Microsoft365_Dev_Security_2024_05_16.pdf

EUROPEAN COLLABORATION SUMMIT
EUROPEAN COLLABORATION
SUMMIT 2024
Microsoft 365
Dev Security
From Full Trust to Zero
Trust
Markus Moeller
MVP

Agenda
About
• Me
Authentication
• SP Rest vs Graph
• SSO
• Credential
Handling
• Secure Config
Handling
Managed
Identities
• Permissions
SPFx & 3rd
party API
• MSGraphClient
• AadHttpClient
• Domain isolated?
Permission
Scope
• App
• Delegated
• RSC
Summary
• Wrap up
• Resources
• Q&A

• Markus Moeller
• Microsoft 365 Developer Expert
• Microsoft MVP
• Microsoft 365 & Power Platform
Community (PnP) team member
• Avanade Germany
• @moeller2_0
• https://mmsharepoint.wordpress.com
• Proud dad of 1 (4yrs)
• Cancer fighter
About me

Authentication
▪ SPFx
▪ User context login est.
▪ “No need to care for”
▪ MSGraphClient
▪ Prepped ServicePrincipal
▪ Tenant-Wide access
▪ AadHttpClient
▪ Prepped ServicePrincipal
▪ Tenant-Wide access (to backend process only)
▪ “Other” app
▪ Context ID / bootstrap token → SSO
▪ MSAL2
▪ App individual access
▪ More effort

Credential Handling

Azure Key Vault
▪ Read/Write from Application
▪ Access via Code or SecretUri reference in App Service Config
▪ Auth via Secret Endpoint / Managed Identity
▪ Azure App Config Service btw a similar service for less sensitive values
▪ Read / Write access possible (user config)

Managed Identities
▪ Can simply be added to “any” Azure resource
▪ No credential / secret / key management
▪ User Managed Identities to be shared with several resources
▪ NO multi-tenant
▪ (Graph) permissions to be applied via code (PS, Rest, …)
▪ To ServicePrincipal only
▪ UI? Not possible…
▪ PowerShell?
▪ Rest?
▪ Azure CLI the potential leanest way

ManagedIdentity (Credential)?
Credentials
Credentials
Managed Identity
STO
P

Demo

3rd party Api access
▪ In SPFx: MSGraphClient, AadHttpClient
▪ Prefer: AadHttpClient !!!
▪ No anonymous access in Azure Functions / Apps
▪ Restrict client-side to “hide” buttons
▪ Restrict server-side to really prevent access
▪ Domain-isolated web parts?

Enable Auth for Azure Function
[FunctionName("WriteListItem")]
public static async Task<IActionResult> Run( [HttpTrigger(AuthorizationLevel.Anonymous, "get", "post", Route = null)]
HttpRequest req, ILogger log) { ...

SharePoint

SharePoint – Enterprise Application

Delegated vs App permissions
User Delegated
▪ Access to resources of a kind “the user” has
access to
▪ User access needs to be granted
▪ Eventually “Create”, too
▪ User login / token needed for operations
Application
▪ Access to ALL resources of a kind
▪ Access without a user
▪ Unattended processes
▪ Can be partially limited by “.Selected” (RSC)

Use delegated permissions
▪ Benefit from user login / context / SSO
▪ Grant users access to all data / resources needed
▪ Users should be able to create resources and take ownership
▪ Do you really think your app is the only one that can treat your data / resources in the right
manner?

If app permissions needed
▪ Use LOWEST permissions possible
▪ Try to restrict by resource specific consent (RSC)
▪ MAXIMIZE restriction to your app
▪ Limit access to appId to small # of programmers / admins
▪ Take care of code base

RSC (resource specific consent)
▪ One app creates (with higher privileges) resource
▪ Teams Team, SharePoint Site
▪ Enables other app(s) on this one
▪ App permission Sites.Selected + selected resource

RSC
Sites
App based
Sites.FullControl
App based
Sites.Selecte
d
Delegated
CEO personal site [ ]
Homesite [ ] [ ]
Intranet sites [ ] [ ]
Collaboration sites [ ] [ ]

RSC – 2023

RSC – Side by side
https://graph.microsoft.com/v1.0/sites/5333d91a-756e-
4b65-a0b7-3be8b35d7ddf,ee4302ef-c5fb-4e9e-963f-
0d1d4aaaaabd/permissions/<perm-id>
{
...
"value": [
{ "id": "aTowaS50fG1zL....",
"roles": [
"write"
],
"grantedToIdentitiesV2": [
{
"application": {
"displayName": "spoRSCApplication",
"id": "26e871b9-54bc-4d3c-b062-607e64b9e48d"
}
}
],
...
}
]
}
https://graph.microsoft.com/v1.0/sites/caf3e616-82a6-
4847-8949-a9ef59e2dccd,ee4302ef-c5fb-4e9e-963f-
0d1d4aaaaabd/permissions/<perm-id>
{
"@odata.context":
"https://graph.microsoft.com/v1.0/$metadata#sites('caf3
e616-82a6-4847-8949-a9ef59e2dccd%2Cee4302ef-c5fb-
4e9e-963f-0d1d4aaaaabd')/permissions",
"value": []
}
With selected permissions Without selected permissions

RSC – 2024 I
SharePoint: Sites.Selected with delegated scope
▪ App still needs Sites.Selected permissions to site
o But SCA can grant this (code needed!)
▪ Additionally user needs any kind of access
▪ First step towards … no more (app based) Sites.FullControl.All

RSC – 2024 I

RSC – Q2 / 2024
▪ Q2 ??
▪ SharePoint: Application Site Creation without Sites.FullControl.All
▪ Sites.Create.All
▪ More granular RSC permissions also coming around

Summary – Key takeaways
▪ Security is a moving target
▪ Always challenge: Least privilege
▪ Sample code / snippets simplify to demonstrate
▪ (Mine, too!!!) Always challenge before taking into Prod
▪ AI doesn’t help here so far
▪ Security usually makes dev more complex
▪ Convince your client, more effort → More security
▪ Nevertheless, there is great functionality/tools out there
▪ Get to know them → NOW!
▪ RSC esp with SharePoint becoming a gamechanger in 2024 …

Resources
▪ M365 Development Security - From full trust to ZeroTrust (pnp.github.io)
▪ Speaker's blog
▪ On this specific topic
▪ Azure CLI the potential leanest way
▪ Azure Key Vault
▪ SharePoint: Application Site Creation without Sites.FullControl.All

THANK YOU,
YOU ARE AWESOME
PLEASE RATE THIS SESSION
IN THE MOBILE APP.
Questions?
Now, or later …:
Markus Moeller
@moeller2_0
https://mmsharepoint.wordpress.com

Microsoft365_Dev_Security_2024_05_16.pdf

Recommended

Recommended

More Related Content

Similar to Microsoft365_Dev_Security_2024_05_16.pdf

Similar to Microsoft365_Dev_Security_2024_05_16.pdf (20)

Recently uploaded

Recently uploaded (20)

Microsoft365_Dev_Security_2024_05_16.pdf