Is it possible to limit AppRoleAssignment.ReadWrite.All ?

Arp, Thomas
2021-06-14T11:10:41.923+00:00

The permission AppRoleAssignment.ReadWrite.All allows for "self-elevation", in that it makes it possible to add more permissions to the service principal that has this permission. Also, the SP could potentially create other users and assign this permission to them, making them able to self-elevate as well.

Are there any ways of limiting the assignments to particular groups, service principals and/or resources?

In particular, we wish to automate creation of applications and assign required group memberships to those newly created applications, without worrying that if the credentials for the automation should be leaked, we'll potentially have a giant security hole.

We have tried to limit access through use of Application.ReadWrite.OwnedBy, such that one SP can't mess with the applications created by another.
I understand there's a concept of grant policies and that they might be able to limit when we grant access to the permission, but once we do elevate to AppRoleAssignment.ReadWrite.All, I don't see how it helps.

Microsoft Security | Microsoft Graph
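As an added example (not part of the original question and not Microsoft's own tooling), the following Python script performs an offline audit over the two Microsoft Graph response shapes involved in the question: the resource service principal's `appRoles` list (from `GET /servicePrincipals/{id}`) and its `appRoleAssignedTo` collection (from `GET /servicePrincipals/{id}/appRoleAssignedTo`). It joins each assignment to a permission name by `appRoleId` instead of hard-coding GUIDs, flags every principal that holds AppRoleAssignment.ReadWrite.All, and separates tenant-wide `.All` permissions from object-scoped ones such as Application.ReadWrite.OwnedBy. All identifiers and display names in the embedded JSON are constructed placeholders, not real Graph app role IDs or tenant objects; in a real tenant you would feed it the saved output of the two Graph calls above for the Microsoft Graph service principal.

```python
"""Offline audit of Microsoft Graph app role assignments.

Added example, not part of the original question. Input shapes follow the
Microsoft Graph `servicePrincipal.appRoles` and `appRoleAssignedTo` responses;
every ID and name below is a constructed placeholder, not a real Graph or
tenant value.
"""
import json

# Application permissions whose holder can grant any app role, to itself or to
# a principal it controls: the "self-elevation" case raised in the question.
SELF_ELEVATING = frozenset({"AppRoleAssignment.ReadWrite.All"})

# Constructed stand-in for GET /servicePrincipals/{graph-sp-id} -> appRoles.
GRAPH_APP_ROLES_JSON = """[
  {"id": "00000000-0000-0000-0000-000000000001", "value": "AppRoleAssignment.ReadWrite.All",
   "allowedMemberTypes": ["Application"], "isEnabled": true},
  {"id": "00000000-0000-0000-0000-000000000002", "value": "Application.ReadWrite.OwnedBy",
   "allowedMemberTypes": ["Application"], "isEnabled": true},
  {"id": "00000000-0000-0000-0000-000000000003", "value": "Group.Read.All",
   "allowedMemberTypes": ["Application"], "isEnabled": true}
]"""

# Constructed stand-in for GET /servicePrincipals/{graph-sp-id}/appRoleAssignedTo.
ASSIGNED_TO_JSON = """{"value": [
  {"id": "asg-1", "principalId": "11111111-1111-1111-1111-111111111111",
   "principalDisplayName": "app-provisioning-automation", "principalType": "ServicePrincipal",
   "appRoleId": "00000000-0000-0000-0000-000000000001"},
  {"id": "asg-2", "principalId": "11111111-1111-1111-1111-111111111111",
   "principalDisplayName": "app-provisioning-automation", "principalType": "ServicePrincipal",
   "appRoleId": "00000000-0000-0000-0000-000000000002"},
  {"id": "asg-3", "principalId": "22222222-2222-2222-2222-222222222222",
   "principalDisplayName": "reporting-job", "principalType": "ServicePrincipal",
   "appRoleId": "00000000-0000-0000-0000-000000000003"},
  {"id": "asg-4", "principalId": "33333333-3333-3333-3333-333333333333",
   "principalDisplayName": "legacy-sync", "principalType": "ServicePrincipal",
   "appRoleId": "ffffffff-ffff-ffff-ffff-ffffffffffff"}
]}"""


def load_role_index(app_roles_json: str) -> dict:
    """Map appRoleId -> permission name (the appRole 'value') for a resource SP."""
    return {r["id"]: r["value"] for r in json.loads(app_roles_json) if r.get("value")}


def permissions_by_principal(assigned_to_json: str, role_index: dict) -> dict:
    """Group appRoleAssignedTo entries per principal and resolve each appRoleId.

    An appRoleId missing from the index (stale or foreign role) is kept with a
    visible label rather than silently dropped, so the audit never under-reports.
    """
    out = {}
    for a in json.loads(assigned_to_json)["value"]:
        entry = out.setdefault(a["principalId"], {
            "displayName": a.get("principalDisplayName", ""),
            "principalType": a.get("principalType", ""),
            "permissions": set(),
        })
        name = role_index.get(a["appRoleId"], f"<unknown appRoleId {a['appRoleId']}>")
        entry["permissions"].add(name)
    return out


def find_self_elevating(by_principal: dict, dangerous=SELF_ELEVATING) -> list:
    """Return sorted (principalId, displayName, permission) for every holder of a
    self-elevating application permission."""
    hits = []
    for pid, info in by_principal.items():
        for perm in sorted(info["permissions"] & dangerous):
            hits.append((pid, info["displayName"], perm))
    return sorted(hits)


def tenant_wide(perms: set) -> set:
    """Permissions ending in '.All' apply tenant-wide; '.OwnedBy' variants only
    reach objects the caller owns, which is the scoping the question relies on."""
    return {p for p in perms if p.endswith(".All")}


if __name__ == "__main__":
    index = load_role_index(GRAPH_APP_ROLES_JSON)
    grouped = permissions_by_principal(ASSIGNED_TO_JSON, index)
    for pid, name, perm in find_self_elevating(grouped):
        print(f"SELF-ELEVATING  {name} ({pid}) holds {perm}")
    for pid, info in grouped.items():
        print(f"{info['displayName']}: tenant-wide = {sorted(tenant_wide(info['permissions']))}")
```

Run it against the real responses by replacing the two JSON constants with the saved output of the Graph calls named above; the report lists every principal that can re-grant itself any role, which is the population whose credentials must be treated as tenant-admin-equivalent regardless of what Application.ReadWrite.OwnedBy restricts.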