⭐️ Microsoft 365 application roles and service principal app roles (#…

…4574)

* ⭐️ Microsoft 365 application roles
* ⭐️ Microsoft 365 service principal app roles

providers/ms365/resources/applications.go

@@ -8,6 +8,7 @@ import (
  "encoding/base64"
  "errors"
  "fmt"
+ "github.com/rs/zerolog/log"
  "net/url"
  "time"
 
@@ -97,6 +98,33 @@ func newMqlMicrosoftApplication(runtime *plugin.Runtime, app models.Applicationa
  nativeAuthenticationApisEnabled = &val
  }
 
+ mqlAppRoleList := []interface{}{}
+ appRoles := app.GetAppRoles()
+ for i := range appRoles {
+ appRole := appRoles[i]
+
+ uuid := appRole.GetId()
+ if uuid == nil {
+ log.Debug().Msg("appRole ID is nil")
+ continue
+ }
+
+ mqlAppRoleResource, err := CreateResource(runtime, "microsoft.application.role",
+ map[string]*llx.RawData{
+ "__id": llx.StringData(uuid.String()),
+ "id": llx.StringData(uuid.String()),
+ "name": llx.StringDataPtr(appRole.GetDisplayName()),
+ "description": llx.StringDataPtr(appRole.GetDescription()),
+ "value": llx.StringDataPtr(appRole.GetValue()),
+ "allowedMemberTypes": llx.ArrayData(convert.SliceAnyToInterface(appRole.GetAllowedMemberTypes()), types.String),
+ "isEnabled": llx.BoolDataPtr(appRole.GetIsEnabled()),
+ })
+ if err != nil {
+ return nil, err
+ }
+ mqlAppRoleList = append(mqlAppRoleList, mqlAppRoleResource)
+ }
+
  mqlResource, err := CreateResource(runtime, "microsoft.application",
  map[string]*llx.RawData{
  "__id": llx.StringDataPtr(app.GetId()),
@@ -134,6 +162,7 @@ func newMqlMicrosoftApplication(runtime *plugin.Runtime, app models.Applicationa
  "requestSignatureVerification": llx.DictData(requestSignatureVerification),
  "parentalControlSettings": llx.DictData(parentalControlSettings),
  "publicClient": llx.DictData(publicClient),
+ "appRoles": llx.ArrayData(mqlAppRoleList, types.Resource("microsoft.application.role")),
  })
  if err != nil {
  return nil, err

providers/ms365/resources/ms365.lr

@@ -269,6 +269,24 @@ microsoft.application @defaults("id displayName hasExpiredCredentials") {
  parentalControlSettings dict
  // Public client configuration
  publicClient dict
+ // Application roles
+ appRoles []microsoft.application.role
+}
+
+// Microsoft Entra ID app roles are custom roles to assign permissions to users or apps
+private microsoft.application.role @defaults("name value isEnabled"){
+ // App role ID
+ id string
+ // Display name
+ name string
+ // Description
+ description string
+ // Value
+ value string
+ // Allowed member types
+ allowedMemberTypes []string
+ // App state
+ isEnabled bool
 }
 
 // Microsoft Entra AD Application certificate
@@ -357,6 +375,8 @@ private microsoft.serviceprincipal @defaults("name") {
  accountEnabled bool
  // Whether it is a first-party Microsoft application
  isFirstParty() bool
+ // Application roles
+ appRoles []microsoft.application.role
 }
 
 // Microsoft Service Principal Assignment

providers/ms365/resources/ms365.lr.manifest.yaml

@@ -23,6 +23,8 @@ resources:
  api:
  min_mondoo_version: 9.0.0
  appId: {}
+ appRoles:
+ min_mondoo_version: 9.0.0
  applicationTemplateId:
  min_mondoo_version: 9.0.0
  certificates:
@@ -92,6 +94,16 @@ resources:
  web:
  min_mondoo_version: 9.0.0
  min_mondoo_version: 5.15.0
+ microsoft.application.role:
+ fields:
+ allowedMemberTypes: {}
+ description: {}
+ id: {}
+ isEnabled: {}
+ name: {}
+ value: {}
+ is_private: true
+ min_mondoo_version: 9.0.0
  microsoft.devicemanagement:
  fields:
  deviceCompliancePolicies: {}
@@ -271,6 +283,8 @@ resources:
  min_mondoo_version: 9.0.0
  appRoleAssignments:
  min_mondoo_version: latest
+ appRoles:
+ min_mondoo_version: 9.0.0
  applicationTemplateId:
  min_mondoo_version: 9.0.0
  assignmentRequired:

providers/ms365/resources/serviceprincipals.go

@@ -5,6 +5,7 @@ package resources
 
 import (
  "context"
+ "github.com/rs/zerolog/log"
 
  "github.com/microsoftgraph/msgraph-sdk-go/models"
  "github.com/microsoftgraph/msgraph-sdk-go/serviceprincipals"
@@ -68,6 +69,7 @@ var servicePrincipalFields = []string{
  "appRoleAssignmentRequired",
  "accountEnabled",
  "verifiedPublisher",
+ "appRoles",
 }
 
 func (a *mqlMicrosoft) serviceprincipals() ([]interface{}, error) {
@@ -130,6 +132,33 @@ func newMqlMicrosoftServicePrincipal(runtime *plugin.Runtime, sp models.ServiceP
 
  verifiedPublisher, _ := convert.JsonToDict(newVerifiedPublisher(sp.GetVerifiedPublisher()))
 
+ mqlAppRoleList := []interface{}{}
+ appRoles := sp.GetAppRoles()
+ for i := range appRoles {
+ appRole := appRoles[i]
+
+ uuid := appRole.GetId()
+ if uuid == nil {
+ log.Debug().Msg("appRole ID is nil")
+ continue
+ }
+
+ mqlAppRoleResource, err := CreateResource(runtime, "microsoft.application.role",
+ map[string]*llx.RawData{
+ "__id": llx.StringData(uuid.String()),
+ "id": llx.StringData(uuid.String()),
+ "name": llx.StringDataPtr(appRole.GetDisplayName()),
+ "description": llx.StringDataPtr(appRole.GetDescription()),
+ "value": llx.StringDataPtr(appRole.GetValue()),
+ "allowedMemberTypes": llx.ArrayData(convert.SliceAnyToInterface(appRole.GetAllowedMemberTypes()), types.String),
+ "isEnabled": llx.BoolDataPtr(appRole.GetIsEnabled()),
+ })
+ if err != nil {
+ return nil, err
+ }
+ mqlAppRoleList = append(mqlAppRoleList, mqlAppRoleResource)
+ }
+
  args := map[string]*llx.RawData{
  "id": llx.StringDataPtr(sp.GetId()),
  "type": llx.StringDataPtr(sp.GetServicePrincipalType()),
@@ -155,6 +184,7 @@ func newMqlMicrosoftServicePrincipal(runtime *plugin.Runtime, sp models.ServiceP
  "appRoleAssignmentRequired": llx.BoolDataPtr(sp.GetAppRoleAssignmentRequired()),
  "accountEnabled": llx.BoolDataPtr(sp.GetAccountEnabled()),
  "verifiedPublisher": llx.DictData(verifiedPublisher),
+ "appRoles": llx.ArrayData(mqlAppRoleList, types.Resource("microsoft.application.role")),
  }
  info := sp.GetInfo()
  if info != nil {