Hi everyone! I'm getting started with PowerShell and MgGraph, and I'd love to confirm my understanding of a few concepts related to connecting and using Graph in a safe manner. Here are my questions:

1) When I connect using `Connect-MgGraph` and specify a specific scope, I only gain access to that scope, correct?
2) If I connect without specifying any scope, I then have access to everything the GraphCommandLineTool app can access, right?
3) There's an option to 'consent on behalf of your organization' when I connect with specified scopes. I've heard this is generally considered bad practice because it can grant too many permissions to the service principal over time. Is this true?
4) If the service principal does accumulate too many rights, is this a significant security risk? As I understand it, this would potentially allow users access to a lot more than they should have.
5) What are best practices to prevent a service principal from gathering permissions unnecessarily? Should organizations advise users against checking 'consent on behalf of your organization,' or is it better to periodically delete and recreate the app?
6) Finally, what's the best way to run scripts? Is it acceptable to log in with my admin account for that?

Thanks for your help!
5 Answers
One key point to remember is that while there’s no limit to the number of service principals, there is a cap on role assignments. So keeping them scoped just to what’s necessary is crucial. Additionally, disabling user consent in your organization is often a wise move to prevent unauthorized applications from accessing sensitive data. In our case, we had a plethora of unused apps until we set restrictions.
You’re spot on with your understanding of the scopes, except for the second point. When connecting without a specified scope, you don’t automatically get access to everything—the permissions are limited to what your own account can access. That's really important for security. And yes, it's generally a good idea for admins to avoid granting organization-wide permissions unless absolutely necessary, as this can expose sensitive data. About running scripts, I recommend using an admin account only when strictly necessary to maintain a good security posture, practicing a zero-trust approach.
When you use `Connect-MgGraph`, the scopes granted are tied to that service principal, which means you can reconnect later without respecifying them. Users shouldn't really hit "consent on behalf of your org" unless they have the appropriate admin rights—otherwise, they shouldn’t be able to do it without admin approval. Also, there are no limits on how many service principals can exist, but roles should be kept as minimal as possible for better security. For scripting, it's advisable to not use your own account past the initial development stage; consider offloading to a non-user identity for production work. You might also want to look into Azure Automation for running scripts without needing a constant user sign-in.
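The two answers above make the same practical point from different angles: the scopes a session carries are whatever has already been consented for the tool's service principal, bounded by what your own account can see, so the thing to check is what the session actually received and what the service principal has accumulated. The script below is an added example, not code from anyone in this thread. It uses the Microsoft.Graph PowerShell SDK; the scope names and the service principal display name "Microsoft Graph Command Line Tools" are assumptions about a typical tenant.

```powershell
# Added example (not from the thread): connect with only the scopes a task needs,
# confirm what the session actually received, then audit what the
# "Microsoft Graph Command Line Tools" service principal has accumulated.
# Assumes the Microsoft.Graph PowerShell SDK is installed and that the scopes
# below are the least-privilege ones for these read-only cmdlets (assumption).

# 1) Least-privilege connect: ask only for what this audit needs.
$requiredScopes = @('Application.Read.All', 'Directory.Read.All')
Connect-MgGraph -Scopes $requiredScopes -NoWelcome

# 2) Check what the token actually carries. Scopes consented earlier for this
#    app/user pair come along too, so this can be larger than $requiredScopes.
$ctx = Get-MgContext
"Signed in as: {0} (auth type: {1})" -f $ctx.Account, $ctx.AuthType
"Scopes in this session:"
$ctx.Scopes | Sort-Object | ForEach-Object { "  $_" }

$extra = $ctx.Scopes | Where-Object { $_ -notin $requiredScopes }
if ($extra) {
    Write-Warning ("Session carries {0} scope(s) beyond what this task asked for: {1}" -f `
        $extra.Count, ($extra -join ', '))
}

# 3) Audit the delegated permission grants held by the tool's service principal.
#    The display name is the one shown under Enterprise applications (assumption).
$sp = Get-MgServicePrincipal -Filter "displayName eq 'Microsoft Graph Command Line Tools'"
if (-not $sp) {
    throw "Service principal not found; nobody has consented to the tool in this tenant yet."
}

$grants = Get-MgOauth2PermissionGrant -Filter "clientId eq '$($sp.Id)'" -All
foreach ($g in $grants) {
    # ConsentType 'AllPrincipals' is what "consent on behalf of your organization"
    # produces; 'Principal' grants apply to a single user identified by PrincipalId.
    [pscustomobject]@{
        ConsentType = $g.ConsentType
        PrincipalId = $g.PrincipalId
        Scopes      = (($g.Scope -split ' ') | Where-Object { $_ }) -join ', '
    }
}

# Tenant-wide grants are the ones to review first: every user who signs in to the
# tool inherits them, up to whatever their own account is allowed to see.
$tenantWide = $grants | Where-Object { $_.ConsentType -eq 'AllPrincipals' }
if ($tenantWide) {
    Write-Warning ("{0} tenant-wide grant(s) found on the tool's service principal." -f $tenantWide.Count)
}

Disconnect-MgGraph | Out-Null
```

Run it from an account that can read directory objects; it only reads. If the review turns up a tenant-wide grant that nobody needs, the grant object itself is what gets removed (`Remove-MgOauth2PermissionGrant` on its id, which needs a write scope such as `DelegatedPermissionGrant.ReadWrite.All`), so the service principal does not have to be deleted and recreated to trim it.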
Seems like you have a solid grasp! Some people struggle even more with this—it’s impressive that you’re diving into these details already.
These practices are definitely best for organization security. You’re doing great by wanting to get this right early on! Consider also checking out the Microsoft documentation on security best practices for Graph.

It's great to see someone eager to understand this thoroughly, especially with how complex permissions can get!