Restrict access to Azure Active Directory Graph API services to authorized network segments
provider "azurerm" {
  features {}
}

data "azurerm_client_config" "current" {}

# Attribute names below follow the legacy (pre-2.0) azuread provider schema used on this page.
resource "azuread_application" "example" {
  name                       = "example-app"
  homepage                   = "https://homepage"
  identifier_uris            = ["https://uri"]
  reply_urls                 = ["https://replyurl"]
  available_to_other_tenants = false
  # Enables the deprecated OAuth 2.0 implicit grant flow (discussed below).
  oauth2_allow_implicit_flow = true
}

resource "azuread_service_principal" "example" {
  application_id = azuread_application.example.application_id
}

resource "azuread_service_principal_password" "example" {
  service_principal_id = azuread_service_principal.example.id
  # Credential hardcoded in source (discussed below).
  value                = "example_password"
  end_date             = "2020-01-01T01:02:03Z"
}
This Terraform script creates an Azure Active Directory application and a service principal associated with it. The service principal is granted a password, which is hardcoded as "example_password".
The main vulnerability here lies in the unrestricted access to the Azure AD Graph API services: the service can be reached from anywhere on the Internet, and both the service URL and the credentials are present in the application code.
This is a serious security concern because anyone who gains access to this code can potentially access and manipulate the Azure AD Graph API services. The hardcoded credential (in this case, the service principal password) makes the system even more exposed to unauthorized access and potential data breaches.
Moreover, the available_to_other_tenants attribute is set to false, which means the application is available to users in any Azure AD tenant, not just the one where it's registered. This could potentially allow unauthorized users to access the application.
Finally, the oauth2_allow_implicit_flow attribute is set to true, which enables the OAuth 2.0 implicit grant flow. This flow allows the application to obtain an access token directly from the Azure AD authorization endpoint, without needing to authenticate first. This could potentially allow an attacker to impersonate a legitimate user and gain unauthorized access to the application.
provider "azurerm" {
  features {}
}

data "azurerm_client_config" "current" {}

# Declaration for the variable referenced below (not shown on the original page).
# The value is supplied at plan/apply time (for example via TF_VAR_service_principal_password
# or a secret store); sensitive = true keeps it out of plan output and logs.
variable "service_principal_password" {
  type      = string
  sensitive = true
}

resource "azuread_application" "example" {
  name                       = "example-app"
  homepage                   = "https://homepage"
  identifier_uris            = ["https://uri"]
  reply_urls                 = ["https://replyurl"]
  available_to_other_tenants = false
  # oauth2_allow_implicit_flow removed: the implicit grant flow stays disabled (the provider default).
}

resource "azuread_service_principal" "example" {
  application_id = azuread_application.example.application_id
}

resource "azuread_service_principal_password" "example" {
  service_principal_id = azuread_service_principal.example.id
  value                = var.service_principal_password
  end_date             = "2020-01-01T01:02:03Z"
}
The updated code removes the 'oauth2_allow_implicit_flow' attribute from the 'azuread_application' resource. This attribute allowed the application to use the OAuth 2.0 implicit flow, which is less secure and has been deprecated.
The 'azuread_service_principal_password' resource now references a variable for the password value instead of hardcoding it. This is a more secure practice as it prevents sensitive information from being exposed in the code. The actual password can be provided as a variable when running Terraform.
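As an added check that is not part of the original page: a small Python policy scanner that flags, in HCL text, the two code-level weaknesses discussed above (implicit grant enabled and a string-literal service principal password) and also verifies that a password supplied through a var. reference is declared with sensitive = true. The block parser is an assumption of this example: it handles flat blocks like the ones on this page, not nested braces.

```python
import re

# Matches top-level `resource "type" "name" {...}` and `variable "name" {...}` blocks.
# Assumes block bodies contain no nested braces, which holds for the snippets in the text.
BLOCK_RE = re.compile(
    r'(resource|variable)\s+"([^"]+)"(?:\s+"([^"]+)")?\s*\{([^}]*)\}', re.S)
ATTR_RE = re.compile(r'^\s*([A-Za-z_]\w*)\s*=\s*(.+?)\s*$', re.M)
LITERAL_RE = re.compile(r'^"[^"]*"$')     # a quoted string literal
VAR_REF_RE = re.compile(r'^var\.(\w+)$')  # a reference such as var.service_principal_password

def parse(hcl):
    """Return ({'type.name': attrs}, {'var_name': attrs}) for the blocks found in hcl."""
    resources, variables = {}, {}
    for kind, label1, label2, body in BLOCK_RE.findall(hcl):
        attrs = dict(ATTR_RE.findall(body))
        if kind == "resource":
            resources[f"{label1}.{label2}"] = attrs
        else:
            variables[label1] = attrs
    return resources, variables

def check(hcl):
    """Return (address, message) findings for the weaknesses discussed in the text."""
    findings = []
    resources, variables = parse(hcl)
    for addr, attrs in resources.items():
        rtype = addr.split(".", 1)[0]
        if rtype == "azuread_application" and attrs.get("oauth2_allow_implicit_flow") == "true":
            findings.append((addr, "OAuth 2.0 implicit grant enabled; remove the attribute"))
        if rtype == "azuread_service_principal_password":
            value = attrs.get("value", "")
            if LITERAL_RE.match(value):
                findings.append((addr, "service principal password is hardcoded as a string literal"))
            ref = VAR_REF_RE.match(value)
            # Also fires when the referenced variable is not declared in the scanned text.
            if ref and variables.get(ref.group(1), {}).get("sensitive") != "true":
                findings.append((addr, f"variable {ref.group(1)} should declare sensitive = true"))
    return findings

# Constructed sample: the relevant blocks of the vulnerable configuration shown above.
VULNERABLE = '''
resource "azuread_application" "example" {
  name                       = "example-app"
  oauth2_allow_implicit_flow = true
}
resource "azuread_service_principal_password" "example" {
  value = "example_password"
}
'''
```

Running check() over the fixed configuration above returns no findings, while the vulnerable one yields one finding per resource.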
Please note that this code update alone is not enough to fully address the vulnerability. Additional steps need to be taken outside of the code:
1. Configure Conditional Access policies in Azure Active Directory to restrict access to the Azure AD Graph API services. This can be done in the Azure portal.
2. Establish trusted locations for accessing the Azure AD Graph API services. This can be done by following the Azure documentation.
3. Regularly review and update the access control configurations for the Azure AD Graph API services to ensure they are still appropriate and secure.