CSP/CPV Permission Checker
Easily identify any GDAP roles that Rewst needs in order to perform its actions but that are missing from your managed Microsoft tenants.
If you're interested in taking advantage of the CSP/CPV Permission Checker within your Rewst organization, unpack it from the Crate Marketplace.
Overview
The Rewst service account used to manage your Microsoft tenants requires specific GDAP roles in order to perform its various actions; without them you can run into a slew of issues. This workflow is designed to identify whether any of these roles are missing at a specified client location.
Usage
Installing the Crate
Refer to the instructions in the Unpack a Crate section of the documentation.
Before unpacking, make sure to enable the necessary organizations in the trigger configuration section. This can be done by toggling "Activate for all current and future managed organizations" or by selecting from the available organization list.
Execute the Workflow
Within the [ROC] M365: CSP/CPV Permission Checker main workflow, click "Test". From the dropdown menu, select the tenant you want to check permissions for. This list is derived from the organizations enabled in your trigger configuration.
Provide any domain associated with the managing organization's tenant to fetch its ID.
Workflow Steps
Gather Tenant Info
The [ROC] M365: Get Tenant Info by Domain sub-workflow uses the collected domain, represented as {{ CTX.primary_domain }}. A GET request is made to:
https://login.microsoftonline.com/{{ CTX.provided_domain }}/.well-known/openid-configuration
Determine Tenant ID
A data alias is created for the msp_tenant_id, which is extracted from the returned tenant info using the following Jinja statement:
Assess Roles
The [ROC] M365: Get Role Assignments sub-workflow is initiated.
The necessary GDAP roles are confirmed through a GET request to the following Graph endpoint:
Base URL: https://graph.microsoft.com/beta
Endpoint: /roleManagement/directory/roleAssignments?$filter=roleDefinitionId eq '{{ CTX.role_id }}'&$expand=principal
The output differentiates between present and absent roles, with results set for comparison in the subsequent step.
Compile and Analyze Results
A comparison is conducted between the msp_tenant_id and the IDs from the returned roles to ensure appropriate permissions. A summary of the roles is generated, and a "missing roles" data alias is defined.
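As an added example (not the crate's own code), the two checks described in the steps above, written in Python against constructed sample responses: the tenant GUID is read from the issuer URL of the openid-configuration document, and each required role is marked missing unless one of its expanded principals belongs to the MSP tenant. The role names, GUIDs and the principal's tenantId field are assumptions made for this example.

```python
import json
import re
from urllib.parse import urlparse

GUID_RE = re.compile(r"[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}")

# Constructed sample of the document returned by
# https://login.microsoftonline.com/<domain>/.well-known/openid-configuration (GUID is made up).
MSP_OPENID_CONFIG = json.dumps({
    "issuer": "https://login.microsoftonline.com/11111111-2222-3333-4444-555555555555/v2.0",
})

# Constructed Graph responses, one per required role, as returned by the roleAssignments
# query with $expand=principal. Role names and principals are made up; that the expanded
# principal carries a "tenantId" naming its home tenant is an assumption of this example.
ROLE_RESPONSES = {
    "Global Reader": {"value": [
        {"principal": {"id": "p-1", "tenantId": "11111111-2222-3333-4444-555555555555"}},
    ]},
    "Helpdesk Administrator": {"value": []},  # no assignment at all
    "Security Reader": {"value": [             # assigned, but to a principal from another tenant
        {"principal": {"id": "p-2", "tenantId": "99999999-8888-7777-6666-555555555555"}},
    ]},
}


def tenant_id_from_openid_config(raw_json):
    """Pull the tenant GUID out of the issuer URL (its first path segment)."""
    issuer = urlparse(json.loads(raw_json)["issuer"])
    tenant = issuer.path.strip("/").split("/")[0].lower()
    if not GUID_RE.fullmatch(tenant):  # e.g. "common" or "organizations" is not a tenant ID
        raise ValueError(f"issuer path does not start with a tenant GUID: {issuer.path}")
    return tenant


def missing_roles(msp_tenant_id, role_responses):
    """Return, sorted, the roles with no assignment to a principal from the MSP tenant."""
    missing = []
    for role, response in role_responses.items():
        tenants = {a.get("principal", {}).get("tenantId", "").lower()
                   for a in response.get("value", [])}
        if msp_tenant_id.lower() not in tenants:
            missing.append(role)
    return sorted(missing)


if __name__ == "__main__":
    msp_id = tenant_id_from_openid_config(MSP_OPENID_CONFIG)
    print("MSP tenant:", msp_id, "missing roles:", missing_roles(msp_id, ROLE_RESPONSES))
```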
Example Output: