How to Risk Profile Your Entra ID Enterprise Apps
January 9, 2025 • Alistair Pugin
Now that Ignite is over and everyone has managed to recover from all the announcements and end-of-year craziness, it’s time to have a look at what Nicolas Blank and I covered during the webinar that we did in November 2024.
Throughout the year, ENow has been committed to helping organizations worldwide examine what applications they have in Entra ID. As ‘season 2’ of ENow’s Application Governance & Security webinar series closes, we felt it was the right time to investigate how to weigh enterprise applications adequately. After all, you need to make sure that your applications are governed and secured so that you mitigate the risk of being compromised.
Let’s start at the beginning:
Why should you care about Enterprise Apps in Entra ID?
I can hear people saying “Well we are fine. We know what applications we have in our organization. We have worked through the Microsoft Secure Score, and we are in the upper 80%, so we are good!”
I applaud customers for doing that. It’s vitally important and it’s a great start, but over the last year, Nic and I have been talking about everything that lives in Entra ID. Your Microsoft Secure Score is quite broad. In addition to the Identity piece, it covers other categories such as Device, Data, and Apps. While this can offer some valuable insights, often organizations need to dig deeper in the Identity space. Why? Because applications live in Entra ID. Identities access these applications, and more importantly, not just user accounts but service principals and managed identities too. Why? Because they all live in Entra ID.
Current state of cybersecurity trends
Figure 1: Al’s unofficial view on the current state of security
As much as Microsoft is doing in the space, with the announcement of:
- “Zero Day Quest” – A bounty award program for security research to discover and report high-impact vulnerabilities.
- “Windows Resiliency Initiative” – On the back of the global CrowdStrike outage of 2024, Microsoft has introduced this initiative to make sure that “Windows remains the most reliable and resilient open platform for our customers.”
The single biggest issue today is still phishing attacks. Why? Because humans are behind identities, and they are fallible. This means that we can also make mistakes around what our applications do inside of our environment.
So, how do you prepare yourself, equip yourself, and most importantly, protect yourself against these threat actors (well, protect your environment from threat actors)? It's simple really: we must start at the beginning. We must understand what those tricky nefarious characters do. We need to get inside the mind of a threat actor.
Understanding The Cyber Kill Chain
Figure 2: The Cyber Kill Chain (CyCraft Technology Corp, 2021, Creative Commons)
Once a hacker has compromised an account or identity, they spend a lot of time understanding your environment before doing anything with it. According to IBM, it takes organizations an average of 204 days to identify a cyber breach, with an additional 73 days to contain a breach. That’s more than half a year!!!
That means hackers have been “living” inside of your environment, monitoring, watching what happens. And quite frankly, that’s scary.
That is why we have decided to give you a simple method to follow when working through the applications that live inside of Entra ID.
Now, we haven’t just randomly made these things up. For those that are familiar with the MITRE ATT&CK® framework, it is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations.
What this framework gives you is a blow-by-blow approach to not only understanding the tactics of hackers, but also going up against them using their own methodology.
We took their recommendations and distilled them into 4 components.
Profiling Enterprise Application Risk Using R.E.A.D
Figure 3: R.E.A.D. Discovery
R – Reconnaissance
This process involves looking at what sort of possible scanning a threat actor could perform against your environment, and what information they would be able to extract from your tenant. Doing this will give you a view of the possible data an actor can access. You want to prohibit that. Think of it as a maze that you are tracking to see if you get to the exit.
E – Execution/Exfil
For those actors that want to destroy and not just exfil your data, it becomes vitally important that you are able to recover from any malicious intent the actor may have. Think “Disaster Recovery” but for the modern age, using traditional methods. Considerations include making sure that you have a “break glass” account, and a backup that is not accessible by any identities so that you can in fact protect it properly, should you need to recover from a catastrophic failure, that is, your entire estate having been deleted.
A – Access
This is exactly like the board game “Cluedo.” Who has access to what, how much access they have, and across how much of your environment. For example, if an account has access to a managed identity, then whatever that identity has access to, the account has access to as well. Heaven forbid the compromised account has privileged access, because that is an entirely different problem you will have.
D – Defense/Discovery
If an actor were to get into your environment, do you have the necessary records in place to detect them and to make sure they are trackable? Yes, logs. Logs, lots of logs. Logs become your friend. Not only will you be able to find out how they got in, so that you can close that door, but also what they did while they squatted in your environment.
For a comprehensive list of tactics that actors use, head over to the Enterprise Tactics page over at the MITRE ATT&CK® site.
Figure 4: Enterprise Tactics from MITRE ATT&CK® site.
Once you have mapped out what this “attack surface” looks like, it will give you a bird’s-eye view of what your world looks like to a threat actor. And with that view, we’ve used the same R.E.A.D. symbols to help you assemble “turrets” like we all did in Warcraft, so that we can protect our world.
Strengthen Your Application Security Posture Using R.E.A.D.
Figure 5: R.E.A.D. Actions
In very much the same way as the discovery phase, once you “know your bases,” you can start closing all the possible holes in your environment. Like Nic always says, “Assume Breach” and “Prepare for Breach” should be what you are focusing on, all the time.
R – Restrict
It's in the word. This is where you start focusing on restricting access to resources in your environment. Whether at a network layer level or restricting access to privileged accounts through Privileged Identity Management or Just-In-Time/Just-Enough-Access Management.
E – Encrypt
What we have seen in Europe mostly is that threat actors would exfil your data, stick it in a storage account, and then encrypt it while charging you 4% of your annual turnover to decrypt and hand your data back to you (GDPR 101). So, ensure that your data and backups are encrypted so that even if an actor gets in, they cannot encrypt your data.
A – Access Control
Access and Access Control are two different things. Nic and I have mapped out Authentication and Authorization in one of our previous episodes, but what this means is that you should be looking into locking down access and authorization to your estate. MFA, please people, everyone. 2024 was the year for us to say that. We will no longer be saying it in 2025. It is a fundamental thing. Please do not make us go there. Embrace Conditional Access. This is, after all, your biggest risk evaluation engine.
D – Defense
Telemetry data, like in Formula 1, is equally important here. Your Security Operations Center should be monitoring every event happening in your environment, from day 1. Spend time understanding what signals are good and bad. Then build up your defenses to combat any attacks that may occur.
Again, we did not make this up; we just made it easier to understand. Head to the “Enterprise Mitigations” page on the MITRE ATT&CK® site.
Figure 6: Enterprise Mitigations.
And that is it, my friends. That is how we close off Season 2 of ENow’s ongoing passion for helping people, communities, and organizations across the globe improve their overall identity and application security posture. They are relentless. If they must go door-to-door to get you to start taking these things seriously, they will.
Takeaways from ‘How to Risk Profile Your Entra ID Enterprise Apps’
In closing, our thoughts on the matter.
Figure 7: Closing thoughts
- Highest Risk First – Red, Yellow, Green your applications and start with the ones that are “RED.”
- MFA – ‘Nuff Said.
- No Global Admins – Yes, this is important. Implement PIM and monitor what happens when privileges are elevated.
- Identity before Firewall – Nobody, well, not since before the advent of the public cloud, is hacking firewalls anymore, so fix your identity first because THAT identity will have access to THAT firewall, so they are going to make changes anyway.
- Apply, Remediate, Evolve – Rome wasn’t built in a day. It's impossible to switch everything off. Start small, evolve your approach over time, continuously make incremental changes until you are secure.
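To make the R.E.A.D. discovery questions (“who has access to what”, including access inherited through a managed identity) and the “Red, Yellow, Green” takeaway concrete, here is an added example that is not part of the original post and not ENow’s or Microsoft’s code. It runs over a constructed inventory of enterprise apps whose shape only loosely mirrors what you could export from Microsoft Graph; the scoring weights, the RAG thresholds, the list of “high-impact” permissions and the `IDENTITY_BINDINGS` mapping are all assumptions chosen for illustration.

```python
"""Added example (not from the original post, ENow or Microsoft): a small
R.E.A.D.-style risk profiler that turns an inventory of Entra ID enterprise
apps into a Red/Yellow/Green work queue and resolves the transitive access an
account gains through the managed identities it can use."""
from dataclasses import dataclass, field


@dataclass
class EnterpriseApp:
    name: str
    kind: str                     # "app" (service principal) or "managedIdentity"
    credential: str               # "secret", "certificate" or "none"
    credential_age_days: int
    app_permissions: list = field(default_factory=list)   # application-type Graph permissions
    directory_roles: list = field(default_factory=list)
    owners: list = field(default_factory=list)
    last_sign_in_days: int = 0


# Constructed inventory for illustration: the shape loosely follows what you can
# export via Microsoft Graph (service principals, app role assignments, directory
# role members), but every value below is made up.
INVENTORY = [
    EnterpriseApp("HR Sync", "app", "secret", 400,
                  ["User.ReadWrite.All", "Directory.ReadWrite.All"], [], [], 3),
    EnterpriseApp("Build Agent MI", "managedIdentity", "none", 0,
                  ["Sites.Read.All"], ["Global Administrator"], ["ops-team"], 1),
    EnterpriseApp("Legacy Reporting", "app", "certificate", 120,
                  ["Mail.ReadWrite"], [], ["alice"], 200),
    EnterpriseApp("Intranet Widget", "app", "certificate", 30,
                  ["User.Read"], [], ["bob"], 2),
]

# Constructed: which accounts can act as which managed identities (for example
# through a role assignment on the resource that carries the identity).
IDENTITY_BINDINGS = {"svc-pipeline": ["Build Agent MI"], "alice": []}

# These are real Graph permission and Entra role names, but which ones count as
# "high impact" here is an assumption for this example, not an official list.
HIGH_IMPACT_PERMISSIONS = {
    "Directory.ReadWrite.All", "RoleManagement.ReadWrite.Directory",
    "Application.ReadWrite.All", "AppRoleAssignment.ReadWrite.All",
    "User.ReadWrite.All", "Mail.ReadWrite",
}
PRIVILEGED_ROLES = {
    "Global Administrator", "Privileged Role Administrator",
    "Application Administrator", "Cloud Application Administrator",
}


def score_app(app: EnterpriseApp):
    """Return (points, reasons). Weights are assumptions chosen so that
    privileged roles and tenant-wide write access outrank hygiene findings."""
    points, reasons = 0, []
    if set(app.directory_roles) & PRIVILEGED_ROLES:
        points += 5
        reasons.append("holds a privileged directory role")
    high = HIGH_IMPACT_PERMISSIONS & set(app.app_permissions)
    if high:
        points += 3
        reasons.append("high-impact application permissions: " + ", ".join(sorted(high)))
    if app.credential == "secret":
        points += 1
        reasons.append("client secret rather than certificate")
        if app.credential_age_days > 365:
            points += 2
            reasons.append("secret older than a year")
    if not app.owners:
        points += 1
        reasons.append("no owner: nobody is accountable for it")
    if app.last_sign_in_days > 90:
        points += 1
        reasons.append("dormant for over 90 days but still enabled")
    return points, reasons


def rag(points: int) -> str:
    """Red/Yellow/Green bucket; the thresholds are assumptions."""
    return "RED" if points >= 5 else "YELLOW" if points >= 2 else "GREEN"


def profile(inventory=INVENTORY):
    """Highest risk first: a list of (name, colour, points, reasons)."""
    rows = []
    for app in inventory:
        points, reasons = score_app(app)
        rows.append((app.name, rag(points), points, reasons))
    return sorted(rows, key=lambda row: row[2], reverse=True)


def effective_access(account: str, inventory=INVENTORY, bindings=IDENTITY_BINDINGS):
    """The 'Cluedo' question: everything an account can reach through the
    managed identities it can act as, not only what is granted to it directly."""
    by_name = {a.name: a for a in inventory}
    perms, roles = set(), set()
    for ident in bindings.get(account, []):
        perms |= set(by_name[ident].app_permissions)
        roles |= set(by_name[ident].directory_roles)
    return perms, roles


if __name__ == "__main__":
    for name, colour, points, reasons in profile():
        print(f"{colour:6} {points:2}  {name}: {'; '.join(reasons) or 'no findings'}")
    print("svc-pipeline can effectively use:", effective_access("svc-pipeline"))
```

Two things are worth noticing in the output. The managed identity scores RED without having any credential at all, because the role it holds is what matters, and `effective_access("svc-pipeline")` shows that the pipeline account inherits Global Administrator through that identity even though nothing is granted to the account directly. Replace the constructed inventory with a real export and tune the weights to your tenant; the point is to work the RED rows first.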
Resources
Applying the R.E.A.D. Discovery method to govern and secure your applications mitigates the risk of being compromised. Using the R.E.A.D. action steps is a great start to protect your environment from threat actors. For more information, you can watch the full webinar How to Risk Profile Your Entra ID Enterprise Apps on-demand.
If you're looking for an easy button to identify Enterprise Application risks in your Entra ID tenant, request your free AppGov Score here. And get ready for Season 3 of AppGov Webinar Wednesdays; we have a lot more info and guidance to share.
Written by Alistair Pugin
M365 + Security MVP | Blogger | Podcaster | Speaker | Founder, CEO - YModernize
Alistair has worked in various capacities in multiple verticals from retail-manufacturing to government, spanning 50 to 50000 users utilizing all aspects of pure Enterprise Information Management.
Specialties: 20+ years pure IT, 16 years ECM, Livelink, Zylab, SharePoint, FileNet, etc. IT Pro dabbling in Dev, ECM Consultant, Suffering from Technophilia. Technology Architect specializing in Business Productivity Enrichment.