Framework/Configurations/SVT/AAD/AAD.EnterpriseApplication.json
{
"FeatureName": "EnterpriseApplication", "Reference": "aka.ms/azsktcp/serviceprincipal", "IsMaintenanceMode": false, "Controls": [ { "ControlID": "AAD_EnterpriseApplication_Use_Cert_Credentials", "Description": "SPNs must not use password creds - use cert creds instead", "Id": "SPN110", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckSPNPasswordCredentials", "Rationale": "Password credentials tend to be easier to compromise via various attacks. They are also symmetric leading to attack vectors on both ends of the flow. Use of certificate credentials alleviates these shortcomings.", "Recommendation": "Refer: TODO", "Tags": [ "SDL", "TCP", "Automated", "AuthN" ], "Enabled": false }, { "ControlID": "AAD_EnterpriseApplication_Review_Legacy_SPN", "Description": "SPNs of type legacy should be carefully reviewed", "Id": "SPN120", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "ReviewLegacySPN", "Rationale": "The 'Legacy' SPN type is only for backward compatibility. Ensure that all such entries are carefully reviewed and purged where appropriate.", "Recommendation": "Refer: TODO", "Tags": [ "SDL", "TCP", "Automated", "AuthN" ], "Enabled": false }, { "ControlID": "AAD_EnterpriseApplication_Check_Key_Expiry", "Description": "SPN key credentials should be renewed before expiry", "Id": "SPN130", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckCertNearingExpiry", "Rationale": "SPN credentials should be rotated in a timely manner to ensure availability of the app/service that is using the SPN.", "Recommendation": "Refer: TODO", "Tags": [ "SDL", "TCP", "Automated", "AuthN" ], "Enabled": false }, { "ControlID": "AAD_EnterpriseApplication_AuthZ_Add_FTE_Owners_Only", "Description": "All owners of the enterprise application should be FTE only.", "Id": "SPN140", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckEnterpriseApplicationHasFTEOwnerOnly", "Rationale": "Owners of the enterprise app have access to critical app settings such as group permissions, credentials and user assignments. Providing ownership to FTE accounts only leads to better app governance and prevents malicious users from outside the enterprise from accessing critical data.", "Recommendation": "1. Access Enterprise Applications. --> 2. Locate and select the relevant application. --> 3. Proceed to Owners under Manage. --> 4. Check the users with the role as Configuration Owner. 5. Remove any user with non-Member account from the owners.", "Tags": [ "SDL", "TCP", "Automated", "AuthZ", "RBAC" ], "Enabled": true }, { "ControlID": "AAD_EnterpriseApplication_AuthZ_Minimize_Permissions_Granted", "Description": "Enterprise (line of business) apps should be granted the least permissions needed to various resources", "Id": "SPN150", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckEnterpriseAppUsesMiniminalPermissions", "Rationale": "Apps should only be granted the least needed permission possible to prevent risky unauthorized access to enterprise resources. App permissions are riskier than delegated permissions as these do not require user consent.", "Recommendation": "1. Access Enterprise Applications. --> 2. Locate and select the relevant application. --> 3. Go to Permissions under Security. --> 4. Review the risky permissions for this app listed in EnterpriseApplication.LOG file and revoke them.", "Tags": [ "SDL", "TCP", "Automated", "AuthZ", "RBAC" ], "Enabled": true }, { "ControlID": "AAD_EnterpriseApplication_AuthZ_Minimize_Permissions_Granted_To_Multitenant_Apps", "Description": "Enterprise (line of business) apps should be granted the least permissions needed to various resources", "Id": "SPN160", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckEnterpriseMultiTenantAppUsesMiniminalPermissions", "Rationale": "Apps should only be granted the least needed permission possible to prevent risky unauthorized access to enterprise resources. App permissions are riskier than delegated permissions as these do not require user consent.", "Recommendation": "1. Access Enterprise Applications. --> 2. Locate and select the relevant application. --> 3. Go to Permissions under Security. --> 4. Review the risky permissions for this app listed in EnterpriseApplication.LOG file and revoke them.", "Tags": [ "SDL", "TCP", "Automated", "AuthZ", "RBAC" ], "Enabled": true }, { "ControlID": "AAD_EnterpriseApplication_AuthN_Do_Not_Use_Credentials", "Description": "Enterprise application should not use credentials.", "Id": "SPN170", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckEnterpiseApplicationDoesNotUsePasswordCredentials", "Rationale": "Password credentials tend to be easier to compromise via various attacks. They are also symmetric leading to attack vectors on both ends of the flow.", "Recommendation": "1. Access Enterprise Applications. --> 2. Locate and select the relevant application. --> 3. Go to Permissions under Security. --> 4. Review the risky permissions for this app listed in EnterpriseApplication.LOG file and revoke them.", "Tags": [ "SDL", "TCP", "Automated", "AuthN" ], "Enabled": true } ] } |