rules/findings/m365/microsoft_fabric/ms-fabric-service-principals-can-create-workspaces-connections-and-deployments.json
|
{
"args": [ ], "provider": "Microsoft365", "serviceType": "Fabric", "serviceName": "Microsoft 365", "displayName": "Ensure service principals ability to create workspaces, connections and deployment pipelines is restricted", "description": " Use a service principal to access these Fabric APIs that aren't protected by a Fabric permission model. * Create Workspace * Create Connection * Create Deployment Pipeline To allow an app to use service principal authentication, its service principal must be included in an allowed security group. You can control who can access service principals by creating dedicated security groups and using these groups in other tenant settings. The recommended state is `Enabled for a subset of the organization` or `Disabled`. ", "rationale": "Leaving API access unrestricted increases the attack surface in the event an adversary gains access to a Service Principal. APIs are a feature-rich method for programmatic access to many areas of Power Bi and should be guarded closely.", "impact": "Service principals will need to be members of specific security groups in order to perform public API calls.", "remediation": { "text": " ###### To remediate using the UI: 1. Navigate to Microsoft Fabric https://app.powerbi.com/admin-portal 2. Select Tenant settings. 3. Scroll to Developer settings. 4. Set Service principals can create workspaces, connections, and deployment pipelines to one of these states: * State 1: Disabled * State 2: Enabled with Specific security groups selected and defined. *Important*: If the organization doesn't actively use this feature it is recommended to keep it Disabled. ", "code": { "powerShell": null, "iac": null, "terraform": null, "other": null } }, "recommendation": null, "references": [ "https://learn.microsoft.com/en-us/fabric/admin/service-admin-portal-developer" ], "compliance": [ { "name": "CIS Microsoft 365 Foundations Benchmark", "version": "7.0.0", "reference": "9.1.12", "profile": [ "E3 Level 1", "E5 Level 1" ] } ], "level": "medium", "tags": [ ], "rule": { "path": "m365_fabric_tenant", "subPath": null, "selectCondition":{ "conditions": [ [ "settingName", "eq", "ServicePrincipalAccessGlobalAPIs" ] ] }, "query": [ { "filter": [ { "conditions": [ [ "enabled", "eq", "True" ], [ "enabledSecurityGroups.Count", "gt", "0" ] ], "operator": "and" } ] }, { "connectOperator": "or", "filter": [ { "conditions": [ [ "enabled", "eq", "False" ] ] } ] } ], "shouldExist": true, "returnObject": null, "removeIfNotExists": null }, "output": { "html": { "data": { "properties": { "title": "Title", "tenantSettingGroup": "Group", "enabledSecurityGroups": "Security Groups", "enabled": "Enabled" }, "expandObject": null }, "table": "default", "decorate": [ { "itemName": "Enabled", "itemValue": "enabled", "className": "badge badge-danger badge-xl" }, { "itemName": "Security Groups", "itemValue": "NotSet", "className": "badge badge-danger badge-xl" } ], "emphasis": [ ], "actions": { "objectData": { "properties": [ "title", "enabled", "location", "tenantSettingGroup", "enabledSecurityGroups" ], "expandObject": null, "limit": null }, "showGoToButton": "True", "showModalButton": "True", "directLink": null } }, "text": { "data": { "properties": { }, "expandObject": null }, "status": { "keyName": [ ], "message": "Ensure service principals ability to create workspaces, connections and deployment pipelines is restricted", "defaultMessage": "Ensure service principals ability to create workspaces, connections and deployment pipelines is restricted" }, "properties": { "resourceName": null, "resourceId": null, "resourceType": null }, "onlyStatus": false } }, "idSuffix": "fabric_service_principals_can_create_workspaces", "notes": [ ], "categories": [ ], "immutable_properties": [ "settingName" ], "id": "microsoft365_2155" } |