July 31, 2024 | 3 min read
Ivan Fioravanti
Ivan Fioravanti, Co-founder and CTO for CoreView, uses his system engineer and .NET development skills to lead CoreView’s technology team. He’s passionate about AI, automation and all things Microsoft 365.
Entra Security: App Permissions Threats in Microsoft 365

Microsoft Entra facilitates the configuration of software applications. If not managed properly, app permissions and misconfigurations result in security gaps.

Identity Management Risks in Microsoft Entra

Microsoft Entra, Microsoft's Identity and Access Management (IAM) system, is the central store for an organization's digital identities; software applications are configured to rely on it for authentication and for the user information they need.

The Microsoft identity platform supports authentication across modern app architectures and adheres to industry-standard protocols such as OAuth 2.0 and OpenID Connect. It accommodates a wide range of application types: single-page apps (SPAs), web apps, web APIs, mobile and native apps, and services, daemons, and scripts. Applications that run without user interaction, particularly long-running processes, use the OAuth 2.0 client credentials flow to authenticate and access secured resources under the app's own identity.

The Importance of Application Management in Entra

Proper management of applications within Microsoft Entra is crucial for maintaining the integrity and security of digital identities, as it serves as the central repository for all user information utilized by various applications. By adhering to industry-standard protocols and managing applications effectively, organizations can ensure secure and seamless authentication processes across diverse app architectures, thereby safeguarding access to critical resources.  

Additionally, application management in Entra enables the secure operation of applications, especially those operating autonomously without user interaction, by preventing unauthorized access and potential security breaches through the careful control of app identities and permissions.

High-Risk App Permissions and Threats

Industry research reveals that 39% of apps request high-risk permissions from Microsoft 365, a significant figure, especially considering that even "medium risk" permissions can be exploited. With companies of various sizes integrating thousands of SaaS applications into Microsoft 365, often without the security team's knowledge, the potential for unauthorized access and data breaches increases, as evidenced by 15% of third-party apps having the ability to read, create, update, and delete files, and 12% the ability to manage email content.

These findings, coupled with a Gartner survey indicating that almost 60% of respondents view oversharing, data loss, and content sprawl as major risks, prompted the CoreView team to develop the Entra Security Scanner for App Registrations, a free tool designed by Vasil Michev and Ivan Fioravanti to help IT teams identify and address elevated custom app permissions that could lead to non-compliance and security gaps.

Free Entra Security Tool: From Vulnerability to Vigilance  

The free tool was created in response to the Midnight Blizzard attack on Microsoft’s tenant, where an application with excessively high and risky privileges was exploited. This incident highlighted a broader issue: applications, regardless of their permissions, can pose significant security risks, especially those developed in-house or through less secure methods, such as using Power Apps or tenant administrators creating custom scripts via Graph Explorer. These applications appear differently in the Entra portal, prompting a need for more stringent management and oversight.

The Entra Security Scanner for App Registrations offers a comprehensive assessment of application permissions, identifying critical issues such as applications without owners and those with risky access. It also evaluates medium-severity issues, such as expired credentials and excessive validity, providing a detailed report that facilitates immediate corrective action.  

This proactive approach to security, leveraging policies and severity levels, aligns with CoreView's commitment to maintaining a secure and compliant Microsoft 365 environment.

Download the Entra Security Scanner for App Registrations today.

A Tactical Guide to Using the Entra Security Scanner

For organizations seeking to enhance their security posture, the tool offers a granular analysis, enabling users to customize the evaluation criteria and dive deeper into potential vulnerabilities. The inclusion of an Excel file alongside the report simplifies the analysis, allowing for a focused investigation of flagged issues.  

Here are the issues the tool reviews and flags:

1. Applications with Risky Access

To address these concerns, the team developed a preliminary tool offering a glance at six baseline policies, including identifying applications without owners—a critical compliance issue—and tracking applications with risky access. This approach stems from the realization that applications, especially those developed internally, often lack rigorous security checks compared to third-party applications vetted by vendors like CoreView.

(Screenshot: Entra Security Scanner for App Registrations report)

2. Expired Credentials

The tool also tackles medium severity issues, such as expired credentials, by allowing customization of the script parameters to suit different organizational needs. This capability provides a more nuanced understanding of an application's security posture than the high-level information typically shown in the Microsoft portal. Additionally, the tool checks for excessive validity of certificates and the usage of apps within your tenant, highlighting unused apps that may still pose a security risk.

Dynamic Security Grading

By focusing on securing fundamental aspects such as Directory ReadWrite access, and access to calendars, contacts, mails, files, and sites, this tool grades each application from A to F (skipping E) based on the severity of issues detected. This dynamic grading system, coupled with the ability to adapt the script, offers a detailed and actionable insight into the security health of applications within a tenant.
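As an added illustration (this is example code, not CoreView's scanner or any code from the article), the following Python grades a handful of constructed app-registration records against the checks described in the sections above: missing owners, app-only access to directory, mail, calendar, contact, file and site data, expired or overly long-lived secrets and certificates, and apps nobody signs in with, then maps the findings to A through F with no E. The record shape, the fixed clock, the validity and unused-app thresholds, and the severity weights and grade cut-offs are all assumptions; the article does not disclose the scanner's own rules. The permission strings are the Microsoft Graph application permission names that correspond to the categories the article lists, and the sample records assume permission ids have already been resolved to those names.

```python
from datetime import datetime, timedelta, timezone

# Fixed "current time" so the example is reproducible (assumption, not a real clock).
NOW = datetime(2024, 7, 31, tzinfo=timezone.utc)

# Tunable thresholds, standing in for the script parameters the article mentions.
MAX_CREDENTIAL_DAYS = 365   # validity longer than this is flagged as excessive (assumed value)
UNUSED_AFTER_DAYS = 90      # no sign-in for this long marks the app as unused (assumed value)

# Microsoft Graph application permissions matching the categories the article
# calls fundamental: directory read/write plus mail, calendars, contacts, files and sites.
RISKY_PERMISSIONS = {
    "Directory.ReadWrite.All",
    "Mail.Read", "Mail.ReadWrite", "Mail.Send",
    "Calendars.ReadWrite", "Contacts.ReadWrite",
    "Files.Read.All", "Files.ReadWrite.All",
    "Sites.Read.All", "Sites.ReadWrite.All", "Sites.FullControl.All",
}


def _ts(value):
    """Parse an ISO 8601 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def find_issues(app):
    """Return [(severity, description), ...] for one app registration record."""
    issues = []
    # High: no owner means nobody is accountable for the app's permissions.
    if not app.get("owners"):
        issues.append(("high", "no owner"))
    # High: app-only permission to directory, mail, calendar, contact, file or site data.
    risky = sorted(set(app.get("applicationPermissions", [])) & RISKY_PERMISSIONS)
    if risky:
        issues.append(("high", "risky access: " + ", ".join(risky)))
    # Medium: expired secrets/certificates, or ones valid for longer than the threshold.
    # An expired credential is reported once, as expired, not also as long-lived.
    for cred in app.get("passwordCredentials", []) + app.get("keyCredentials", []):
        start, end = _ts(cred["startDateTime"]), _ts(cred["endDateTime"])
        if end < NOW:
            issues.append(("medium", f"expired credential {cred['keyId']}"))
        elif end - start > timedelta(days=MAX_CREDENTIAL_DAYS):
            issues.append(("medium", f"credential {cred['keyId']} valid for {(end - start).days} days"))
    # Medium: an app nobody uses is still an entry point if its credentials leak.
    last = app.get("lastSignInDateTime")
    if last is None or _ts(last) < NOW - timedelta(days=UNUSED_AFTER_DAYS):
        issues.append(("medium", f"unused app (no sign-in in the last {UNUSED_AFTER_DAYS} days)"))
    return issues


def grade(issues):
    """Map issues to A-F (no E). The weights and cut-offs are this example's own."""
    score = sum(3 if severity == "high" else 1 for severity, _ in issues)
    if score == 0:
        return "A"
    if score == 1:
        return "B"
    if score == 2:
        return "C"
    if score <= 5:
        return "D"
    return "F"


def scan(apps):
    """Grade every app; returns {displayName: (grade, issues)}."""
    report = {}
    for app in apps:
        issues = find_issues(app)
        report[app["displayName"]] = (grade(issues), issues)
    return report


# Constructed sample records (not real tenant data), shaped loosely like Graph
# application objects with permission ids already resolved to names.
SAMPLE_APPS = [
    {"displayName": "HR Sync Daemon", "owners": [],
     "applicationPermissions": ["Directory.ReadWrite.All", "User.Read.All"],
     "passwordCredentials": [{"keyId": "c1", "startDateTime": "2022-01-01T00:00:00Z",
                              "endDateTime": "2023-01-01T00:00:00Z"}],
     "keyCredentials": [], "lastSignInDateTime": "2024-07-30T06:00:00Z"},
    {"displayName": "Mailbox Archiver", "owners": ["dave@contoso.example"],
     "applicationPermissions": ["Mail.ReadWrite"],
     "passwordCredentials": [{"keyId": "c2", "startDateTime": "2024-03-01T00:00:00Z",
                              "endDateTime": "2024-09-01T00:00:00Z"}],
     "keyCredentials": [], "lastSignInDateTime": "2024-07-28T06:00:00Z"},
    {"displayName": "Retired Reporting App", "owners": ["bob@contoso.example"],
     "applicationPermissions": [],
     "passwordCredentials": [{"keyId": "c3", "startDateTime": "2023-01-01T00:00:00Z",
                              "endDateTime": "2024-01-01T00:00:00Z"}],
     "keyCredentials": [], "lastSignInDateTime": "2024-01-15T06:00:00Z"},
    {"displayName": "Intranet Portal", "owners": ["alice@contoso.example"],
     "applicationPermissions": ["User.Read"], "passwordCredentials": [],
     "keyCredentials": [{"keyId": "k1", "startDateTime": "2024-01-01T00:00:00Z",
                         "endDateTime": "2027-01-01T00:00:00Z"}],
     "lastSignInDateTime": "2024-07-25T06:00:00Z"},
    {"displayName": "Helpdesk Bot", "owners": ["carol@contoso.example"],
     "applicationPermissions": ["User.Read"],
     "passwordCredentials": [{"keyId": "c4", "startDateTime": "2024-05-01T00:00:00Z",
                              "endDateTime": "2024-11-01T00:00:00Z"}],
     "keyCredentials": [], "lastSignInDateTime": "2024-07-29T06:00:00Z"},
]

if __name__ == "__main__":
    for name, (letter, issues) in scan(SAMPLE_APPS).items():
        print(f"{letter}  {name}")
        for severity, text in issues:
            print(f"     [{severity}] {text}")
```

Run as a script it prints one line per app with its grade followed by the findings behind it, which is the shape of report the article describes: the HR daemon with no owner, directory write access and an expired secret lands at F, while the helpdesk bot with an owner, a low-privilege permission, a short-lived secret and recent sign-ins scores A. Against a real tenant the same logic would be fed from the Graph `applications` endpoint together with sign-in activity, with the permission ids mapped to names through the resource service principal's app roles.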

Furthermore, the tool provides detailed reports and an Excel file for deeper analysis, encouraging users to explore and address security issues directly from the portal. This proactive approach to application management and security monitoring is crucial for maintaining compliance and safeguarding against potential breaches.

Continuous App Security and Compliance

Our free tool, the Entra Security Scanner for App Registrations, is an easy way to identify and fix Entra applications connected to your tenant. But it requires running the report on a recurring basis.

For continuous, ongoing Entra app security, consider using CoreView. With CoreView, you can:

  • See unused enterprise apps and apps without owners
  • Report on apps with unverified publishers
  • See apps with long-term certificates and secrets
  • Report on service principals and app registrations in Entra

Learn how to discover, secure, and manage your Entra Apps with CoreView.
