Unveiling the Hidden Dangers: Understanding App Consent Settings in Microsoft Entra ID


In this episode of Petri Dish, I speak to Jay Gundotra (CEO and Technical Founder of ENow Software) and Sander Berkouwer (Security Specialist and 15x Microsoft Valuable Professional) about what Microsoft Entra ID (formerly Azure Active Directory) is and understanding application consent.

Links and resources

🔗 Check out ENow’s App Gov Score for free.
📖 Read Sander’s article on Petri.com for more on Microsoft Entra ID app registration and enterprise app security.
🚀 And here is Sander’s article on how to properly secure and govern Microsoft Entra ID apps.

Transcript

– Hello and welcome to Petri Dish. Today we’re joined by two esteemed guests, Jay Gundotra, who’s CEO and technical founder of ENow Software, a long-time Microsoft partner, and Sander Berkouwer, who’s a 15-time MVP specializing in security. Welcome to you both.

– Thank you.

– Thank you, Russell.

– Before we get started, Jay, could you tell us a little bit about ENow?

– Absolutely. ENow’s been in the monitoring and analytics space for over 19 years. Can’t believe it’s been 19 years. I’m not that old, but it’s been 19 years. So our solutions focus on providing visibility into Entra ID, Microsoft 365 and Active Directory. I spent years as a consultant in the unified collaboration space, also working with Active Directory. I also worked inside IT organizations. And during that time, I really came to understand firsthand how much pressure and stress comes along with supporting those technologies. So I decided to start a company that would make software to simplify those jobs.

– So Sander, could you provide a bit of an overview of the key fundamentals of how Entra ID works related to applications and application security?

– Yeah, sure. And as Jay already mentioned, Active Directory, let’s start there. So there’s Active Directory on one side and there’s Entra ID on the other side. So what you’ll see is that Active Directory is on premises. So on your organization’s hardware, in your data centers, in your responsibility. And if you look at Entra ID, then it’s a cloud service. It automatically scales.

It runs in Microsoft’s data centers. And instead of one per organization, your organization is just one of the millions of organizations using the service. And if you look in Entra ID, then what you’ll see is that there are default consent settings that you can use as an organization. And the default settings are not that great if you ask me, because with default settings, everyone can add applications to the tenant, even guests.

So that person that you invited over to work on a document together, they can now add applications to your tenant.

And the other one is that everyone can consent to any permission, and consent is important because consent gives an application the scope of all the API permissions that it can use.

– Okay, Jay, what have you heard from your clients?

– When I talk to my clients, everyone resoundingly says this is a problem. But I think if you think of a 10-layer chocolate cake, most people understand the top two or three layers, but then things become quickly confusing. In terms of application governance policy, some organizations have a governance structure and policy, but it’s manual and there’s a lot of work. So every time this topic comes up, there’s a lot of excitement around, oh, we have this problem, but oh, we’re not sure how to solve it. I’m a little confused. There’s just a lot of pain around it.

That’s kind of what I’ve heard from our global customer base.

– Yeah, what I hear all the time is that they really don’t know the difference between an app registration and an enterprise app, for instance. And it is, well, if you know it, of course, it’s pretty simple, but an app registration is kind of like the backend of an application. It provides the API permissions towards the data that you want to access. And the enterprise application then, of course, is the front end. And it includes sign-on settings and assignment to specific users, for instance. So that only specific groups or specific users can use these apps instead of, well, everyone by default, including guests.

– So when you’re looking at a client’s tenant, what are some of the common problems that you would be looking for?

– So what we’re seeing is that these default settings, you can basically compare them to a faucet that is completely open. And then we have admins that are trying to clean the floor and mop the floor and get rid of the water, but the faucet is on. So the first thing that I always look at is consent settings. Can users consent to apps? Can group owners consent to apps? Can they consent to what permissions? Is there admin consent? Things like that. And of course, then, if you go to enterprise applications, you want to take a look at those role assignments and make sure that not everyone can access the application that allows you to, I don’t know, send invoices and approve invoices, because that would be total chaos. And of course, with application registrations, what you really want to know is certificates and client secrets that are about to expire.

– Okay, so how does ENow help with this problem?

– So as mentioned in the last video, Russell, we really felt we wanted to give back to the community. So we created a free security assessment tool that you quickly can go up to appgovscore.com. You can consent to our app, and then it runs through a 21-checkpoint list and covers a lot of the things that Sander just mentioned. Do you mind if I share my screen real quick?

– Sure, yeah.

– So as you’ll notice here on the screen, after you consent, and it takes anywhere from five minutes to approximately more than an hour, you’ll get an email when the report is ready. You get this report that runs through 21 checks and you get your App Gov Score.

– Sander, you mentioned tenant settings, so I’ll start there. If you scroll down to the heading tenant settings analysis, it runs through a series of checks, first of all telling you how many user accounts you have with application administrative privileges. How was your tenant set up? You’ll notice that this tenant is configured to not allow group owner consent, so that was given a good score. It shows if your tenant is configured for guest user access and if that’s restricted.

And it runs through all the different little checks of how you can have consent configured, so that way you’ll know. And if you’re wondering about why that’s important, we enumerate that down here, and then we give you the supporting Microsoft documentation. Another thing that you mentioned was around application registration and credentials. The checkpoints go through and tell you how many application registrations you have with certificates that are gonna expire in the next 14 days, how many have already expired, and then we go one step further and show you how many application registrations have either client secrets or certificates that are configured for longer than two years. And that’s a no-no when you look at Microsoft’s recommended best practices; that’s not secure.

So, we give you these data points, so that way you can quickly know, okay, how much work do I need to do? What is the current state of my tenant? This App Gov Score gives you that information really quickly, and now you know where you stand, and then you can build a plan to go solve those problems.

– Okay, thanks, Jay. So I’m gonna put a link in the description for this video to the freemium version of the product. So do go and check this out. But that’s not all. I’m gonna put a video on the screen now where I’m gonna be talking to Jay and Sander about application governance policy and how to create one if you don’t have one already in place. But that’s it for us today, and we’ll see you next time.

– Thank you.
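As an added example (not from the episode, and not ENow’s App Gov Score code), here is a PowerShell function that applies the three credential checkpoints Jay describes (already expired, expiring within 14 days, configured for longer than two years) to app registration objects shaped like the output of Get-MgApplication from the Microsoft.Graph.Applications module; the sample applications below are constructed.

```powershell
# Added example, not code from the episode or from ENow. Assumes app registration
# objects shaped like Get-MgApplication output: DisplayName, PasswordCredentials
# (client secrets) and KeyCredentials (certificates), each with StartDateTime/EndDateTime.
function Get-AppCredentialFindings {
    param(
        [Parameter(Mandatory)][object[]]$Applications,
        [DateTime]$Now = [DateTime]::UtcNow,
        [int]$WarnDays = 14,        # "about to expire" window mentioned in the episode
        [int]$MaxLifetimeYears = 2  # lifetime beyond which a credential is flagged
    )
    foreach ($app in $Applications) {
        $creds = @()
        foreach ($c in @($app.PasswordCredentials)) { $creds += [pscustomobject]@{ Type = 'ClientSecret'; Start = $c.StartDateTime; End = $c.EndDateTime } }
        foreach ($c in @($app.KeyCredentials))      { $creds += [pscustomobject]@{ Type = 'Certificate';  Start = $c.StartDateTime; End = $c.EndDateTime } }
        foreach ($c in $creds) {
            $findings = @()
            if ($c.End -lt $Now)                        { $findings += 'Expired' }
            elseif ($c.End -le $Now.AddDays($WarnDays)) { $findings += "ExpiresWithin${WarnDays}Days" }
            # StartDateTime can be null on some Graph objects; judge lifetime only when both ends are known
            if ($c.Start -and $c.End -gt $c.Start.AddYears($MaxLifetimeYears)) { $findings += "LifetimeOver${MaxLifetimeYears}Years" }
            if ($findings.Count -gt 0) {
                [pscustomobject]@{ Application = $app.DisplayName; Credential = $c.Type; EndDateTime = $c.End; Findings = ($findings -join ', ') }
            }
        }
    }
}

# Constructed sample data standing in for Get-MgApplication output.
$now  = [DateTime]::UtcNow
$apps = @(
    [pscustomobject]@{ DisplayName = 'Invoice-Approver'
        PasswordCredentials = @([pscustomobject]@{ StartDateTime = $now.AddYears(-1); EndDateTime = $now.AddDays(10) })    # expiring soon
        KeyCredentials      = @([pscustomobject]@{ StartDateTime = $now.AddYears(-3); EndDateTime = $now.AddYears(-1) }) }  # expired, 2-year lifetime
    [pscustomobject]@{ DisplayName = 'Legacy-Sync'
        PasswordCredentials = @([pscustomobject]@{ StartDateTime = $now.AddMonths(-1); EndDateTime = $now.AddYears(99) })  # near-permanent secret
        KeyCredentials      = @() }
    [pscustomobject]@{ DisplayName = 'Clean-App'
        PasswordCredentials = @([pscustomobject]@{ StartDateTime = $now; EndDateTime = $now.AddMonths(6) })                 # nothing to report
        KeyCredentials      = @() }
)
Get-AppCredentialFindings -Applications $apps -Now $now | Format-Table -AutoSize

# Against a real tenant (requires the Application.Read.All permission):
# Connect-MgGraph -Scopes 'Application.Read.All'
# Get-AppCredentialFindings -Applications (Get-MgApplication -All) | Format-Table -AutoSize
```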