
Review and clean up applications with excessive permissions


Last updated 7 months ago

Problem description:

Many software solutions are made to enhance or offer functionality and features on your data in the Microsoft 365 cloud. Most organizations do not have a fully functional application governance process.

Entra ID allows organizations to provide single sign-on (SSO) to applications, services and systems, represented as Enterprise Apps and App Registrations.

Prime examples of such enterprise applications are Salesforce and Workday for end-user use, and Keepit (backup), AvePoint Fly (migration tool) or ShareGate Teams management for operational purposes.

There are thousands of applications available that offer functionality "needed" by your end-users. By default, end-users are allowed to consent to install any of these applications, and if one of your users is compromised, the attacker could install an application that copies, deletes or manipulates all data in every resource that user has access to.

  • What access do all these software providers have within your environment?

  • Where is your data processed?

  • What kind of data will be stored or processed in that software?

  • Can all these vendors be trusted? Do they have proper security measures in place, and what about backup and availability?

These questions are important to address in order to avoid security and regulatory breaches.

"If an application is free of charge, they most likely get paid with access to your data"

Read up: Microsoft MVP and MCT Sander Berkouwer has written an article explaining Microsoft Entra ID App Registration and Enterprise App Security.

Considerations:

Decide how you want to onboard new applications. You should establish a process to consider security, risk, compliance and ownership before installing new applications within your environment.

Because a new application can be installed so simply and quickly, you also have to review what exposure you have today and take action.

Bsure recommendations:

Inform your users of the new process for onboarding new applications.

Review your current applications:

Start by filtering on security risk Critical and High to scope down the list of applications.

Click on each application in the Focus table and review the need for it and the permissions given. Where is the data processed?

Example:

Why does the print solution need the permission Sites.ReadWrite.All? That permission "Allows the app to create, read, update, and delete documents and list items in all site collections without a signed in user." Why do you need permission to delete files in all SharePoint sites in order to print?

Do you trust this vendor? If that vendor has a security breach, your SharePoint data will be exposed as well.

Then remove the applications and permissions that are not needed.

Then review Medium and Low risk as well and delete the apps that are not needed.
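The review procedure above (scope to Critical and High first, then ask, per application, why each permission is needed) can be run against an exported list of service principals before anyone starts clicking through the Focus table. The script below is an added example, not Bsure's code: the input shape (a list of service principals with the Microsoft Graph application permission names granted to them), the four risk tiers and the short list of directory-takeover permissions are this example's own assumptions, and the sample apps are constructed. Bsure's own Critical/High classification is not reproduced here.

```python
"""Rank Entra ID enterprise apps by the risk of the application permissions
granted to them, so the review can start with Critical and High.

Added example, not Bsure's code. Input shape, risk tiers and the
DIRECTORY_TAKEOVER list are assumptions of this example.
"""
import re

# Application permissions that let an app change directory configuration,
# grant itself further permissions, or assign roles: treated as critical.
# (Assumption: a short starting list, not an exhaustive one.)
DIRECTORY_TAKEOVER = {
    "Application.ReadWrite.All",
    "AppRoleAssignment.ReadWrite.All",
    "RoleManagement.ReadWrite.Directory",
    "Directory.ReadWrite.All",
}

RISK_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}

# Constructed sample input (no real tenant data). The permission names are
# real Microsoft Graph application permissions; the app names are invented.
SAMPLE_APPS = [
    {"displayName": "Print Solution (hypothetical)",
     "appRoles": ["Sites.ReadWrite.All", "User.Read.All"]},
    {"displayName": "Teams Management Tool (hypothetical)",
     "appRoles": ["Sites.FullControl.All", "Group.ReadWrite.All", "Directory.Read.All"]},
    {"displayName": "Legacy Migration Tool (hypothetical)",
     "appRoles": ["Application.ReadWrite.All", "Sites.Read.All"]},
    {"displayName": "Expense Connector (hypothetical)",
     "appRoles": ["User.Read.All"]},
    {"displayName": "Status Widget (hypothetical)", "appRoles": []},
]


def permission_risk(name: str) -> str:
    """Tier one application permission by name (heuristic).

    Tenant-wide write/full-control such as Sites.ReadWrite.All is 'high';
    tenant-wide read such as User.Read.All is 'medium'. Some application
    permissions without a '.All' suffix (e.g. Mail.ReadWrite) still cover
    every mailbox, so treat the result as a starting point, not a verdict.
    """
    if name in DIRECTORY_TAKEOVER:
        return "critical"
    if name.endswith(".All") and re.search(r"\.(ReadWrite|FullControl|Manage)", name):
        return "high"
    if name.endswith(".All"):
        return "medium"
    return "low"


def app_risk(app: dict) -> dict:
    """Worst tier over an app's granted permissions, plus the permissions driving it."""
    tiers = {p: permission_risk(p) for p in app.get("appRoles", [])}
    worst = min(tiers.values(), key=RISK_ORDER.__getitem__, default="low")
    drivers = sorted(p for p, t in tiers.items() if t == worst and worst != "low")
    return {"displayName": app["displayName"], "risk": worst, "drivers": drivers}


def rank_apps(apps: list) -> list:
    """Most dangerous first; ties broken by how many permissions drive the tier."""
    return sorted(
        (app_risk(a) for a in apps),
        key=lambda r: (RISK_ORDER[r["risk"]], -len(r["drivers"]), r["displayName"]),
    )


def scope_to(ranked: list, tiers=("critical", "high")) -> list:
    """First step of the review: narrow the list to Critical and High."""
    return [r for r in ranked if r["risk"] in tiers]


def review_question(entry: dict) -> str:
    """The question to put to the app owner for each flagged permission."""
    perms = ", ".join(entry["drivers"]) or "no application permissions"
    return f"{entry['displayName']}: why does it need {perms}, and where is the data processed?"


if __name__ == "__main__":
    for entry in scope_to(rank_apps(SAMPLE_APPS)):
        print(f"[{entry['risk']:8}] {review_question(entry)}")
```

Replace SAMPLE_APPS with your own export; the tie-break on the number of driving permissions keeps an app that holds two tenant-wide write permissions above one that holds a single one, which matches the order in which you would want to talk to the owners.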

Bsure Insights itself would give an attacker powerful insight into your environment, but the permissions given to its Managed Identity are low (read access only).

To verify from where your apps are processing your data, use the map or the breakdown table and click on each country:

In this example we've filtered on the popular operational software "ShareGate Teams management". ShareGate runs its environment in Virginia, US, according to the sign-in logs from the service principal used for that application. This means that ShareGate could process all your SharePoint data with the permission that "Allows the app to have full control of all site collections without a signed in user".

ShareGate states:

A risk and compliance evaluation should be performed on all the applications that access and process your data in their own environment.

What will happen if my application vendor suffers a security breach? Do they provide proper safeguards to ensure the availability, confidentiality and integrity of my data? Do I have a valid reason to export this data according to the laws and regulations that apply to my organization?

Make sure you've turned off the ability for all users to consent to new applications.

The Bsure Insights - Security - Service Principals report will give you insights into your application environment in Entra ID.
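Turning off the ability for all users to consent to new applications is a tenant-wide setting in Entra ID, and it is worth checking it the same way you check the applications themselves. The script below is an added example, not Bsure's code: it inspects a Microsoft Graph authorizationPolicy object (the shape returned by GET /policies/authorizationPolicy), classifies the user-consent setting, and builds the PATCH body that switches it off while leaving unrelated policies in place. The sample policy is constructed, the owned-resource policy id in it is a placeholder, and the two built-in user-consent policy ids are the ones Microsoft documents for the legacy "all apps" and "verified publishers" settings (assumption: verify them against current documentation for your tenant, as is the request shape of the PATCH).

```python
"""Check whether end users can still consent to new applications, and build
the change that turns it off.

Added example, not Bsure's code. The policy object is constructed; the
built-in policy ids and the PATCH shape are assumptions to verify against
current Microsoft documentation.
"""
import copy

SELF_PREFIX = "ManagePermissionGrantsForSelf."
USER_CONSENT_ALL_APPS = SELF_PREFIX + "microsoft-user-default-legacy"   # users may consent to any app
USER_CONSENT_VERIFIED = SELF_PREFIX + "microsoft-user-default-low"      # verified publishers, low-risk permissions only
UNRELATED_POLICY = "ManagePermissionGrantsForOwnedResource.example-team-policy"  # placeholder id, not a real policy

# Constructed sample: a tenant still on the "users may consent to any app"
# setting, plus an unrelated owned-resource policy that must be kept.
SAMPLE_POLICY = {
    "id": "authorizationPolicy",
    "defaultUserRolePermissions": {
        "allowedToCreateApps": True,
        "permissionGrantPoliciesAssigned": [USER_CONSENT_ALL_APPS, UNRELATED_POLICY],
    },
}


def classify_user_consent(policy: dict) -> dict:
    """Summarise the setting as 'disabled', 'verified-publishers', 'all-apps' or 'custom'."""
    perms = policy.get("defaultUserRolePermissions", {})
    assigned = perms.get("permissionGrantPoliciesAssigned", [])
    # Only the ...ForSelf policies govern what a user may consent to on their own behalf;
    # owned-resource policies (teams, chats) are a different setting and are ignored here.
    self_policies = [p for p in assigned if p.startswith(SELF_PREFIX)]
    if not self_policies:
        state = "disabled"
    elif self_policies == [USER_CONSENT_VERIFIED]:
        state = "verified-publishers"
    elif USER_CONSENT_ALL_APPS in self_policies:
        state = "all-apps"
    else:
        state = "custom"
    return {
        "state": state,
        "users_can_consent": state != "disabled",
        # Separate finding: whether ordinary users may register their own applications.
        "users_can_register_apps": bool(perms.get("allowedToCreateApps", False)),
        "self_policies": self_policies,
    }


def disable_user_consent_patch(policy: dict) -> dict:
    """Body for PATCH /policies/authorizationPolicy that removes user consent
    but keeps every non-self policy exactly as it was (assumed request shape)."""
    assigned = policy.get("defaultUserRolePermissions", {}).get("permissionGrantPoliciesAssigned", [])
    kept = [p for p in assigned if not p.startswith(SELF_PREFIX)]
    return {"defaultUserRolePermissions": {"permissionGrantPoliciesAssigned": kept}}


def apply_patch(policy: dict, patch: dict) -> dict:
    """Simulate the tenant applying the PATCH, so the result can be re-checked offline."""
    updated = copy.deepcopy(policy)
    updated.setdefault("defaultUserRolePermissions", {}).update(patch["defaultUserRolePermissions"])
    return updated


if __name__ == "__main__":
    before = classify_user_consent(SAMPLE_POLICY)
    patch = disable_user_consent_patch(SAMPLE_POLICY)
    after = classify_user_consent(apply_patch(SAMPLE_POLICY, patch))
    print("before:", before["state"], "| after:", after["state"])
    print("patch body:", patch)
```

Running the same classifier on the policy you actually fetch turns "make sure you've turned off user consent" into a repeatable check; the `users_can_register_apps` field is reported alongside because a tenant that blocks consent but still lets every user register applications has only closed half the door.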