We are creating an audit tool to identify risks in some Microsoft systems, including Intune. As part of that work, we are looking at auditing risks surrounding various resource types, including deviceHealthScript resources.
https://learn.microsoft.com/en-us/graph/api/resources/intune-devices-devicehealthscript?view=graph-rest-beta
The deviceHealthScript resource type includes these two properties:
- detectionScriptContent
- remediationScriptContent
Those properties' values are base64-encoded PowerShell scripts.
This is problematic because our experience has been that PowerShell scripts often contain sensitive material such as credentials. When we deploy our software to our customers, we ask them to create an Entra application and grant the application the least privilege required to read information relevant to how we identify risks. Our product is a SaaS product, so the customer's data winds up in our infrastructure.
We can of course control our data collection software to filter out the detectionScriptContent and remediationScriptContent field values before the data is sent to our SaaS instance. But we would prefer, if possible, to be able to select a least-privilege MS Graph app role that can list deviceHealthScript objects, but cannot read the detectionScriptContent and remediationScriptContent field values. We believe this would be the most effective change to limit the risks we ourselves are creating for our customers.
The two MS Graph app roles that enable reading deviceHealthScript resources are:
- DeviceManagementConfiguration.Read.All
- DeviceManagementConfiguration.ReadWrite.All
Perhaps a possible solution could be to add a new MS Graph app role called:
- DeviceManagementConfiguration.ReadBasic.All
And then constrain access to reading property values on deviceHealthScript objects such that the detectionScriptContent and remediationScriptContent fields cannot be read when presenting a JWT with only that permission. This would function similarly to the existing User.ReadBasic.All MS Graph app role: https://learn.microsoft.com/en-us/graph/permissions-reference#userreadbasicall
Thank you for your consideration.
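Until a narrower app role exists, the client-side mitigation the issue mentions (filtering the two script properties out before anything leaves the tenant) can be made a hard gate in the collector. The example below is added here and is not the issue author's code or Microsoft's; it assumes the beta list endpoint `deviceManagement/deviceHealthScripts` and uses a constructed sample response with placeholder script bodies. It never requests the script bodies (via `$select`), strips them from any object that still carries them, and refuses to export a payload in which they survive.

```python
"""Client-side redaction of deviceHealthScript bodies before export (added example)."""
import base64
import json
from urllib.parse import urlencode

# Endpoint path is assumed for illustration; property names are those of the
# deviceHealthScript resource discussed in the issue.
GRAPH_BASE = "https://graph.microsoft.com/beta"
SAFE_SELECT = ("id", "displayName", "publisher", "runAsAccount", "lastModifiedDateTime")
SECRET_PROPERTIES = frozenset({"detectionScriptContent", "remediationScriptContent"})


def build_list_url(select=SAFE_SELECT):
    """Build a list URL that asks only for non-sensitive properties.

    With a Read.All role Graph will happily return the script bodies, so the
    first line of defence is simply never to ask for them.
    """
    if SECRET_PROPERTIES & set(select):
        raise ValueError("refusing to request script bodies")
    query = urlencode({"$select": ",".join(select)}, safe=",$")
    return f"{GRAPH_BASE}/deviceManagement/deviceHealthScripts?{query}"


def decode_script(b64_content):
    """Show why the properties are sensitive: base64 is encoding, not encryption."""
    return base64.b64decode(b64_content).decode("utf-8", errors="replace")


def redact_script(obj):
    """Return a copy of one deviceHealthScript with the script bodies removed.

    A 'redactedProperties' marker records which fields were dropped so a
    downstream consumer can tell 'redacted' from 'absent at the source'.
    """
    out = {k: v for k, v in obj.items() if k not in SECRET_PROPERTIES}
    out["redactedProperties"] = sorted(SECRET_PROPERTIES & obj.keys())
    return out


def redact_listing(page):
    """Redact every object in a Graph collection page ({"value": [...]})."""
    return {**page, "value": [redact_script(o) for o in page.get("value", [])]}


def contains_script_bodies(payload):
    """Final gate before export: True if a secret property survives anywhere."""
    if isinstance(payload, dict):
        return any(k in SECRET_PROPERTIES or contains_script_bodies(v)
                   for k, v in payload.items())
    if isinstance(payload, list):
        return any(contains_script_bodies(v) for v in payload)
    return False


# Constructed sample page mimicking a Graph list response. The script bodies
# are harmless placeholders encoded the same way the real properties are.
SAMPLE_PAGE = {
    "@odata.context": "constructed-sample-context",
    "value": [
        {
            "id": "00000000-0000-0000-0000-000000000001",
            "displayName": "Example remediation",
            "runAsAccount": "system",
            "detectionScriptContent": base64.b64encode(
                b"# placeholder detection script\n").decode(),
            "remediationScriptContent": base64.b64encode(
                b"# placeholder remediation script\n").decode(),
        }
    ],
}


def export_safely(page):
    """Redact a page and refuse to hand it over if anything slipped through."""
    clean = redact_listing(page)
    if contains_script_bodies(clean):
        raise RuntimeError("script bodies present after redaction; export blocked")
    return clean


if __name__ == "__main__":
    print(build_list_url())
    # The raw content is readable as-is, which is the whole concern.
    print(decode_script(SAMPLE_PAGE["value"][0]["detectionScriptContent"]))
    print(json.dumps(export_safely(SAMPLE_PAGE), indent=2))
```

The `$select` request is the primary control; `redact_listing` and the `contains_script_bodies` gate exist so that a later change to the selected properties, or a response shape the collector did not anticipate, fails closed instead of quietly shipping script bodies to the SaaS side.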