Applications in Microsoft Entra represent the definition of an application, such as its name, associated secrets, the permissions and roles assigned to it, and the publisher info (along with much more..). Service Principals have a relationship to the application in its home tenant or within an external tenant (if it is a multi-tenant application), they also govern the application connecting to Microsoft Entra ID with the specific permissions consented to the application.
The relationship between applications and service principals is such that the application serves as a blueprint (or template) to create one or more service principals. So to summarise, an application defines the app settings and the Service Principal (also known as the Security Principal) facilitates the application’s access to resources in Entra.
It is extremely important to ensure that you only consent for applications to the least required permissions to perform the actions they need to perform. Unfortunately, some vendors of third-party applications still lack the necessary due diligence for the least privilege during development and over-zealously ask for permissions that should not be needed. This is also true for administrators who have recently Microsoft PowerShell scripts from legacy PowerShell modules to new Microsoft Graph PowerShell SDKs.
In this article, I will walk you through how to use the Microsoft Graph Developer proxy to identify the minimum permissions needed for your PowerShell scripts and other applications.
The approach
In this article, you will use Microsoft’s Graph Developer Proxy tool to intercept requests made to Microsoft Graph using the Microsoft Graph PowerShell SDK and report back on the minimum permissions to make said requests successfully and improve security.
Installing the Microsoft Graph Developer Proxy
The latest version of the Microsoft Graph Developer Proxy can either be downloaded from the GitHub repo or installed directly through WinGet. Here I will show you how to install the tool from the WinGet repository which is the quickest and simplest method.
First open PowerShell and run the following command:
winget install Microsoft.DevProxy
The installation window will automatically pop up and self-complete. Once finished, the package should report as successfully installed.
Configuring the Microsoft Graph Developer Proxy
Out of the box, the developer proxy will only intercept requests made to the following URL ‘https://jsonplaceholder.typicode.com/*’. In earlier versions of the tool, this was not the case which may caused some confusion.
You first need to configure the developer proxy to watch the Microsoft Graph URLs and enable the required plugins to support producing Graph errors and advising on minimum permissions.
To do this, open the file browser and navigate to the following path: %localappdata%\Programs\Dev Proxy and open the devproxyrc.json file.
Delete everything within the file, then copy and paste the below code into the file and click Save. Note that this example also sets the rate limit to 0, which ensures no requests are automatically dropped by the proxy, as out of the box, the developer proxy is used to simulate errors to Microsoft Graph.
{
"$schema": "https://raw.githubusercontent.com/microsoft/dev-proxy/main/schemas/v0.19.1/rc.schema.json",
"plugins": [
{
"name": "GraphSelectGuidancePlugin",
"enabled": true,
"pluginPath": "~appFolder/plugins/dev-proxy-plugins.dll"
},
{
"name": "GraphBetaSupportGuidancePlugin",
"enabled": true,
"pluginPath": "~appFolder/plugins/dev-proxy-plugins.dll",
"urlsToWatch": [
"https://graph.microsoft.com/beta/*",
"https://graph.microsoft.us/beta/*",
"https://dod-graph.microsoft.us/beta/*",
"https://microsoftgraph.chinacloudapi.cn/beta/*"
]
},
{
"name": "MinimalPermissionsPlugin",
"enabled": true,
"pluginPath": "~appFolder/plugins/dev-proxy-plugins.dll",
"configSection": "minimalPermissionsPlugin"
},
{
"name": "MinimalPermissionsGuidancePlugin",
"enabled": false,
"pluginPath": "~appFolder/plugins/dev-proxy-plugins.dll"
},
{
"name": "GraphConnectorGuidancePlugin",
"enabled": true,
"pluginPath": "~appFolder/plugins/dev-proxy-plugins.dll",
"urlsToWatch": [
"https://graph.microsoft.com/*/external/connections/*/schema",
"https://graph.microsoft.us/*/external/connections/*/schema",
"https://dod-graph.microsoft.us/*/external/connections/*/schema",
"https://microsoftgraph.chinacloudapi.cn/*/external/connections/*/schema"
]
},
{
"name": "GraphSdkGuidancePlugin",
"enabled": true,
"pluginPath": "~appFolder/plugins/dev-proxy-plugins.dll"
},
{
"name": "ODataPagingGuidancePlugin",
"enabled": true,
"pluginPath": "~appFolder/plugins/dev-proxy-plugins.dll"
},
{
"name": "GraphClientRequestIdGuidancePlugin",
"enabled": true,
"pluginPath": "~appFolder/plugins/dev-proxy-plugins.dll"
},
{
"name": "GraphRandomErrorPlugin",
"enabled": true,
"pluginPath": "~appFolder/plugins/dev-proxy-plugins.dll",
"configSection": "graphRandomErrorsPlugin"
},
{
"name": "ExecutionSummaryPlugin",
"enabled": true,
"pluginPath": "~appFolder/plugins/dev-proxy-plugins.dll",
"configSection": "executionSummaryPlugin"
}
],
"urlsToWatch": [
"https://graph.microsoft.com/v1.0/*",
"https://graph.microsoft.com/beta/*",
"https://graph.microsoft.us/v1.0/*",
"https://graph.microsoft.us/beta/*",
"https://dod-graph.microsoft.us/v1.0/*",
"https://dod-graph.microsoft.us/beta/*",
"https://microsoftgraph.chinacloudapi.cn/v1.0/*",
"https://microsoftgraph.chinacloudapi.cn/beta/*"
],
"graphRandomErrorsPlugin": {
"allowedErrors": [ 429, 500, 502, 503, 504, 507 ]
},
"executionSummaryPlugin": {
"groupBy": "url"
},
"minimalPermissionsPlugin": {
"type": "delegated"
},
"rate": 0,
"labelMode": "text",
"logLevel": "information"
}
Once saved, open PowerShell again and run the following command:
Devproxy
You will be asked to accept the installation of a certificate, enabling the dev proxy to intercept and decrypt the HTTPS traffic sent from your machine. You may also be prompted to accept changes to the Windows Firewall, which you must accept.
The update will then continue and will finish once the Microsoft Graph database has been updated successfully.
Test that this is working by opening another PowerShell window, connecting to Microsoft Graph and running a single command such as Get-MgBetaUser. You should see the request appear in the Developer Proxy window.
Using the Microsoft Graph Developer Proxy to find minimal permissions
Now the developer proxy is fully configured, clear the screen by clicking ‘c‘ on your keyboard, this will ensure you have a clear working environment.
You then want to use the record function to record the requests your system makes to Microsoft Graph, then once the recording is over, it can make recommendations on the minimum permissions for the requests you made.
It is also worth noting now that the developer proxy will intercept all requests to Microsoft Graph and as your system may make requests to Graph to support some of the applications already installed, you may get more responses than you expected. I recommend you now close the developer proxy and relaunch it using the following command:
devproxy --watch-process-names pwsh
This will ensure only requests from PowerShell 7 are intercepted (This is recommended when using the Microsoft Graph SDK, which is what I am using for testing).
Start recording your session in the Developer Proxy window by clicking ‘r‘ on your keyboard. Then, in a separate window, make a request to Microsoft Graph using the Graph PowerShell SDK. You should see the request be passed through the Developer Proxy.
When you have finished running your command or script, click ‘s‘ in the Develop Proxy window, this will stop the recording and report back the minimal permissions.