classicacsprincipals.csv file details
Summary
This csv file contains information about the SharePoint Azure ACS principals that have been assessed.
Columns
The following columns are included:
| Column | Description |
|---|---|
| ScanId | Id of the assessment |
| AppIdentifier | The Azure ACS application principal id that is being used by applications |
| HasExpired | If the ACS principal's secrets can be found and the most recent one is expired, this is set to true; false otherwise |
| HasTenantScopedPermissions | Was this Azure ACS principal configured with permissions that apply to the whole tenant? |
| HasSiteCollectionScopedPermissions | Was this Azure ACS principal configured with permissions for one or more specific site collections, webs or lists? |
| Title | Title of the Azure ACS principal |
| AllowAppOnly | Can this Azure ACS principal be used to grant an application access without a user (so-called app-only or application permissions)? |
| AppId | The id of the Azure ACS principal |
| RedirectUri | The configured redirect URI |
| AppDomains | The configured application domain |
| ValidUntil | If the ACS principal's secrets can be found, this shows the most recent validity |
| RemediationCode | Link to remediation code |
Note
The `Expired`, `AppDomain` and `RedirectUri` fields do require some more context for correct interpretation. `Expired` or `HasExpired` in the CSV files: this value is set depending on the discovered validity of the key credentials set on the service/app principal. There are however cases where no validity is found (so the expiration date equals '01/01/0001 00:00:00'), which can happen because:
- The principal was created while developing Add-ins with Visual Studio, and after deployment the app was not granted permissions or the deployment failed. Usually these also have a localhost `AppDomain` and an empty `RedirectUri`. These show up as `Expired` = true.
- The principal was a "regular" Entra app that was granted permissions via appinv.aspx. In this case the `AppDomain` and `RedirectUri` fields are empty, just as the validity is. These show up as `Expired` = false, as the key credentials are set on the app principal; the assessment tool does not read the app principal in this case.
- Using Microsoft Graph PowerShell or the Microsoft Graph APIs, the key credentials on the service principal were cleared. These show up as `Expired` = true.
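The note above describes three situations in which `ValidUntil` carries the '01/01/0001 00:00:00' sentinel and `HasExpired` has to be read together with `AppDomains` and `RedirectUri`. The script below is an added example, not part of the assessment tool or its documentation: it reads a classicacsprincipals.csv, applies those interpretation rules to each row, and ranks the principals that still have a usable secret by the blast radius their permissions imply (tenant-scoped plus app-only first). The sample CSV rows are constructed, the boolean values are assumed to be written as True/False, and the status and risk labels are this script's own names.

```python
import csv
import io

# Value the assessment writes into ValidUntil when no key credential
# validity was discovered on the service principal (from the note above).
NO_VALIDITY = "01/01/0001 00:00:00"

# Constructed sample rows (not real assessment output). Column names follow
# classicacsprincipals.csv; AppId/AppIdentifier/Title values are placeholders.
SAMPLE_CSV = """ScanId,AppIdentifier,HasExpired,HasTenantScopedPermissions,HasSiteCollectionScopedPermissions,Title,AllowAppOnly,AppId,RedirectUri,AppDomains,ValidUntil,RemediationCode
scan-1,app-a-identifier,False,True,False,Sample tenant-wide add-in,True,app-a,https://addin.example.com/auth,addin.example.com,12/31/2026 00:00:00,
scan-1,app-b-identifier,True,False,True,Leftover Visual Studio debug add-in,True,app-b,,localhost,01/01/0001 00:00:00,
scan-1,app-c-identifier,False,True,False,Entra app granted via appinv.aspx,True,app-c,,,01/01/0001 00:00:00,
scan-1,app-d-identifier,True,True,False,Secrets cleared through Graph,True,app-d,https://old.example.com,old.example.com,01/01/0001 00:00:00,
scan-1,app-e-identifier,True,False,True,Expired site add-in,True,app-e,https://site.example.com,site.example.com,01/01/2024 00:00:00,
"""


def to_bool(value):
    """CSV booleans are assumed to be written as True/False (case-insensitive)."""
    return value.strip().lower() in ("true", "1", "yes")


def interpret_expiry(row):
    """Map one row to an expiry status using the note's three sentinel cases.

    Returns 'active', 'expired', 'vs-debug-leftover', 'entra-app-via-appinv',
    'keycredentials-cleared' or 'unknown' (labels chosen for this example).
    """
    has_expired = to_bool(row["HasExpired"])
    no_validity = row["ValidUntil"].strip() == NO_VALIDITY
    app_domains = row["AppDomains"].strip()
    redirect_uri = row["RedirectUri"].strip()

    if not no_validity:
        # A real validity was discovered: HasExpired can be taken at face value.
        return "expired" if has_expired else "active"
    # Case 1: Visual Studio development leftover (localhost domain, no redirect).
    if has_expired and app_domains.lower() == "localhost" and not redirect_uri:
        return "vs-debug-leftover"
    # Case 2: regular Entra app granted via appinv.aspx; secrets live on the app
    # principal, which the assessment does not read, so HasExpired is false.
    if not has_expired and not app_domains and not redirect_uri:
        return "entra-app-via-appinv"
    # Case 3: key credentials on the service principal were cleared via Graph.
    if has_expired:
        return "keycredentials-cleared"
    return "unknown"


def risk_level(row, status):
    """Rank what the principal could do if its secret is still usable."""
    if status in ("expired", "vs-debug-leftover", "keycredentials-cleared"):
        return "low"  # no usable secret on the service principal
    app_only = to_bool(row["AllowAppOnly"])
    tenant = to_bool(row["HasTenantScopedPermissions"])
    if tenant and app_only:
        return "high"  # tenant-wide access without any user in the loop
    if tenant or app_only:
        return "medium"
    return "low"


def triage(csv_text):
    """Return one summary dict per principal, highest risk first."""
    summaries = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        status = interpret_expiry(row)
        summaries.append({
            "AppId": row["AppId"],
            "Title": row["Title"],
            "status": status,
            "risk": risk_level(row, status),
            # Secret state was not observed by the tool; confirm it in Entra ID.
            "needs_manual_check": status == "entra-app-via-appinv",
        })
    order = {"high": 0, "medium": 1, "low": 2}
    summaries.sort(key=lambda s: (order[s["risk"]], s["AppId"]))
    return summaries


if __name__ == "__main__":
    for item in triage(SAMPLE_CSV):
        flag = " (verify app principal secrets)" if item["needs_manual_check"] else ""
        print(f'{item["risk"]:6} {item["status"]:24} {item["AppId"]:8} {item["Title"]}{flag}')
```

Principals that come out as `entra-app-via-appinv` are the ones to look at by hand: the CSV cannot tell whether their secret is still valid, so the permission scope alone decides how urgently the app registration should be reviewed in Entra ID.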