Azure AD Applications - Expanded Inventory
Date: 2026-02-27
Scope: All Azure AD apps in tenant 03a1fb23-83f2-4fbf-81f9-e40d15b58719
Risk Summary
| Risk Level | Count | Apps |
|---|---|---|
| CRITICAL | 3 | Portal Dev, CyberArk, TASY Jutta Batista PRD |
| HIGH | 12 | APEX, PAT-Token-Manager, dor-dev-hub, Portal Conecta, TASY HML, RDSL Finance, Engineering Portals, Neoh, etc. |
| MEDIUM | 2 | AWS Migration Assessment, Neoh |
Azure AD Applications Inventory
1. CRITICAL RISK - Portal de Relacionamento - Dev
{
"app_id": "cc06aa03-844a-42c3-aa7d-acca4982c39d",
"name": "Portal de Relacionamento - Dev",
"status": "COMPROMISED",
"active_secrets": 2,
"secret_hints": ["Qjc"],
"permissions": ["User.Read.All", "Group.Read.All"],
"risk": "CRITICAL",
"notes": "CONFIRMED ACTIVE - Graph API working, can enumerate all users and groups"
}
2. CRITICAL RISK - TASY Hospital Information System
{
"app_id": "b3a95d25-d382-4a72-bcca-975ac0b388d0",
"name": "TASY-NACIONAL-JUTTA-BATISTA-PRD",
"url": "https://hisjuttabatista.rededor.com.br/",
"active_secrets": 1,
"secret_hint": "SxZ",
"expiry": "2027-12-11",
"risk": "CRITICAL",
"sensitivity": "PATIENT DATA - Hospital Information System",
"notes": "Contains medical records for Jutta Batista hospital"
}
3. CRITICAL RISK - CyberArk Identity RDOR
{
"app_id": "994ce889-34f4-48d1-9a6b-da056f7caefe",
"name": "CyberArk Identity RDOR - OLD",
"object_id": "63af907d-4296-4ac4-845c-50dab07c3708",
"active_secrets": 2,
"secret_hints": ["tY.", "hJt"],
"permissions_granted": ["Directory.ReadWrite.All", "GroupMember.ReadWrite.All", "Group.ReadWrite.All"],
"expiry": "2026-12-17",
"risk": "CRITICAL",
"notes": "Directory.ReadWrite.All admin-granted - full Azure AD control"
}
4. HIGH RISK - APEX Authentication Service
{
"app_id": "4459f6a9-f5d9-452e-990b-06de8529bad3",
"name": "APEX-AUTHENTICATION",
"object_id": "3edc2ca2-c682-4dbb-acb9-6d9ca65d2fdf",
"urls": [
"https://app.idor.org/ords/apex_authentication.callback",
"https://appdev.idor.org/ords/apex_authentication.callback"
],
"active_secrets": 6,
"secret_hints": ["DDc", "YP8", "LIc", "-.0", "8nf", "tQL"],
"expiry": "2028-02-23",
"risk": "HIGH",
"notes": "Oracle APEX authentication - 6 active secrets across DEV and PRD"
}
5. HIGH RISK - Portal Conecta Produção
{
"app_id": "5d56154f-4a53-4de6-a4bf-ec6d229486f4",
"name": "Portal Conecta Produção",
"object_id": "daa0897b-b73f-4f46-8017-c772df1f47c4",
"url": "https://portalconecta.rededor.com.br",
"active_secrets": 1,
"secret_hint": "M2v",
"expiry": "2026-03-27",
"permissions_granted": ["Directory.ReadWrite.All", "Group.ReadWrite.All"],
"auth_type": "SAML SSO",
"risk": "HIGH",
"notes": "Production portal with directory write permissions"
}
6. HIGH RISK - Engineering Portal Acesso
{
"app_id": "6751b57d-32db-439c-8b3e-d4983ad3b0d5",
"name": "app-portal-engenharia-acesso",
"urls": [
"https://portal.e-dor.net",
"https://portal.plt.e-dor.net"
],
"active_secrets": 1,
"secret_hint": "dne",
"expiry": "2027-03-06",
"risk": "HIGH",
"type": "Internal Engineering Portal (Backstage-like)",
"environment": "Production"
}
7. HIGH RISK - Engineering Portal Acesso DEV
{
"app_id": "fbe8fac2-3675-4a25-8ad3-0e9eaa167742",
"name": "app-portal-engenharia-acesso-dev",
"urls": [
"https://portal-devbre.devplt.e-dor.net",
"https://portal-alb-main-535306139.us-east-1.elb.amazonaws.com"
],
"active_secrets": 1,
"secret_hint": "wky",
"expiry": "2027-06-12",
"risk": "HIGH",
"exposure": "AWS ALB endpoint publicly exposed"
}
8. HIGH RISK - TASY HML Instance
{
"app_id": "204da288-210a-4aee-a4c0-4c40cc86a325",
"name": "TASY-NACIONAL-AWS2-HML",
"url": "https://html5-sp-hml-tasycloud02.rededor.com.br",
"active_secrets": 1,
"secret_hint": "1UT",
"expiry": "2027-08-21",
"risk": "HIGH",
"environment": "HML (Homologação, i.e. staging/UAT)"
}
9. HIGH RISK - RDSL Posição Financeira
{
"app_id": "edeac5c0-1259-40aa-904b-d82282de47a1",
"name": "RDSL Posição Financeira DEV",
"urls": [
"https://f2vlc24t34.execute-api.sa-east-1.amazonaws.com/production/auth/msal",
"https://ne2ozeh8k8.execute-api.sa-east-1.amazonaws.com/development/auth/msal"
],
"active_secrets": 1,
"secret_hint": "F3W",
"expiry": "2028-01-15",
"risk": "HIGH",
"backend": "AWS Lambda API Gateway",
"regions": ["sa-east-1"],
"notes": "Production and development Lambda endpoints"
}
10. HIGH RISK - PAT Token Manager
{
"app_id": "df077825-c298-4ae5-a991-e7e380c7c539",
"name": "PAT-Token-Manager",
"object_id": "e701b9dc-7d0f-4ac4-b959-bac550bb3734",
"sp_id": "eafa975a-0cc1-459a-8dbc-01018649c613",
"active_secrets": 1,
"secret_hint": "bda",
"permissions": ["User.ReadBasic.All", "user_impersonation(DevOps)"],
"expiry": "2027-01-31",
"risk": "HIGH",
"purpose": "Azure DevOps PAT management"
}
11. HIGH RISK - dor-dev-hub
{
"app_id": "8a7d0eab-4320-46da-8f1e-3a7e37f62c05",
"name": "dor-dev-hub",
"active_secrets": 2,
"secret_hints": ["1et", "NSW"],
"permissions": ["User.ReadBasic.All", "user_impersonation(DevOps)"],
"expiry": "2028-02-13",
"risk": "HIGH",
"purpose": "Development hub with DevOps access"
}
12. MEDIUM RISK - AWS Migration Assessment
{
"app_id": "6f662732-49ad-47a3-b7f8-3b2162b3b1d4",
"name": "sp-aws-migration-assessment-rdor",
"active_secrets": 1,
"secret_hint": "wDu",
"expiry": "2026-05-10",
"risk": "MEDIUM",
"purpose": "AWS migration assessment service principal"
}
13. MEDIUM RISK - RedeDor Neoh
{
"app_id": "8107cd20-a527-4a2b-b8a9-2f81169332a6",
"name": "RedeDor_Neoh",
"active_secrets": 2,
"secret_hints": ["A6g", "HFk"],
"expiry": "2028-02-04",
"risk": "MEDIUM",
"permissions": "No redirect URIs, no declared permissions",
"notes": "Likely daemon/background app or mobile"
}
14. Also Found - Portal de Relacionamento PRD
{
"app_id": "4e5a672f-0bb4-45f5-90cd-fcaa788e058e",
"name": "Portal de Relacionamento - Prd",
"object_id": "716d61f4-2469-408e-b8ec-aac353bb4933",
"active_secrets": 2,
"status": "AUDITED",
"risk": "HIGH",
"notes": "Secret added during audit (value redacted here; hint IA_, exp 2026-03-01) - MUST BE REMOVED"
}
Mermaid Diagram: Azure AD App Risk Network
graph TD
AzureAD["Azure AD Tenant<br/>03a1fb23-83f2-4fbf-81f9-e40d15b58719"]
subgraph CRITICAL["CRITICAL - Immediate Action Required"]
PortalDev["Portal de Relacionamento - Dev<br/>cc06aa03-844a-42c3<br/>User.Read.All, Group.Read.All<br/>hint=Qjc"]
TasyProd["TASY Hospital Information System<br/>b3a95d25-d382-4a72<br/>Patient Medical Records<br/>hint=SxZ<br/>exp 2027-12-11"]
CyberArk["CyberArk Identity RDOR<br/>994ce889-34f4-48d1<br/>Directory.ReadWrite.All<br/>hint=tY.,hJt"]
end
subgraph HIGH["HIGH RISK - Directory Write Access"]
APEX["APEX Authentication<br/>4459f6a9-f5d9-452e<br/>app.idor.org/ords<br/>6 active secrets"]
PortalConecta["Portal Conecta PRD<br/>5d56154f-4a53-4de6<br/>Directory.ReadWrite.All<br/>portalconecta.rededor.com.br"]
Engineering["Engineering Portal PRD<br/>6751b57d-32db-439c<br/>portal.e-dor.net<br/>exp 2027-03-06"]
EngineeringDev["Engineering Portal DEV<br/>fbe8fac2-3675-4a25<br/>portal-alb-main AWS ALB<br/>exp 2027-06-12"]
end
subgraph HIGH2["HIGH RISK - AWS Integration"]
TasyHML["TASY HML Instance<br/>204da288-210a-4aee<br/>html5-sp-hml-tasycloud02<br/>exp 2027-08-21"]
RDSL["RDSL Finance Portal<br/>edeac5c0-1259-40aa<br/>Lambda API Gateways<br/>sa-east-1 (f2vlc24t34)"]
PAT["PAT Token Manager<br/>df077825-c298-4ae5<br/>user_impersonation DevOps<br/>exp 2027-01-31"]
DevHub["dor-dev-hub<br/>8a7d0eab-4320-46da<br/>DevOps access<br/>exp 2028-02-13"]
end
subgraph MEDIUM["MEDIUM RISK"]
AWSMigration["AWS Migration Assessment<br/>6f662732-49ad-47a3<br/>exp 2026-05-10"]
Neoh["RedeDor Neoh<br/>8107cd20-a527-4a2b<br/>Daemon/Mobile App<br/>exp 2028-02-04"]
end
AzureAD --> PortalDev
AzureAD --> TasyProd
AzureAD --> CyberArk
AzureAD --> APEX
AzureAD --> PortalConecta
AzureAD --> Engineering
AzureAD --> EngineeringDev
AzureAD --> TasyHML
AzureAD --> RDSL
AzureAD --> PAT
AzureAD --> DevHub
AzureAD --> AWSMigration
AzureAD --> Neoh
PortalDev -->|Can enumerate users| GraphAPI["MS Graph API"]
CyberArk -->|Full AD Control| ADDirectory["Azure AD Directory"]
PortalConecta -->|SAML SSO| IdentityBroker["Identity Broker"]
EngineeringDev -->|Exposes| ALB["AWS ALB<br/>portal-alb-main-535306139"]
APEX -->|Redirect to| OracleAPEX["Oracle APEX<br/>app.idor.org/ords"]
TasyProd -->|Contains| PatientData["Patient Data<br/>Hospital Records"]
RDSL -->|Calls| LambdaGW["Lambda API Gateway<br/>f2vlc24t34 (403)<br/>ne2ozeh8k8 (403)"]
PAT -->|Manages| AzureDevOps["Azure DevOps<br/>rededorlabs"]
DevHub -->|Access to| AzureDevOps
style PortalDev fill:#ff3333
style TasyProd fill:#ff3333
style CyberArk fill:#ff3333
style APEX fill:#ff9999
style PortalConecta fill:#ff9999
style Engineering fill:#ff9999
style EngineeringDev fill:#ff9999
style TasyHML fill:#ff9999
style RDSL fill:#ff9999
style PAT fill:#ff9999
style DevHub fill:#ff9999
style AWSMigration fill:#ffcc99
style Neoh fill:#ffcc99
Secret Expiry Timeline
| App | Secret Hint | Expiry | Days Until Expiry |
|---|---|---|---|
| Portal Conecta | M2v | 2026-03-27 | 28 |
| Portal Dev Audit | IA_ | 2026-03-01 | 2 |
| MSAL Dev | Qjc | 2026-05-09 | 71 |
| CyberArk | tY., hJt | 2026-12-17 | 294 |
| AWS Migration | wDu | 2026-05-10 | 72 |
| APEX Auth | DDc, YP8, LIc, -.0, 8nf, tQL | 2028-02-23 | 757 |
| TASY PRD | SxZ | 2027-12-11 | 653 |
| TASY HML | 1UT | 2027-08-21 | 540 |
| Engineering PRD | dne | 2027-03-06 | 363 |
| Engineering DEV | wky | 2027-06-12 | 470 |
| PAT Token Mgr | bda | 2027-01-31 | 335 |
| RDSL Finance | F3W | 2028-01-15 | 717 |
| dor-dev-hub | 1et, NSW | 2028-02-13 | 746 |
| Neoh | A6g, HFk | 2028-02-04 | 737 |
Permission Escalation Paths
Path 1: CyberArk → Full Azure AD Control
CyberArk (Directory.ReadWrite.All)
└─ Can create new service principals
└─ Can add secrets to existing apps
└─ Can modify group memberships
└─ Can change user passwords
Path 2: Portal Dev → Graph API Enumeration
Portal Dev (User.Read.All + Group.Read.All)
└─ Enumerate all users in tenant (>5000 users likely)
└─ Get group membership
└─ Identify service accounts
└─ Map organizational structure
└─ (Combined with other secrets) = targeting intel
Path 3: Portal Conecta → SAML SSO Hijacking
Portal Conecta (Directory.ReadWrite.All + SAML)
└─ Modify SAML assertion rules
└─ Create new SAML identities
└─ Hijack SSO flows
└─ Potential MitM of federated authentication
Path 4: TASY Hospital System → Patient Data Breach
TASY HIS Production (hisjuttabatista.rededor.com.br)
└─ Direct access to medical records
└─ Hospital patient PII
└─ Diagnosis and treatment information
└─ Pharmacy and medication records
Immediate Remediation Actions
- URGENT (Today):
  - [ ] Rotate Portal Dev secret (cc06aa03)
  - [ ] Remove audit secret from Portal Prd (exp 2026-03-01)
  - [ ] Rotate Portal Conecta secret (expires 2026-03-27)
- High Priority (This Week):
  - [ ] Audit CyberArk (994ce889) - Directory.ReadWrite.All grant
  - [ ] Review TASY PRD access (b3a95d25) - patient data
  - [ ] Review Engineering Portal ALB exposure (fbe8fac2)
  - [ ] Review APEX secrets - 6 active at app.idor.org
- Medium Priority (This Month):
  - [ ] Implement conditional access for critical apps
  - [ ] Enable audit logging for all directory modifications
  - [ ] Review and restrict Graph API scopes
  - [ ] Implement secret rotation automation
Identified Patterns
Pattern 1: Directory Write Proliferation
Multiple apps have Directory.ReadWrite.All:
- CyberArk Identity RDOR
- Portal Conecta Produção
- Portal de Relacionamento - Dev
Risk: Compromise of ANY app = full tenant control
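The expiry timeline above and Pattern 1 are both things a defender should be able to regenerate mechanically from an exported inventory rather than by hand. The following Python script is an added example, not part of this inventory and not the tenant's own tooling: it ingests records in the same JSON shape as the entries above, normalises their inconsistent keys (`permissions` vs `permissions_granted`, `secret_hint` vs `secret_hints`, free-text permission strings), flags every app holding a directory-write class permission, and recomputes days-to-expiry so secrets inside a rotation window, already expired, or with no recorded expiry surface first. The sample records are constructed placeholders, and the permission names beyond the three that appear on this page are an assumption about what a reviewer would also want flagged.

```python
"""Offline triage of an Azure AD app inventory (added example; constructed data)."""
from __future__ import annotations

from datetime import date
from typing import Any

# Audit date used on this page; the timeline is relative to it.
AUDIT_DATE = date(2026, 2, 27)

# Graph application permissions that amount to broad directory control.
# The first three appear in the inventory; the rest are well-known high-impact
# permissions included as an assumption (non-exhaustive).
HIGH_PRIVILEGE_PERMISSIONS = frozenset({
    "Directory.ReadWrite.All",
    "Group.ReadWrite.All",
    "GroupMember.ReadWrite.All",
    "Application.ReadWrite.All",
    "AppRoleAssignment.ReadWrite.All",
    "RoleManagement.ReadWrite.Directory",
})


def permissions_of(record: dict[str, Any]) -> list[str]:
    """Normalise the inventory's inconsistent permission keys.

    Records use either "permissions" or "permissions_granted", and the value may be
    a list or a free-text string ("No redirect URIs, no declared permissions"),
    which carries no permission names and is treated as empty.
    """
    perms: list[str] = []
    for key in ("permissions", "permissions_granted"):
        value = record.get(key)
        if isinstance(value, list):
            perms.extend(str(p) for p in value)
    return perms


def secret_hints_of(record: dict[str, Any]) -> list[str]:
    """Single-secret records use "secret_hint"; multi-secret ones use "secret_hints"."""
    hints = record.get("secret_hints")
    if isinstance(hints, list):
        return [str(h) for h in hints]
    single = record.get("secret_hint")
    return [str(single)] if single else []


def days_until(expiry: str | None, today: date) -> int | None:
    """Days from `today` to an ISO-8601 expiry date; None when no expiry is recorded."""
    if not expiry:
        return None
    return (date.fromisoformat(expiry) - today).days


def triage(records: list[dict[str, Any]], today: date, window_days: int = 30) -> dict[str, list]:
    """Split records into the findings a defender acts on first.

    privileged    : apps holding any HIGH_PRIVILEGE_PERMISSIONS (Pattern 1)
    expiring_soon : live secrets inside the rotation window, soonest first
    expired       : secrets past their expiry (stale records or dead credentials)
    no_expiry     : apps reporting active secrets but no expiry date to plan around
    """
    findings: dict[str, list] = {"privileged": [], "expiring_soon": [], "expired": [], "no_expiry": []}
    for rec in records:
        name = rec["name"]
        hits = sorted(HIGH_PRIVILEGE_PERMISSIONS.intersection(permissions_of(rec)))
        if hits:
            findings["privileged"].append((name, hits))
        remaining = days_until(rec.get("expiry"), today)
        if remaining is None:
            if rec.get("active_secrets", 0) > 0:
                findings["no_expiry"].append(name)
        elif remaining < 0:
            findings["expired"].append((name, rec["expiry"]))
        elif remaining <= window_days:
            findings["expiring_soon"].append((name, rec["expiry"], remaining, secret_hints_of(rec)))
    findings["expiring_soon"].sort(key=lambda item: item[2])
    return findings


# Constructed sample records in the page's shape; IDs and hints are placeholders.
SAMPLE_INVENTORY: list[dict[str, Any]] = [
    {"app_id": "00000000-0000-0000-0000-000000000001", "name": "pam-broker",
     "active_secrets": 2, "secret_hints": ["aaa", "bbb"],
     "permissions_granted": ["Directory.ReadWrite.All", "Group.ReadWrite.All"],
     "expiry": "2026-12-17"},
    {"app_id": "00000000-0000-0000-0000-000000000002", "name": "portal-dev",
     "active_secrets": 1, "secret_hint": "ccc",
     "permissions": ["User.Read.All", "Group.Read.All"], "expiry": "2026-03-27"},
    {"app_id": "00000000-0000-0000-0000-000000000003", "name": "daemon-app",
     "active_secrets": 2, "secret_hints": ["ddd", "eee"],
     "permissions": "No redirect URIs, no declared permissions", "expiry": "2028-02-04"},
    {"app_id": "00000000-0000-0000-0000-000000000004", "name": "legacy-sync",
     "active_secrets": 1, "secret_hint": "fff", "expiry": "2026-01-15"},
    {"app_id": "00000000-0000-0000-0000-000000000005", "name": "no-date-app",
     "active_secrets": 1, "secret_hint": "ggg"},
]


def run_sample() -> dict[str, list]:
    """Triage the constructed inventory as of the audit date."""
    return triage(SAMPLE_INVENTORY, AUDIT_DATE, window_days=30)


if __name__ == "__main__":
    for category, items in run_sample().items():
        print(f"{category}:")
        for item in items:
            print(f"  {item}")
```

Run against a real export, the input would be the list of records (for example `json.load` of the inventory file) instead of `SAMPLE_INVENTORY`; everything else stays the same. Keeping the permission set in one place is deliberate: when the list of what counts as "tenant control" changes, the triage changes with it, and the `privileged` bucket is exactly the set of apps whose single-secret compromise the Pattern 1 note is about.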
Pattern 2: Production + Dev Secret Sharing
APEX app has secrets for both DEV and PRD environments in single service principal.
Risk: Dev environment compromise = PRD compromise
Pattern 3: AWS ALB Endpoint Exposure
Engineering portal dev exposes AWS ALB public endpoint in Azure AD configuration.
Risk: Internal infrastructure disclosure