2024 Top AppGov Score Resources for Application Governance & Security

January 2, 2025 ENow Software

As we start 2025, we wanted to take a moment to highlight some of the greatest AppGov moments of 2024. From blog posts written by Microsoft MVPs to webinars orchestrated by ENow, we have much to celebrate from the year.

Top 2024 Blogs

How to Restrict Microsoft Graph API Access to Mailboxes 

This blog was written by MVP Louis Mastelinck, a security consultant at The Collective. Louis specializes in incident response and the Microsoft Security stack (MDE, MDO, MDI, MDCA, Sentinel, ...); he excels at neutralizing threats and protecting organizations.

The blog focuses on the Microsoft Graph API, a powerful tool that allows developers and IT professionals to interact with various Microsoft 365 services, including OneDrive, Outlook, Teams, and more, through a unified endpoint. Louis demonstrates the importance of securing API access, specifically when applications hold broad permissions, such as the ability to send emails on behalf of any user, which can lead to significant security exposure if the application is compromised.

He explains the two types of permissions for interacting with the Microsoft Graph API: delegated and application permissions. He stresses the risks of granting excessive permissions and provides methods for managing them. He suggests using the ENow App Governance Accelerator to report on API permissions, and PowerShell scripts to audit app registrations. You can read the blog in its entirety here: How to Restrict Microsoft Graph API Access to Mailboxes.

Authenticating to the Microsoft Graph API with PowerShell 

The second top blog from 2024 was also written by MVP Louis Mastelinck. Louis talks about the challenges and best practices for authenticating automation scripts and applications with Microsoft services, particularly through Azure and the Graph API.  

He mentions Microsoft's plan to move away from user-based service accounts in 2025 and instead require MFA. The blog provides a detailed guide on how to authenticate to the Graph API via PowerShell, covering both client secret and certificate-based authentication methods. Louis emphasizes the importance of securely storing secrets and certificates and following best practices for managing authentication credentials. Read the full blog here: Authenticating to the Microsoft Graph API with PowerShell.
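As an added illustration of the two app-only authentication methods the blog covers (this is not Louis's code or ENow's), the following PowerShell uses the Microsoft Graph PowerShell SDK's Connect-MgGraph with either a client secret or a certificate, then lists which app registrations still rely on secrets versus certificates. The tenant ID, client ID and thumbprint are placeholders you would replace with your own values.

```powershell
# Added example; assumes Microsoft.Graph PowerShell SDK v2 and an app registration
# that has been granted Application.Read.All. IDs below are placeholders.
$TenantId = '<tenant-id>'
$ClientId = '<app-registration-client-id>'

# Option A: client secret. The secret is read at runtime (or pulled from a vault),
# never hard-coded in the script file.
$secret = Read-Host -AsSecureString -Prompt 'Client secret'
$cred   = [System.Management.Automation.PSCredential]::new($ClientId, $secret)
Connect-MgGraph -TenantId $TenantId -ClientSecretCredential $cred -NoWelcome

# Option B: certificate-based. The private key stays in the local certificate
# store and is selected by thumbprint; nothing secret is passed on the command line.
# Connect-MgGraph -TenantId $TenantId -ClientId $ClientId `
#     -CertificateThumbprint '<certificate-thumbprint>' -NoWelcome

# Confirm we are running app-only and see the permissions the token carries.
$ctx = Get-MgContext
"AuthType: $($ctx.AuthType)"
"Scopes:   $($ctx.Scopes -join ', ')"

# Audit: which registrations still use secrets (password credentials) rather
# than certificates (key credentials), and when the oldest credential expires.
Get-MgApplication -All |
    Select-Object DisplayName, AppId,
        @{ n = 'Secrets'; e = { $_.PasswordCredentials.Count } },
        @{ n = 'Certs';   e = { $_.KeyCredentials.Count } },
        @{ n = 'NextExpiry'; e = {
            ($_.PasswordCredentials + $_.KeyCredentials).EndDateTime |
                Sort-Object | Select-Object -First 1 } } |
    Sort-Object Secrets -Descending |
    Format-Table -AutoSize
```

Registrations that show a non-zero Secrets count and a zero Certs count are the candidates for moving to certificate-based authentication; the NextExpiry column helps schedule the rotation.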

Insecure App Registrations Breached Microsoft 

In this blog, Thijs Lecomte, an M365 Senior Consultant at The Collective and Security MVP, reviewed Microsoft's article about the January Midnight Blizzard attack. Based on the article, he concludes that:

  • The legacy environment contained an existing OAuth application that had the permission to create applications and users in the Microsoft production environment.  
  • With a newly created admin account, the threat actor provided admin consent to an application that had full Exchange permissions. 

Thijs walks through what happened step by step and then lists the missed opportunities that could have prevented the attack. Those missed opportunities double as proactive steps organizations can take to prevent future attacks.

  • Missed Opportunity #1 - Regularly Audit Application Usage
  • Missed Opportunity #2 - Rigorously Monitor Roles That Can Consent to Applications
  • Missed Opportunity #3 - Audit Full-Access Permissions
  • Missed Opportunity #4 - Monitor Changes in Usage and Sign-In Activity

He concludes with a list of recommendations to strengthen your security posture, including using ENow's free AppGov Score tool. Check out the recommendations list in the full blog here: Insecure App Registrations Breached Microsoft.

Public Client Flows: What You Need to Know 

The next top blog was written by Alistair Pugin, a Microsoft M365 and Security MVP in South Africa and Owner of YMD. He starts by recognizing how clear IT teams' responsibilities were before the cloud. Today, it often falls to identity management admins to concern themselves with the applications registered and deployed into their cloud environment, in this case Azure. If these applications are not managed properly, attacks can occur.

Alistair describes public client flow as a feature used in conjunction with a public client application. Public applications are essentially applications that run on devices or desktop machines, or even a single-page web application. Attackers can abuse device codes: once an attacker holds a device code, they can use it to access the application and the resources the application itself has access to.

He suggests admins take steps to secure these applications by following Microsoft's best practices, which include managing redirect URIs, access tokens, and client secrets. Furthermore, ENow's AppGov Score tool can assist admins in identifying and addressing applications with insecure public client flows. To learn more about public client flows, read the full blog here: Public Client Flows: What You Need to Know.

Entra ID Application Consent: What Identity Admins Need to Know - Part Two 

This blog was part of a series written by Matthew Levy, a Security MVP and Principal Architect at NBConsult. In the first blog he explains the principles that apply to Microsoft Entra ID application consent. In part two he provides best practices, tips and recommendations to govern and secure your Microsoft Entra ID application landscape.

Best practices include: 

  • Configuring user consent settings in Microsoft Entra ID. There are three primary consent settings:
    • Allow user consent for apps
    • Allow user consent for apps from verified publishers for selected permissions
    • Disable user consent for apps
  • Organizations implementing an admin consent workflow
  • Admins creating packages for pre-consented apps
  • Admins reviewing and revoking risky permissions using tools like the Microsoft Graph API or ENow's App Governance Accelerator
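To make the three consent settings concrete, here is an added PowerShell check (not Matthew's code or ENow's) that reads the tenant's default user consent policy through the Microsoft Graph PowerShell SDK and reports which of the three settings is in effect. It assumes the Policy.Read.All permission and that the tenant uses the built-in permission grant policy IDs, which is an assumption about the environment rather than something the blog states.

```powershell
# Added example; assumes Microsoft.Graph PowerShell SDK and Policy.Read.All.
# Maps the built-in permission grant policies assigned to the default user role
# onto the three consent settings listed in the blog.
Connect-MgGraph -Scopes 'Policy.Read.All' -NoWelcome

$policy   = Get-MgPolicyAuthorizationPolicy
$assigned = @($policy.DefaultUserRolePermissions.PermissionGrantPoliciesAssigned)
$joined   = $assigned -join ';'

# Built-in policy IDs (assumed, see lead-in):
#   microsoft-user-default-legacy -> users may consent to any app / permission
#   microsoft-user-default-low    -> verified publishers, low-risk permissions only
#   nothing assigned              -> user consent disabled; admin consent required
$setting = switch -Wildcard ($joined) {
    '*microsoft-user-default-legacy*' { 'Allow user consent for apps'; break }
    '*microsoft-user-default-low*'    { 'Allow user consent for apps from verified publishers for selected permissions'; break }
    default                           { 'Disable user consent for apps' }
}

[PSCustomObject]@{
    PoliciesAssigned = if ($assigned.Count) { $assigned -join ', ' } else { '(none)' }
    EffectiveSetting = $setting
    AdminConsentWorkflow = if ((Get-MgPolicyAdminConsentRequestPolicy).IsEnabled) { 'Enabled' } else { 'Disabled' }
}
```

The first setting is the one to flag in a review, since any user can grant any delegated permission to any app; the third only works well in practice when the admin consent workflow shown in the last column is enabled, otherwise users are blocked with no path to request access.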

He concludes that managing app consent is a balance between security and productivity, and requires administrators to carefully evaluate consent policies, monitor usage, and educate users on security best practices. Check out the full blog here: Entra ID Application Consent: What Identity Admins Need to Know - Part Two.

The Importance of Application Lifecycle Management (ALM)

Application Lifecycle Management (ALM) is a crucial framework for ensuring your organization's applications remain efficient, secure, and compliant throughout their entire lifecycle. From initial development to retirement, ALM provides a structured approach that aligns IT objectives with business goals.

In this blog post, Microsoft MVP John O'Neill, Sr. explores the key phases of ALM—governance, development, and operations—and why organizations must invest in tools and strategies to optimize this process. Proper ALM can lead to improved resource allocation, enhanced application security, and better collaboration across teams, ensuring applications meet evolving business needs.

Discover how leveraging ALM can help your organization streamline processes, maintain compliance, and boost overall productivity. Read the full article here: The Importance of Application Lifecycle Management (ALM).

Top 2024 Webinars

Identify and Fix Application Security Vulnerabilities in Microsoft Entra ID

In this session, Microsoft MVPs Alistair Pugin and Nicolas Blank explored the top 5 risks associated with application security, and more, including:

  • A breakdown of the "Midnight Blizzard" attack on Microsoft 
  • Injection attacks  
  • Broken authentication and session management  
  • Sensitive data exposure  
  • Security misconfiguration  
  • Insufficient logging and monitoring 

Watch the full recording here: Identify and Fix Application Security Vulnerabilities in Microsoft Entra ID.

Entra ID Governance: Best Practices for Real-World Success

In this session, Microsoft MVPs and experts Alistair Pugin and Nicolas Blank cover:

  • Defining Clear Policies and Roles  
  • Implementing Robust Access Controls  
  • Designing and enforcing access control mechanisms  
  • Harnessing Entra ID features  
  • Monitoring and Auditing Mechanisms  
  • Addressing User and App Lifecycle Management Challenges  
  • Role Mapping and Privileged Access Management  
  • Plus, a plethora of additional insights (as much as we can fit into 60 minutes)

Watch on-demand here: Entra ID Governance: Best Practices for Real-World Success.

Zero Trust for Application Security in Entra ID

In this webinar, Alistair Pugin and Nicolas Blank discussed the key benefits of Zero Trust, including:  

  • A unified strategy: Building a security strategy that includes what you already own.  
  • Enhanced security: Protecting your applications from unauthorized access and data breaches.  
  • Reduced risk: Minimizing the impact of security incidents.  
  • Increased productivity: Enabling secure and seamless access to applications. 

Watch the full webinar here: Zero Trust for Application Security in Entra ID. 

Other Top Application Governance & Security Resources

Black Hat Sessions Highlight Key Challenges in Microsoft Cloud Security 

Sander Berkouwer, Eric Woodruff, and Raymond Comvalius discuss Eric's "UnOAuthorized" session from Black Hat. They also talk about the need for community education and support around Entra ID security and identities, and about backup solutions that play a role in Entra application management. They each share their recommendations for IT pros charged with securing Entra ID and outline resources that will help guide identity and security pros toward securing their Microsoft Entra tenant(s).

Watch the full interview here: UnOAuthorized: Microsoft App Vulnerabilities, Entra ID App Misconfigurations & Community Solutions.

UnplugIT Episode - Unlocking the Secrets of App Security! 

Stephen Rose sits down with Sean Hurley and ENow CEO and Technical Founder Jay Gundotra in this UnplugIT episode. Stephen talks to Sean, who oversees application security for the world's largest iconic media and entertainment company and destination (think products, parks, attractions, superhero and sci-fi movies, wink wink), and we learn how he protects and secures Entra ID applications for over 200k employees across hundreds of thousands of devices every year.

Jay Gundotra shares the story of the product's inception: how ENow collaborated with Sean and his team to co-innovate, making product improvements and advancing the App Governance tool to its latest v2.0 iteration, with new features inspired by Midnight Blizzard.

Closing Out 2024

We've enjoyed sharing this content with you and hope these resources have helped simplify your work! We look forward to sharing more in 2025 and are always open to suggestions! To receive more content like this and hear about our latest updates, subscribe at https://www.appgovscore.com/blog.

If you have questions about Entra ID, application governance, and security, join our community of MVPs and other tech leaders on our AppGov Community Forum!

If you want to kickstart your Entra ID Enterprise Application Governance in 2025, request your AppGov Score!
