MS Graph PS SDK app should have a verified publisher #482
Comments
ghost
added
the
|
I agree that the publisher should be verified just found the issue in 1.3 milestones..thanks |
|
Duplicate #449 |
|
I'm confused about the status of this issue. I am still seeing Unverified using 1.9.3. When will this be fixed? |
|
Almost 18 months later and this is still unresolved. |
|
Out of all the "bugs" in this issues list, this is one that cannot cause any regressions and shouldn't need any sort of buy-in, sign-off, or approval. None of my customers will trust this as the replacement for AzureAD and MSOnline until this is resolved. |
|
Related internal work item: https://microsoftgraph.visualstudio.com/Graph%20Developer%20Experiences/_workitems/edit/13822/ |
|
Hello folks. To add visibility here, Microsoft Graph PowerShell SDK uses a third-party appId as part of our security concerns on having incremental consent for permissions. So, being a published verified application in our case is something with no precedent, and even looking as an 'easy' thing to address and something that couldn't cause a regression, we do need yes, dig in and analyze the situation from every possible angle as well as have an agreement with Microsoft Security team. With that said, I would like to let you know that we have been working on it, yes, for quite some time, to figure out the path and finally become a publish verified application. I will update this thread once we get things done. Thanks for your patience. |
|
Word salad and no actual update.
…Sent from my iPhone
On May 10, 2022, at 1:40 PM, Maísa Rissi ***@***.***> wrote:
Hello folks.
To add visibility here, Microsoft Graph PowerShell SDK uses a third-party appId as part of our security concerns on having incremental consent for permissions.
Unfortunately, we have limitations on getting a 3rd party app publish verified under Microsoft Tenant (even being a MS application). The Microsoft security team has not allowed us to do this as the Microsoft Graph PowerShell appID is public and could be used in ways to break security and get access to Microsoft data.
And we can't use first-party appId as incremental consent has not been implemented yet.
So, being a published verified application in our case is something with no precedent, and even looking as an 'easy' thing to address and something that couldn't cause a regression, we do need yes, dig in and analyze the situation from every possible angle as well as have an agreement with Microsoft Security team.
With that said, I would like to let you know that we have been working on it, yes, for quite some time, to figure out the path and finally become a publish verified application.
I will update this thread once we get things done.
Thanks for your patience.
—
Reply to this email directly, view it on GitHub, or unsubscribe.
You are receiving this because you commented.
|
|
maisarissi's update means that another app could spoof itself as a "trusted" publisher and potentially steal a user's credentials. The AADInternals module has cmdlets that show a proof-of-concept attack for nearly all popular MSFT first party apps. |
|
Any news regarding this? Is there any work in progress targeting this issue? |
|
Hi @peterboba . In the meantime, if the “unverified” note is concerning, an alternative option to consider is to use an app registration of your own, on which you can set yourselves as the verified publisher. You’d need to go through the publisher verification process, and use it with the Microsoft Graph PowerShell SDK: Connect-MgGraph -AppId "{your-own-app-id}" -Scopes "scope" |
|
Thanks @maisarissi ! |
|
ran into this today in my environment.. still not resolved eh? |
|
It has been more dan 2.5 years now and still no resolution. But my customers are now confronted with a " Unverified Publisher " warning. WHILE SIGNING IN AS A ADMINISTRATOR GIVING PERMISSIONS How can I explain this to my customers? BTW this is not only annoying for our customers. |
|
Last I recall, the explanation from Microsoft was, “It’s complicated”💩Sent from my iPhoneOn Aug 27, 2023, at 5:14 AM, PeterBizz ***@***.***> wrote:
It has been more dan 2.5 years now and still no resolution.
Azure AD Powershell will be deprecated soon. Microsoft urges us to switch to Microsoft Graph ( "to become future proof/ready" ) https://learn.microsoft.com/en-us/powershell/module/azuread/?view=azureadps-2.0#azuread
But my customers are now confronted with a " Unverified Publisher " warning. WHILE SIGNING IN AS A ADMINISTRATOR GIVING PERMISSIONS
How can I explain this to my customers?
What can expect from microsoft here?
—Reply to this email directly, view it on GitHub, or unsubscribe.You are receiving this because you commented.Message ID: ***@***.***>
|
|
I... just... have no words to describe this. Ready to jump out the window. |
|
Just ran into this situation with 'Microsoft Graph Command Line Tools' |
|
This situation is crazy. Here's me thinking I've downloaded a fake/malware version of the Graph PS tools... but then I find this thread. And then the realisation that I still have no idea whether I have a legit copy of the tools or not... |
|
🤦 So safe or not? |
same, after running: Connect-MgGraph -Scopes "User.ReadWrite.All"
|
|
It's unbelievable that this is still an open issue over 3 years after it was first logged. |
|
Initially, I don't know about this thread. I thought, there is an issue with Microsoft Graph and raised a Support request with them. MSFT Support Engineer shared this thread and informed this is an open issue. Today, I got another response from MSFT to register app in my tenant and get publisher verification done for my app in my tenant to fix this issue. I don't understand, it's been over three years, and it's disheartening to see that Microsoft still hasn't addressed this issue. Instead, their suggested solution seems unreasonable – asking users to register their own app within the tenant and become Microsoft Partners just to get a verified app. Why should we have to go through such lengths, including potentially paying for a partner program, to rectify an issue that should be Microsoft's responsibility to fix? https://developer.microsoft.com/en-us/graph/known-issues/?search=18030 |
timayabi2020
assigned sebastienlevert, CarolKigoonya and timayabi2020 and unassigned peombwa and maisarissi
|
@timayabi2020 how much longer is this going to take, |
|
This issue should be priority number one. This issue lingering for so long is extra ironic because Graph is perhaps the most powerful and therefore dangerous API in the Microsoft ecosystem. For example: how can I justify using this repo to automate Entra ID? |
|
hmm... I was surprised to find this as an issue. I do not like consenting to unverified apps :( |
and others
Currently during consent the app shows a slightly alarming
unverifiedpublisher -- this is misleading, as we know the publisher is Microsoft! The application should securely make that assertion so users and admins don't have to second-guess whether it is safe to use the tool.AB#6852
The text was updated successfully, but these errors were encountered: