Free Tool: Secure Integrated Apps (and Add-Ins) in Microsoft 365

App registrations in Microsoft 365 can jeopardize your tenant

After the Midnight Blizzard cyberattack on Microsoft in January 2024, one thing became clear: integrated apps in Microsoft 365 pose a critical security risk. These third-party and custom apps often request broad privileges and undergo few controls.

Secure Microsoft 365—from the inside out

With the Entra Security Scanner for App Registrations, you can identify integrated apps with too many privileges. Created by 9-time Microsoft MVP Vasil Michev and CTO Ivan Fioravanti, this tool generates:

A Full List of Apps in Your Tenant: See all third-party and custom apps connected to your tenant.

An Analysis of All App Permissions: Understand the permissions each app has, identifying any that are unnecessarily broad or risky.

Security Best Practices for Integrated Apps: Learn how to mitigate these risky apps and ensure your internal apps adhere to security and compliance best practices.

Get my free tool

How does the Entra Security Scanner for App Registrations work?

This tool uses a PowerShell script, AppRegistrationScanner.ps1, to scan all Entra Apps in your tenant. It can identify various apps, including those you've developed, PowerApps, and third-party applications.

How to use

You can customize the script with two options:

SkipExcelOutput: Outputs results as CSV and HTML
ExcessiveIntervalInDays: Set to 180 days by default, this filters for apps with long periods of inactivity or those with extended validities

Scoring system

Each app starts with a 10-point score. Points are deducted for issues detected:

Critical issues (Minus 2 points each):
Apps lacking an assigned owner
Apps granted risky permissions
Apps using insecure or development stage URIs (e.g., local host, http://)
Medium issues (Minus 1 point):

View the grading system table here.

This system helps you quickly identify and address potential security risks within your apps.

Get my free tool