Enhance AzureAD Scanning with Microsoft Graph Permissions

What is a one sentence summary of your feature request?

Modify the AzureAD scanning functionality in PingCastle to utilize Microsoft Graph permissions through an Azure application instead of requiring Global Admin permissions.

Please describe your idea in detail. What is your problem, why do you feel this idea is the best solution, etc.

Currently, the process of scanning AzureAD requires that the scanning account possesses Global Admin permissions. This approach not only raises security concerns—since Global Admin accounts have extensive permissions that could be exploited if compromised—but it also complicates the auditing and compliance processes required in many organizations. The need to provide elevated access to a scanning tool can deter users from implementing necessary security assessments.

By leveraging Microsoft Graph API permissions through an Azure application, PingCastle could simplify the scanning process and enhance security posture. Microsoft Graph provides a more granular approach to permissions, allowing for specific access rights tailored to the needs of the scanning functionality without the risks associated with Global Admin privileges. This change would facilitate a more secure, controlled environment while still obtaining the necessary information about the AzureAD environment.

How do you currently solve the challenges you have by not having this feature?

At present, organizations often must navigate the difficulties of granting Global Admin access to a scanning tool, frequently resulting in reluctance to use the tool or complicated security reviews and audits. This can lead to gaps in monitoring and vulnerability assessments within the AzureAD environment, as teams may avoid using the scanning tool to mitigate security risks. Implementing Microsoft Graph permissions would eliminate these issues, allowing for more secure, efficient scanning with reduced administrative burdens, ultimately strengthening the organization’s security framework while still enabling thorough assessments of the AzureAD environment.


Hi Phillip,
Thanks for the input here. We have been making strides to get there already as the AzureAD module had a fair bit of tech debt to sort out.

Over the course of the PingCastle 3.3 releases we:

  • Migrated calls from old AzureAD and MSOnline API to Graph API
  • Enhanced functionality for scans such as
    • Enhanced MFA Prompting where required
    • Bugs in the output
    • Automatic token refreshing for large scans
    • Enhanced error logging

The calls that require the use of Global Admin I think are non-Graph API calls that are still left over. We will be looking at getting these removed, and some more EntraID updates are coming over the next few months or so.

We currently have a feature in progress for renaming all AzureAD to EntraID and becoming standardized there.

This will be our next one where we will focus on the following as you stated:

  • Using Graph API only
  • Enabling automated scans using App registrations.

Cheers!
Joe

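The two things the thread converges on, Graph-only calls and unattended scans through an app registration, look like the following in practice. This is an added example written for this page, not PingCastle's code and not part of either post. It assumes the Microsoft Graph PowerShell SDK is installed, that it runs on Windows (New-SelfSignedCertificate comes from the built-in PKI module), and that the tenant ID, the display name `EntraReadOnlyScanner`, and the function names are placeholders chosen here. Only the well-known IDs of Microsoft Graph's service principal and of the Global Administrator role template are real constants.

```powershell
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Applications, Microsoft.Graph.Identity.DirectoryManagement, Microsoft.Graph.Identity.SignIns
# Added example, not PingCastle's code. Assumptions: Microsoft.Graph PowerShell SDK,
# placeholder tenant ID and app name below, and a scanner host that keeps the
# certificate's private key in its own certificate store.

$TenantId       = '00000000-0000-0000-0000-000000000000'     # placeholder, replace with the real tenant ID
$AppName        = 'EntraReadOnlyScanner'                      # assumed display name
$GraphAppId     = '00000003-0000-0000-c000-000000000000'      # well-known application ID of Microsoft Graph
$GlobalAdminTpl = '62e90394-69f5-4237-9190-012177145e10'      # well-known roleTemplateId of Global Administrator
# Application permissions the scan needs. Both are read-only; extend this list only
# as new Graph queries are added to the scan, never with *.ReadWrite.* roles.
$RequiredRoles  = 'Directory.Read.All', 'Policy.Read.All'

function New-ScannerRegistration {
    # One-time, interactive setup. Granting application permissions is an admin-consent
    # operation, so this step still needs a privileged account; the scans that follow do not.
    Connect-MgGraph -TenantId $TenantId -NoWelcome `
        -Scopes 'Application.ReadWrite.All', 'AppRoleAssignment.ReadWrite.All'

    $app = New-MgApplication -DisplayName $AppName -SignInAudience 'AzureADMyOrg'
    $sp  = New-MgServicePrincipal -AppId $app.AppId

    # Certificate credential instead of a client secret: the private key never leaves
    # the scanner host, only the public certificate is uploaded to the app registration.
    $cert = New-SelfSignedCertificate -Subject "CN=$AppName" -CertStoreLocation 'Cert:\CurrentUser\My' `
        -KeyExportPolicy NonExportable -NotAfter (Get-Date).AddYears(1)
    Update-MgApplication -ApplicationId $app.Id -KeyCredentials @(
        @{ Type = 'AsymmetricX509Cert'; Usage = 'Verify'; Key = $cert.RawData; DisplayName = $AppName }
    )

    # Resolve each permission name to the app role exposed by the Graph service principal
    # and assign exactly those roles to the scanner's service principal.
    $graphSp = Get-MgServicePrincipal -Filter "appId eq '$GraphAppId'"
    foreach ($roleValue in $RequiredRoles) {
        $role = $graphSp.AppRoles | Where-Object { $_.Value -eq $roleValue -and $_.AllowedMemberTypes -contains 'Application' }
        if (-not $role) { throw "Graph does not expose an application permission named $roleValue" }
        New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -PrincipalId $sp.Id `
            -ResourceId $graphSp.Id -AppRoleId $role.Id | Out-Null
    }
    Disconnect-MgGraph | Out-Null
    [pscustomobject]@{ ClientId = $app.AppId; Thumbprint = $cert.Thumbprint }
}

function Invoke-ScannerReadOnlyChecks {
    param([Parameter(Mandatory)][string]$ClientId, [Parameter(Mandatory)][string]$Thumbprint)

    # Unattended run: client credentials with the certificate. No user, no MFA prompt,
    # no Global Admin; the token carries only the app roles assigned above.
    Connect-MgGraph -TenantId $TenantId -ClientId $ClientId -CertificateThumbprint $Thumbprint -NoWelcome
    $ctx = Get-MgContext
    if ($ctx.AuthType -ne 'AppOnly') { throw "Expected an app-only token, got $($ctx.AuthType)" }

    # Who holds Global Administrator: the same question a scan used to answer through the
    # legacy MSOnline/AzureAD modules. The role object only exists once the role has been activated.
    $gaRole = Get-MgDirectoryRole -All | Where-Object RoleTemplateId -eq $GlobalAdminTpl
    $globalAdmins = @()
    if ($gaRole) {
        $globalAdmins = Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id -All | ForEach-Object {
            $upn = $_.AdditionalProperties['userPrincipalName']
            if ($upn) { $upn } else { $_.Id }   # service principals and groups have no UPN
        }
    }

    # Conditional Access coverage: policies that are not enforced are worth flagging.
    $caPolicies  = Get-MgIdentityConditionalAccessPolicy -All
    $notEnforced = $caPolicies | Where-Object State -ne 'enabled' | Select-Object DisplayName, State

    Disconnect-MgGraph | Out-Null
    [pscustomobject]@{
        GlobalAdministrators   = $globalAdmins
        GlobalAdminCount       = @($globalAdmins).Count
        ConditionalAccessTotal = @($caPolicies).Count
        NotEnforcedPolicies    = $notEnforced
    }
}

# Usage: run the registration once, keep the returned ClientId/Thumbprint with the
# scheduled scan, then run the checks unattended.
# $reg = New-ScannerRegistration
# Invoke-ScannerReadOnlyChecks -ClientId $reg.ClientId -Thumbprint $reg.Thumbprint
```

Two caveats a practitioner should keep in mind. First, admin consent for application permissions is itself a privileged operation, so the one-time registration still has to be run by someone holding a role allowed to grant it; what changes is that the recurring scan no longer needs that person or that role. Second, `Directory.Read.All` as an application permission reads every object in the tenant regardless of who runs the scan, so the certificate's private key deserves the same handling as an admin credential: non-exportable, on the scanner host only, and rotated before it expires.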