When your organization uses Microsoft 365 with the default settings, employees can grant third-party applications access to their accounts on their own. Every application that is granted access this way shows up in your tenant as a so-called 'Enterprise Application'. But what does this entail, and do these applications pose a risk to the security of your Microsoft 365 environment and your organization's sensitive data? In this article, we dive deeper into what Enterprise Applications are and offer practical advice to enhance your security.
What are Enterprise Applications?
An Enterprise Application is the representation in your tenant of an application, often built by a third party, that integrates with Microsoft 365 through Microsoft's APIs. Think of an email app developed by an external party that can read and send emails on behalf of the user. When a user grants permission to such an application, Microsoft automatically adds it to the Microsoft 365 tenant as an Enterprise Application, and the application can then act with the granted permissions on behalf of that user.
For a user, authorizing a third-party application looks like this:
[Screenshot: the "Permissions requested" consent dialog shown to the user. Source: https://learn.microsoft.com/en-us/purview/media/o365-thirdpartydataconnector-optin1.png]
When the 'Accept' button is clicked, the user grants the application the listed rights within their own account. With the default settings in place, users can grant these rights to virtually any application without any involvement or approval from an administrator or security expert.
As an administrator, you can see precisely which applications have access to one or more accounts in the tenant by doing the following:
- Go to Entra ID. Under 'Manage' and 'Enterprise applications', you’ll find a list of all Enterprise Applications in the tenant.
- Select an Enterprise Application. Under 'Security' and 'Permissions', you'll see the granted permissions. Note the distinction between 'admin consent' (granted once by an administrator and valid for all users in the tenant) and 'user consent' (granted by individual users for their own account). On the user consent tab you'll see which users have authorized the application and with what permissions.
Does This Pose a Security Risk to the Microsoft 365 Tenant?
Yes, external applications can pose a security risk to the Microsoft 365 environment. How so? A malicious third party can register an application that requests broad access to a user's account, for example to read and send mail and to read all files the user can reach, and then lure the user into clicking 'Accept' (this is known as consent phishing). If the user accepts, the attacker's application receives access tokens for the user's account, including all data and files the user can access. Because the application authenticates with its own tokens rather than with the user's password, resetting the password or having multi-factor authentication enabled does not end this access; the grant has to be revoked explicitly.
Furthermore, there's an indirect risk. A third party might not have malicious intent, but if their own security is lax and an attacker breaches them, your Microsoft 365 environment is still at risk: the attacker inherits the access that your users granted to the approved application and can use it to get into your organization. Thus, it's crucial to limit access to trusted applications and to keep the granted permissions to the minimum the application actually needs.
What Can I Do as an Administrator to Protect the Microsoft 365 Environment?
As an administrator, it is crucial to know which applications have access to the tenant and with which permissions. As previously mentioned, reviewing the consent settings is vital: with the default settings, users can grant full access to arbitrary applications. To mitigate this risk, you can take several measures.
Blocking Permissions
Firstly, it's possible to completely block users from granting rights to third-party applications. This closes off the attack described above for all future grants (permissions that were granted earlier stay in place; see 'Next Steps'). This setting is configured in the Azure Portal under Entra ID, "Enterprise applications" → "Security" → "Consent and permissions" → "User consent settings". Here, adjust the following two settings:
- Set "User consent for applications" to "Do not allow user consent".
- Set "Group owner consent" to "Do not allow group owner consent".
This option isn't suitable for every Microsoft 365 environment. In many organizations, trusted applications are necessary for users' daily tasks, and these would be blocked as well. Below, we explain how to allow those applications without reopening the door to everything else.
Admin Approval
To permit trusted third-party applications while keeping control, you can have an administrator review and approve applications before anyone can use them: users who try to authorize an application they are not allowed to consent to are shown a form to request approval, and an administrator decides whether to grant consent for the whole tenant.
This setting is available in the Azure Portal under Entra ID, "Enterprise applications" → "Security" → "Consent and permissions" → "Admin consent settings". Select "Yes" for "Users can request admin consent to apps they are unable to consent to". Then configure who reviews the requests, whether reviewers are notified and after how many days a request expires under "Admin consent requests".
Note that this workflow only applies to apps users cannot authorize themselves. If user consent is still allowed, users never get to the request form for those apps, so the steps under "Blocking Permissions" are also needed to enforce administrator approval for all applications.
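The two settings above can also be audited and enforced from the command line, which makes it easier to check a tenant repeatedly or to include the check in an assessment. The script below is an added example and is not code from the original article or from Computest; it assumes the Microsoft Graph PowerShell SDK (v2) is installed, that the signed-in account may read (and, with -Remediate, write) the authorization and admin consent request policies, and that the reviewer UPN is a placeholder you replace with your own reviewer. The mapping from the portal's radio buttons to the permission grant policies assigned to the default user role is taken from Microsoft's documentation of the authorization policy.

```powershell
# Added example (not from the original article): audit the "User consent for
# applications" and "Admin consent requests" settings via Microsoft Graph
# PowerShell, and optionally enforce the recommended values.
# Assumptions: Microsoft.Graph SDK v2 installed; the reviewer UPN is a placeholder.
param(
    [switch]$Remediate,
    [string]$ReviewerUpn = 'secops-reviewer@contoso.example'   # placeholder, replace
)

Import-Module Microsoft.Graph.Identity.SignIns
Import-Module Microsoft.Graph.Users

$scopes = @('Policy.Read.All')
if ($Remediate) {
    $scopes += 'Policy.ReadWrite.Authorization', 'Policy.ReadWrite.ConsentRequest', 'User.Read.All'
}
Connect-MgGraph -Scopes $scopes -NoWelcome

# --- 1. User consent setting -----------------------------------------------
# The portal's radio buttons correspond to the ManagePermissionGrantsForSelf.*
# policies assigned to the default user role:
#   (none)                          -> Do not allow user consent
#   ...microsoft-user-default-low   -> Verified publishers, selected (low) permissions
#   ...microsoft-user-default-legacy-> Allow user consent for all apps (the default)
$authPolicy = Get-MgPolicyAuthorizationPolicy
$selfPolicies = @($authPolicy.DefaultUserRolePermissions.PermissionGrantPoliciesAssigned |
                  Where-Object { $_ -like 'ManagePermissionGrantsForSelf.*' })

switch -Wildcard ($selfPolicies -join ' ') {
    ''                                 { $userConsent = 'Do not allow user consent (recommended)' }
    '*microsoft-user-default-low*'     { $userConsent = 'Verified publishers, selected permissions only' }
    '*microsoft-user-default-legacy*'  { $userConsent = 'Allow user consent for ALL apps (insecure default)' }
    default                            { $userConsent = "Custom policy: $($selfPolicies -join ', ')" }
}
Write-Host "User consent for applications : $userConsent"

# --- 2. Admin consent workflow ---------------------------------------------
$acr = Get-MgPolicyAdminConsentRequestPolicy
Write-Host "Admin consent requests enabled: $($acr.IsEnabled)"
if ($acr.IsEnabled) {
    Write-Host "  Reviewers        : $(($acr.Reviewers | ForEach-Object Query) -join ', ')"
    Write-Host "  Notify reviewers : $($acr.NotifyReviewers)"
    Write-Host "  Request expiry   : $($acr.RequestDurationInDays) days"
}

if (-not $Remediate) { return }

# --- 3. Enforce: block user consent, route requests to a reviewer -----------
# Only the ManagePermissionGrantsForSelf.* entries are removed; other policy
# families on the same list (such as group owner consent) are left as they are.
$keep = @($authPolicy.DefaultUserRolePermissions.PermissionGrantPoliciesAssigned |
          Where-Object { $_ -notlike 'ManagePermissionGrantsForSelf.*' })
Update-MgPolicyAuthorizationPolicy -BodyParameter @{
    defaultUserRolePermissions = @{ permissionGrantPoliciesAssigned = $keep }
}

$reviewer = Get-MgUser -UserId $ReviewerUpn -Property Id -ErrorAction Stop
Update-MgPolicyAdminConsentRequestPolicy -BodyParameter @{
    isEnabled             = $true
    notifyReviewers       = $true
    remindersEnabled      = $true
    requestDurationInDays = 30
    reviewers             = @(@{ query = "/users/$($reviewer.Id)"; queryType = 'MicrosoftGraph' })
}
Write-Host 'Consent settings updated. Re-run without -Remediate to verify.'
```

Run it without parameters first to see where the tenant stands; the legacy "user-default-legacy" policy is what a tenant has when nobody has touched the consent settings. The remediation deliberately writes back the policies it did not recognize, so group owner consent (the second setting under "Blocking Permissions") still has to be reviewed separately in the portal.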
Allowing Non-sensitive Permissions by Default
As an extension of the previous option, you can allow a small set of low-impact permissions for all applications without an administrator's involvement, while every other permission still goes through the admin consent workflow. This is meant for applications requiring very limited access, such as reading a user's basic profile and email address for Single Sign-On.
This can be configured in the Azure Portal under Entra ID, "Enterprise applications" → "Consent and permissions" → "Permission classifications", by classifying the chosen permissions as "Low". Microsoft provides recommendations on this page for which commonly used, non-sensitive permissions to classify, including the ones needed for Single Sign-On. The classification only takes effect if "User consent for applications" is set to "Allow user consent for apps from verified publishers, for selected permissions"; with "Do not allow user consent" every permission request is blocked, and with the default setting every permission request is allowed regardless of classification.
Next Steps
When the consent settings are appropriately configured, it's also essential to evaluate permissions that were granted before the change, because new settings do not touch existing grants. Users might have granted untrusted applications high access in the past. Go through the list of Enterprise Applications, pay particular attention to applications from unknown or unverified publishers with permissions on mail, files or the directory, and revoke what is not needed, either by removing the specific grant under 'Permissions' or by deleting the Enterprise Application altogether.
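Clicking through every Enterprise Application in the portal, as described under 'What are Enterprise Applications?', does not scale in a tenant with hundreds of applications. The script below does the review described in this section in one pass with Microsoft Graph PowerShell. It is an added example and not code from the original article or from Computest; it assumes the Microsoft Graph PowerShell SDK (v2) is installed and that the signed-in account can read the directory. The list of high-impact scopes is an illustrative starting point, not an official classification, and the two tenant IDs used to recognize Microsoft's own first-party applications are the well-known Microsoft service tenants.

```powershell
# Added example (not from the original article): list every delegated permission
# grant in the tenant, resolve the application and the consenting user, and flag
# third-party apps holding high-impact scopes. Application (app-only) permissions
# are not covered here; they live under the app's "App roles" assignments.
# Assumptions: Microsoft.Graph SDK v2 installed; Directory.Read.All granted to the
# signed-in account; $highImpact is an illustrative list you should adapt.
Import-Module Microsoft.Graph.Applications
Import-Module Microsoft.Graph.Identity.SignIns
Import-Module Microsoft.Graph.Users
Connect-MgGraph -Scopes 'Directory.Read.All' -NoWelcome

# Delegated scopes that hand an app broad access to the user's data (illustrative).
$highImpact = @(
    'Mail.Read', 'Mail.ReadWrite', 'Mail.Send', 'MailboxSettings.ReadWrite',
    'Files.Read.All', 'Files.ReadWrite.All', 'Sites.Read.All', 'Sites.ReadWrite.All',
    'Contacts.ReadWrite', 'Calendars.ReadWrite', 'User.Read.All', 'Directory.Read.All',
    'Directory.AccessAsUser.All', 'offline_access'
)
# Tenant IDs Microsoft uses to publish its own first-party apps (well-known values).
$microsoftTenants = @('f8cdef31-a31e-4b4a-93e4-5f571e91255a', '72f988bf-86f1-41af-91ab-2d7cd0114e7e')

# Cache all service principals once instead of querying per grant.
$spById = @{}
Get-MgServicePrincipal -All -Property Id,DisplayName,AppId,AppOwnerOrganizationId,PublisherName,VerifiedPublisher |
    ForEach-Object { $spById[$_.Id] = $_ }

$userCache = @{}
function Resolve-UserUpn([string]$id) {
    # Resolves a user object id to a UPN; deleted users show up as unknown.
    if (-not $userCache.ContainsKey($id)) {
        try   { $userCache[$id] = (Get-MgUser -UserId $id -Property UserPrincipalName -ErrorAction Stop).UserPrincipalName }
        catch { $userCache[$id] = "<deleted or unknown: $id>" }
    }
    $userCache[$id]
}

$report = foreach ($grant in Get-MgOauth2PermissionGrant -All) {
    $client = $spById[$grant.ClientId]
    if (-not $client) { continue }                       # grant for an SP we could not read
    $isAdmin = $grant.ConsentType -eq 'AllPrincipals'    # admin consent = tenant-wide grant
    $scopes  = $grant.Scope -split '\s+' | Where-Object { $_ }
    [pscustomobject]@{
        App               = $client.DisplayName
        Publisher         = if ($client.VerifiedPublisher.DisplayName) { $client.VerifiedPublisher.DisplayName } else { $client.PublisherName }
        VerifiedPublisher = [bool]$client.VerifiedPublisher.VerifiedPublisherId
        FirstParty        = [string]$client.AppOwnerOrganizationId -in $microsoftTenants
        ConsentType       = if ($isAdmin) { 'Admin (tenant-wide)' } else { 'User' }
        GrantedBy         = if ($isAdmin) { '(all users)' } else { Resolve-UserUpn $grant.PrincipalId }
        Resource          = $spById[$grant.ResourceId].DisplayName
        HighImpactScopes  = ($scopes | Where-Object { $_ -in $highImpact }) -join ' '
        AllScopes         = $scopes -join ' '
    }
}

# Third-party apps holding high-impact scopes are the ones to look at first.
$report |
    Where-Object { -not $_.FirstParty -and $_.HighImpactScopes } |
    Sort-Object ConsentType, App |
    Format-Table App, Publisher, VerifiedPublisher, ConsentType, GrantedBy, HighImpactScopes -AutoSize

# Full export for the assessment file.
$report | Export-Csv -Path .\oauth2-grants.csv -NoTypeInformation -Encoding UTF8
```

Tenant-wide admin consents deserve the closest look, since a single 'AllPrincipals' grant with Mail.ReadWrite or Files.ReadWrite.All gives the application that access for every user in the organization. An application from an unverified publisher that has been granted such scopes by a handful of users is the typical fingerprint of the consent phishing described earlier.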
Computest Security: Your Partner for a Secure Microsoft 365 Environment
Securing your Microsoft 365 environment can be a challenging task. We assist you in configuring and managing your Microsoft 365 environment, ensuring your security settings are always optimal. During a Microsoft 365 security assessment, we work closely with you to review current settings. We examine how the earlier-mentioned consent settings are configured and explore which Enterprise Applications already have access within your environment.
Following this thorough evaluation, we discuss with you the best security measures suited to your organization. There are numerous options to manage and limit Enterprise Applications, and we're here to help you make the right choices. Our goal? Create the safest environment possible, with minimal impact on your employees’ daily use.
Besides Enterprise Applications, we scrutinize the entire setup and use of your Microsoft 365 environment, focusing not on the security of Microsoft services themselves, but on how your organization configures and uses these services.
Who are you gonna call? Computest Security!
Interested in making your Microsoft 365 environment even more secure? Contact us via info@computest.nl or call +31 (0)88 733 13 37 and we'll get back to you promptly.