Ivan Fioravanti, Co-founder and CTO for CoreView, uses his system engineer and .NET development skills to lead CoreView’s technology team. He’s passionate about AI, automation and all things Microsoft 365.
39% of third-party apps connecting to Entra request high levels of permission. And often, organizations often have thousands of these apps with privileged access, but they have limited visibility and control to keep these apps secure.
Nearly every Microsoft 365 organization will have Entra Apps and nearly all of them will lack proper visibility of them.
There are 2 different types of apps that fall into this category:
Internal Entra Apps that have been created by the business or potentially by an individual user
Third-Party Entra Apps that require privileged access to your Entra ID directory in order to function
Entra App Security Vulnerabilities and Permissions Cyberattacks Exploit
Before we jump into examples of recent cyberattacks, it’s important to understand the different types of permissions.
Entra App Permission Types: Delegated vs. Application Entra Permissions
The main difference between delegated and application permissions is that delegated permissions require a user to sign in and consent, while application permissions do not. It is important to understand this distinction.
Delegated Permissions
Also called scopes, these permissions allow an application to act on behalf of a signed-in user. The application can only access data that the user can access. For example, if an app has the delegated permission Files.Read.All, it can only read files that the user can access.
Application Permissions
Also called app roles, these permissions allow an application to access data on its own, without a signed-in user. For example, if an app has the application permission Files.Read.All, it can read any file in the tenant. Application permissions carry the most privacy risks because they allow access to data without a user's consent. Only an administrator or owner of an API's service principal can grant application permissions.
Examples of Dangerous Entra App Permissions
Microsoft Graph Permission
What this permission does
Directory.Read.All
Grants the app access to read the entire directory, including user profiles, groups, and other directory information.
Directory.ReadWrite.All
Allows reading directory data but also modifying it. An attacker could alter user profiles, groups, or other directory data.
Group.ReadWrite.All
An attacker with this permission could modify group memberships, add or remove users from groups, or create and delete groups.
Files.ReadWrite.All
This permission provides access to all files that a user can access, enabling potential data theft, alteration, or deletion of critical documents and files.
Mail.ReadWrite
Allows an app to access and modify all emails in a user's mailbox and the ability to send unauthorized emails.
Misconfigured Third-Party Apps: The Midnight Blizzard Attack
The Midnight Blizzard data breach involved cybercriminals taking advantage of misconfigured third-party apps in Microsoft’s own environment.
The attackers got access to Microsoft's Test environment (a tenant that is used for tests as opposed to their live production tenant). This environment had applications with very high levels of privilege. The attackers used these privileges to do a few critical things:
Create new apps with more privileges
Elevate into the more sensitive production environment
Did you know? 63% of Microsoft 365 tenants fail to implement the principle of least privilege.
Using Entra Apps to Create Perpetual Privileged Access
Account takeovers and phishing attacks are a constant concern for Microsoft 365 organizations.
Despite most businesses using MFA and other zero-trust authentication processes, it is still possible for attackers to take control of admin accounts using sophisticated hacker tech like Evil-Jinx.
These tools allow attackers to steal the session cookies that are generated when users successfully log in using MFA. Regardless of how they do it, attackers will always try to outsmart the authentication processes to get their hands on powerful admin accounts.
However, when they get access, they may only have a short period of time to ensure they either set themselves up to evade detection or to set things up so they can maintain perpetual access—even when they are kicked from the account.
There are many ways they can do this, but one of the most powerful is to create an Entra App.
Although it is relatively likely their account takeover will be detected, it is less likely that a newly created Entra App will be.
The problem is that once they have created this app they can use it to get back into the tenant even if they are permanently removed from the admin account they used to create it.
These applications could have incredibly powerful permissions that could allow the attacker to easily fulfill their objectives without needing to perform another account takeover.
For clear examples of the powerful permissions these Entra Apps can have, jump to examples of dangerous permissions that Apps can have.
Best Practices to Secure and Manage Entra App Registrations
If you have Entra Apps in your environment then cybercriminals can use these to accelerate their attack. Therefore, it is critical that organizations answer these important questions about their Entra applications:
Question
Explained
How many apps are connected to Entra?
This is often the first question in the discovery and analysis process is to get a sense of the scale of what you need to do. Finding the number of internal Entra apps and third-party apps requesting Entra privileges is your first step.
What permissions do these Entra apps use?
You can determine the risk level of the apps you have by looking at the permissions they have. See below for examples.
Are these Entra permissions delegated or application-level permissions?
Delegated permissions rely on a single user and therefore only have the scope associated with that user. Application-level permissions are not restricted this way and therefore have MUCH broader powers.
Which Entra apps have very powerful read/write permissions?
Some permissions are very powerful, some are not so powerful. In your analysis, you will want to prioritize securing applications that have powerful Read/Write.All permissions.
Which Entra apps can we de-provision?
There will be some apps that have been created that are no longer being used. Being able to detect these and de-provision them is really helpful. Not only will this reduce the attack surface, but it will make management easier.
Which Entra apps have expiring secrets/certificates?
Apps with expiring secrets or certificates could lead to outages. If some of your apps are mission critical for your daily operations, then this is a risk you will want to avoid.
Are there Entra apps that are unmanaged?
Some apps will lack clear owners, making governance challenging. For example, if an app needs to have it's secret refreshed, who should you delegate this task to? This highlights the importance of ownership for effective governance.
How do we set up reporting for Entra Apps?
Moving forward, you want to have a reporting process in place that ensures you have continuous visibility of all of the above issues.
How do we enable continuous remediation for Entra applications?
Ideally, you can set up processes that help you to immediately take action whenever high-risk Entra apps are identified. Where possible you should leverage automation to reduce the time-to-action and take the pressure off of your team.
Microsoft's information on all of this is inconsistent and hard to understand. Microsoft did not detect these apps in their environment and did not detect the creation of new apps either, showing that it is incredibly hard to do it with their own technology!
Entra App Security Best Practices
Based on the information outlined above, we’ve created a list of best practices to help you secure third-party and internal apps connected to Entra.
Conduct an App Inventory: Begin by identifying and cataloging all internal and third-party apps connected to Entra. Understanding the scale of the apps in use is crucial for effective management and security.
Assess Permissions: Review the permissions assigned to each Entra app. This helps in determining the risk level associated with each app and informs your security strategy.
Differentiate Permission Types: Understand the distinction between delegated permissions and application-level permissions. Focus on the implications of each type, as application-level permissions carry broader capabilities and potential risks.
Prioritize Powerful Permissions: Identify and prioritize securing apps with powerful Read/Write.All permissions, as these pose the highest risk if compromised.
De-provision Unused Apps: Regularly review and identify apps that are no longer in use. De-provisioning these applications reduces the attack surface and simplifies management efforts.
Monitor for Expiring Secrets/Certificates: Track apps with expiring secrets or certificates to prevent potential outages. Implement a process to renew these credentials in a timely manner, especially for mission-critical applications.
Establish Clear Ownership: Ensure that every app has a designated owner. Clear ownership facilitates better governance and accountability, particularly for tasks like secret management and compliance.
Implement Reporting Mechanisms: Set up a reporting process that provides continuous visibility into the status and security of Entra apps. Regular reporting helps in identifying issues early and tracking improvements.
Enable Continuous Remediation: Develop processes for immediate action when high-risk apps are identified. Leverage automation where possible to streamline remediation efforts and reduce the burden on your team.
Best Practice Security Checklist
Download the complete list of Security Best Practices for Entra App Registration here.
Navigate to the App registration section within Entra ID under Applications.
Select All Applications.
Click on New Registration.
Name your application. For example, “AwesomeTestApp”.
Choose the supported account types that suit your needs. For this guide, we'll select the first option.
Once all choices have been made, click on “Register”.
Step 2: Add API Permissions
Now that we created our test app, we can add additional API Permissions to this app.
Here's how to proceed:
Go to API Permissions.
Click on “Add permissions”
For this guide, we'll select Microsoft Graph as the API to grant permissions to.
Next, let's search for and select user.readwrite.all, then click “Add permissions”:
Step 3: Assign user permissions
Next, let's assign permission to a specific user, enabling them to utilize this application. Here's the process:
Navigate to “Enterprise Applications” and select “All applications”.
Find and click on the app you just created.
Choose Assign users and groups.
Select “Add user/group”
Search for and select the user you wish to give permission to, then click “Select”.
Confirm by clicking “Assign”.
Step 4: restrict access to assigned users
The following step involves configuring the application to ensure that only the users we've specifically assigned can access it. Here's how to proceed with this adjustment:
Click on “Properties”:
Toggle “Assignment required” to Yes and click “Save”.
How to View Entra App Changes in Microsoft Purview
To effectively review the changes made during the app creation and configuration process in Entra ID, and to verify these adjustments through Microsoft Purview, follow this step-by-step guide:
In the Activities section, add the following events to track app registration activities:
Add app role assignment grant to user
Add delegated permission grant
Add service principal
Click on “Search”.
Step 2: Review the Audit log
Microsoft Purview will now begin compiling the information requested. This process may take between 5 to 20 minutes, varying with the activity level on your tenant.
Once this is complete, we’ll show you how to review app details (using “Added service principal”), view which users the app has been assigned to (with the “Added app role assignment grant to user” function), and examine the app permissions (using “Added delegated permission grant”)
Here's the process:
Click on the Audit Log to explore the details:
Review every event associated with our recent Entra app creation, including the delegation of permissions and other related activities:
(Optional) Select the “Added service principal” entry for detailed information about the app, including its display name:
(Optional) Click on the “Added app role assignment grant to user” line to see which users have been assigned to the app:
(Optional) Selecting the “Added delegated permission grant” entry to see the specific permissions that have been granted to the app.
By following these steps, you will have not only successfully created and configured an application in Entra ID, but you’ll have also verified and reviewed all related changes through Microsoft Purview's audit log feature.
How to Generate a Report of all Entra App Registration (Free Tool)
Identify elevated custom and third-party app permissions that lead to non-compliance and security gaps cyberattacks target.
The tool, created by 9-time MVP Vasil Michev and CTO Ivan Fioravanti, generates:
An analysis of how your Entra apps manage: Evaluate how your internal apps manage credentials, highlighting any that may be expired or non-compliant.
Actionable, tailored recommendations to mitigate app risks: Get advice for mitigating the identified risks, tightening your security posture, and ensure your internal apps adhere to best practices for security and compliance.
The Alternative Way to Secure and Manage Entra App Registrations
CoreView gives you tools to find and secure internal and third-party applications connected to Entra and your Microsoft environment. You can save yourself hours and hours of painful PowerShell, Excel, and Power BI work trying to understand the landscape of your Entra apps and their permissions with.
With CoreView, you get complete visibility into your Entra apps. These 10+ out-of-the-box Entra app reports cover everything from service principals and permission types to expiring app secrets, app registration owners, and more. Read the full list of CoreView's Entra App reports.
