Addressing Entra ID Application Governance Challenges
October 19, 2023 • ENow Software
For most organizations, Microsoft Entra ID (formerly Azure Active Directory) applications are a ticking time bomb, a security risk that is now forcing CISOs to view these vulnerabilities under a magnifying glass. Whether internal developers are creating applications or employees are purchasing third-party shadow IT solutions, most organizations are integrating these apps into Entra ID despite the ramifications.
Entra ID apps pose the following challenges to organizations, managers, and Identity administrators:
- Deprecated services may leave behind endpoint URLs that can be reregistered by attackers.
- Apps may be incorrectly configured, e.g., with public client flows enabled; such applications cannot be trusted to keep application secrets safe and should be remediated with high priority.
- Apps may be over-permissioned or incorrectly permissioned, allowing a supply-chain attack to escalate.
- Apps use certificates and secrets that expire automatically but provide access until they do; given enough captured network traffic, an adversary could successfully launch a collision attack.
- Unsanctioned apps can potentially be used by any person in the organization.
The fact is, it only takes one compromised Entra ID user account to consent to a rogue app that siphons all of the user’s Microsoft 365 data or takes over their mailbox. Business Email Compromise (BEC) amounts to $8 million in losses on a daily basis globally. Fortunately, we have tackled this problem head-on and developed a free security assessment tool that examines your tenant’s application security exposure and compares the results to Microsoft’s best practices. The tool produces a comprehensive and customized Application Governance Assessment report and gives you a score (AppGov Score) that quantifies your application governance state. The ENow AppGov Score was created because ENow’s clients requested help solving the challenges associated with implementing an application governance process.
“We quickly realized that application governance was a huge blind spot for most organizations and that since it was such a common problem, we wanted to provide a free tool that would help organizations better understand their current state” -Jay Gundotra, CEO and technical founder of ENow.
The ENow AppGov Score assessment tool is an enterprise app that can be used quickly by anyone with Entra ID admin rights sufficient to consent to the permissions it requests. Admins can quickly obtain complete insight into and control over Entra ID applications with the ENow AppGov Score, a free security assessment tool that quantifies your application governance state in just three easy steps, so you can properly secure and govern your organization's Entra ID application estate.
- Go directly to the application at: https://portal.appgovscore.com/
- Review required permissions and consent
- Click the Sign-in button in the upper right corner
With only Graph read permissions required, our scoring system follows Microsoft-recommended identity practices and was developed with the input of Microsoft security MVPs. At a glance, admins can determine the state of their tenant from an application point of view:
Figure 1: The Application Governance Assessment Report
Our ENow Application Governance Assessment Report runs over 24 different checks against your tenant and then gives you a quantifiable AppGov score. The report provides tenant-specific information on the following key areas:
- Enterprise applications
- App registrations
- Tenant settings
The Enterprise application section of our report analyzes all the enterprise applications. It can quickly reveal how many Enterprise Applications your tenant contains. Additionally, it provides visibility around the number of enterprise applications created without admin consent and shows the number of enterprise applications without role assignments. The report can also expose enterprise applications that are considered high-risk or have an elevated set of permissions.
The next section of our report analyzes all the application registrations in the tenant. Our assessment tool runs 10 different checks for this area.
This includes showing you how many app registrations have expired certificates or client secrets. It will also show you which application certificates expire in the next 14 days, and which ones have an expiration date more than 2 years out. Microsoft recommends a validity period of 2 years or less, since certificates are how application registrations identify themselves to Microsoft Entra ID. This is important because the longer a certificate is valid, the more opportunity an adversary has to successfully perform this type of attack and abuse the certificate.
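As an added example (not ENow's code and not part of the AppGov Score tool), the Python below applies the three credential checks described above to a constructed sample shaped like a Microsoft Graph GET /applications response. It assumes the 2-year rule refers to a certificate's validity period (endDateTime minus startDateTime), and it goes slightly beyond the text by applying the 14-day expiry warning to client secrets as well as certificates.

```python
from datetime import datetime, timedelta, timezone

# Fixed "now" so the results are reproducible (the post is dated 2023-10-19).
NOW = datetime(2023, 10, 19, tzinfo=timezone.utc)

# Constructed sample in the shape of a Graph /applications response, keeping
# only the fields the checks need. A real run would fetch this with an
# Application.Read.All (read-only) Graph permission; the names are made up.
SAMPLE_APPS = [
    {"displayName": "PayrollSync",
     "keyCredentials": [{"startDateTime": "2021-01-01T00:00:00Z",
                         "endDateTime": "2023-01-01T00:00:00Z"}],
     "passwordCredentials": []},
    {"displayName": "HRPortal",
     "keyCredentials": [{"startDateTime": "2021-01-01T00:00:00Z",
                         "endDateTime": "2024-06-01T00:00:00Z"}],
     "passwordCredentials": [{"startDateTime": "2023-04-30T00:00:00Z",
                              "endDateTime": "2023-10-30T00:00:00Z"}]},
    {"displayName": "InventoryBot",
     "keyCredentials": [],
     "passwordCredentials": [{"startDateTime": "2023-09-01T00:00:00Z",
                              "endDateTime": "2024-03-01T00:00:00Z"}]},
]


def parse_graph_time(value):
    # Graph returns ISO 8601 timestamps with a trailing "Z" for UTC.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def assess_credentials(apps, now=NOW, expiring_days=14, max_validity_days=730):
    """Return app registrations whose credentials are expired, expiring
    soon, or (certificates only) issued for longer than the 2-year maximum."""
    findings = {"expired": [], "expiring_soon": [], "validity_too_long": []}
    for app in apps:
        name = app["displayName"]
        creds = [("certificate", c) for c in app.get("keyCredentials", [])]
        creds += [("secret", c) for c in app.get("passwordCredentials", [])]
        for kind, cred in creds:
            start = parse_graph_time(cred["startDateTime"])
            end = parse_graph_time(cred["endDateTime"])
            if end < now:
                findings["expired"].append((name, kind))
            elif end - now <= timedelta(days=expiring_days):
                findings["expiring_soon"].append((name, kind))
            # Validity-period check applies to certificates regardless of state.
            if kind == "certificate" and end - start > timedelta(days=max_validity_days):
                findings["validity_too_long"].append((name, kind))
    return findings
```

Each finding is a (display name, credential kind) pair, so the lists map directly onto the "expired", "expires in 14 days" and "validity over 2 years" counts the report shows.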
The final section of the report analyzes the tenant-wide settings and compares them to Microsoft recommended practices, running 6 different checks for this area. This provides further clarity around accounts with application administrative privileges for your organization.
Our goal for this site is to help organizations improve their application security posture and accelerate the creation of an application governance strategy and policy. The site will also feature a blog and a steady stream of high-quality content written by Microsoft security MVPs, where you can find answers and improve your application security posture. We have also created a forum on our site where you can share recommended practices and receive constructive feedback from the community, including Microsoft security MVPs.
Understandably, with the spectrum of Entra ID application governance there is a wide variety of different types of organizations and configuration possibilities, where some challenges and scenarios are subjective. Therefore, we encourage user insights within this forum that can provide opportunities for improvement, as ENow continues to nurture product development in a direction with wide application that benefits more than just one organization.
We believe our new AppGov Score, coupled with the community engagement and support available through our application governance forum, will give admins the tools to move from a reactive to a proactive position and implement a successful application governance strategy for their organization. Welcome to the new era of application security!
If you have a question about Entra ID application governance, let our experts help by asking a question on our Community Forum.
The AppGov Community Forum is moderated by Microsoft Security & Identity MVPs and subject-matter experts to answer your questions around Entra ID, managing Enterprise Applications, Application Registrations, and the impact of Tenant Settings on an application's lifecycle.