Migrate MFA/SSPR Retrieval to GA API when available

briandelmsft / STAT-Function

Azure Function for the Microsoft Sentinel Triage AssistanT (STAT)

https://aka.ms/mstat

MIT License

9 stars 1 forks source link

Migrate MFA/SSPR Retrieval to GA API when available #27

Closed briandelmsft closed 7 months ago

briandelmsft commented 1 year ago

The retrieval of SSPR/MFA data currently using the Microsoft Graph beta endpoint: /beta/reports/credentialUserRegistrationDetails

When this is GA, migrate this call to the stable version of the API

mikedizzle commented 1 year ago

Wait...what part of STAT queries SSPR/MFA stuff?

briandelmsft commented 1 year ago

Hi @mikedizzle The Base Module Accounts array includes these properties per account entity: isMfaRegistered isSSPREnabled isSSPRRegistered

The returned data is obtained from the API endpoint listed above
The returned data is included in the Account comment made by the base module
If the API call fails, the base module continues without this information. This API call may fail if the necessary permissions i not granted to the identity running STAT, or if the API limit has been exceeded (this particular API is limited to 5 requests per 10 seconds

briandelmsft commented 1 year ago

GA api is now available for this: https://learn.microsoft.com/en-us/graph/api/userregistrationdetails-get?view=graph-rest-1.0&tabs=http

However, new API requires a different permission, AuditLog.Read.All so it won't be the smoothest of transitions. Old API set to retire and stop returning data on June 30, 2024

Added new permissions to permissions script in 06255d7c8a9a8e8c01f1a2c4bcc0186bebce0305