r/entra

▲ 5 r/entra

Entra Agent ID - Blueprint Principal with roles

Hi,

Last week I took a deeper look at Agent Identities, mainly from a security perspective. There are quite a few interesting aspects, such as cross-tenant agents and inheritable delegated/application API permissions.

One thing I am still unsure about is the effect of role assignments (Entra ID Roles / Azure Roles) on the Blueprint Principal. Do they actually have any practical effect? If yes, how could they be abused?

In my testing, when using the client credential flow to authenticate as the Blueprint Principal, the resulting token only contains the scopes AgentIdUser.ReadWrite.IdentityParentedBy and AgentIdentity.CreateAsManager, regardless of which API permissions were consented on the Blueprint Principal. I even tested this with a large number of Microsoft Graph permissions (578).

For other APIs, such as Azure ARM, the Blueprint Principal does not seem to be allowed to authenticate at all:

$tokens = Invoke-ClientCredential -TenantId "925c2cd8-xxxx-xxxx-xxxx-1257ffd75334" -ClientId "92d0854a-xxxx-xxxx-xxxx-6cea896c7de2" -ClientSecret "...." -Api "management.azure.com"
[*] Starting Client Credential flow: API management.azure.com / Client id: 92d0854a-xxxx-xxxx-xxxx-6cea896c7de2 / Auth: ClientSecret
[!] Aborting....
[!] Error: unauthorized_client
[!] Error Description: AADSTS82001: Agentic application '92d0854a-xxxx-xxxx-xxxx-6cea896c7de2' is not permitted to request app-only tokens for resource '797f4846-ba00-4fd7-ba43-dac1f8f63013'.

Therefore, Azure role assignments also do not appear to be abusable.

So, at the moment, it looks to me like roles assigned to Blueprint Principals are not directly abusable.

Is that understanding correct, or am I missing something?

u/GonzoZH — 9 hours ago
▲ 2 r/entra

Is there any sane way to manage Entra External ID config changes, or is everyone just clicking around in the portal and hoping for the best?

We use Entra External ID for customer auth, and every time something needs changing, like branding, a user flow or the sign-in page layout, it's just portal work. Make the change in dev, try to remember to do it again in prod, maybe write it down somewhere.

Last month someone changed the login page layout in prod and we didn't catch it for a week. Activity logs tell you something happened but not what it looked like before, so good luck figuring out what changed.

Looked at Terraform/Bicep for this, but the resource coverage is pretty thin for anything past basic setup/creation. Are people writing their own Graph API scripts?

Trying to figure out if there's a workflow I'm missing before I go build something myself.

u/antivocal — 14 hours ago
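The gap the post describes (the activity log says something changed, not what it was before) is the one a snapshot-and-diff job closes: pull the configuration as JSON on a schedule, keep the previous copy, and report leaf-level differences. The following is an added example, not code from the post or from Microsoft; the Graph endpoints listed in GRAPH_ENDPOINTS and the branding JSON shape used as sample data are assumptions, and the sample snapshots are constructed for illustration. The diff logic itself is generic and works on any Graph JSON response.

```python
"""Snapshot-and-diff for Entra External ID configuration (added example, not the post's code)."""
import hashlib
import json
from typing import Any

# Assumed Graph endpoints to snapshot; "{org_id}" is filled in by fetch_snapshot.
GRAPH_ENDPOINTS = (
    "/organization/{org_id}/branding",
    "/organization/{org_id}/branding/localizations",
    "/identity/authenticationEventsFlows",  # External ID user flows (assumed path)
)

# Volatile or identity-only keys that would otherwise create noise in every diff.
DEFAULT_IGNORE = ("@odata.context", "@odata.id", "id")
ABSENT = "<absent>"  # marker for a leaf present on only one side


def flatten(obj: Any, prefix: str = "", ignore: tuple = DEFAULT_IGNORE) -> dict[str, Any]:
    """Flatten nested JSON into {"a.b[0].c": leaf} so snapshots compare key by key."""
    out: dict[str, Any] = {}
    if isinstance(obj, dict):
        for key in sorted(obj):
            if key in ignore:
                continue
            out.update(flatten(obj[key], f"{prefix}.{key}" if prefix else key, ignore))
    elif isinstance(obj, list):
        for i, item in enumerate(obj):
            out.update(flatten(item, f"{prefix}[{i}]", ignore))
    else:
        out[prefix] = obj
    return out


def fingerprint(snapshot: Any, ignore: tuple = DEFAULT_IGNORE) -> str:
    """Stable SHA-256 over the flattened snapshot: a cheap 'did anything change?' check."""
    canonical = json.dumps(flatten(snapshot, ignore=ignore), sort_keys=True, default=str)
    return hashlib.sha256(canonical.encode()).hexdigest()


def diff_config(before: Any, after: Any, ignore: tuple = DEFAULT_IGNORE) -> list[tuple]:
    """Return (path, old, new) for every leaf that was added, removed or changed."""
    old_flat, new_flat = flatten(before, ignore=ignore), flatten(after, ignore=ignore)
    changes = []
    for path in sorted(set(old_flat) | set(new_flat)):
        old, new = old_flat.get(path, ABSENT), new_flat.get(path, ABSENT)
        if old != new:
            changes.append((path, old, new))
    return changes


def report(changes: list[tuple]) -> list[str]:
    """Human-readable lines: '+' added, '-' removed, '~' changed."""
    lines = []
    for path, old, new in changes:
        if old == ABSENT:
            lines.append(f"+ {path}: {new!r}")
        elif new == ABSENT:
            lines.append(f"- {path}: {old!r}")
        else:
            lines.append(f"~ {path}: {old!r} -> {new!r}")
    return lines


def fetch_snapshot(access_token: str, org_id: str,
                   base: str = "https://graph.microsoft.com/v1.0") -> dict[str, Any]:
    """Pull each endpoint with a bearer token (needs network; not exercised offline)."""
    import urllib.request
    snapshot = {}
    for endpoint in GRAPH_ENDPOINTS:
        url = base + endpoint.format(org_id=org_id)
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {access_token}"})
        with urllib.request.urlopen(req) as resp:
            snapshot[endpoint] = json.load(resp)
    return snapshot


# Constructed sample: a branding snapshot before and after an unannounced layout change.
BEFORE_BRANDING = {
    "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#branding",
    "backgroundColor": "#FFFFFF",
    "signInPageText": "Welcome to Contoso",
    "loginPageLayoutConfiguration": {"layoutTemplateType": "default", "isFooterShown": True},
    "localizations": [{"id": "en-US", "usernameHintText": "Email"}],
}
AFTER_BRANDING = {
    "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#branding",
    "backgroundColor": "#FFFFFF",
    "signInPageText": "Welcome to Contoso",
    "loginPageLayoutConfiguration": {"layoutTemplateType": "verticalSplit", "isFooterShown": True},
    "localizations": [{"id": "en-US", "usernameHintText": "Email"},
                      {"id": "de-DE", "usernameHintText": "E-Mail"}],
}

if __name__ == "__main__":
    if fingerprint(BEFORE_BRANDING) != fingerprint(AFTER_BRANDING):
        print("\n".join(report(diff_config(BEFORE_BRANDING, AFTER_BRANDING))))
```

Run it on a schedule against a stored previous snapshot and write the report into the ticket or chat channel; the fingerprint is enough to skip the noisy path when nothing moved. Ignoring `id` keeps list entries comparable, but it also hides a change that only renames an object, so drop it from DEFAULT_IGNORE where the object identity matters.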
▲ 3 r/entra

Platform SSO and Compliance

I'm at a bit of a loss as to how to resolve my issue. We manage a bunch of Macs. They used to be domain-bound, which was a legacy setup from years ago, and that was just a cluster. Constant issues with password syncs not working and users unable to patch due to secure token passwords not matching the user password, etc. Vulnerability nightmare for well over a year. So we moved MDMs and switched to using Mosyle Auth for Entra-based SSO. Worked well, and we have Conditional Access enabled. Sends compliance info, no issues. Now comes where the issues start. We enabled passwordless MFA (phishing-resistant MFA). The login process totally broke due to it attempting to use the Auth in place of a password, which macOS does not support. So users had to take multiple extra steps to get to password login, and we had constant calls from users about not being able to get in.

So I went down the rabbit hole of Platform SSO instead, with the Company Portal extension used for registration. The issue here is that Platform SSO joins the Mac to Entra, which is step 1 of the setup process. The problem is that if the device Entra-joins before it registers, it doesn't seem to actually register, and so it will never pass compliance status to Entra. Every other part is in place. The login works, the password syncing works, you can see the icon in the menu bar for the account syncing, you go into Settings and look under Users & Groups and see Platform SSO settings. Network Account Server shows Mac SSO Extension as Registered. I run app-sso platform -s and it verifies SSO tokens and all the registrations, but still Entra has nothing but the base info and no compliance.

It's not a license issue, as all our users have M365 E5 licenses. I'm at a loss as to how to make this all work. It seems like compliance works fine for registered-only devices but not Entra-joined ones. So stuck between a rock and a hard place: either users can't log in and switch to local login, or they jump through extra steps to switch from auth login to password, or we can't get compliance status because the devices are now Entra-joined instead of registered.

Has anyone managed to get both Platform SSO and Partner Compliance Management integration working?

u/DogDeadByRaven — 23 hours ago