Behind the Code: Uncovering Why App Security in Microsoft Entra ID is Commonly Overlooked


In this episode of Petri Dish, I speak to Jay Gundotra (CEO and Technical Founder of ENow Software) and Sander Berkouwer (Security Specialist and 15x Microsoft Valuable Professional) about why application security is such a big problem for organizations using Microsoft Entra ID (formerly Azure Active Directory).

Links and resources

Check out ENow’s App Gov Score for free.

📖 Read Sander’s article on Petri.com for more on Microsoft Entra ID app registration and enterprise app security

🚀 And here is Sander’s article on how to properly secure and govern Microsoft Entra ID apps

Transcript

Hello and welcome to Petri Dish. Today we’re joined by two esteemed guests, Jay Gundotra, who’s CEO and technical founder of ENow Software, a long time Microsoft partner, and Sander Berkouwer, who’s a 15 time MVP specializing in security.

Welcome to you both.

– Thank you.

– Thank you, Russell.

– Before we get started, Jay, could you tell us a little bit about ENow?

– Absolutely. ENow’s been in the monitoring and analog space for over 19 years. Can’t believe it’s been 19 years. I’m not that old, but it’s been 19 years. So our solutions focus on providing visibility into Entra ID, Microsoft 365 and Active Directory. I spent years as a consultant in the unified collaboration space, also working with Active Directory. I also worked inside IT organizations. And during that time, I really came to understand firsthand how much pressure and stress comes along with supporting those technologies. So I decided to start a company that would make software to simplify those jobs.

– Okay, so let’s get right into it. Why is application security a common, but often overlooked problem today?

– Well, I guess you can say that it’s the tyranny of the defaults. So default settings in Entra ID are wide open for consent. And that means that everybody in your organization, everybody in your Entra ID tenant, your little space in Entra ID, is able to add applications to the tenant. And when they do, all their owner access can also be exposed.

– Jay, what scenarios have your clients told you about?

– Well, I think we’re in a day and age where it’s awesome to have so many apps available. So I see a couple of different scenarios that take place. If the default settings are left in place, you have users that talk to another colleague and they say, “Well, hey, I heard about this really cool app that takes notes when you’re in a meeting.” So they get the name of the application, they go up, they download it and they consent.

Now they unknowingly don’t understand that once you give them consent, you’re giving that vendor access to their exchange teams and SharePoint data. That’s one use case. The second use case would be where you have a business owner. Business owner wants an app like a Zendesk, maybe they run a support team.

So they go out, they go through the process internally, they go through the vendor review, security review, they get the application, and then several years go by, they decide I’m not satisfied, I’m gonna switch. I’m not saying anything bad about Zendesk, I’m just using that as an example. Once they switch to another application and the old app is uninstalled, the enterprise app most often lives on. And that enterprise app has credentials and permissions that could be exploited or used by that action. The third scenario is where a company has internal developers, they talk to a business owner, they build something, and very rarely does the business owner specify how to get that data, whether you use Graph or use whatever API Microsoft provides.

So the developers, they don’t follow the least privileged model, so they ask for the world. And now you have another app that’s connected to your tenant that has high level permissions. All of that leaves you exposed, and over time the problem gets worse and worse.

– What could go wrong if your tenant has a lot of applications? And why is application security something that administrators should even worry about?

– So what we’re seeing is that as users consent to apps, these apps can perform as these users on behalf of, or ask them. And what you’ll see is that malicious actors commonly use typical factors like CEO fraud, or admin enumeration to take over an entire organization, or at least get some money off it.

– So how does ENow help with this problem?

– So about two years ago, one of my clients came to me, a systems architect and a large entertainment company. And he introduced this problem to me and he said, Jay, this is a complex problem. Is this something you can make simpler and build a software application around? So once I learned about the problem, I spoke to more and more of my clients. And what I discovered was there’s a lot of confusion around this topic. It’s really hard to get this data. You can get some of this data from the Entra ID portals, but it takes a lot of time. So we went and we decided to go ahead and tackle the problem. And as I spoke to more and more people, I realized this is just really a widespread problem. So we decided to create a free tool or a way for people to be able to quickly understand where they stand. Do you mind if I share my screen and show it to you, just quickly, Russell?

– Yep, sure, yep.

– So if you go to appgovscore.com, you come to a website and what the App Gov Score does is after you consent, it only requires some read-only permissions, it quickly analyzes your tenant and it gives you a score. What the score is based on is we analyze your enterprise applications, your application registrations and your tenant settings, and we compare them to Microsoft recommended practices. So you can quickly see, for example, how many applications you have, what percentage do you not have admin consent. If you’re interested in knowing how many applications might be expiring or already have expired, whether it’s an expired certificate, or if it’s a client secret, we show you that.

If you see something that you don’t understand, like for example, you might not know what a public client flow is, you click on the link, we give you a description, and then you can click over and go to a Microsoft article that elaborates.

And then as you come down to the bottom, we review your tenant settings. And again, we compare them to Microsoft best practice. And then all of this is wrapped up in a score. So you have over 20 checks and you can quickly get, quickly know where your tenant stands and how bad, how much work that’s at, that’s how it might be.

– I’m gonna put a link in the video description below where you can check out the freemium version of the product. So do make sure you check that out. And before you go, there’s also another video on the screen where Sander and Jay talk about the difference between application registration and enterprise apps in Entra ID. So that is also worth checking out. That’s it from us today, and we’ll see you next time. (upbeat music)