Welcome to the TCB Graph Explorer
This tool visualizes service-to-service dependencies and their relationship to the Trusted Computing Base (TCB) security boundary. Below are the key concepts used throughout the application. Please visit aka.ms/TCB to learn more.
Node (Service)
A Node represents a single service in the dependency graph, identified by its ServiceTree ID. Each node has properties like organization, division, and whether it is classified as Intended TCB.
💡 Green nodes are Intended TCB services. Blue nodes are Unintended TCB or No TCB Impact services.
Edge (Permission / Role)
An Edge is a single directional dependency from one service to another. It represents one specific permission type — such as an MS Graph Permission, a Critical RBAC Role, or an AAD Graph TaskSet.
💡 Each edge carries a specific edge type (e.g., MS Graph Permission, Critical RBAC Role) describing how one service depends on another.
Edge Set (Bundle of Edges)
An Edge Set is the collection of all edges (permissions/roles) from one specific source service to one specific target service. If Service A has 3 different permission types granting access to Service B, those 3 edges form one Edge Set.
Intended TCB (Security Boundary)
The Trusted Computing Base (TCB) is the set of critical services that form the security boundary. Intended TCB services are those that should be inside this security perimeter. The goal is to minimize the number of Unintended TCB services that have dependency paths reaching into the TCB. Please visit aka.ms/TCB to learn more.
Shortest Path To Intended TCB (Min Hops)
Finds the minimum number of hops (edges) from any Unintended TCB service to reach an Intended TCB service. This is the fastest attack path an adversary could exploit — each hop represents one permission or trust relationship that must be traversed.
💡 Fewer hops = higher risk. A service at Hop 1 is directly connected to TCB and is a priority for edge removal.
Outbound Paths (All Routes)
Shows all possible outbound paths from a selected service — not just the shortest route, but every path that eventually reaches an Intended TCB service. This reveals the full scope of how a service can transitively reach the TCB boundary through multiple different chains of dependencies.
💡 Unlike the shortest path, outbound paths reveal all routes — a service may reach TCB through many different chains. Each path is a potential attack vector.
Inbound Paths (Who Reaches Me)
Shows all services that have paths leading into the selected service. This answers: "Who depends on me?" and "If these upstream services are compromised, can they reach me?" Useful for understanding the inbound attack surface.
💡 Services with many inbound paths have a large inbound attack surface.
Explorer (Starting Point)
The Explorer is your starting point to explore the graph. Search or browse all services, filter by organization, division, or TCB status, then click any service to see its shortest paths to TCB, outbound paths, and inbound paths. It also shows the hop distance to the nearest Intended TCB service.
💡 Start here: find a service, then explore its paths, edges, and dependencies.
The TCB Graph maps service-to-service dependencies to identify which Unintended TCB services have paths into the Trusted Computing Base (TCB) security boundary. Visit aka.ms/TCB to learn more about TCB. By analyzing the shortest path distance from every service to the nearest Intended TCB service, it enables teams to prioritize edge removal, reduce blast radius, and harden the TCB perimeter. (More metrics are coming soon.)
Graph Metrics
Services with Shortest Path to Intended TCB Services
TCB-Impacting Services
A TCB-impacting service is one that can reach at least 50% of all other services in the graph within 6 hops through exhaustive traversal. After 6 hops, the accuracy of the graph degrades.
Explore the TCB graph. Services — individual services and their shortest path to Intended TCB.
Edge sets ranked by Betweenness Centrality - edges that carry the most shortest paths to TCB. High centrality = many services depend on this edge for their shortest route to TCB. Removing these 500 recommended edge sets will reduce the unintended TCB count from … to ….
Services ranked by the hop at which they become TCB-impacting (reaching ≥50% of all services within 6 hops). Use filters to explore.
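As an added worked example (not code from the TCB Graph Explorer), the Python below computes the two metrics described above over a small constructed graph: the shortest-path hop count from each service to an Intended TCB service, and the hop at which a service becomes TCB-impacting (reaching at least 50% of all other services within 6 hops). The service names and edge sets are placeholders; each dictionary entry stands for one Edge Set between a source and a target.

```python
from collections import deque
# Constructed sample graph (placeholder names, not Explorer data). Key: source
# service; value: targets it holds >= 1 permission/role edge to (one Edge Set each).
EDGE_SETS = {
    "svc-A": {"svc-B", "svc-C"},
    "svc-B": {"svc-D"},
    "svc-C": {"svc-D", "svc-E"},
    "svc-D": {"tcb-Core"},
    "svc-E": {"svc-F"},
    "svc-F": {"tcb-Core"},
    "tcb-Core": set(),
}
INTENDED_TCB = {"tcb-Core"}

def bfs_layers(graph, start, max_hops=None):
    """Yield (service, hops) reachable from start, nearest first; start is skipped."""
    seen, queue = {start}, deque([(start, 0)])
    while queue:
        node, depth = queue.popleft()
        if max_hops is not None and depth >= max_hops:
            continue
        for nxt in graph.get(node, ()):
            if nxt not in seen:          # seen-set also breaks dependency cycles
                seen.add(nxt)
                yield nxt, depth + 1
                queue.append((nxt, depth + 1))

def hops_to_intended_tcb(graph, service, intended=INTENDED_TCB):
    """Shortest Path To Intended TCB in hops (0 if already TCB); None if unreachable."""
    if service in intended:
        return 0
    for node, hops in bfs_layers(graph, service):
        if node in intended:
            return hops                  # BFS order makes the first hit minimal
    return None

def tcb_impacting_hop(graph, service, max_hops=6, fraction=0.5):
    """First hop by which service reaches >= fraction of all other services; else None."""
    needed, reached = fraction * (len(graph) - 1), 0
    for _node, hops in bfs_layers(graph, service, max_hops):
        reached += 1
        if reached >= needed:
            return hops
    return None

def rank_unintended_services(graph, intended=INTENDED_TCB):
    """Unintended services that reach the TCB, Hop 1 first (edge-removal priority)."""
    hops = {s: hops_to_intended_tcb(graph, s, intended) for s in graph if s not in intended}
    return sorted((h, s) for s, h in hops.items() if h is not None)
```

In the sample graph, svc-D and svc-F sit at Hop 1 and are the edge-removal priorities, while svc-A and svc-C become TCB-impacting at hop 2 because each reaches 4 of the other 6 services by then.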
What is an Edge?
An Edge represents a directional dependency from one service to another — it describes how one service depends on or has access to another. Each edge is classified by its Edge Type, which identifies the kind of permission or role assignment (e.g., MS Graph App Role Assignment, Critical RBAC Role, AAD Graph Permission Grant).
Edge types are extracted from the graph’s edge type dictionary. Each edge set between two services may contain one or more edge types. The distinct types listed below represent all unique permission/role categories observed across the entire graph.