()
            $expireDays = $this.ControlSettings.ServicePrincipal.ApproachingExpiryThresholdInDays;
            $expiringSoon = ([DateTime]::Today).AddDays($expireDays)  
            $needToRenew = $false
            $spk | % {
                $k = $_
                if ($k.EndDate -le $expiringSoon)
                {
                    $renew += $k.KeyId
                    $needToRenew = $true
                }
            }

            if ($needToRenew -eq $true) #found some key close to expiry
            {
                $controlResult.AddMessage([VerificationResult]::Failed,
                                    [MessageData]::new("One or more keys of SPN [$($spn.DisplayName)] have expired or are nearing expiry (<$expireDays days)."));

                $renewList = $renew -join ", "
                $controlResult.AddMessage([MessageData]::new("KeyIds nearing expiry:`n`t$renewList"));
            }
            else
            {
                $controlResult.AddMessage([VerificationResult]::Passed,
                                            [MessageData]::new("None of the configured keys for SPN [$($spn.DisplayName)] are nearing expiry (<$expireDays days)."));
            }
        }
        return $controlResult;
    }

    hidden [ControlResult] CheckEnterpriseApplicationHasFTEOwnerOnly([ControlResult] $controlResult)
    {
        $spn = $this.GetMgResourceObject()
        $owners = $this.SpnOwners;
        if ($owners -eq $null -or $owners.Count -eq 0)
        {
                $controlResult.AddMessage([VerificationResult]::Failed,
                                        [MessageData]::new("App [$($spn.DisplayName)] has no owner configured."));
        }
        elseif ($owners.Count -gt 0)
        {
            $guestOwners = @();
            $owners | % { 
                if ($_.UserType -eq 'Guest') 
                {
                    $guestOwners += $_.Mail
                }
            }
            if ($guestOwners.Count -gt 0)
            {
                $controlResult.AddMessage([VerificationResult]::Failed,"The following guest user(s) were found: ", $($guestOwners | Format-Table -AutoSize | Out-String));
                $controlResult.DetailedResult = (ConvertTo-Json $guestOwners);
            }
            else {
                $controlResult.AddMessage([VerificationResult]::Passed,
                                    [MessageData]::new("All owners of the enterprise application [$($spn.DisplayName)] are FTEs."));                
            }
        }
        return $controlResult;
    }

    hidden [hashtable] GetAdminConsentPermissions()
    {
        $spn = $this.GetMgResourceObject();
        $adminConsentRiskyPermissions = @{};

        # Application Level Permissions
        $applicationPermissionGrouping = (Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $spn.Id) | Group-Object -Property ResourceId;
        foreach($applicationPermissionGroup in $applicationPermissionGrouping)
        {
            foreach($permission in $applicationPermissionGroup.Group)
            {
                if ($null -ne $this.RiskyPermissions.PsObject.Properties[$permission.Id])
                {
                    $permissionId = $permission.Id;
                    if($adminConsentRiskyPermissions.ContainsKey($permission.ResourceId))
                    {
                        $adminConsentRiskyPermissions[$permission.ResourceId].Application.Add($this.RiskyPermissions.$permissionId.PermissionName);
                    }
                    else
                    {
                        $adminConsentRiskyPermissions[$permission.ResourceId] = [PSCustomObject]@{
                            Name = $permission.ResourceDisplayName
                            Delegated = [System.Collections.Generic.List[string]]::new()
                            Application = [System.Collections.Generic.List[string]]::new()
                        };
                        $adminConsentRiskyPermissions[$permission.ResourceId].Application.Add($this.RiskyPermissions.$permissionId.PermissionName);
                    }   
                }
            }
        }

        $delegatedPermissionGrants = @(Get-MgServicePrincipalOauth2PermissionGrant -ServicePrincipalId $spn.Id | Where-Object { $_.ConsentType -eq 'AllPrincipals' })
        if ($delegatedPermissionGrants.Count -eq 0)
        {
            return $adminConsentRiskyPermissions;
        }

        $spns = ([ResourceHelper]::FetchResourcesByObjectIdsAndCache(($delegatedPermissionGrants| ForEach-Object { $_.ResourceId })) | Group-Object -Property Id -AsHashTable);
        foreach($delegatedPermissionGrant in $delegatedPermissionGrants)
        {
            $resourceId = $delegatedPermissionGrant.ResourceId;
            $scopes = [System.Collections.Generic.HashSet[string]]::new($delegatedPermissionGrant.Scope.Split(" "));
            $riskyAdminConsentDelegatedPermissions = $spns[$resourceId].AdditionalProperties.oauth2PermissionScopes | 
                Where-Object { $scopes.Contains($_.value) -and $null -ne $this.RiskyPermissions.PsObject.Properties[$_.id]}
            if ($null -eq $riskyAdminConsentDelegatedPermissions -or $riskyAdminConsentDelegatedPermissions.Count -eq 0)
            {
                continue;
            }

            if (!$adminConsentRiskyPermissions.ContainsKey($resourceId))
            {
                $adminConsentRiskyPermissions[$resourceId] = [PSCustomObject]@{
                    Name = $spns[$resourceId].AdditionalProperties.DisplayName
                    Delegated = $riskyAdminConsentDelegatedPermissions.value
                    Application = [System.Collections.Generic.List[string]]::new()
                };
            }
            else 
            {
                $adminConsentRiskyPermissions[$resourceId].Delegated = $riskyAdminConsentDelegatedPermissions.value;
            }
        }

        return $adminConsentRiskyPermissions;
    }

    hidden [hashtable] GetUserConsentRiskyPermissions()
    {
        $spn = $this.GetMgResourceObject();
        $userConsentRiskyPermissions = @{}
    
        $delegatedPermissionGrants = @(Get-MgServicePrincipalOauth2PermissionGrant -ServicePrincipalId $spn.Id | Where-Object { $_.ConsentType -eq 'Principal' });
        if ($delegatedPermissionGrants.Count -eq 0)
        {
            return $userConsentRiskyPermissions;
        }
 
        $spns = ([ResourceHelper]::FetchResourcesByObjectIdsAndCache(($delegatedPermissionGrants| ForEach-Object { $_.ResourceId })) | Group-Object -Property Id -AsHashTable);
        foreach($delegatedPermissionGrant in $delegatedPermissionGrants)
        {      
            $resourceId = $delegatedPermissionGrant.ResourceId;
            $scopes = [System.Collections.Generic.HashSet[string]]::new($delegatedPermissionGrant.Scope.Split(" "));
            $riskyUserConsentDelegatedPermissions = $spns[$resourceId].AdditionalProperties.oauth2PermissionScopes | 
                Where-Object { $scopes.Contains($_.value) -and $null -ne $this.RiskyPermissions.PsObject.Properties[$_.id]}
                
            if ($null -eq $riskyUserConsentDelegatedPermissions -or $riskyUserConsentDelegatedPermissions.Count -eq 0)
            {
                continue;
            }

            if (!$userConsentRiskyPermissions.ContainsKey($resourceId))
            {
                $userConsentRiskyPermissions[$resourceId] = [PSCustomObject]@{
                    Name = $spns[$resourceId].DisplayName
                    Users = [System.Collections.Generic.HashSet[guid]]::new()
                    Delegated = [System.Collections.Generic.HashSet[string]]::new()
                };
                [void]$userConsentRiskyPermissions[$resourceId].Delegated.Add($riskyUserConsentDelegatedPermissions.value);
                [void]$userConsentRiskyPermissions[$resourceId].Users.Add($delegatedPermissionGrant.PrincipalId)
            }
            else 
            {
                [void]$userConsentRiskyPermissions[$resourceId].Delegated.Add($riskyUserConsentDelegatedPermissions.value);
                [void]$userConsentRiskyPermissions[$resourceId].Users.Add($delegatedPermissionGrant.PrincipalId);
            }
        }

        return $userConsentRiskyPermissions;
    }

    hidden [void] FetchAndCacheRiskyPermissions($includeUserConsentPermissions = $false)
    {
        if($null -eq $this.RiskyAdminConsentPermissionsCache)
        {
            $this.RiskyAdminConsentPermissionsCache = $this.GetAdminConsentPermissions();
        }
        
        if($includeUserConsentPermissions -and $null -eq $this.RiskyUserConsentPermissionsCache)
        {
            $this.RiskyUserConsentPermissionsCache = $this.GetUserConsentRiskyPermissions();
        }
    }

    hidden [void] VerifyAndReportRiskyPermissions([ControlResult] $controlResult)
    {
        $includeUserConsentPermissions = $this.ControlSettings.ServicePrincipal.IncludeUserConsentPermissions -or $true;
        $this.FetchAndCacheRiskyPermissions($includeUserConsentPermissions);
        if ($this.RiskyAdminConsentPermissionsCache.Count -eq 0 -and (!$includeUserConsentPermissions -or $this.RiskyUserConsentPermissionsCache.Count -eq 0))
        {
            $controlResult.AddMessage([VerificationResult]::Passed,
                                    [MessageData]::new("The enterprise application does not have any risky permissions."));
            return;
        }
            
        if ($this.RiskyAdminConsentPermissionsCache.Count -gt 0)
        {
            $controlResult.AddMessage([VerificationResult]::Failed,
                                    [MessageData]::new("The following risky permissions are granted to the enterprise application with admin consent: $($this.SPNName)"));
            $controlResult.AddMessage(($this.RiskyAdminConsentPermissionsCache.Values | ForEach-Object {[PSCustomObject]@{
                'API/Permission Name' = $_.Name
                'Delegated Permissions' = $_.Delegated -join ','
                'Application Permissions' = $_.Application -join ','
            }} | Format-Table -AutoSize | Out-String -Width 512));
            $controlResult.DetailedResult = (ConvertTo-Json $this.RiskyAdminConsentPermissionsCache -Depth 5);
        }
    
        if ($includeUserConsentPermissions -and $this.RiskyUserConsentPermissionsCache.Count -gt 0)
        {
            $controlResult.AddMessage([VerificationResult]::Failed,
            [MessageData]::new("The following risky permissions are granted to the enterprise application with user consent: $($this.SPNName)"));
    
            $controlResult.AddMessage(($this.RiskyUserConsentPermissionsCache.Values | ForEach-Object {[PSCustomObject]@{
                'API/Permission Name' = $_.Name
                'Users Count' = $_.Users.Count
                'Delegated Permissions' = $_.Delegated -join ','
            }} | Format-Table -AutoSize | Out-String -Width 512));
            $controlResult.DetailedResult = (ConvertTo-Json $this.RiskyUserConsentPermissionsCache -Depth 5);
        }
    }

    hidden [ControlResult] CheckEnterpriseAppUsesMiniminalPermissions([ControlResult] $controlResult)
    {
        $spn = $this.GetMgResourceObject();
        if($spn.ServicePrincipalType -ne "Application")
        {
            $controlResult.AddMessage([VerificationResult]::Passed,
                                    [MessageData]::new("The enterprise application is not of type 'Application'."));
            return $controlResult              
        }

        # TODO: Parametrize the $includeUserConsentPermissions
        $this.VerifyAndReportRiskyPermissions($controlResult);

        return $controlResult;
    }

    hidden [ControlResult] CheckEnterpriseMultiTenantAppUsesMiniminalPermissions([ControlResult] $controlResult)
    {
        $spn = $this.GetMgResourceObject();
        if($spn.ServicePrincipalType -ne "Application")
        {
            $controlResult.AddMessage([VerificationResult]::Passed,
                                    [MessageData]::new("The enterprise application is not of type 'Application'."));
            return $controlResult              
        }
    
        if($spn.AppOwnerOrganizationId -eq $this.TenantContext.TenantId)
        {
            $controlResult.AddMessage([VerificationResult]::Passed,
                                    [MessageData]::new("The enterprise application is not a cross-tenant application."));
            return $controlResult;
        }

        $this.VerifyAndReportRiskyPermissions($controlResult);

        return $controlResult;
    } 

    hidden [ControlResult] CheckEnterpiseApplicationDoesNotUsePasswordCredentials([ControlResult] $controlResult)
    {
        $spn = $this.GetMgResourceObject()
        if ($spn.ServicePrincipalType -ne 'Application')
        {
            $controlResult.AddMessage([VerificationResult]::Passed,
                                    [MessageData]::new("SPN is not of type 'Application'."));
            return $controlResult;
        }

        $this.CheckSPNPasswordCredentials($controlResult)
        return $controlResult;
    }

    <#
        hidden [ControlResult] TBD([ControlResult] $controlResult)
        {
            $spn = $this.GetMgResourceObject()
 
            if ($spn.xyz)
            {
                    $controlResult.AddMessage([VerificationResult]::Failed,
                                            [MessageData]::new("Please review: $($this.SPNName)"));
            }
            else
            {
                $controlResult.AddMessage([VerificationResult]::Passed,
                                            [MessageData]::new("PassMsg."));
            }
            return $controlResult;
        }
    #>

}