Bro—where are my rolls?
Author: reed (@horsekey_sec)
Hi. Writing this so future Reed (and others) can remember the difference between scopes, roles, and wids (well-known IDs) in the context of Microsoft Graph activity logs.
To test, I registered four different apps in my tenant with different RBAC configurations. The permissions used didn't really matter, but I was testing Intune already so I decided to use those permissions. Here are the results of the testing for where and why each permission shows up.
This table assumes you are familiar with the different ways you can configure RBAC within Entra ID. If I'm missing a specific scenario—please let me know so I can re-test and update the chart.
Tests and Findings
| Application | RBAC Setup | Field | Graph Permission | Why? |
|---|---|---|---|---|
| 🥐 Dinner Roll | Application Permissions | Roles | DeviceManagementManagedDevices.ReadWrite.All | Since this is an application-only token—there are no scopes and the roles section is populated which was confusing to me since this is not the location of directory roles (these are in Wids). |
| 🧺 Bread Basket | Application Permissions with Directory Role | Roles + Wids | DeviceManagementManagedDevices.Read.All + Intune Administrator | Similar to above. We can also see the Service Principal has the Intune Admin role in the Wids field. |
| 🧑🍳 Roll Maker | Delegated Permissions | Scopes | DeviceManagementManagedDevices.PrivilegedOperations.All | Since a user has to be associated with delegated permissions—Scopes will be populated because they (along with what the application can access) define effective access. |
| 🐴 Roll Eater | Delegated Permissions with Directory Role on user | Scopes + Wids | DeviceManagementManagedDevices.Read.All + Intune Administrator | Similar to above. We also get the user's roll in the Wids field. |
Abbreviated Graph Log Examples
| App | ApiVersion | RequestMethod | ResponseStatusCode | UserAgent | RequestUri | DurationMs | ResponseSizeBytes | Roles | DeviceId | UniqueTokenId | UserId | ServicePrincipalId | Scopes | ClientAuthMethod | Wids | Type |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 🥐 Dinner Roll | v1.0 | GET | 200 | curl/8.5.0 | https://graph.microsoft.com/v1.0/deviceManagement/managedDevices?$top=1&$select=id,deviceName,complianceState | 818567 | 502 | DeviceManagementManagedDevices.ReadWrite.All | | | | f816b226-... | | 1 | 0997a1d0-0d1d-4acb-b408-d5ca73121e90 | MicrosoftGraphActivityLogs |
| 🧺 Bread Basket | v1.0 | GET | 200 | curl/8.5.0 | https://graph.microsoft.com/v1.0/deviceManagement/managedDevices?$top=1&$select=id,deviceName,complianceState | 3834924 | 502 | DeviceManagementManagedDevices.Read.All | | | | 032fa0ba-... | | 1 | 3a2c62db-5318-420d-8d74-23affee5d9d5 0997a1d0-0d1d-4acb-b408-d5ca73121e90 | MicrosoftGraphActivityLogs |
| 🧑🍳 Roll Maker | v1.0 | GET | 200 | curl/8.5.0 | https://graph.microsoft.com/v1.0/deviceManagement/managedDevices?$top=1&$select=id,deviceName,complianceState | 1291164 | 502 | | | | me | | DeviceManagementManagedDevices.PrivilegedOperations.All DeviceManagementManagedDevices.Read.All profile openid email | 0 | 62e90394-69f5-4237-9190-012177145e10 3a2c62db-5318-420d-8d74-23affee5d9d5 b79fbf4d-3ef9-4689-8143-76b194e85509 | MicrosoftGraphActivityLogs |
| 🐴 Roll Eater | v1.0 | GET | 200 | curl/8.5.0 | https://graph.microsoft.com/v1.0/deviceManagement/managedDevices?$top=1&$select=id,deviceName,complianceState | 1246434 | 502 | | | | me | | DeviceManagementManagedDevices.Read.All profile openid email | 0 | 62e90394-69f5-4237-9190-012177145e10 3a2c62db-5318-420d-8d74-23affee5d9d5 b79fbf4d-3ef9-4689-8143-76b194e85509 | MicrosoftGraphActivityLogs |
Why is this important?
Knowing how these show up in logs will ensure you have an accurate understanding of the permissions certain objects have during an investigation or threat hunts. I hope this table also helps other threat hunters create detections and investigate overly permissioned workload identities within their tenant.
You should be ingesting Graph activity logs if you have the means to! They give a great unified view into activity across a tenant. Look out for a follow-up post next month that looks at how to infer activity based on specific Graph endpoints to hunt within your tenant without having to ingest separate diagnostic logs.
Side things
I didn't realize it, but it seems Graph bundles permissions together and then displays them as two different permissions in activity logs. Just something to keep in mind—I have not enumerated all the possibilities here, but the ones listed should at least be accurate. Splits seem to happen like this:
```
DeviceManagementManagedDevices.PrivilegedOperations.All
|
(becomes)
|
|_ DeviceManagementManagedDevices.PrivilegedOperations.All
|_ DeviceManagementManagedDevices.Read.All
```
Also, the ClientAuthMethod field is pretty useful here to distinguish the client authentication method that was used. The values are:
- 0: public client
- 1: client secret
- 2: client certificate
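To tie the Roles / Scopes / Wids fields and the ClientAuthMethod values together, here is an added example (mine, not the post's) that classifies exported Graph activity log records and hunts for over-permissioned workload identities. The sample records are constructed to mirror the post's apps; the Intune Administrator wid comes from the post's table, while the Global Administrator and User wids are Entra built-in role template IDs I assume from general knowledge.

```python
# Intune Administrator wid is from the post's table; Global Administrator and User
# are Entra built-in role template IDs I added from general knowledge (assumption).
KNOWN_WIDS = {
    "3a2c62db-5318-420d-8d74-23affee5d9d5": "Intune Administrator",
    "62e90394-69f5-4237-9190-012177145e10": "Global Administrator",
    "b79fbf4d-3ef9-4689-8143-76b194e85509": "User",
}
CLIENT_AUTH = {0: "public client", 1: "client secret", 2: "client certificate"}
OIDC_SCOPES = {"openid", "profile", "email", "offline_access"}
HIGH_IMPACT = ("ReadWrite", "PrivilegedOperations")


def classify(record):
    """Token type, effective Graph permissions and resolved directory roles for one record."""
    roles = (record.get("Roles") or "").split()
    scopes = (record.get("Scopes") or "").split()
    wids = (record.get("Wids") or "").split()
    app_only = bool(roles) and not scopes  # app-only tokens carry Roles, delegated carry Scopes
    perms = roles if app_only else [s for s in scopes if s not in OIDC_SCOPES]
    return {
        "token_type": "application" if app_only else "delegated",
        "permissions": perms,
        "directory_roles": [KNOWN_WIDS.get(w, "unknown wid " + w) for w in wids],
        "auth_method": CLIENT_AUTH.get(record.get("ClientAuthMethod"), "unknown"),
        "principal": record.get("UserId") or record.get("ServicePrincipalId"),
    }


def overly_permissioned_workloads(records):
    """Hunt: app-only principals with write/privileged Graph permissions or an admin role."""
    hits = []
    for c in map(classify, records):
        if c["token_type"] != "application":
            continue  # delegated access is bounded by the signed-in user's own rights
        risky = [p for p in c["permissions"] if any(h in p for h in HIGH_IMPACT)]
        admin = [r for r in c["directory_roles"] if r.endswith("Administrator")]
        if risky or admin:
            hits.append((c["principal"], risky, admin))
    return hits


SAMPLE = [  # constructed records mirroring the post's apps; principal IDs are placeholders
    {"Roles": "DeviceManagementManagedDevices.ReadWrite.All", "ClientAuthMethod": 1,
     "Wids": "0997a1d0-0d1d-4acb-b408-d5ca73121e90", "ServicePrincipalId": "sp-dinner-roll"},
    {"Roles": "DeviceManagementManagedDevices.Read.All", "ClientAuthMethod": 1,
     "Wids": "3a2c62db-5318-420d-8d74-23affee5d9d5", "ServicePrincipalId": "sp-bread-basket"},
    {"Scopes": "DeviceManagementManagedDevices.PrivilegedOperations.All profile openid email",
     "ClientAuthMethod": 0, "UserId": "user-roll-maker",
     "Wids": "62e90394-69f5-4237-9190-012177145e10 b79fbf4d-3ef9-4689-8143-76b194e85509"},
]
```

Unknown wids are surfaced verbatim rather than dropped, so a role you have not mapped yet still shows up in the output for follow-up.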
Anyways, thanks for readin'—stay safe out there keyboard cowboy...