In the first part of this mini-series, I discussed the security risks enterprise applications and app registrations pose to proper Entra ID application governance and how ENow Software has created a very valuable free tool that quantifies your tenant’s application security and governance posture with a measurement called AppGov score. This free tool can quickly get you and your organization on the right path to securing your Entra ID estate. I had the opportunity to play with the paid version of their tool, App Governance Accelerator, and will share my experience with you.
A Microsoft 365 tenant using the default configuration supports the self-registration of enterprise applications to Entra ID by end-users. These apps often remain unmonitored, posing a security risk to the tenant.
To make things concrete, I will show the development of the AppGov Score in my production Microsoft 365 tenant. You must register App Governance Accelerator as an enterprise application in Entra ID so the solution can determine the AppGov Score, as described in the Getting Started section in part one.
Initial Situation
The starting point of the solution is the Application Governance Dashboard, which provides me with an easy-to-read overview of the essential information in the dashboard view and, in addition to the current score value, also shows the score development over time.
After setting up the application in my tenant for the first time, I was shocked that the rating was poor at 53%, as shown in the screenshot below:

This score best describes a Microsoft 365 tenant that is operated, more or less, with Microsoft’s default settings. I had already switched off self-service application registration and user consent. But as we will see, several more application-specific settings had gone unnoticed so far.
As you can see in the screenshot, the ENow App Governance Accelerator uses the following reporting areas.
- Activity
- Application Registrations
- Enterprise Applications
- Global Tenant Settings
- Users and Privileges
So, what could be more obvious than first checking and adjusting the tenant settings? I was amazed by the report on the accounts holding administrative application permissions. Please forgive me for not sharing details about the configuration changes in my tenant in this article.
So how do you improve your score?
I set to work and followed the recommendations of the individual evaluations to improve the tenant’s AppGov score. A tenant that has been in operation for more than ten years requires special attention and intensive application testing.
The application calculates the AppGov Score daily, and after my changes were synced, I could see the results of my configuration work. I find AppGov Score an ideal tool for learning about Enterprise Applications, and the score did increase for that area of my tenant. Overall, my score increased from 53% to 66%. For traceability, the dashboard shows me in detail each measurement point change that led to this score adjustment, but for data protection reasons, some information has been redacted:

The most significant adjustments that led to this improvement were:
- Deletion of unused enterprise applications
- First allocation round of application owners
- Customization of tenant settings for the approval of applications
- Deletion of obsolete user accounts with administrative authorization, e.g., old Entra ID Connect accounts
The subsequent adjustments in the tenant led to an improvement from 66% to 68%, as different configuration changes in Entra ID have a different impact on the AppGov score. ENow provides information on the rationale behind each score, a system developed by the AppGov Score Committee, which is made up of Microsoft Security MVPs, leading industry experts, and security professionals. Additionally, the report with your score supplies links to the corresponding Microsoft Learn pages so you can easily dig deeper and educate yourself.
The Microsoft Learn page that ENow pointed me to provided the detail I needed around public client flows and how to adapt the configuration for application security. As mentioned before, when we add an application to Entra ID, our primary focus is on the application permissions that we grant with the Global Administrator role and perhaps which accounts are allowed to use the approved application. But an application configures so much more when you add it to your tenant, and this often goes unnoticed.

Adjusting the public client flow configurations gave me eight additional points and increased the score to 76%. I was able to take a deep breath and felt good. That was a plateau where I could take a break.
The AppGov Score also considers whether you register new applications in the tenant. And this is exactly what happened when I registered PnP PowerShell. As the following screenshot shows, I was initially disillusioned: the score collapsed to below average (orange arrow). But what was the reason?

The AppGov score drop was due to adding the PnP PowerShell app registration with device authentication. Shockingly, a self-signed authentication certificate with a ten-year lifetime is created during registration. The example given in the PnP online documentation for PowerShell authentication does not indicate that you can control the certificate’s validity period via the ValidYears parameter and assign a certificate password. The default validity of the certificate is ten years. The registration process creates an automatically generated certificate without a password, resulting in an enormous security risk. In addition, the application also registers with public client flows enabled.
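To make the two findings above (public client flows left enabled, and the long-lived, password-less certificate that a default PnP PowerShell registration creates) checkable in your own tenant, here is an added audit script using the Microsoft Graph PowerShell SDK. It is not part of the article or of ENow’s product; the two-year threshold and the owner check are my assumptions, and the remediation lines at the end are commented out so you can decide per application.

```powershell
# Added example (not from the article or ENow): flag app registrations that
# (a) allow public client flows, (b) carry a certificate credential valid for
# longer than $maxCertYears, or (c) have no owner assigned.
# Requires the Microsoft.Graph.Applications module and Application.Read.All.
Connect-MgGraph -Scopes "Application.Read.All" -NoWelcome

$maxCertYears = 2   # assumption: certificates valid longer than this are flagged

$apps = Get-MgApplication -All -Property "Id,DisplayName,AppId,IsFallbackPublicClient,KeyCredentials"

$findings = foreach ($app in $apps) {
    # Certificate credentials whose validity window exceeds the threshold
    $longCerts = @($app.KeyCredentials | Where-Object {
        $_.Type -eq 'AsymmetricX509Cert' -and
        ($_.EndDateTime - $_.StartDateTime).TotalDays -gt (365 * $maxCertYears)
    })
    $owners = @(Get-MgApplicationOwner -ApplicationId $app.Id -ErrorAction SilentlyContinue)

    if ($app.IsFallbackPublicClient -or $longCerts.Count -gt 0 -or $owners.Count -eq 0) {
        [pscustomobject]@{
            DisplayName       = $app.DisplayName
            AppId             = $app.AppId
            PublicClientFlows = [bool]$app.IsFallbackPublicClient
            LongLivedCerts    = $longCerts.Count
            Owners            = $owners.Count
        }
    }
}

$findings | Sort-Object PublicClientFlows, LongLivedCerts -Descending | Format-Table -AutoSize

# Remediation, per application and only after checking how it authenticates:
# disabling public client flows breaks device-code sign-in, so keep it enabled
# for apps that genuinely need it and rely on the certificate instead.
# Update-MgApplication -ApplicationId <object id> -IsFallbackPublicClient:$false

# For a fresh PnP PowerShell registration, pass a short validity and a password
# instead of accepting the ten-year, password-less default (hypothetical values):
# $pw = Read-Host -AsSecureString "Certificate password"
# Register-PnPEntraIDApp -ApplicationName "PnP-Automation" -Tenant contoso.onmicrosoft.com `
#     -Interactive -ValidYears 1 -CertificatePassword $pw -OutPath C:\certs
```

Run it again after your changes; the rows that disappear correspond closely to the measurement points the AppGov dashboard credits you for.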
After customizing the settings of the PnP PowerShell application and adding purpose descriptions to each application, I was able to raise the AppGov score to 85%.
But the configuration is not over yet. Over the next few weeks, I will make further adjustments to the configurations of the enterprise applications and app registrations because the goal is to achieve an excellent application governance rating.
Summary
When you come across the term governance, you tend to recoil immediately, because you have a complicated organizational construct in mind. In the context of application governance, that deterrent effect is even stronger.
I have tried out several well-known solutions that deal with governance in the past. They focus on evaluating configuration policies and how they are applied to accounts. These solutions leave out the critical area of corporate applications.
Operating a Microsoft 365 tenant requires a particular focus on enterprise applications, which are essential for the productive and secure use of solutions in a SaaS world. They also pose a risk of unauthorized access to personal and enterprise data if you do not configure the applications correctly and check their validity regularly, as the recent Midnight Blizzard OAuth attack has shown.
ENow has achieved something special with the App Governance Accelerator. They offer an easy-to-read and easy-to-use governance solution for a very complex topic that is not just for experts. Even an administrator who only occasionally visits the enterprise applications area in Entra ID can configure a tenant more comprehensively and securely.
The AppGov Score not only helps large enterprises get a grip on the diversity of application registrations but is also a helpful tool for medium-sized companies.
For me, AppGov Score is an indispensable tool in my Microsoft 365 toolbox, and given that it is free, it is a tool that every identity admin should try. The paid version of this tool accelerates improving your security posture and staying on top of it.
