@ericonidentity talks on SaaS identity Swiss cheese.

Three abusers

Tenant
Devs
Vendors

#cyphercon

@ericonidentity behold the gap between IDP and service provider.

Push Security's GitHub has a SaaS attack matrix.

@ericonidentity creating an app owner in Entra gives an attack path. Low-privilege user has higher capabilities.

Owner is a static permission. Static bad.

@ericonidentity

The magical security principal is the service principal. It will have the perms of the app registration.

Multi-tenant becomes multiplicative. The SP creds can be a master key.

@ericonidentity Graph API is a great target. You can enumerate. And the app privileges can let you do some enumeration.
@ericonidentity role management perms in an app let you manage any role in Entra? Including other admin roles? Well done MS.
@ericonidentity SAML and federation. SAML owner lets you manipulate responses to priv esc? Urf …
@ericonidentity this won’t be visible in Entra audit logs … and the hits keep on coming.
@ericonidentity regularly review perms. Annual isn’t frequent enough.
@ericonidentity devs! Not properly setting up auth and someone can cross tenant attack with an email address.
@ericonidentity the app stores the token, so cross tenant attacks use the existing token, which is permed for the user’s email. And you’re off.
@ericonidentity sign in with Google? Oooh boy. More of the same. And local auth from setup may still be hiding in the wings.
@ericonidentity this is getting into my master's paper about the failure of existing audit logging in SaaS. And now tying that to IDP logs and connecting the dots is harder.

@ericonidentity what do?

Limit use of other IDP.
SaaS posture management.
Browser level identity security.

@ericonidentity defense in depth across stack:
Users
Entra
Apps

Monitor across stack: (need high existing maturity of security)
ITDR
Browser monitoring
SSPM

Very time consuming. Don’t expect to check for all abuses all the time. Prioritize.
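Added example (my own code, not the speaker's or Push Security's): an offline review over a constructed, simplified export of Entra app registrations that flags the abuse paths the talk lists, namely non-admin static owners, high-privilege app roles that ride on the service principal, multi-tenant audience, and credentials older than the review cadence. The export format, the 90-day cadence and the role list are assumptions, not anything the talk specified.

```python
import json

# Graph application roles the talk names as role-management / directory-wide power.
HIGH_PRIV_APP_ROLES = {
    "RoleManagement.ReadWrite.Directory",  # manage any Entra role, admin roles included
    "Directory.ReadWrite.All",
    "AppRoleAssignment.ReadWrite.All",
}
MAX_CREDENTIAL_AGE_DAYS = 90  # assumed review cadence; the talk only says annual is too slow

# Constructed export: a flattened view of app registrations, not raw Graph output.
SAMPLE_EXPORT = json.loads("""{
  "adminUpns": ["alice.admin@contoso.example"],
  "applications": [
    {"displayName": "HR Sync", "signInAudience": "AzureADMyOrg",
     "owners": ["alice.admin@contoso.example"],
     "grantedAppRoles": ["User.Read.All"], "credentialAgeDays": [30]},
    {"displayName": "Partner Portal", "signInAudience": "AzureADMultipleOrgs",
     "owners": ["bob.contractor@contoso.example"],
     "grantedAppRoles": ["RoleManagement.ReadWrite.Directory", "User.Read.All"],
     "credentialAgeDays": [400, 12]}
  ]
}""")


def review_app(app, admin_upns):
    """Return the findings for one app registration (empty list = nothing flagged)."""
    findings = []
    # Owner is a static permission: any owner can add a credential and act as the service principal.
    for owner in app["owners"]:
        if owner not in admin_upns:
            findings.append(f"non-admin owner {owner} can mint service-principal credentials")
    # High-privilege app roles belong to the service principal, not to the human who signs in.
    for role in app["grantedAppRoles"]:
        if role in HIGH_PRIV_APP_ROLES:
            findings.append(f"high-privilege app role granted: {role}")
    # Multi-tenant apps make every finding above multiplicative across consenting tenants.
    if app["signInAudience"] != "AzureADMyOrg" and findings:
        findings.append("multi-tenant app: the same service-principal credential spans tenants")
    # Credentials older than the review cadence are the ones nobody has looked at.
    for age in app["credentialAgeDays"]:
        if age > MAX_CREDENTIAL_AGE_DAYS:
            findings.append(f"credential {age} days old exceeds {MAX_CREDENTIAL_AGE_DAYS}-day cadence")
    return findings


def review_export(export):
    """Map each app's display name to its findings."""
    admins = set(export["adminUpns"])
    return {a["displayName"]: review_app(a, admins) for a in export["applications"]}
```

Run `review_export(SAMPLE_EXPORT)` to see the single-tenant, admin-owned app come back clean and the multi-tenant contractor-owned app collect four findings.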