What is the difference between "Consent to application" and "Add delegated permission grant"?

Time: 2020-06-04 13:47:46

Tags: oauth-2.0 azure-active-directory

I have been looking through the Azure Active Directory audit logs that are sent to my SIEM and noticed that there are events of type Consent to Application and Add delegated permission grant. I'm not sure what the difference is - I thought granting consent to an application was granting it delegated permissions?

As a concrete example, here are two events that fired at the same time (to the second) for the same user and with the same correlationId - so presumably they are part of the same "flow". I have removed some irrelevant fields and tokenized the GUIDs etc.

Here is the Consent to Application event:

{
    "Actor": [
        {"ID": "name@corp.com", "Type": 5},
        {"ID": "Actor_PUID", "Type": 3},
        {"ID": "User_guid_user", "Type": 2},
        {"ID": "guid_user", "Type": 2},
        {"ID": "User", "Type": 2}
    ],
    "ActorContextId": "guid_actor_context_id",
    "AzureActiveDirectoryEventType": 1,
    "CreationTime": "2020-04-28T11:51:30",
    "ExtendedProperties": [
        {"Name": "actorContextId", "Value": "guid_actor_context_id"},
        {"Name": "actorObjectId", "Value": "guid_user"},
        {"Name": "actorObjectClass", "Value": "User"},
        {"Name": "actorUPN", "Value": "name@corp.com"},
        {"Name": "actorPUID", "Value": "Actor_PUID"},
        {"Name": "targetContextId", "Value": "guid_actor_context_id"},
        {"Name": "targetObjectId", "Value": "guid_target_object"},
        {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"},
        {"Name": "targetSPN", "Value": "guid_target_spn"},
        {"Name": "targetName", "Value": "App Name"},
        {
            "Name": "targetIncludedUpdatedProperties",
            "Value": "[\"ConsentContext.IsAdminConsent\",\"ConsentContext.IsAppOnly\",\"ConsentContext.OnBehalfOfAll\",\"ConsentContext.Tags\",\"ConsentAction.Permissions\",\"TargetId.ServicePrincipalNames\"]"
        }
    ],
    "Id": "guid_id",
    "ModifiedProperties": [
        {
            "Name": "ConsentAction.Permissions",
            "NewValue": "[] => [[Id: XXX, ClientId: 00000000-0000-0000-0000-000000000000, PrincipalId: guid_user, ResourceId: guid_resource_id, ConsentType: Principal, Scope:  openid offline_access Calendars.ReadWrite]]; ",
            "OldValue": ""
        },
        {"Name": "TargetId.ServicePrincipalNames", "NewValue": "guid_target_spn", "OldValue": ""}
    ],
    "ObjectId": "guid_target_spn",
    "Operation": "Consent to application.",
    "RecordType": 8,
    "ResultStatus": "Success",
    "Target": [
        {"ID": "ServicePrincipal_guid_target_object", "Type": 2},
        {"ID": "guid_target_object", "Type": 2},
        {"ID": "ServicePrincipal", "Type": 2},
        {"ID": "App Name", "Type": 1},
        {"ID": "guid_target_spn", "Type": 2},
        {"ID": "guid_target_spn", "Type": 4}
    ],
    "TargetContextId": "guid_actor_context_id"
}

This presumably means that the user with object ID guid_user (and the same principal ID) granted App Name's service principal guid_target_spn permission to access the resource guid_resource_id in a delegated fashion with the permissions openid offline_access Calendars.ReadWrite.

Now, here is the Add delegated permission grant event:

{
    "Actor": [
        {"ID": "user@corp.com", "Type": 5},
        {"ID": "user_puid", "Type": 3},
        {"ID": "User_user_guid", "Type": 2},
        {"ID": "user_guid", "Type": 2},
        {"ID": "User", "Type": 2}
    ],
    "ActorContextId": "guid_actor_context_id",
    "CreationTime": "2020-04-28T11:51:30",
    "ExtendedProperties": [
        {"Name": "actorContextId", "Value": "guid_actor_context_id"},
        {"Name": "actorObjectId", "Value": "user_guid"},
        {"Name": "actorObjectClass", "Value": "User"},
        {"Name": "actorUPN", "Value": "user@corp.com"},
        {"Name": "actorPUID", "Value": "user_puid"},
        {"Name": "targetContextId", "Value": "guid_actor_context_id"},
        {"Name": "targetObjectId", "Value": "guid_resource_id"},
        {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"},
        {
            "Name": "targetSPN",
            "Value": "https://dod-graph.microsoft.us;https://graph.microsoft.com/;https://graph.microsoft.us;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;Microsoft.Azure.AgregatorService"
        },
        {"Name": "targetName", "Value": "Microsoft Graph"},
        {
            "Name": "targetIncludedUpdatedProperties",
            "Value": "[\"ServicePrincipal.ObjectID\",\"ServicePrincipal.DisplayName\",\"ServicePrincipal.AppId\",\"ServicePrincipal.Name\",\"TargetId.ServicePrincipalNames\"]"
        },
        {
            "Name": "additionalTargets",
            "Value": "[{\"ObjectID\":\"guid_target_object\",\"DisplayName\":null,\"ObjectClass\":\"ServicePrincipal\",\"AppId\":null,\"Name\":null}]"
        }
    ],
    "ModifiedProperties": [
        {"Name": "ServicePrincipal.ObjectID", "NewValue": "guid_target_object", "OldValue": ""},
        {"Name": "ServicePrincipal.DisplayName", "NewValue": "", "OldValue": ""},
        {"Name": "ServicePrincipal.AppId", "NewValue": "", "OldValue": ""},
        {"Name": "ServicePrincipal.Name", "NewValue": "", "OldValue": ""},
        {
            "Name": "TargetId.ServicePrincipalNames",
            "NewValue": "https://dod-graph.microsoft.us;https://graph.microsoft.com/;https://graph.microsoft.us;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;Microsoft.Azure.AgregatorService",
            "OldValue": ""
        }
    ],
    "ObjectId": "https://dod-graph.microsoft.us;https://graph.microsoft.com/;https://graph.microsoft.us;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;Microsoft.Azure.AgregatorService",
    "Operation": "Add delegated permission grant.",
    "OrganizationId": "guid_actor_context_id",
    "RecordType": 8,
    "ResultStatus": "Success",
    "SupportTicketId": "",
    "Target": [
        {"ID": "ServicePrincipal_guid_resource_id", "Type": 2},
        {"ID": "guid_resource_id", "Type": 2},
        {"ID": "ServicePrincipal", "Type": 2},
        {"ID": "Microsoft Graph", "Type": 1},
        {"ID": "00000003-0000-0000-c000-000000000000", "Type": 2},
        {
            "ID": "https://dod-graph.microsoft.us;https://graph.microsoft.com/;https://graph.microsoft.us;https://canary.graph.microsoft.com;https://graph.microsoft.com;https://ags.windows.net;00000003-0000-0000-c000-000000000000/ags.windows.net;00000003-0000-0000-c000-000000000000;Microsoft.Azure.AgregatorService",
            "Type": 4
        }
    ],
    "TargetContextId": "guid_actor_context_id",
    "UserId": "user@corp.com",
    "UserKey": "user_puid@corp.com"
}

I'm trying to make sense of all this. Specifically:

1) What does the second event mean? How can it be about granting a permission without mentioning what the permission is? It clearly involves the same resource ID as the first call, but in what way? Is it granting Microsoft Graph access to the same resource (and if so, which permission)?

2) In the first call, what is guid_target_object? Does it represent the application ID? If so, why does it appear as ServicePrincipal_guid_target_object?
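Added example (not code from the question or the answer): a small Python parser for the two audit records above, written from a SIEM-analyst's perspective. It pulls the granted scopes out of the non-JSON "ConsentAction.Permissions" string in the Consent to application event, and pairs that event with the Add delegated permission grant event from the same actor whose additionalTargets names the consented client, so the resource GUID can be labelled with the resource display name ("Microsoft Graph"). The two event dictionaries are constructed from the trimmed records in the question with the same placeholder GUIDs; the 5-second pairing window is an assumption.

```python
import json
import re
from datetime import datetime

# Constructed sample events, trimmed from the two records quoted in the question.
# The guid_* values are placeholders copied from the question, not real identifiers.
CONSENT_EVENT = {
    "CreationTime": "2020-04-28T11:51:30",
    "Operation": "Consent to application.",
    "ExtendedProperties": [
        {"Name": "actorObjectId", "Value": "guid_user"},
        {"Name": "actorUPN", "Value": "name@corp.com"},
        {"Name": "targetObjectId", "Value": "guid_target_object"},
        {"Name": "targetName", "Value": "App Name"},
    ],
    "ModifiedProperties": [{
        "Name": "ConsentAction.Permissions",
        "NewValue": "[] => [[Id: XXX, ClientId: 00000000-0000-0000-0000-000000000000, "
                    "PrincipalId: guid_user, ResourceId: guid_resource_id, "
                    "ConsentType: Principal, Scope:  openid offline_access Calendars.ReadWrite]]; ",
    }],
}

GRANT_EVENT = {
    "CreationTime": "2020-04-28T11:51:30",
    "Operation": "Add delegated permission grant.",
    "ExtendedProperties": [
        {"Name": "actorObjectId", "Value": "guid_user"},
        {"Name": "actorUPN", "Value": "name@corp.com"},
        {"Name": "targetObjectId", "Value": "guid_resource_id"},
        {"Name": "targetName", "Value": "Microsoft Graph"},
        {"Name": "additionalTargets",
         "Value": '[{"ObjectID":"guid_target_object","DisplayName":null,'
                  '"ObjectClass":"ServicePrincipal","AppId":null,"Name":null}]'},
    ],
    "ModifiedProperties": [],
}

# One "[Id: ..., ..., Scope: ...]" record inside the ConsentAction.Permissions NewValue.
GRANT_RECORD_RE = re.compile(r"\[(Id: [^\]]*)\]")


def ext_props(event):
    """Flatten ExtendedProperties into a name -> value dict."""
    return {p["Name"]: p["Value"] for p in event.get("ExtendedProperties", [])}


def consent_permission_string(event):
    """Return the NewValue of ConsentAction.Permissions, or '' if the event lacks it."""
    for prop in event.get("ModifiedProperties", []):
        if prop.get("Name") == "ConsentAction.Permissions":
            return prop.get("NewValue", "")
    return ""


def parse_consent_permissions(new_value):
    """Parse the '[] => [[Id: ..., Scope:  a b c]]; ' string into one dict per grant.
    The Scope field becomes a list of scope names (the log pads it with extra spaces)."""
    grants = []
    for match in GRANT_RECORD_RE.finditer(new_value):
        fields = {}
        for part in match.group(1).split(", "):
            key, _, value = part.partition(": ")
            fields[key.strip()] = value.strip()
        fields["Scope"] = fields.get("Scope", "").split()
        grants.append(fields)
    return grants


def correlate(events, window_seconds=5):
    """Pair each consent event with the delegated-grant events of the same actor that list
    the consented client as an additional target; summarise client, resource and scopes."""
    consents = [e for e in events if e.get("Operation") == "Consent to application."]
    grants = [e for e in events if e.get("Operation") == "Add delegated permission grant."]
    summaries = []
    for consent in consents:
        cp = ext_props(consent)
        ctime = datetime.fromisoformat(consent["CreationTime"])
        resource_names = {}  # resource object id -> display name, from paired grant events
        for grant in grants:
            gp = ext_props(grant)
            gtime = datetime.fromisoformat(grant["CreationTime"])
            if gp.get("actorObjectId") != cp.get("actorObjectId"):
                continue
            if abs((gtime - ctime).total_seconds()) > window_seconds:
                continue
            extra_targets = json.loads(gp.get("additionalTargets", "[]"))
            if not any(t.get("ObjectID") == cp.get("targetObjectId") for t in extra_targets):
                continue
            resource_names[gp.get("targetObjectId")] = gp.get("targetName")
        for perm in parse_consent_permissions(consent_permission_string(consent)):
            summaries.append({
                "actor": cp.get("actorUPN"),
                "client_name": cp.get("targetName"),
                "client_sp": cp.get("targetObjectId"),
                "resource_sp": perm.get("ResourceId"),
                "resource_name": resource_names.get(perm.get("ResourceId"), "unknown"),
                "consent_type": perm.get("ConsentType"),
                "scopes": perm["Scope"],
            })
    return summaries


if __name__ == "__main__":
    for s in correlate([CONSENT_EVENT, GRANT_EVENT]):
        print(f'{s["actor"]} consented {s["client_name"]} ({s["client_sp"]}) to '
              f'{s["resource_name"]} scopes {" ".join(s["scopes"])} [{s["consent_type"]}]')
```

Run on the two sample events this yields one summary line: the user consented App Name (guid_target_object) to Microsoft Graph with scopes openid offline_access Calendars.ReadWrite, consent type Principal. The scopes live only in the Consent to application event; the Add delegated permission grant event contributes the resource's display name and the link back to the client via additionalTargets, which is why pairing the two is needed to get a readable record.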

1 answer:

Answer 0 (score: 2)

You can find the audit logs in the portal by navigating to Enterprise applications -> Audit logs.

When you add a delegated permission (e.g. Microsoft Graph -> Delegated permissions) and then click the button grant admin consent for xxx, the following four audit logs are sent: [screenshot]

The two calls you mentioned happen at the same time. The target of Add delegated permission grant is Microsoft Graph and the application to which the permission is added. The target of Consent to application is just the application. They are two steps of one process.

Update

From my test results, add a delegated permission only sends Update application and Update service principal. The two logs you mentioned are sent when the button (grant admin consent for xxx) is clicked, and they are sent at the same time. This is decided by Microsoft.

If you want to know the permissions, you can find them in Update application -> Modified Properties.

The id is the resource id of the permission in Microsoft Graph. [screenshot]

You can use PowerShell to get the value of the permission:

(Get-AzureADServicePrincipal -ObjectId <object-id of the MS Graph in your tenant>).Oauth2Permissions | Where-Object {$_.Id -eq '570282fd-fa5c-430d-a7fd-fc8dc98a9dca'}
