Proper Entra ID Application Governance – Phase 1

Once an organization migrates to the cloud with Microsoft 365, the temptation and ability for an end-user to access potentially threatening external applications can become out of hand and snowball quickly on many levels.

Attacks against insecurely configured Microsoft 365 tenants have been on the rise recently. One example from last week is an email attack campaign that abused OAuth applications for crypto mining. Microsoft explains in a detailed article how this attack scenario worked. Among other things, the attack was made possible by an insecure or permissive configuration for enterprise applications in Entra ID. ENow describes how to configure your tenant more securely in the AppGov Score™ blog.

Do you know how many of these external applications exist in your Microsoft 365 tenant?

The dangers of default settings

In a Microsoft 365 tenant with default settings, users can log in to external applications with their enterprise account. This application usually requires access to the tenant’s Entra ID directory. For this purpose, the user triggers an application registration in the tenant. This external application has at least read access to the Entra ID directory from now on.

There are most likely many enterprise applications and app registrations in your tenant that users wanted to experiment with and maybe are no longer used but are still registered. Such applications include Teams apps, Office add-ins, external application websites, and possibly event websites on which your users register themselves for attendance. Users being allowed to consent to applications themselves by default encourages the uncontrolled sprawl of enterprise applications.

An Entra ID application registration has two important authorization configurations. Firstly, which user and guest accounts in your tenant are allowed to use this application? Secondly, which authorizations does the application in your tenant have for accessing Microsoft 365 resources, such as Entra ID, SharePoint Online, or Exchange Online?

Depending on the application’s implementation, an enterprise application and an additional app registration are added to your tenant. This app registration defines, among other things, the delegated authorization of the application to access data in your tenant on behalf of the logged-in user account. Administrators often overlook that a single application adds configurations in two places.

Where application governance comes into play

Governance covers the entire life cycle of an application, from registration, the adaptation of properties, and access authorizations to final deletion at the end of use.

Some of the most overlooked features of a risky enterprise application and app registrations are:

  • Runtime of access certificates and passwords
  • Designation of application owners
  • Public tenant flows
  • Lack of a comprehensible description

Unfortunately, Entra ID does not provide a quick overview of the current situation of the existing applications. The enterprise application’s dashboard overview only provides rudimentary information on the total number of applications and their status. It is not even the default view when you select the Enterprise applications menu item.

So, how can identity architects effectively tame this proliferation of risky enterprise applications in Entra ID?

Introducing the ENow AppGov Score™

ENow has developed a free solution that helps identity architects quickly determine how their tenant stacks up against Microsoft-recommended security practices. Long-standing security MVPs developed the scoring system’s methodology with extensive knowledge of Microsoft 365 tenants of various sizes.

How it works

For a quick assessment of your tenant’s application governance estate, you start by registering with the Freemium version at https://www.appgovscore.com. You will be up and running in anywhere from 5 minutes to an hour. You can register with a standard user account for your tenant. Still, you need a Global Administrator account to consent to the required application permissions.

AppGov Score requires the following permissions to gather information from Entra ID:

  • Directory.Read.All
  • EntitlementManagement.Read.All
  • Policy.Read.All
  • Policy.Read.PermissionGrant
  • RoleManagement.Read.All

After registering and consenting to the application permissions, the configuration data of the enterprise applications in your tenant is analyzed. Based on the results, the accelerator calculates the unique AppGov Score for your tenant, and you receive a full Application Governance Assessment report.

The following example uses an App Governance analysis of my personal demo tenant.

Default Tenant Application Registration Dilemma

The analyzed tenant runs primarily on Microsoft 365 default settings, with an enterprise application default configuration. Microsoft 365 tenants, most of the time, remain running with default settings. And that is not only a dilemma, but the dilemma.

You shouldn’t be surprised to see an initial AppGov Score of 53% in the first screenshot. An out-of-box experience (OOBE) Microsoft 365 tenant is far from the Microsoft-recommended best practices for maintaining enterprise applications in Entra ID.

Your free application governance assessment report provides information about three important sections of your tenant health:

  • Enterprise Application Analysis
  • Application Registration Analysis
  • Tenant Settings Analysis

Each section contains basic status information on configuration and governance topics, e.g., how many enterprise applications exist in your tenant with admin consent. The status for a section ranges from poor to good to excellent. Some sections are informational, as they show statistical information only. A section provides additional details on why the information is vital for the application governance in your tenant. For example, the following screenshot shows the expanded section of applications lacking admin consent.

As you can see, the lack of administrative consent for 66.67% of the registered enterprise applications results in a poor governance status. If you assume that these applications were granted individual user consent only, you are right. Each section description has a link to the official Microsoft documentation that explains the topic and the recommended configuration.

The following list shows the configurations included in your AppGov Score™ report:

  • Enterprise Application Analysis
    • Number of registered enterprise applications
    • Percentage of enterprise applications lacking administrative consent
    • Number of enterprise applications considered high-risk
    • Number of enterprise applications created in the last thirty days
    • Percentage of enterprise applications without a description
    • Percentage of enterprise applications without owners
    • Percentage of enterprise applications without role assignments

  • Application Registration Analysis
    • Number of application registrations with public client flows
    • Number of application registrations with expired certificates
    • Number of application registrations with certificates expiring in the next fourteen days
    • Number of application registrations with expired client secrets
    • Number of application registrations with expiring client secrets in the next fourteen days
    • Percentage of application registrations with client secrets with a time expiration longer than two years
    • Number of application registrations created in the last thirty days
    • Number of application registrations without an associated enterprise application
    • Percentage of application registrations with certificates with a time expiration longer than two years
    • Number of application registrations with configured client secrets

  • Tenant Settings Analysis
    • Number of user accounts with application administrative privileges
    • Configuration of group owner consent
    • Configuration of guest users’ access permissions
    • Configuration of user consent for applications
    • Configuration of allowing users to add gallery applications
    • Configuration of requesting administrative consent
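As an added example (not ENow’s code and not part of the original post), the following Python applies the app registration checks from the list above, and the overlooked features named earlier (credential runtime, owners, public client flows, description), to a constructed sample shaped like the Microsoft Graph GET /applications?$expand=owners response. The sample objects, the fixed evaluation time and the 14-day and two-year thresholds are assumptions taken from the report list, not data from a real tenant.

```python
from datetime import datetime, timedelta, timezone

# Fixed evaluation time so the sample gives reproducible findings (assumption).
NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)

# Constructed sample shaped like Microsoft Graph GET /applications?$expand=owners;
# not objects from a real tenant.
SAMPLE_APPS = [
    {"displayName": "HR Sync Job", "description": "Nightly HR data sync",
     "isFallbackPublicClient": False, "owners": [{"id": "owner-1"}],
     "passwordCredentials": [{"startDateTime": "2023-09-01T00:00:00Z",
                              "endDateTime": "2024-03-10T00:00:00Z"}],
     "keyCredentials": []},
    {"displayName": "Event Site Login", "description": None,
     "isFallbackPublicClient": True, "owners": [],
     "passwordCredentials": [{"startDateTime": "2021-01-01T00:00:00Z",
                              "endDateTime": "2024-01-01T00:00:00Z"}],
     "keyCredentials": [{"startDateTime": "2023-01-01T00:00:00Z",
                         "endDateTime": "2026-01-01T00:00:00Z"}]},
]

def _parse(ts):  # Graph timestamps are ISO 8601 with a trailing Z
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def assess_app(app, now=NOW, soon=timedelta(days=14), max_life=timedelta(days=730)):
    """Governance findings for one app registration (report thresholds: 14 days, 2 years)."""
    findings = []
    if app.get("isFallbackPublicClient"):
        findings.append("public client flow")
    if not app.get("owners"):
        findings.append("no owner")
    if not (app.get("description") or "").strip():
        findings.append("no description")
    for kind, key in (("secret", "passwordCredentials"), ("certificate", "keyCredentials")):
        for cred in app.get(key) or []:
            start, end = _parse(cred["startDateTime"]), _parse(cred["endDateTime"])
            if end <= now:
                findings.append(f"expired {kind}")
            elif end - now <= soon:
                findings.append(f"{kind} expiring within 14 days")
            if end - start > max_life:
                findings.append(f"{kind} lifetime over two years")
    return findings

def summarize(apps, now=NOW):
    """Number of app registrations per finding, like the report's registration metrics."""
    counts = {}
    for app in apps:
        for finding in set(assess_app(app, now)):
            counts[finding] = counts.get(finding, 0) + 1
    return counts
```

Feeding the real Graph response into summarize() gives the per-finding counts; dividing by the number of registrations yields the percentages the report shows.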

Even without providing complete visibility into all AppGov Score™ section results of my tenant, I’m sure you can grasp how the information provided will expose apps lurking in your Entra ID tenant. It is a powerful tool that helps you track enterprise applications and application registrations in your tenant. Applying good governance to this area of Entra ID helps you secure your Microsoft 365 pasture.

As mentioned before, Entra ID tolerates end-users registering enterprise applications by default. Your tenant might contain enterprise applications that aren’t in use and pose a security risk.

If you are an identity architect looking for a way to automate governance and develop a Governance strategy for your organization, AppGov Score™ can quickly provide the information needed.

When you’re ready to unlock features that support your governance tasks related to enterprise applications and app registrations, you can upgrade to ENow’s App Governance Accelerator. This support starts with the basic settings for registration and consent in a Microsoft 365 tenant and includes reporting on the status of enterprise applications. In the second part of this mini-series, I discuss the features of the paid version of the App Governance Accelerator and how the AppGov Score™ helped to enhance governance in my company tenant.

Discover more from Granikos GmbH & Co. KG