⭐️ Microsoft 365 risky users resource #4570

Merged 1 commit into main from chris-rock/ms365-risky-users on Aug 19, 2024

Conversation

chris-rock (Member) commented:

This PR adds the new microsoft.security.riskyUsers resource.

List of risky users

You can easily query for Entra risky users:

Note: this requires a Microsoft Entra ID P2 license. See the Entra ID license requirements for more details.

cnquery> microsoft.security.riskyUsers
microsoft.security.riskyUsers: [
  0: microsoft.security.riskyUser principalName="ben@example.onmicrosoft.com" riskLevel="high" riskState="atRisk" lastUpdatedAt=2024-06-26 13:41:57.1498281 +0200 CEST
]

Or if you want to see all details:

cnquery> microsoft.security.riskyUsers { * }
microsoft.security.riskyUsers: [
  0: {
    id: "346de954-64f8-40db-bc19-aef1001858c0"
    principalName: "ben@example.onmicrosoft.com"
    user: microsoft.user id="346de954-64f8-40db-bc19-aef1001858c0" displayName="Soo Choi" userPrincipalName="ben@example.onmicrosoft.com"
    riskLevel: "high"
    riskDetail: "none"
    name: "Ben Rockwood"
    riskState: "atRisk"
    lastUpdatedAt: 2024-06-26 13:41:57.1498281 +0200 CEST
  }
]

Check that no risky user exists

To verify that no risky user exists, you can just use MQL's none() function:

microsoft.security.riskyUsers.none(riskState == "atRisk")
[failed] [].none()
  actual:   [
    0: microsoft.security.riskyUser riskState="atRisk" lastUpdatedAt=2024-06-26 13:41:57.1498281 +0200 CEST principalName="ben@example.onmicrosoft.com" riskLevel="high"
  ]
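As an added example (not code from this PR or from the cnquery project), the Go below decodes a constructed page of the Microsoft Graph riskyUsers collection that the resource is built on, maps Graph's property names onto the resource's fields, and evaluates the same predicate as the `none(riskState == "atRisk")` check above. It goes a little beyond the description: it also treats `confirmedCompromised` as a failing state and refuses to pass a paginated response before the remaining pages have been fetched. The first user reuses the values shown above; the other two users, their ids and timestamps are made up.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// riskyUser holds the Graph riskyUser fields the microsoft.security.riskyUser
// resource surfaces. Graph's names differ from the resource's: userPrincipalName
// is principalName, userDisplayName is name, riskLastUpdatedDateTime is lastUpdatedAt.
type riskyUser struct {
	ID                      string `json:"id"`
	UserPrincipalName       string `json:"userPrincipalName"`
	UserDisplayName         string `json:"userDisplayName"`
	RiskLevel               string `json:"riskLevel"`
	RiskState               string `json:"riskState"`
	RiskDetail              string `json:"riskDetail"`
	RiskLastUpdatedDateTime string `json:"riskLastUpdatedDateTime"`
}

// riskyUsersPage is one page of GET /v1.0/identityProtection/riskyUsers.
// A non-empty @odata.nextLink means the collection continues on another page.
type riskyUsersPage struct {
	Value    []riskyUser `json:"value"`
	NextLink string      `json:"@odata.nextLink"`
}

// sampleResponse is a constructed page for offline use. The first entry reuses
// the values from the PR description; alice and mallory are made up.
const sampleResponse = `{
  "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#identityProtection/riskyUsers",
  "value": [
    {"id": "346de954-64f8-40db-bc19-aef1001858c0", "userPrincipalName": "ben@example.onmicrosoft.com",
     "userDisplayName": "Ben Rockwood", "riskLevel": "high", "riskState": "atRisk",
     "riskDetail": "none", "riskLastUpdatedDateTime": "2024-06-26T11:41:57.1498281Z"},
    {"id": "8a1f0c22-0f3e-4d0b-9c1e-000000000001", "userPrincipalName": "alice@example.onmicrosoft.com",
     "userDisplayName": "Alice Example", "riskLevel": "medium", "riskState": "remediated",
     "riskDetail": "userPerformedSecuredPasswordReset", "riskLastUpdatedDateTime": "2024-06-20T08:00:00Z"},
    {"id": "8a1f0c22-0f3e-4d0b-9c1e-000000000002", "userPrincipalName": "mallory@example.onmicrosoft.com",
     "userDisplayName": "Mallory Example", "riskLevel": "high", "riskState": "confirmedCompromised",
     "riskDetail": "adminConfirmedUserCompromised", "riskLastUpdatedDateTime": "2024-06-25T16:30:00Z"}
  ]
}`

// parseRiskyUsersPage decodes one page of the collection response.
func parseRiskyUsersPage(body string) (riskyUsersPage, error) {
	var page riskyUsersPage
	if err := json.Unmarshal([]byte(body), &page); err != nil {
		return riskyUsersPage{}, fmt.Errorf("decoding riskyUsers page: %w", err)
	}
	return page, nil
}

// atRisk is the predicate behind microsoft.security.riskyUsers.none(riskState == "atRisk").
func atRisk(u riskyUser) bool { return u.RiskState == "atRisk" }

// unresolved widens that predicate to every state that still needs an admin's
// action: confirmedCompromised is at least as serious as atRisk, while
// remediated, dismissed, confirmedSafe and none have been dealt with.
func unresolved(u riskyUser) bool {
	return u.RiskState == "atRisk" || u.RiskState == "confirmedCompromised"
}

// none mirrors MQL's none(): it reports whether no user on the page matches pred
// and returns the matching users so a failing check can list them, as cnquery
// does under "actual:". It refuses to judge a partial collection, because a
// risky account may sit on a page that was never fetched.
func none(page riskyUsersPage, pred func(riskyUser) bool) (bool, []riskyUser, error) {
	if page.NextLink != "" {
		return false, nil, fmt.Errorf("collection is paginated; fetch %s before evaluating", page.NextLink)
	}
	var hits []riskyUser
	for _, u := range page.Value {
		if pred(u) {
			hits = append(hits, u)
		}
	}
	return len(hits) == 0, hits, nil
}

func main() {
	page, err := parseRiskyUsersPage(sampleResponse)
	if err != nil {
		panic(err)
	}
	ok, hits, _ := none(page, unresolved)
	fmt.Printf("none(riskState == \"atRisk\" || riskState == \"confirmedCompromised\") passed=%v\n", ok)
	for _, u := range hits {
		fmt.Printf("  %s riskLevel=%s riskState=%s riskDetail=%s\n",
			u.UserPrincipalName, u.RiskLevel, u.RiskState, u.RiskDetail)
	}
}
```

The pagination guard matters because the Graph SDK call in the resource returns one page at a time; a check that only looks at the first page can report "no risky users" while the at-risk account is on page two.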

github-actions bot (Contributor) commented Aug 17, 2024:

Test Results

3 097 tests  ±0   3 096 ✅ ±0   1m 28s ⏱️ +12s
  370 suites ±0       1 💤 ±0 
   28 files   ±0       0 ❌ ±0 

Results for commit 0be8a5d. ± Comparison against base commit 6e02adf.

♻️ This comment has been updated with latest results.

ctx := context.Background()

filter := "riskState eq 'atRisk'"
resp, err := graphClient.IdentityProtection().RiskyUsers().Get(ctx, &identityprotection.RiskyUsersRequestBuilderGetRequestConfiguration{
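Review bot: the hard-coded filter `riskState eq 'atRisk'` narrows the resource more than its name suggests. Graph's riskyUsers collection also carries states such as confirmedCompromised, remediated and dismissed, and with this filter none of them ever reach MQL, so the `microsoft.security.riskyUsers.none(riskState == "atRisk")` check from the description degenerates to an emptiness test and a confirmedCompromised account is silently skipped. Either drop the server-side filter and let callers filter in MQL, or widen it to include confirmedCompromised and document on the resource which states it returns.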
Contributor commented:

nit: is there any way we can check for the P2 license here so we can show a nice err msg, or will the API itself throw such an err if the tenant is not P2?

chris-rock (Member Author) replied:

I think we need a better concept in general to check for permissions in Azure. Not just this one.

// User name
name string
// User principal
principalName string
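Review bot: the `// User principal` comment on `principalName` does not say which identifier this is; the examples in the description show it as the account's userPrincipalName (ben@example.onmicrosoft.com), so spell that out, e.g. `// User principal name (UPN) of the risky user`, and say that `name` is the display name so readers do not confuse the two fields.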
preslavgerchev (Contributor) commented Aug 19, 2024:

nit: maybe we can use the microsoft.user resource here? Or can a risky user also be a service app?

chris-rock (Member Author) replied:

Yeah, let's remove it for now and stick with the user reference. Great idea.

chris-rock (Member Author) replied:

Ok. I reviewed the code. I think we should keep principalName for now. Otherwise we always need to create all user objects. I would like to avoid that right now.

@chris-rock chris-rock merged commit 54e8063 into main Aug 19, 2024
15 checks passed
@chris-rock chris-rock deleted the chris-rock/ms365-risky-users branch August 19, 2024 21:22