Major Changes
- Add high risk application/service principal permissions into results JSON #1462
ScubaGear now identifies Azure AD (aka Entra ID) registered applications and third-party service principals that have high-risk permissions in a tenant. With this information you can conduct a review to flag suspicious and over-privileged applications and significantly reduce your attack surface from these commonly hard-to-manage assets. In the current release this information can be found in the ScubaResults JSON file. An upcoming release will add the data to the Azure AD HTML report. For now, the `risky_applications` and `risky_third_party_service_principals` keys in the ScubaResults JSON file contain the details for review.
- Add privileged service principals table to Azure AD baseline report #1467
- Add report UUID to the ScubaResults JSON filename #1426
- Add `-Scope` option to `Initialize-SCuBA` to support module install as `AllUsers` #1388
- Add stacktraces to error output from ScubaGear #1468
- Remove HTML elements from ScubaResults.json #1384
- Revise Azure AD report header with new exclusion info and documentation name #1529
- Add version update notification on ScubaGear module import #1424
- Bump OPA version from v0.69.0 to v0.70.0 #1395
- Bump OPA version from v0.70.0 to v1.0.1 #1526
- Updated Microsoft.PowerApps.Administration.PowerShell min/max versions #1530
- See full list of enhancements here
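The risky application and third-party service principal findings described above live under two keys in the ScubaResults JSON. The script below is an added example, not ScubaGear's own code: it walks a results document, locates every occurrence of `risky_applications` and `risky_third_party_service_principals` wherever they are nested, and prints the entries with their JSON path so a reviewer can work through them. The key names come from the release notes; their position in the file and the shape of each entry are not documented here, so the walk is recursive and entries are shown as-is, and the sample document (including its `Raw.aad` nesting) is constructed for the example.

```python
"""Added example (not ScubaGear's own code): extract the high-risk application
and third-party service principal findings from a ScubaResults JSON file for
manual review.

Assumptions: only the two key names are taken from the release notes. Their
location in the document and the shape of each entry are assumptions, so the
search is a recursive walk and entries are reported unchanged.
"""
from __future__ import annotations

import json
import sys
from typing import Any, Iterator

REVIEW_KEYS = ("risky_applications", "risky_third_party_service_principals")


def find_review_keys(node: Any, path: str = "$") -> Iterator[tuple[str, str, Any]]:
    """Yield (key, json_path, value) for each occurrence of a review key.

    The walk covers nested objects and arrays so it does not depend on where
    ScubaGear places the keys in the document.
    """
    if isinstance(node, dict):
        for name, value in node.items():
            child = f"{path}.{name}"
            if name in REVIEW_KEYS:
                yield name, child, value
            yield from find_review_keys(value, child)
    elif isinstance(node, list):
        for index, item in enumerate(node):
            yield from find_review_keys(item, f"{path}[{index}]")


def summarize(results: Any) -> dict[str, int]:
    """Count entries under each review key; absent keys count as zero."""
    counts = {key: 0 for key in REVIEW_KEYS}
    for key, _path, value in find_review_keys(results):
        counts[key] += len(value) if isinstance(value, list) else 1
    return counts


def load_results(filename: str) -> Any:
    """Load a ScubaResults JSON file produced by a ScubaGear run."""
    with open(filename, encoding="utf-8") as handle:
        return json.load(handle)


def print_review(results: Any) -> None:
    """Print every finding with the path it was found at, for a manual review."""
    for key, path, value in find_review_keys(results):
        entries = value if isinstance(value, list) else [value]
        print(f"{key} at {path}: {len(entries)} entr{'y' if len(entries) == 1 else 'ies'}")
        for entry in entries:
            print("  " + json.dumps(entry, sort_keys=True))


# Constructed sample document: the nesting under "Raw.aad" is hypothetical and
# only serves to show that the recursive search finds the keys wherever they sit.
SAMPLE_RESULTS = {
    "MetaData": {"Tool": "ScubaGear", "ReportUUID": "00000000-0000-0000-0000-000000000000"},
    "Raw": {
        "aad": {
            "risky_applications": [
                {"DisplayName": "Constructed App A", "Permissions": ["Directory.ReadWrite.All"]},
                {"DisplayName": "Constructed App B", "Permissions": ["Mail.ReadWrite"]},
            ],
            "risky_third_party_service_principals": [
                {"DisplayName": "Constructed SP C", "Permissions": ["User.ReadWrite.All"]},
            ],
        }
    },
}


if __name__ == "__main__":
    # Usage: python review_risky_apps.py [ScubaResults-<uuid>.json]
    # Without an argument the constructed sample is used.
    document = load_results(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_RESULTS
    print_review(document)
    print("totals:", summarize(document))
```

Run it against a real `ScubaResults-<uuid>.json` from the output folder to get a per-key listing; `summarize` is handy for tracking the count of flagged applications between assessments.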
Note
Microsoft has updated the permissions required to get configuration information from SharePoint Online. As a result, when running ScubaGear with interactive authentication, users only need to be assigned the Global Reader role; the SharePoint Administrator role is no longer required. This change improves security by limiting the permissions to only what ScubaGear needs to retrieve and assess SharePoint configuration details, reducing the risk that the account's access could be misused. ScubaGear never makes changes to the tenant, regardless of the permissions of the user running it.
Bugs Fixed
- Fix crash when running OPA from UNC path #1387
- Improve performance of Defender query to count users without advanced auditing #1406
- Fix consistency of Entra checks for application & role exclusions #1537
- Fix Version Update check non-existent file reference #1481
- Fix Entra checks to test MS.AAD.3.3v1 policy for authenticator disabled #1549
- Config file error message for duplicate keys fixed and improved #1547
- See full list of bug fixes here
Baselines
- Update Front Matter across SCBs and specific language in the Defender SCB #1398
- Adding Conditional Access Policy Implementation Instructions to MS.AAD.1.1 #1312
- Update incorrect hyperlinks in SCB markdown #1413
- Remove extraneous SHALL from MS.DEFENDER.4.1 #1408
- Remove MS.SHAREPOINT4.2v1 due to Microsoft update to custom scripting settings #1447
- Update AAD.3.1v1 to include device-bound passkeys language and resource to MS.AAD.3.1 #1431
- Update MS.AAD.5.4v1 checks for teams group consent for deprecated setting #1460
- See full list of baseline updates here
Documentation
- Update HTML report template title (Security Baseline Conformation -> Secure Configuration Baseline) #1362
- Fix parameter default documentation typos #1374
- Correct omission in documentation about importing module when downloading from GitHub #1412
- Clarify License Requirements in assumptions.md #1439
- Add service principal setup to functional testing documentation #1423
- Document ability to add organizational metadata and complying with SCuBA policy checks via configuration file #1443
- Update SCB acronym to read as "Secure Configuration Baseline" #1440
- Update ScubaGear authentication documentation for additional GCC High, Defender, and SharePoint details #1557
- Update README with new ScubaGear graphic #1497
- Add Defender configuration options documentation #1515
- Remove outdated parameters from sample config files #1528
- See full list of documentation changes here
Full Changelog: v1.4.0...v1.5.0