Review and clean up applications with excessive permissions

Problem description:

Many software solutions are built to enhance or add functionality on top of your data in the Microsoft 365 cloud. Most organizations do not have a fully functional application governance process.

Entra ID allows organizations to provide single sign-on (SSO) to applications, services and systems, represented as Enterprise Apps and App Registrations.

Prime examples of such enterprise applications are Salesforce and Workday for end-user use, and Keepit (backup), AvePoint Fly (migration tool) or ShareGate Teams management for operational purposes.

Thousands of applications offering functionality "needed" by your end-users are available. By default, end-users are allowed to consent to any of these applications, and if one of your users is compromised, the attacker could install an application that copies, deletes or manipulates all data in every resource that user has access to.

  • What access do all these software providers possess within your environment?

  • From where is your data processed?

  • What kind of data will be stored or processed in that software?

  • Can all these vendors be trusted? Do they have proper security measures in place, and what about backup/availability?

It is important to address these questions to avoid security and regulatory breaches.

"If an application is free of charge, they most likely get paid with access to your data"

Read up: Microsoft MVP and MCT Sander Berkouwer has written an article explaining Microsoft Entra ID App Registration and Enterprise App Security.

Considerations:

Decide how you want to onboard new applications. You should establish a process to consider security, risk, compliance and ownership before installing new applications within your environment.

Because a new application can be installed so quickly and easily, you also need to review the exposure you already have today and take action.

Bsure recommendations:

Make sure you've turned off the ability for all users to consent to new applications.

Inform your users of the new process for onboarding new applications.

Review your current applications:

The Bsure Insights - Security - Service Principals report gives you insight into your application environment in Entra ID:

Start by filtering on security risk Critical and High to narrow down the list of applications.

Click on each application in the Focus table and review whether it is needed and which permissions it has been granted. Where is the data processed?

Example:

Why does the print solution need the permission Sites.ReadWrite.All? That permission "Allows the app to create, read, update, and delete documents and list items in all site collections without a signed in user." Why do you need the permission to delete files in all SharePoint sites in order to print?

Do you trust this vendor? If that vendor has a security breach, your SharePoint data will be exposed as well.

Then remove applications and permissions not needed.

Then review Medium and Low risk as well and delete the apps not needed.
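A script-based version of the review above, added here as an example and not part of Bsure Insights: it uses the Microsoft Graph PowerShell SDK to list every application (app-only) permission granted to service principals in the tenant and flags the ones that grant tenant-wide write access, such as the Sites.ReadWrite.All case above. The high-risk patterns and the output file name are this example's own assumptions.

```powershell
# Added example, not Bsure or Microsoft code. Requires the Microsoft.Graph module
# and a reader account with Application.Read.All / Directory.Read.All.
Connect-MgGraph -Scopes "Application.Read.All", "Directory.Read.All" -NoWelcome

# Assumed risk patterns for this example: anything that writes tenant-wide,
# or touches directory, mail, files or role management.
$highRiskPatterns = @('\.ReadWrite\.All$', '^Directory\.', '^Mail\.', '^Files\.',
                      '^Sites\.FullControl\.All$', '^RoleManagement\.')

$resourceCache = @{}   # resource service principal id -> its AppRoles (avoids repeated lookups)
$report = foreach ($sp in Get-MgServicePrincipal -All -Filter "servicePrincipalType eq 'Application'") {
    # App role assignments are the application permissions granted without a signed-in user
    foreach ($a in Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All) {
        if (-not $resourceCache.ContainsKey($a.ResourceId)) {
            $resourceCache[$a.ResourceId] = (Get-MgServicePrincipal -ServicePrincipalId $a.ResourceId).AppRoles
        }
        # Translate the role GUID into its readable name, e.g. Sites.ReadWrite.All
        $role = $resourceCache[$a.ResourceId] | Where-Object Id -eq $a.AppRoleId
        $perm = if ($role) { $role.Value } else { "<unknown role $($a.AppRoleId)>" }
        $isHigh = [bool]($highRiskPatterns | Where-Object { $perm -match $_ })
        [pscustomobject]@{
            App          = $sp.DisplayName
            AppId        = $sp.AppId
            Resource     = $a.ResourceDisplayName
            Permission   = $perm
            HighRisk     = $isHigh
            Granted      = $a.CreatedDateTime
            AssignmentId = $a.Id   # needed if the grant is later removed
        }
    }
}

# Review the high-risk rows first, then the rest; keep a CSV as the review record
$report | Where-Object HighRisk | Sort-Object App, Permission | Format-Table App, Resource, Permission, Granted -AutoSize
$report | Export-Csv -Path .\sp-app-permissions.csv -NoTypeInformation

# After review, a grant that is not needed is removed per assignment, for example:
#   Remove-MgServicePrincipalAppRoleAssignment -ServicePrincipalId <sp.Id> -AppRoleAssignmentId <AssignmentId>
# and user consent is switched off tenant-wide (requires Policy.ReadWrite.Authorization):
#   Update-MgPolicyAuthorizationPolicy -AuthorizationPolicyId authorizationPolicy `
#       -DefaultUserRolePermissions @{ PermissionGrantPoliciesAssigned = @() }
```

The report covers application permissions only; delegated grants consented by users are listed separately with Get-MgServicePrincipalOauth2PermissionGrant and should be reviewed the same way.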

Bsure Insights itself would give an attacker powerful insight into your environment; the permissions given to its Managed Identity are low (read access).

To verify where your apps are processing your data, use the map or the breakdown table and click on each country:

In this example we have filtered on the popular operational software "ShareGate Teams management". According to the sign-in logs of the service principal used for that application, ShareGate runs its environment in Virginia, US. This means that ShareGate could process all your SharePoint data using the permission that "Allows the app to have full control of all site collections without a signed in user".

ShareGate states:

A risk and compliance evaluation should be performed on all the applications that access and process your data in their own environment.

What will happen if my application vendor suffers a security breach? Do they provide proper safeguards to ensure the availability, confidentiality and integrity of my data? Do I have a valid reason to export this data under the laws and regulations that apply to my organization?
