
Add fix for invalid JSON primitive issues related to risky service principals #1682

Open
wants to merge 18 commits into base: main

Conversation

mitchelbaker-cisa
Collaborator

@mitchelbaker-cisa mitchelbaker-cisa commented Apr 24, 2025

🗣 Description

We received public reports of the Entra ID report failing to compile due to an invalid JSON primitive issue. If a tenant has no risky third party applications, then the original code was returning $null, resulting in the culprit key value risky_third_party_service_principals: , in either ProviderSettingsExport.json or ScubaResults_.json.

The check for finding 3rd party service principals was also improved with the addition of the Get-MgBetaOrganization cmdlet in Format-RiskyThirdPartyServicePrincipals.

💭 Motivation and context

Resolves #1607
Resolves #1658

🧪 Testing

We determined there are four cases that occur regarding risky application/service principal data:

  • Both risky apps and risky 3rd party SPs exist
  • Neither risky apps nor risky 3rd party SPs exist
  • No risky apps exist but risky 3rd party SPs exist
  • Risky apps exist but no risky 3rd party SPs exist

We tested each one of these cases and replicated the invalid JSON primitive error in the last case, "risky apps exist but no risky 3rd party SPs exist."

To replicate, we modified RiskyPermissions.json with a single permission (ideally a permission that no applications are assigned):

{
    "resources": {
        "00000003-0000-0000-c000-000000000000": "Microsoft Graph",
        "00000002-0000-0ff1-ce00-000000000000": "Office 365 Exchange Online",
        "00000003-0000-0ff1-ce00-000000000000": "Office 365 SharePoint Online",
        "c5393580-f805-4401-95e8-94b7a6ef2fc2": "Office 365 Management APIs"
    },
    "permissions": {
        "Microsoft Graph": {
            "d07a8cc0-3d51-4b77-b3b0-32704d1f69fa": "AccessReview.Read.All"
        },
        "Office 365 Management APIs": {},
        "Office 365 Exchange Online": {},
        "Office 365 SharePoint Online": {}
    }
}

Add the "AccessReview.Read.All" permission to at least one application registration in a tenant and check that no service principals have the permission assigned.

Test this across a few different test tenants, e.g. G3, G5, E5.

Run the new unit tests:

Invoke-Pester -Output 'Detailed' -Path '.\PowerShell\ScubaGear\Testing\Unit\PowerShell\Providers\AADProvider\Export-AADProvider.Tests.ps1'

✅ Pre-approval checklist

  • This PR has an informative and human-readable title.
  • PR targets the correct parent branch (e.g., main or release-name) for merge.
  • Changes are limited to a single goal - eschew scope creep!
  • Changes are sized such that they do not touch excessive number of files.
  • All future TODOs are captured in issues, which are referenced in code comments.
  • These code changes follow the ScubaGear content style guide.
  • Related issues these changes resolve are linked preferably via closing keywords.
  • All relevant type-of-change labels added.
  • All relevant project fields are set.
  • All relevant repo and/or project documentation updated to reflect these changes.
  • Unit tests added/updated to cover PowerShell and Rego changes.
  • Functional tests added/updated to cover PowerShell and Rego changes.
  • All relevant functional tests passed.
  • All automated checks (e.g., linting, static analysis, unit/smoke tests) passed.

✅ Pre-merge checklist

  • PR passed smoke test check.

  • Feature branch has been rebased against changes from parent branch, as needed

    Use Rebase branch button below or use this reference to rebase from the command line.

  • Resolved all merge conflicts on branch

  • Notified merge coordinator that PR is ready for merge via comment mention

  • Demonstrate changes to the team for questions and comments.
    (Note: Only required for issues of size Medium or larger)

✅ Post-merge checklist

  • Feature branch deleted after merge to clean up repository.
  • Verified that all checks pass on parent branch (e.g., main or release-name) after merge.
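
The failure mode described in this PR (a $null result interpolated into the export text, leaving "risky_third_party_service_principals": , behind) and the four cases from the testing section, as an added example that is not part of this PR or of ScubaGear's code. The function names (Get-RiskyItem, Format-RiskyListBroken, Format-RiskyListFixed, Build-Export, Test-JsonValid), the way the export text is assembled, and the app/service-principal records are assumptions made for illustration; the only value taken from the page is the AccessReview.Read.All permission ID. Written for Windows PowerShell 5.1, where ConvertTo-Json has no -AsArray switch.

```powershell
# Added example, not ScubaGear's own code.  All names and sample data below are
# assumptions made for illustration (hypothetical); the permission ID is the one
# used in this PR's repro.  Targets Windows PowerShell 5.1.

$RiskyId = 'd07a8cc0-3d51-4b77-b3b0-32704d1f69fa'   # AccessReview.Read.All

# Constructed app registrations and service principals.  Only the PermissionIds
# field matters for the check; the rest is there so the serialized output is
# recognisable.
$RiskyApp = [pscustomobject]@{ DisplayName = 'AuditApp'; AppId = 'app-1'; PermissionIds = @($RiskyId) }
$CleanApp = [pscustomobject]@{ DisplayName = 'Harmless'; AppId = 'app-2'; PermissionIds = @() }
$RiskySp  = [pscustomobject]@{ DisplayName = 'AuditApp'; AppId = 'app-1'; PermissionIds = @($RiskyId) }
$CleanSp  = [pscustomobject]@{ DisplayName = 'Harmless'; AppId = 'app-2'; PermissionIds = @() }

function Get-RiskyItem {
    param([object[]]$Items, [string[]]$RiskyIds)
    # Emits each item that holds at least one permission on the risky list.
    # When nothing matches the loop emits nothing and the caller receives $null,
    # not an empty collection.
    foreach ($Item in $Items) {
        $Matches = @($Item.PermissionIds | Where-Object { $RiskyIds -contains $_ })
        if ($Matches.Count -gt 0) { $Item }
    }
}

function Format-RiskyListBroken {
    param([object[]]$Items, [string[]]$RiskyIds)
    # Shape of the pre-fix behaviour: an empty result set is handed back as $null.
    # (With exactly one hit, -InputObject also serializes a bare object rather
    # than a one-element array, a second inconsistency a consumer has to handle.)
    $Hits = Get-RiskyItem -Items $Items -RiskyIds $RiskyIds
    if ($null -eq $Hits) { return $null }
    return ConvertTo-Json -InputObject $Hits -Depth 3 -Compress
}

function Format-RiskyListFixed {
    param([object[]]$Items, [string[]]$RiskyIds)
    # Always serialize an array: no hits become [], one hit becomes a one-element
    # array, many hits stay an array.  -InputObject is deliberate: piping an empty
    # array into ConvertTo-Json sends nothing down the pipeline and emits nothing.
    $Hits = Get-RiskyItem -Items $Items -RiskyIds $RiskyIds
    if ($null -eq $Hits) { $Hits = @() } else { $Hits = @($Hits) }
    return ConvertTo-Json -InputObject $Hits -Depth 3 -Compress
}

function Build-Export {
    param($RiskyAppsJson, $RiskySpsJson)
    # Assumed export assembly: the document is built as text from already
    # serialized fragments.  A $null fragment formats as nothing, which is how
    # '"risky_third_party_service_principals": ,' ends up in the file.
    return ('{{"risky_applications": {0}, "risky_third_party_service_principals": {1}}}' -f $RiskyAppsJson, $RiskySpsJson)
}

function Test-JsonValid {
    param([string]$Json)
    # A parse attempt is the validity check: ConvertFrom-Json throws on malformed
    # input instead of returning a partial object.
    try {
        $null = ConvertFrom-Json -InputObject $Json -ErrorAction Stop
        return $true
    } catch {
        Write-Warning "Rejected: $($_.Exception.Message)"
        return $false
    }
}

# The case the PR replicated: risky apps exist, no risky 3rd party SPs exist.
$AppsJson  = Format-RiskyListFixed  -Items @($RiskyApp, $CleanApp) -RiskyIds $RiskyId
$BrokenSps = Format-RiskyListBroken -Items @($CleanSp)             -RiskyIds $RiskyId
$FixedSps  = Format-RiskyListFixed  -Items @($CleanSp)             -RiskyIds $RiskyId
$Before = Build-Export -RiskyAppsJson $AppsJson -RiskySpsJson $BrokenSps
$After  = Build-Export -RiskyAppsJson $AppsJson -RiskySpsJson $FixedSps
Write-Output "before fix: $Before"
Write-Output "  parses: $(Test-JsonValid -Json $Before)"
Write-Output "after fix:  $After"
Write-Output "  parses: $(Test-JsonValid -Json $After)"

# With the fixed formatter on both sides, every combination from the testing
# section must parse.
$Cases = @(
    @{ Name = 'both exist';          Apps = @($RiskyApp, $CleanApp); Sps = @($RiskySp, $CleanSp) }
    @{ Name = 'neither exists';      Apps = @($CleanApp);            Sps = @($CleanSp) }
    @{ Name = 'no apps, SPs exist';  Apps = @($CleanApp);            Sps = @($RiskySp, $CleanSp) }
    @{ Name = 'apps exist, no SPs';  Apps = @($RiskyApp, $CleanApp); Sps = @($CleanSp) }
)
foreach ($Case in $Cases) {
    $Export = Build-Export -RiskyAppsJson (Format-RiskyListFixed -Items $Case.Apps -RiskyIds $RiskyId) `
                           -RiskySpsJson  (Format-RiskyListFixed -Items $Case.Sps  -RiskyIds $RiskyId)
    Write-Output ('{0,-20} parses: {1,-5} {2}' -f $Case.Name, (Test-JsonValid -Json $Export), $Export)
}
```

The point of Format-RiskyListFixed is that the serializer's contract is "always a JSON array", so the export builder never has to special-case an empty tenant. The Test-JsonValid pass over the four cases is also the shape of a regression assertion worth keeping in the Pester tests for the export: build the document for each case and require that ConvertFrom-Json accepts it. On PowerShell 7, ConvertTo-Json -AsArray gives the same always-an-array behaviour without the @() normalisation.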

@mitchelbaker-cisa mitchelbaker-cisa added the bug This issue or pull request addresses broken functionality label Apr 24, 2025
@mitchelbaker-cisa mitchelbaker-cisa added this to the Marlin milestone Apr 24, 2025
@mitchelbaker-cisa mitchelbaker-cisa self-assigned this Apr 24, 2025
@mitchelbaker-cisa mitchelbaker-cisa linked an issue Apr 24, 2025 that may be closed by this pull request
@adhilto
Collaborator

adhilto commented Apr 25, 2025

Is it just me or did the PSLinter get more strict? It's complaining about a lot of things that are unrelated to these changes.

@mitchelbaker-cisa
Collaborator Author

Is it just me or did the PSLinter get more strict? It's complaining about a lot of things that are unrelated to these changes.

Noticed that as well. I think PSScriptAnalyzer is set to fail for severity "error" and "warning"; the 173 "informational" ones are due to the lack of help comments for each cmdlet.

Tests are all passing now.

Collaborator

@adhilto adhilto left a comment

I tested as described in the testing section. I was able to replicate the issue on main and switching to this branch fixed the issue.

Development

Successfully merging this pull request may close these issues:

  • Empty Risky Service Principals leads to JSON parsing error
  • AAD report error due to invalid JSON result
3 participants