rules/findings/m365/microsoft_fabric/ms-fabric-service-principals-can-create-and-use-profiles.json
|
{
"args": [ ], "provider": "Microsoft365", "serviceType": "Fabric", "serviceName": "Microsoft 365", "displayName": "Ensure Service Principals cannot create and use profiles", "description": "\r\n\t\tService principal profiles provide a flexible solution for apps used in a multitenancy deployment. The profiles enable customer data isolation and tighter security boundaries between customers that are utilizing the app. \r\n\t\tThe recommended state is `Enabled for a subset of the organization` or `Disabled`.\r\n ", "rationale": "Service Principals should be restricted to a security group to limit which Service Principals can interact with profiles. This supports the principle of least privilege.", "impact": "Disabled is the default behavior.", "remediation": { "text": "\r\n\t\t\t###### To remediate using the UI: \r\n\t\t\t1. Navigate to Microsoft Fabric https://app.powerbi.com/admin-portal \r\n\t\t\t2. Select Tenant settings. \r\n\t\t\t3. Scroll to Developer settings. \r\n\t\t\t4. Set Allow service principals to create and use profiles to one of these states: \r\n\t\t\t * State 1: Disabled \r\n\t\t\t * State 2: Enabled with Specific security groups selected and defined. \r\n\t\t\t**Important** : If the organization doesn\u0027t actively use this feature it is recommended to keep it Disabled. \r\n\t", "code": { "powerShell": null, "iac": null, "terraform": null, "other": null } }, "recommendation": null, "references": [ "https://learn.microsoft.com/en-us/fabric/admin/service-admin-portal-developer", "https://learn.microsoft.com/en-us/power-bi/developer/embedded/embed-multi-tenancy" ], "compliance": [ { "name": "CIS Microsoft 365 Foundations Benchmark", "version": "7.0.0", "reference": "9.1.11", "profile": [ "E3 Level 1" ] } ], "level": "medium", "tags": [ ], "rule": { "path": "m365_fabric_tenant", "subPath": null, "selectCondition":{ "conditions": [ [ "settingName", "eq", "AllowServicePrincipalsCreateAndUseProfiles" ] ] }, "query": [ { "filter": [ { "conditions": [ [ "enabled", "eq", "True" ], [ "enabledSecurityGroups.Count", "gt", "0" ] ], "operator": "and" } ] }, { "connectOperator": "or", "filter": [ { "conditions": [ [ "enabled", "eq", "False" ] ] } ] } ], "shouldExist": true, "returnObject": null, "removeIfNotExists": null }, "output": { "html": { "data": { "properties": { "title": "Title", "tenantSettingGroup": "Group", "enabledSecurityGroups": "Security Groups", "enabled": "Enabled" }, "expandObject": null }, "table": "default", "decorate": [ { "itemName": "Enabled", "itemValue": "enabled", "className": "badge badge-danger badge-xl" }, { "itemName": "Security Groups", "itemValue": "NotSet", "className": "badge badge-danger badge-xl" } ], "emphasis": [ ], "actions": { "objectData": { "properties": [ "title", "enabled", "location", "tenantSettingGroup", "enabledSecurityGroups" ], "expandObject": null, "limit": null }, "showGoToButton": "True", "showModalButton": "True", "directLink": null } }, "text": { "data": { "properties": { }, "expandObject": null }, "status": { "keyName": [ ], "message": "Ensure Service Principals cannot create and use profiles", "defaultMessage": "Ensure Service Principals cannot create and use profiles" }, "properties": { "resourceName": null, "resourceId": null, "resourceType": null }, "onlyStatus": false } }, "idSuffix": "fabric_service_principals_can_create_and_use_profiles", "notes": [ ], "categories": [ ], "immutable_properties": [ ], "id": "microsoft365_2155" } |