💡 Summary
Permissions like Sites.FullControl.All are covered in both Graph and the SharePoint API. Another example is Mail.ReadWrite, which is assignable from Graph and from Office 365 Exchange Online.
ScubaGear should catch a risky permission regardless of whether it was assigned through Graph or through another API (and vice versa).
(Resource App ID is in reference to the SharePoint API)
Motivation and context
Relates to the epic #1073 and ongoing work in #1327.
Implementation notes
The majority of risky API permissions in this list are pulled from MS Graph. Verify whether MS Graph permissions are included as a subset in other Microsoft APIs.
Some initial APIs to investigate further:
- SharePoint APIs
- Office 365 Exchange Online
- Office 365 Management APIs
Acceptance criteria
How do we know when this work is done?
[ ] For each API permission, determine if the permission can be assigned from other APIs. Take note of duplicate permissions in this issue.
[ ] Duplicates are communicated with the development team and the API permissions list is updated accordingly.
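As an added illustration (not ScubaGear's own code), the following PowerShell matches app role assignments on the permission value alone, so a risky permission is flagged whether it was granted through Graph, SharePoint, or Exchange Online, and then lists which permission values appear under more than one resource app. The assignment records are constructed sample data; the three resource app IDs are the well-known ones for Microsoft Graph, SharePoint Online, and Exchange Online and should be verified against the tenant's service principals.

```powershell
# Well-known resource application IDs (verify against your tenant's service principals).
$ResourceApps = @{
    '00000003-0000-0000-c000-000000000000' = 'Microsoft Graph'
    '00000003-0000-0ff1-ce00-000000000000' = 'Office 365 SharePoint Online'
    '00000002-0000-0ff1-ce00-000000000000' = 'Office 365 Exchange Online'
}

# Risky permissions are keyed by value only, so a duplicate exposed by another API still matches.
$RiskyPermissions = @('Sites.FullControl.All', 'Mail.ReadWrite')

# Constructed sample assignments, shaped like app role assignments read from a tenant.
$Assignments = @(
    [pscustomobject]@{ AppName = 'App A'; ResourceAppId = '00000003-0000-0000-c000-000000000000'; PermissionValue = 'Sites.FullControl.All' }
    [pscustomobject]@{ AppName = 'App B'; ResourceAppId = '00000003-0000-0ff1-ce00-000000000000'; PermissionValue = 'Sites.FullControl.All' }
    [pscustomobject]@{ AppName = 'App C'; ResourceAppId = '00000002-0000-0ff1-ce00-000000000000'; PermissionValue = 'Mail.ReadWrite' }
    [pscustomobject]@{ AppName = 'App D'; ResourceAppId = '00000003-0000-0000-c000-000000000000'; PermissionValue = 'User.Read' }
)

function Get-RiskyAssignment {
    param(
        [Parameter(Mandatory)] [object[]] $Assignments,
        [Parameter(Mandatory)] [string[]] $RiskyPermissions,
        [hashtable] $ResourceApps = @{}
    )
    foreach ($a in $Assignments) {
        # Compare on the permission value; the resource app is only reported, never used to filter.
        if ($RiskyPermissions -contains $a.PermissionValue) {
            [pscustomobject]@{
                AppName         = $a.AppName
                PermissionValue = $a.PermissionValue
                ResourceAppId   = $a.ResourceAppId
                ResourceApp     = if ($ResourceApps.ContainsKey($a.ResourceAppId)) { $ResourceApps[$a.ResourceAppId] } else { 'Unknown' }
            }
        }
    }
}

# Flag risky assignments across every resource app (App A, App B, and App C here; App D is not flagged).
Get-RiskyAssignment -Assignments $Assignments -RiskyPermissions $RiskyPermissions -ResourceApps $ResourceApps |
    Format-Table -AutoSize

# Permission values exposed by more than one resource app: the duplicates this issue asks to note.
$Assignments | Group-Object PermissionValue |
    Where-Object { @($_.Group.ResourceAppId | Sort-Object -Unique).Count -gt 1 } |
    ForEach-Object { '{0} is exposed by: {1}' -f $_.Name, (($_.Group.ResourceAppId | Sort-Object -Unique) -join ', ') }
```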