Description
Describe the feature
Suggestions for new tests:
- Check for service principals with tenant-wide application Graph permissions that could be converted to RBAC for Applications for improved security. Recommendation/tip.
- Check for service principals with relevant permission (see below) both configured using RBAC and tenant-wide Graph permission. Likely misconfigured and high risk.
Related to #961
This will help promote the latest recommendations for assigning least-privilege permissions in Exchange Online.
Additional context
#945 introduced tests to verify use of Application Access Policy to restrict the tenant-wide Graph permissions. This method is being replaced by RBAC for Applications going forward.
We should either update/replace them to only recommend using the latest solution (RBAC), or make sure the tests don't conflict. E.g. exclude instances in the first test where the app is properly configured with an Application Access Policy.
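The two suggested checks, plus the Application Access Policy exclusion, sketched as classification logic over a constructed inventory. This is an added example, not code from the issue or the project: the function name, finding labels and sample app IDs are hypothetical. It assumes a small subset of relevant Graph permissions and that the matching Exchange role is named "Application <permission>".

```powershell
# Constructed sample data, not output from a real tenant.
# Assumed subset of Graph application permissions that have an RBAC for
# Applications equivalent, named "Application <permission>" in Exchange Online.
$RelevantPermissions = 'Mail.Read', 'Mail.Send', 'Calendars.Read'

$GraphGrants = @(   # tenant-wide Graph application permissions per app
    [pscustomobject]@{ AppId = 'app-a'; Permission = 'Mail.Read' }
    [pscustomobject]@{ AppId = 'app-b'; Permission = 'Mail.Send' }
    [pscustomobject]@{ AppId = 'app-c'; Permission = 'Calendars.Read' }
    [pscustomobject]@{ AppId = 'app-d'; Permission = 'User.Read.All' }
)
$RbacAssignments = @(   # Exchange RBAC for Applications role assignments
    [pscustomobject]@{ AppId = 'app-b'; Role = 'Application Mail.Send' }
)
$AccessPolicyAppIds = @('app-c')   # apps covered by an Application Access Policy

# Hypothetical helper: one finding per app holding a relevant tenant-wide grant.
function Get-ExoAppPermissionFinding {
    param($GraphGrants, $RbacAssignments, $AccessPolicyAppIds, $RelevantPermissions)

    $GraphGrants |
        Where-Object { $_.Permission -in $RelevantPermissions } |
        Group-Object -Property AppId |
        ForEach-Object {
            $appId = $_.Name
            $tenantWide = @($_.Group.Permission | Sort-Object -Unique)
            $rbacRoles = @($RbacAssignments | Where-Object { $_.AppId -eq $appId } |
                ForEach-Object { $_.Role })
            # Same permission granted both tenant-wide and through RBAC (second check)
            $overlap = @($tenantWide | Where-Object { "Application $_" -in $rbacRoles })

            $finding = if ($overlap.Count -gt 0) { 'BothRbacAndTenantWide' }
            elseif ($appId -in $AccessPolicyAppIds) { 'ExcludedByAccessPolicy' }
            else { 'ConvertToRbac' }   # first check: recommendation/tip

            [pscustomobject]@{
                AppId = $appId; Finding = $finding
                TenantWide = $tenantWide -join ', '; Overlap = $overlap -join ', '
            }
        }
}

Get-ExoAppPermissionFinding -GraphGrants $GraphGrants -RbacAssignments $RbacAssignments `
    -AccessPolicyAppIds $AccessPolicyAppIds -RelevantPermissions $RelevantPermissions |
    Format-Table -AutoSize
```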