Skip to content

feat(scanner): add enterprise App Registration and Managed Identity rules#197

Open
TFT444 wants to merge 2 commits into
devfrom
feat/193-app-reg-managed-identity
Open

feat(scanner): add enterprise App Registration and Managed Identity rules#197
TFT444 wants to merge 2 commits into
devfrom
feat/193-app-reg-managed-identity

Conversation

@TFT444

@TFT444 TFT444 commented Jul 15, 2026

Copy link
Copy Markdown
Collaborator

What does this PR do?

Adds a cohesive enterprise identity security pack for Microsoft Entra App Registrations and Azure Managed Identities, while consolidating App Registration inventory so all related rules share one cached, paginated Graph request per scan.

Rules

Rule Severity Detection
AZ-IDN-010 MEDIUM App Registration has no owner
AZ-IDN-011 HIGH Non-loopback HTTP redirect URI
AZ-IDN-012 MEDIUM OAuth implicit token issuance enabled
AZ-IDN-013 MEDIUM Password credentials present
AZ-IDN-014 HIGH Multi-tenant app lacks full application-instance property lock
AZ-IDN-015 HIGH Managed identity has Owner or Contributor at subscription scope

Existing rule improvement

AZ-IDN-006 now reuses AzureClient.get_applications() instead of performing its own Graph request. The accessor:

  • follows @odata.nextLink;
  • caches successful, empty, and failed inventory states;
  • expands only minimal owner IDs;
  • requests only security-relevant application properties;
  • returns None on Graph failure so rules cannot mistake an incomplete scan for compliance.

Managed Identity detection uses Graph's immutable servicePrincipalType=ManagedIdentity filter and correlates principal IDs with cached subscription RBAC assignments. Privileged roles are matched by immutable built-in role-definition GUIDs and exact subscription scope.

Data minimization

Findings do not include:

  • tokens or credential values;
  • credential key IDs or hints;
  • complete redirect URIs;
  • owner names, email addresses, or user principal names.

Only counts, boolean states, role names, principal IDs, and required resource identifiers are retained.

Assignment restriction decision

The proposed AZ-IDN-016 resource-provider assignment-restriction rule is intentionally deferred. Microsoft documents the new portal feature, but the current public Managed Identity REST response reliably exposes isolationScope, not the configured resource-provider restriction collection. This PR does not infer or invent an undocumented field.

Permissions

Read-only scanning requires:

  • Microsoft Graph application permission Application.Read.All;
  • Azure action Microsoft.Authorization/roleAssignments/read.

No Graph write permission is requested by the scanner.

Compliance

Mappings were added for the repository's NIST CSF 1.1, ISO/IEC 27001:2013, and SOC 2 schemas. The current CIS Azure Foundations 2.0.0 file has no direct controls for these checks, so mappings are explicitly numbered TBD-IDN-* placeholders rather than claiming unsupported CIS coverage.

Testing

  • 409 tests passed from a clean checkout
  • 3 existing environment-dependent tests skipped
  • 58 focused identity tests passed
  • Pagination and per-scan caching tested
  • Graph and Azure RBAC failures tested as indeterminate states
  • Loopback IPv4, IPv6, localhost, HTTPS, and native redirect cases tested
  • Exact subscription versus resource-group scope tested
  • Ruff lint and format checks passed
  • Bash syntax checks passed for all playbooks
  • Bandit passed at the CI threshold
  • No new dependency introduced
  • Live tenant validation (requires an approved non-production Entra/Azure environment)

Related issue

Closes #193

@github-actions

Copy link
Copy Markdown

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Scanned Files

None

@TFT444
TFT444 requested review from m-khan-97 and removed request for SHAURYAKSHARMA24, parthrohit22 and ritiksah141 July 15, 2026 12:54
@TFT444 TFT444 self-assigned this Jul 16, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

feat(scanner): propose enterprise App Registration and Managed Identity security pack

1 participant