
AADApplication resource fails to detect drift when Permissions set to empty array #5534

Closed
SNikalaichyk opened this issue Dec 11, 2024 · 0 comments · Fixed by #5535 or #5538

@SNikalaichyk

Module version: 1.24.1204.1

Description:

The AADApplication resource fails to detect drift, incorrectly interpreting an empty Permissions array as "ignore existing permissions" rather than "remove all permissions."

Steps to reproduce:

  1. Define an AADApplication resource
  2. Set the Permissions property to an empty array @()
  3. Apply the configuration to an existing application that has permissions
  4. Run drift detection

Expected result:

Drift should be detected, indicating a difference between the empty Permissions array and the existing permissions.

Actual result:

No drift is detected, and the existing permissions on the application are ignored.

Impact:

This issue can lead to unintended permissions remaining on applications, creating potential security vulnerabilities and making it difficult to maintain.

Sample configuration:

Configuration TestAppConfig {
    # Authentication values are supplied when the configuration is compiled
    param ($ApplicationId, $CertificateThumbprint, $TenantId)

    Import-DscResource -ModuleName Microsoft365DSC
    AADApplication 'TestApp' {
        AvailableToOtherTenants = $False
        DisplayName             = 'TestApp'
        Ensure                  = 'Present'
        Permissions             = @()   # intended meaning: remove all permissions
        ApplicationId           = $ApplicationId
        CertificateThumbprint   = $CertificateThumbprint
        TenantId                = $TenantId
    }
}

Test-DscConfiguration output:

VERBOSE: Perform operation 'Invoke CimMethod' with following parameters, ''methodName' = TestConfiguration,'className' = MSFT_DSCLocalConfigurationManager,'namespaceName' = root/Microsoft/Windows/DesiredStateConfiguration'.
VERBOSE: An LCM method call arrived from computer SERVER01 with user sid ***.
VERBOSE: [SERVER01]: LCM:  [ Start  Compare  ]
VERBOSE: [SERVER01]: LCM:  [ Start  Resource ]  [[AADApplication]TestApp]
VERBOSE: [SERVER01]: LCM:  [ Start  Test     ]  [[AADApplication]TestApp]
VERBOSE: [SERVER01]:                            [[AADApplication]TestApp] Testing configuration of AzureAD Application
VERBOSE: [SERVER01]:                            [[AADApplication]TestApp] Getting configuration of Azure AD Application
VERBOSE: [SERVER01]:                            [[AADApplication]TestApp] Attempting to retrieve Azure AD Application by DisplayName {TestApp}
VERBOSE: [SERVER01]:                            [[AADApplication]TestApp] An instance of Azure AD App was retrieved.
VERBOSE: [SERVER01]:                            [[AADApplication]TestApp] Retrieving permissions for Azure AD Application {TestApp}
VERBOSE: [SERVER01]:                            [[AADApplication]TestApp] [1/1]Obtaining information for App's Permission for {***}
VERBOSE: [SERVER01]:                            [[AADApplication]TestApp] GET https://graph.microsoft.com/beta/applications/***/onPremisesPublishing with 0-byte payload
VERBOSE: [SERVER01]:                            [[AADApplication]TestApp] received 325-byte response of content type application/json
VERBOSE: [SERVER01]:                            [[AADApplication]TestApp] On-premises publishing is not enabled for App {TestApp}
VERBOSE: [SERVER01]:                            [[AADApplication]TestApp] Get-TargetResource Result:
< Truncated >
Permissions={AdminConsentGranted=False
Name=User.Read
SourceAPI=Microsoft Graph
Type=Delegated}
< Truncated >
VERBOSE: [SERVER01]:                            [[AADApplication]TestApp] No Permissions exist for the current Azure AD App and no permissions were specified
VERBOSE: [SERVER01]:                            [[AADApplication]TestApp] Current Values:
< Truncated >
Permissions={AdminConsentGranted=False
Name=User.Read
SourceAPI=Microsoft Graph
Type=Delegated}
PublicClient=False
ReplyURLs=()
TenantId=***
VERBOSE: [SERVER01]:                            [[AADApplication]TestApp] Target Values: ApplicationId=***
AvailableToOtherTenants=False
CertificateThumbprint=***
DisplayName=TestApp
Ensure=Present
Permissions=()
TenantId=***
Verbose=True
VERBOSE: [SERVER01]:                            [[AADApplication]TestApp] Test-TargetResource returned True
VERBOSE: [SERVER01]: LCM:  [ End    Test     ]  [[AADApplication]TestApp] True in 35.6670 seconds.
VERBOSE: [SERVER01]: LCM:  [ End    Resource ]  [[AADApplication]TestApp]
VERBOSE: [SERVER01]: LCM:  [ End    Compare  ]     Completed processing compare operation. The operation returned True.
VERBOSE: [SERVER01]: LCM:  [ End    Compare  ]    in  36.0280 seconds.
VERBOSE: Operation 'Invoke CimMethod' complete.

PSComputerName  ResourcesInDesiredState        ResourcesNotInDesiredState     InDesiredState
--------------  -----------------------        --------------------------     --------------
localhost       {[AADApplication]TestApp}                                     True
VERBOSE: Time taken for configuration job to complete is 36.156 seconds
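An added illustration of the logic error described in this issue (not Microsoft365DSC's code and not the reporter's): a simplified permission drift test in the reported buggy form next to a corrected form that distinguishes an undeclared Permissions property from an explicitly empty one. The function names, the -DesiredSpecified switch (in a real DSC resource that signal would come from $PSBoundParameters) and the sample data are assumptions.

```powershell
# Added illustration, not Microsoft365DSC's own code. Names are hypothetical.

function Get-PermissionFingerprint {
    param([array]$Permissions)
    # Canonical, sorted "API|Name|Type" list so two permission sets compare as
    # strings; a null or empty list yields the empty string.
    $keys = foreach ($p in $Permissions) { '{0}|{1}|{2}' -f $p.SourceAPI, $p.Name, $p.Type }
    return (($keys | Sort-Object) -join ';')
}

function Test-PermissionDriftBuggy {
    param([array]$Current, [array]$Desired)
    # Bug: an empty desired list is treated like "not specified", so the existing
    # permissions are never compared and the resource reports "in desired state".
    if ($null -eq $Desired -or $Desired.Count -eq 0) {
        Write-Verbose 'No permissions were specified; skipping comparison'
        return $true
    }
    return (Get-PermissionFingerprint $Current) -eq (Get-PermissionFingerprint $Desired)
}

function Test-PermissionDriftFixed {
    param([array]$Current, [array]$Desired, [switch]$DesiredSpecified)
    # Only a property that was never declared means "leave permissions alone".
    if (-not $DesiredSpecified) { return $true }
    # A declared empty list means "remove all": any permission still present is
    # drift, and a populated list must match the directory exactly.
    return (Get-PermissionFingerprint $Current) -eq (Get-PermissionFingerprint $Desired)
}

# Constructed sample mirroring the log above: the app still holds User.Read while
# the configuration declares Permissions = @().
$current = @(@{ SourceAPI = 'Microsoft Graph'; Name = 'User.Read'; Type = 'Delegated'; AdminConsentGranted = $false })
$desired = @()

# Buggy form: skips the comparison and claims the resource is in desired state.
Test-PermissionDriftBuggy -Current $current -Desired $desired
# Fixed form: the declared empty list is enforced, so the remaining permission is drift.
Test-PermissionDriftFixed -Current $current -Desired $desired -DesiredSpecified
# Fixed form with the property undeclared: nothing to enforce, no drift.
Test-PermissionDriftFixed -Current $current -Desired $null
```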