Please further limit read access to some properties of the deviceHealthScript resource #734

Open
andyrobbins opened this issue Dec 11, 2024 · 0 comments
Hello,

We are creating an audit tool to identify risks in some Microsoft systems, including Intune. As part of that work, we are looking at auditing risks surrounding various resource types, including deviceHealthScript resources.

https://learn.microsoft.com/en-us/graph/api/resources/intune-devices-devicehealthscript?view=graph-rest-beta

The deviceHealthScript resource type includes these two properties:

  • detectionScriptContent
  • remediationScriptContent

Those properties' values are base64-encoded PowerShell scripts.

This is problematic because our experience has been that PowerShell scripts often contain sensitive material such as credentials. When we deploy our software to our customers, we ask them to create an Entra application and grant the application the least privilege required to read information relevant to how we identify risks. Our product is a SaaS product, so the customer's data winds up in our infrastructure.

We can of course control our data collection software to filter out the detectionScriptContent and remediationScriptContent field values before the data is sent to our SaaS instance. But we would prefer, if possible, to be able to select a least-privilege MS Graph app role that can list deviceHealthScript objects, but cannot read the detectionScriptContent and remediationScriptContent field values. We believe this would be the most effective change to limit the risks we ourselves are creating for our customers.

The two MS Graph app roles that enable reading deviceHealthScript resources are:

  • DeviceManagementConfiguration.Read.All
  • DeviceManagementConfiguration.ReadWrite.All

Perhaps a possible solution could be to add a new MS Graph app role called:

  • DeviceManagementConfiguration.ReadBasic.All

And then constrain access to reading property values on deviceHealthScript objects such that the detectionScriptContent and remediationScriptContent fields cannot be read when presenting a JWT with only that permission. This would function similarly to the existing User.ReadBasic.All MS Graph app role: https://learn.microsoft.com/en-us/graph/permissions-reference#userreadbasicall

Thank you for your consideration.
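The client-side mitigation the post mentions (filtering the two script properties out of the collector's output before anything leaves the customer tenant), written out as an added example. This is not code from the issue or from the audit tool it describes. It assumes the collector has already fetched one page of `GET https://graph.microsoft.com/beta/deviceManagement/deviceHealthScripts`; the JSON page, the `KEPT_PROPERTIES` list, the `scriptPresence` / `possibleEmbeddedCredential` output fields and the credential-marker regex are all constructed for this example, not Graph or product definitions.

```python
"""Added example, not code from the issue or from the audit tool it describes.

Assumptions: the collector has already fetched one page of
GET https://graph.microsoft.com/beta/deviceManagement/deviceHealthScripts
with a token carrying DeviceManagementConfiguration.Read.All. SAMPLE_PAGE is
constructed to mirror the documented beta properties; it is not tenant data.
"""
import base64
import copy
import re

GRAPH_BASE = "https://graph.microsoft.com/beta/deviceManagement/deviceHealthScripts"

# The two properties the issue asks to be fenced off by a ReadBasic-style role.
SCRIPT_CONTENT_PROPERTIES = ("detectionScriptContent", "remediationScriptContent")

# Properties the audit actually needs; this list is a choice made for the example.
KEPT_PROPERTIES = ("id", "displayName", "publisher", "runAsAccount",
                   "enforceSignatureCheck", "runAs32Bit", "isGlobalScript",
                   "lastModifiedDateTime")

# Crude, hypothetical heuristic for "this script probably embeds a credential".
SECRET_MARKERS = re.compile(r"password\s*=|-Credential\b|-AsPlainText\b", re.IGNORECASE)


def _b64(script: str) -> str:
    """Encode a script the way Graph returns it (base64 of the UTF-8 text)."""
    return base64.b64encode(script.encode("utf-8")).decode("ascii")


# Constructed sample page: two scripts, the second of which hard-codes a credential.
SAMPLE_PAGE = {
    "value": [
        {
            "id": "00000000-0000-0000-0000-000000000001",
            "displayName": "Check temp folder",
            "publisher": "Example Corp",
            "runAsAccount": "system",
            "enforceSignatureCheck": False,
            "runAs32Bit": False,
            "isGlobalScript": False,
            "lastModifiedDateTime": "2024-12-01T00:00:00Z",
            "detectionScriptContent": _b64("if (Test-Path 'C:\\Temp') { exit 1 } else { exit 0 }"),
            "remediationScriptContent": _b64("New-Item -ItemType Directory -Path 'C:\\Temp' | Out-Null"),
        },
        {
            "id": "00000000-0000-0000-0000-000000000002",
            "displayName": "Map finance share",
            "publisher": "Example Corp",
            "runAsAccount": "user",
            "enforceSignatureCheck": False,
            "runAs32Bit": False,
            "isGlobalScript": False,
            "lastModifiedDateTime": "2024-12-02T00:00:00Z",
            "detectionScriptContent": _b64(
                "if (Get-PSDrive -Name F -ErrorAction SilentlyContinue) { exit 0 } else { exit 1 }"),
            "remediationScriptContent": _b64(
                "$password = 'Winter2024!'\n"
                "$sec = ConvertTo-SecureString $password -AsPlainText -Force\n"
                "$cred = New-Object PSCredential('CORP\\svc_map', $sec)\n"
                "New-PSDrive -Name F -PSProvider FileSystem -Root '\\\\fs01\\finance' -Credential $cred"),
        },
    ]
}


def select_url(wanted=KEPT_PROPERTIES) -> str:
    """Ask Graph to omit the script bodies from the response in the first place.

    This trims what is transmitted, not what the token can read: the same
    token still returns the bodies the moment the $select is dropped, which
    is exactly why the issue asks for a narrower app role.
    """
    return f"{GRAPH_BASE}?$select={','.join(wanted)}"


def flag_secrets_locally(item: dict) -> dict:
    """Decode and scan each script inside the collector; only booleans survive."""
    flags = {}
    for prop in SCRIPT_CONTENT_PROPERTIES:
        raw = item.get(prop)
        if not raw:
            flags[prop] = False
            continue
        text = base64.b64decode(raw).decode("utf-8", errors="replace")
        flags[prop] = bool(SECRET_MARKERS.search(text))
    return flags


def redact_page(page: dict) -> dict:
    """Return a copy safe to ship to the SaaS side: bodies removed, findings kept."""
    out = copy.deepcopy(page)
    for item in out.get("value", []):
        item["scriptPresence"] = {p: bool(item.get(p)) for p in SCRIPT_CONTENT_PROPERTIES}
        item["possibleEmbeddedCredential"] = flag_secrets_locally(item)
        for p in SCRIPT_CONTENT_PROPERTIES:
            item.pop(p, None)
    return out


def outgoing_is_clean(page: dict) -> bool:
    """Last-line guard before transmission: no script body may remain anywhere."""
    return not any(p in item for item in page.get("value", [])
                   for p in SCRIPT_CONTENT_PROPERTIES)


if __name__ == "__main__":
    print(select_url())
    safe = redact_page(SAMPLE_PAGE)
    assert outgoing_is_clean(safe)
    for item in safe["value"]:
        print(item["displayName"], item["possibleEmbeddedCredential"])
```

Two layers are deliberate: `select_url` keeps the bodies out of the response on the wire, and `redact_page` plus `outgoing_is_clean` guarantee they never reach the SaaS side even if a future code path requests them. Neither layer changes the fact that the app registration holding `DeviceManagementConfiguration.Read.All` can read the bodies at any time, which is the gap the proposed `ReadBasic.All` role would close.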
