feat: Spec 105 — Entra Admin Roles Evidence + Findings #128

ahmido · 2026-02-22T02:37:04Z

ahmido commented

2026-02-22 02:37:04 +00:00

Summary

Automated scanning of Entra ID directory roles to surface high-privilege role assignments as trackable findings with alerting support.

What's included

Core Services

EntraAdminRolesReportService — Fetches role definitions + assignments via Graph API, builds payload with fingerprint deduplication
EntraAdminRolesFindingGenerator — Creates/resolves/reopens findings based on high-privilege role catalog
HighPrivilegeRoleCatalog — Curated list of high-privilege Entra roles (Global Admin, Privileged Auth Admin, etc.)
ScanEntraAdminRolesJob — Queued job orchestrating scan → report → findings → alerts pipeline

UI

AdminRolesSummaryWidget — Tenant dashboard card showing last scan time, high-privilege assignment count, scan trigger button
RBAC-gated: ENTRA_ROLES_VIEW for viewing, ENTRA_ROLES_MANAGE for scan trigger

Infrastructure

Graph contracts for entraRoleDefinitions + entraRoleAssignments
config/entra_permissions.php — Entra permission registry
StoredReport.fingerprint migration (deduplication support)
OperationCatalog label + duration for entra.admin_roles.scan
Artisan command entra:scan-admin-roles for CLI/scheduled use

Global UX improvement

SummaryCountsNormalizer: Zero values filtered, snake_case keys humanized (e.g. report_deduped: 1 → Report deduped: 1). Affects all operation notifications.

Test Coverage

12 test files, 79+ tests, 307+ assertions
Report service, finding generator, job orchestration, widget rendering, alert integration, RBAC enforcement, badge mapping

Spec artifacts

specs/105-entra-admin-roles-evidence-findings/tasks.md — Full task breakdown (38 tasks, all complete)
specs/105-entra-admin-roles-evidence-findings/checklists/requirements.md — All items checked

Files changed

46 files changed, 3641 insertions(+), 15 deletions(-)

## Summary Automated scanning of Entra ID directory roles to surface high-privilege role assignments as trackable findings with alerting support. ## What's included ### Core Services - **EntraAdminRolesReportService** — Fetches role definitions + assignments via Graph API, builds payload with fingerprint deduplication - **EntraAdminRolesFindingGenerator** — Creates/resolves/reopens findings based on high-privilege role catalog - **HighPrivilegeRoleCatalog** — Curated list of high-privilege Entra roles (Global Admin, Privileged Auth Admin, etc.) - **ScanEntraAdminRolesJob** — Queued job orchestrating scan → report → findings → alerts pipeline ### UI - **AdminRolesSummaryWidget** — Tenant dashboard card showing last scan time, high-privilege assignment count, scan trigger button - RBAC-gated: `ENTRA_ROLES_VIEW` for viewing, `ENTRA_ROLES_MANAGE` for scan trigger ### Infrastructure - Graph contracts for `entraRoleDefinitions` + `entraRoleAssignments` - `config/entra_permissions.php` — Entra permission registry - `StoredReport.fingerprint` migration (deduplication support) - `OperationCatalog` label + duration for `entra.admin_roles.scan` - Artisan command `entra:scan-admin-roles` for CLI/scheduled use ### Global UX improvement - **SummaryCountsNormalizer**: Zero values filtered, snake_case keys humanized (e.g. `report_deduped: 1` → `Report deduped: 1`). Affects all operation notifications. ## Test Coverage - **12 test files**, **79+ tests**, **307+ assertions** - Report service, finding generator, job orchestration, widget rendering, alert integration, RBAC enforcement, badge mapping ## Spec artifacts - `specs/105-entra-admin-roles-evidence-findings/tasks.md` — Full task breakdown (38 tasks, all complete) - `specs/105-entra-admin-roles-evidence-findings/checklists/requirements.md` — All items checked ## Files changed 46 files changed, 3641 insertions(+), 15 deletions(-)

ahmido added 4 commits 2026-02-22 02:37:05 +00:00

spec: 105 Entra Admin Roles Evidence + Findings (spec + plan + checklist) dbb7f1fbab

spec: 105 clarifications — group counting + capability boundary b6e376e875

plan: spec 105 — Entra Admin Roles Evidence + Findings d25290d95e

Phase 0 research (R1-R10) + Phase 1 design artifacts:
- research.md: 10 decisions (fingerprint migration, Graph API, catalog, alerts)
- data-model.md: stored_reports migration, model/enum changes, new classes
- contracts/internal-services.md: 3 service + job contracts
- quickstart.md: implementation guide with file list + test commands
- plan.md: 6-phase implementation plan (A-F) with constitution check

Agent context: copilot-instructions.md updated

feat: spec 105 — Entra Admin Roles scan, reports, findings, widget + summary UX improvement 6b381e9517

- Entra admin roles scan job (ScanEntraAdminRolesJob)
- Report service with fingerprint deduplication
- Finding generator with high-privilege role catalog
- Admin roles summary widget on tenant view page
- Alert integration for entra.admin_roles findings
- Graph contracts for roleDefinitions + roleAssignments
- Entra permissions registry (config/entra_permissions.php)
- StoredReport fingerprint migration
- OperationCatalog label + duration for entra.admin_roles.scan
- SummaryCountsNormalizer: filter zeros, humanize keys globally
- 11 new test files (71+ tests, 286+ assertions)
- Spec + tasks + checklist updates

ahmido merged commit 6a15fe978a into dev

2026-02-22 02:37:37 +00:00

ahmido referenced this issue from a commit

2026-02-22 02:37:38 +00:00

feat: Spec 105 — Entra Admin Roles Evidence + Findings (#128)

Sign in to join this conversation.

No reviewers

No Label

No Milestone

No project

No Assignees

1 Participants

Notifications

Due Date

The due date is invalid or out of range. Please use the format 'yyyy-mm-dd'.

No due date set.

Dependencies

No dependencies set.

Reference: ahmido/TenantAtlas#128