Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ApplicationSecret handling results in PlainText passwords in the resulting MOF #1714

Closed
rberghuis opened this issue Jan 26, 2022 · 3 comments · Fixed by #2312 or #2371
Closed

ApplicationSecret handling results in PlainText passwords in the resulting MOF #1714

rberghuis opened this issue Jan 26, 2022 · 3 comments · Fixed by #2312 or #2371
Assignees
@NikCharlebois
Labels
Breaking Changes Core Engine
Milestone
1.22.406 - Breaki...

Comments

@rberghuis
Copy link

rberghuis commented Jan 26, 2022
edited
Loading

Based on the usage of ApplicationSecret, this is currently stored as Plain Text in MOF-files regardless of the use of Set-M365DSCAgentCertificateConfiguration, as DSC doesn't recognize this as a 'Secret' by itself.

Microsoft365DSC/Modules/Microsoft365DSC/Modules/M365DSCUtil.psm1

Lines 1580 to 1586 in 76c81cd

Connect-M365Tenant -Workload $Workload `
-ApplicationId $InboundParameters.ApplicationId `
-TenantId $InboundParameters.TenantId `
-ApplicationSecret $InboundParameters.ApplicationSecret `
-Url $Url `
-SkipModuleReload $Global:CurrentModeIsExport `
-ProfileName $ProfileName

The referencing module also expects a plain-text secret ([system.string]) as show below, but would implement it as a [System.Management.Automation.PSCredential] retrieving the 'SecureString' and coverting that back to plaintext upon connect. As it is then a PSCredential object, the MOF will reference this as such, making it possible to encrypt the secret using a certificate by leveraging the Set-M365DSCAgentCertificateConfiguration.

[Parameter()]
[System.String]
$ApplicationSecret,

<# omitted #>

[Parameter()]
[SecureString]
$CertificatePassword,

Example code using an Application Secret

Configuration AADGroupLifecyclePolicy
{
    Param (
        [Parameter(Mandatory=$false)]
        [ValidateScript({$_ -match 'onmicrosoft.com'})]
        [string]$TenantId,

        [Parameter(Mandatory=$false)]
        [System.Guid]$ApplicationId,

        [Parameter(Mandatory=$false)]
        [string]$ApplicationSecret,
    )

    Import-DscResource -ModuleName Microsoft365DSC

    Node localhost
    {
        AADGroupLifecyclePolicy 'AADGroupLifecyclePolicy'
        {
            # Authentication details
            TenantId                                      = $TenantId
            ApplicationId                                 = $ApplicationId
            ApplicationSecret                             = $ApplicationSecret
            # Settings
            IsSingleInstance                              = "Yes"
            AlternateNotificationEmails                   = @("[email protected]")
            GroupLifetimeInDays                           = 365
            ManagedGroupTypes                             = "All"
        }
    }
}

Results into a MOF-file like

/*
@TargetNode='localhost'
@GeneratedBy=M365ConfigAgentSvc
@GenerationDate=01/26/2022 08:30:23
@GenerationHost=M365DSC
*/

instance of MSFT_AADGroupLifecyclePolicy as $MSFT_AADGroupLifecyclePolicy1ref
{
    ResourceID = "[AADGroupLifecyclePolicy]AADGroupLifecyclePolicy";
    TenantId = "contoso.onmicrosoft.com";
    ApplicationSecret = "The_PlainText_Application_Pa$$w0rd_here";
    ApplicationId = "123456789-abcd-1337-dcba-9876543210";
    AlternateNotificationEmails = {
        "[email protected]"
    };
    SourceInfo = "C:\\Agent\\_work\\1\\s\\DSC\\Azure-AD\\Group-Lifecycle-Policy.ps1::42::9::AADGroupLifecyclePolicy";
    ManagedGroupTypes = "All";
    IsSingleInstance = "Yes";
    ModuleName = "Microsoft365DSC";
    ModuleVersion = "1.22.105.1";
    GroupLifetimeInDays = 365;
    ConfigurationName = "AADGroupLifecyclePolicy";
};
instance of OMI_ConfigurationDocument
{
    Version="2.0.0";
    MinimumCompatibleVersion = "1.0.0";
    CompatibleVersionAdditionalProperties= {"Omi_BaseResource:ConfigurationName"};
    Author="M365ConfigAgentSvc";
    GenerationDate="01/26/2022 08:30:23";
    GenerationHost="M365DSC";
    Name="AADGroupLifecyclePolicy";
};

Edited to provide syntax highlighting
@NikCharlebois
Copy link
Collaborator

NikCharlebois commented Jan 26, 2022
edited
Loading

We are aware of this and have a fix in place. However this will need to be a breaking change since the ApplicationSecret parameter will need to be changed from being a String to a SecureString object for EVERY resource in the project. Next breaking change release is scheduled for April 6th 2022.

@NikCharlebois NikCharlebois self-assigned this Feb 4, 2022
@NikCharlebois
Copy link
Collaborator

Update on this, SecureString is not a supported type for MOF files. Either we make ApplicationSecret a PSCredential (breaking) or we keep it as is for the time being (until we review how to address in PoSh 7.2+)

@NikCharlebois NikCharlebois mentioned this issue Sep 21, 2022
Merged
@NikCharlebois
Copy link
Collaborator

This will be fixed as part of 1.22.1005.1

@NikCharlebois NikCharlebois mentioned this issue Oct 5, 2022
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@NikCharlebois NikCharlebois

Labels
Breaking Changes Core Engine
Projects
None yet
Milestone
1.22.406 - Breaking Changes
Development

Successfully merging a pull request may close this issue.

Fix 1714 NikCharlebois/Microsoft365DSC
Release 1.22.1005.1 NikCharlebois/Microsoft365DSC
3 participants
@NikCharlebois @andikrueger @rberghuis