If you're interested in taking advantage of the CSP/CPV Permission Checker within your Rewst organization, .
The Rewst service account used to manage your Microsoft tenants requires ; without them you can run into a slew of issues. This workflow is designed to identify whether any of these roles are missing at a specified client location.
Refer to the instructions in the section of the documentation.
Before unpacking, make sure to enable the necessary organizations in the trigger configuration section. This can be done by toggling Activate for all current and future managed organizations or by selecting from the available organization list.
Within the [ROC] M365: CSP/CPV Permission Checker main workflow, click Test.
From the dropdown menu, select the tenant you want to check permissions for. This list is derived from the organizations enabled in your trigger configuration.
Provide any domain associated with the managing organization's tenant to fetch its ID.
The [ROC] M365: Get Tenant Info by Domain sub-workflow uses the collected domain, represented as {{ CTX.primary_domain }}.
A GET request is made to:
https://login.microsoftonline.com/{{ CTX.provided_domain }}/.well-known/openid-configuration
A data alias is created for the msp_tenant_id, which is extracted from the returned tenant info using the following Jinja statement:
The [ROC] M365: Get Role Assignments sub-workflow is initiated.
Base URL: https://graph.microsoft.com/beta
Endpoint: /roleManagement/directory/roleAssignments?$filter=roleDefinitionId eq '{{ CTX.role_id }}'&$expand=principal
The output differentiates between present and absent roles, with results set for comparison in the subsequent step.
Compile and analyze results
A comparison is conducted between the msp_tenant_id and the IDs from the returned roles to ensure appropriate permissions.
A summary of the roles is generated, and a missing roles data alias is defined.
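As an added illustration (not the workflow's own code), the following Python mirrors the steps described above: extracting the MSP tenant ID from the openid-configuration document, building the roleAssignments request, and comparing each role's assignments against the msp_tenant_id to produce the present/missing summary. The sample responses are constructed, and using the expanded principal's appOwnerOrganizationId as the attribute that ties an assignment back to the MSP tenant is an assumption; the page does not name the field the comparison uses.

```python
import re

GRAPH_BASE = "https://graph.microsoft.com/beta"
GUID = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.I)
MSP = "11111111-1111-1111-1111-111111111111"    # constructed MSP tenant ID
OTHER = "22222222-2222-2222-2222-222222222222"  # constructed unrelated tenant ID
# Constructed subset of the openid-configuration document returned for the MSP's domain.
OPENID_CONFIG = {
    "issuer": f"https://sts.windows.net/{MSP}/",
    "token_endpoint": f"https://login.microsoftonline.com/{MSP}/oauth2/token",
}
# Constructed role map: display name -> roleDefinitionId (placeholder GUIDs, not real role IDs).
REQUIRED_ROLES = {
    "Role A": "aaaaaaaa-0000-0000-0000-000000000001",
    "Role B": "aaaaaaaa-0000-0000-0000-000000000002",
    "Role C": "aaaaaaaa-0000-0000-0000-000000000003",
}
# Constructed stand-in for the Graph roleAssignments responses, keyed by roleDefinitionId:
# Role A is held by the MSP's principal, Role B has no assignment, Role C is assigned
# only to a principal owned by an unrelated tenant (and so must still count as missing).
ROLE_ASSIGNMENTS = {
    REQUIRED_ROLES["Role A"]: {"value": [{"principalId": "sp-1", "principal": {"appOwnerOrganizationId": MSP}}]},
    REQUIRED_ROLES["Role B"]: {"value": []},
    REQUIRED_ROLES["Role C"]: {"value": [{"principalId": "sp-9", "principal": {"appOwnerOrganizationId": OTHER}}]},
}


def role_assignments_url(role_id: str) -> str:
    """Build the Graph request the Get Role Assignments sub-workflow issues for one role."""
    return (f"{GRAPH_BASE}/roleManagement/directory/roleAssignments"
            f"?$filter=roleDefinitionId eq '{role_id}'&$expand=principal")


def msp_tenant_id(openid_config: dict) -> str:
    """Extract the tenant GUID from token_endpoint (the Get Tenant Info by Domain step)."""
    match = GUID.search(openid_config["token_endpoint"])
    if not match:
        raise ValueError("openid-configuration did not contain a tenant GUID")
    return match.group(0).lower()


def check_roles(tenant_id: str, required: dict, fetch) -> dict:
    """Compare each role's assignments against the MSP tenant ID; report present and missing roles."""
    present, missing = {}, []
    for name, role_id in required.items():
        # Assumption: appOwnerOrganizationId on the expanded principal identifies the owning tenant.
        owned = [a["principalId"] for a in fetch(role_id).get("value", [])
                 if (a.get("principal") or {}).get("appOwnerOrganizationId", "").lower() == tenant_id]
        if owned:
            present[name] = owned
        else:
            missing.append(name)
    return {"msp_tenant_id": tenant_id, "present_roles": present, "missing_roles": missing}
```

Calling `check_roles(msp_tenant_id(OPENID_CONFIG), REQUIRED_ROLES, ROLE_ASSIGNMENTS.__getitem__)` reports Role B and Role C as missing; in a live run `fetch` would issue the `role_assignments_url` request with a Graph token.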
Example output:
The are confirmed through a GET request to the following Graph endpoint:
Easily identify any missing GDAP roles within your managed Microsoft tenants that Rewst requires to perform its necessary actions.