AppGov Score Blog


Best Practices for Application Governance in Your Microsoft Environment

November 10, 2023 Alistair Pugin


We all must face facts: the cloud is better. It's faster, easier, more scalable, and extremely resilient. Customers have moved, and are still moving, to the cloud every single day, and they are modernizing their applications or adopting cloud-native applications as they go. These applications no longer live inside a Windows or Linux virtual machine. They are no longer accessed via a VPN or a perimeter network. They are no longer governed and managed within a DMZ, behind a traditional firewall.

They are cloud native.

The cloud does things differently. We authenticate differently. We authorize differently. Everything has an API. Everything has an endpoint. We protect and secure differently. Our perimeters are no longer what gets compromised; the new attack vector is identities. Your identity is your vulnerability. And yes, according to Microsoft, MFA does in fact solve 99.9% of your problems, but applications do not ask for a second factor of authentication when connecting to a database or running in a container.

In this new world, we use things like authentication and authorization, tokens, cookies, and so on to establish access into applications and their corresponding data. Yes, there were remnants of this when we used on-premises datacenters, but it was only in its infancy back then. Today, it's the de facto standard for applications hosted within cloud-native services like containers, headless web applications and serverless functions.

Now that the scene is set, let’s have a look at what Microsoft does to help organizations secure their applications.

Since we are talking about how environments get accessed, all roads start with Microsoft Entra ID, the platform formerly known as Azure Active Directory.

This is where users are created and managed. In addition, every deployed application that requires access, either internally or via a public endpoint, ends up either as a custom app under App registrations or as a third-party application under Enterprise applications.

Access to these applications is managed in a myriad of ways, which I’m not going to get into in this post. Microsoft does provide various mechanisms for managing access to these applications. They also provide tools to manage and monitor access to these applications:

  • Microsoft Entra ID Privileged Identity Management
  • Microsoft Entra ID Conditional Access
  • Microsoft Entra ID Identity Governance
  • Microsoft Entra ID Identity Protection
  • Microsoft Entra Verified ID, Workload ID and External ID
  • Application Governance in Microsoft Defender for Cloud Apps

These products work with Microsoft Entra ID (it's in the name) to provide organizations with the facilities they need to lock down applications, how applications talk to each other and how users interact with these applications, but there is no simple way to identify possible holes in the configuration of these products. And most administrators get overwhelmed with all the admin consoles they have to trawl through. Just look at the list of all of Microsoft's admin portals compiled by Adam Fowler.

So, where do you start?

What do you look for when starting your Entra ID security journey? What should you consider as a standard for enforcing stringent controls over the application landscape? To see how well you stack up in the following 14 areas in addition to others, access your free AppGov Score Report. Read on to learn about my 14 things to look for when you want to set a good baseline for application governance in your Microsoft Entra ID tenant:

  1. Apps without descriptive notes
    This is not really a control but more of a prescriptive suggestion so that you know what the application is about.
  2. Apps without role assignments
    Apps without role assignments are applications that do not have any predefined roles for users or groups to access them. Users can still access these apps if they have the appropriate permissions, such as being an administrator, a member of a group that has access, or having self-service application access enabled.
  3. Apps without owners
    It's vitally important that applications have service owners inside the organization, for various reasons including tracking. Applications can belong to users or groups that have been orphaned, e.g. a user deploys an application that is associated with their account and then leaves the organization.
  4. Application registrations without associated enterprise applications
    Enterprise applications are service principals underneath, and the service principal is the security principal for that application in your tenant. Application registrations can exist without clearly defined role-based access controls.
  5. Application registrations with public client flows
    Application registrations with public client flows enabled are configured in Microsoft Entra ID to access web APIs on behalf of the user. These apps are also known as public client applications or native applications: apps that run on devices, desktop computers or in a web browser. They're not trusted to safely keep application secrets, so they only access web APIs on behalf of the user and only support public client flows. Because public clients can't hold configuration-time secrets, they cannot have client secrets.
  6. Application registrations with outdated version of MSAL
    MSAL stands for Microsoft Authentication Library, a set of libraries that enable applications to authenticate against and access the Microsoft identity platform. MSAL is the recommended way to use the latest identity features in the Microsoft platform, such as passwordless and Conditional Access. However, some applications may still use ADAL, the Azure Active Directory Authentication Library, MSAL's predecessor, which is no longer supported by Microsoft. These applications may face issues with authentication, security, and performance, and may not be able to access the latest capabilities of the Microsoft Graph API. Therefore, it is advisable to update your applications from ADAL to MSAL as soon as possible, before the end-of-support date of June 30th, 2023.
  7. Certificates with a validity period over 2 years
    Certificates with a validity period over 2 years are no longer accepted by some major web browsers, such as Chrome and Safari, as of September 1, 2020. This means that any certificates issued on or after that date must have a maximum validity of 398 days (or 397 days for some certificate authorities). Certificates issued before that date with a longer validity period will still work until they expire. The reason for this change is to improve the security and privacy of the web, as shorter certificate lifetimes reduce the window in which a compromised or mis-issued certificate can be abused. However, this also means that website owners and administrators need to renew their certificates more frequently and ensure that they comply with the new requirements.
  8. Do not allow group owners consent
    Group owner consent is a feature that allows group owners to approve applications that request access to their groups or teams’ data, such as calendars, files, conversations, and so on. However, some organizations may want to restrict this ability to only administrators or certain users who meet specific criteria.
  9. Guest users have limited access to properties and memberships of directory objects
    "Guest users have limited access to properties and memberships of directory objects" is a setting in Microsoft Entra that controls how much information guest users can see in your directory. It is the default option, and it blocks guests from certain tasks, such as listing all the users, groups, or other resources in your directory. Guests can only see the membership of non-hidden groups and their own profile information.
  10. Allow user consent for apps
    User consent is a feature that allows users to grant permissions to applications that request access to their data or resources. By default, all users can consent to applications for permissions that don’t require administrator consent. However, this can pose a security risk if malicious applications try to trick users into granting them access to sensitive or confidential information.
  11. Do not allow users to add gallery apps
    Gallery apps are third-party applications that can be integrated with Azure AD for single sign-on and identity management. However, some administrators may want to restrict the use of these apps for security or compliance reasons. Therefore, they can set the option “Users can add gallery apps to their Access Panel” to “No” in the user settings of Microsoft Entra ID.
  12. Users cannot request admin consent to apps they are unable to consent to
    This feature allows administrators to explicitly lock down application deployment by end users. It's aggressive, but it provides 100% control of what applications get deployed in your environment.
  13. Users cannot request admin consent to apps
    Admin consent helps to protect the organization's data and resources from unauthorized or malicious access by third-party applications. It also reduces the burden on users to decide whether to trust an application or not, and simplifies the sign-in experience for applications that have been pre-approved by the administrator. Again, having this feature enabled relates to the item above: it gives admins explicit control of what applications get deployed.
  14. User accounts with application administrative privileges
    User accounts with application administrative privileges are those that have been assigned one or more roles or permissions that allow them to manage directory resources, modify credentials, authentication or authorization policies, or access restricted data in Microsoft Entra ID. These roles and permissions are identified as privileged and can lead to elevation of privilege if not used in a secure and intended manner.
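Several of the items above (1, 3, 4, 5 and 7) can be evaluated directly from the app registration objects Microsoft Graph returns. The script below is an added example, not code from the post or from the AppGov Score tool: it assumes each app is a dict shaped like the Graph `application` resource (with `owners` present because the query used `$expand=owners`) plus the set of appIds that have a service principal, and runs on a constructed sample rather than a real tenant.

```python
# Added example (not from the post or the AppGov Score tool). Each app is a
# dict shaped like the Microsoft Graph `application` resource, with owners
# present because the query used $expand=owners. All sample data is constructed.
from datetime import datetime

MAX_CERT_DAYS = 730  # item 7: certificates valid for more than two years

def _parse(ts: str) -> datetime:
    # Graph returns ISO 8601 timestamps with a trailing 'Z'
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def check_app(app: dict, service_principal_app_ids: set) -> list:
    """Return the baseline findings for one app registration."""
    findings = []
    if not (app.get("notes") or "").strip():
        findings.append("no descriptive notes")               # item 1
    if not app.get("owners"):
        findings.append("no owner")                           # item 3
    if app["appId"] not in service_principal_app_ids:
        findings.append("no enterprise application")          # item 4
    if app.get("isFallbackPublicClient"):
        findings.append("public client flows allowed")        # item 5
    for cred in app.get("keyCredentials", []):
        days = (_parse(cred["endDateTime"]) - _parse(cred["startDateTime"])).days
        if days > MAX_CERT_DAYS:
            findings.append(f"certificate valid {days} days")  # item 7
    return findings

def report(apps: list, service_principal_app_ids: set) -> dict:
    """Map each app's displayName to its findings; clean apps are omitted."""
    return {a["displayName"]: f for a in apps
            if (f := check_app(a, service_principal_app_ids))}

# Constructed sample: one orphaned legacy app and one that passes every check
SAMPLE_APPS = [
    {"appId": "aaaa-1", "displayName": "legacy-sync", "notes": "",
     "isFallbackPublicClient": True, "owners": [],
     "keyCredentials": [{"startDateTime": "2023-01-01T00:00:00Z",
                         "endDateTime": "2026-01-01T00:00:00Z"}]},
    {"appId": "bbbb-2", "displayName": "hr-portal", "notes": "HR self-service portal",
     "isFallbackPublicClient": False, "owners": [{"id": "user-1"}],
     "keyCredentials": [{"startDateTime": "2023-06-01T00:00:00Z",
                         "endDateTime": "2024-06-01T00:00:00Z"}]},
]
SAMPLE_SP_APP_IDS = {"bbbb-2"}  # legacy-sync has no service principal

if __name__ == "__main__":
    for name, findings in report(SAMPLE_APPS, SAMPLE_SP_APP_IDS).items():
        print(f"{name}: {', '.join(findings)}")
```

Against a real tenant, feed it the output of `GET /applications?$expand=owners` and the appIds from `GET /servicePrincipals`; the remaining items are tenant-wide consent and role settings rather than per-app properties.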

There you have it. My top 14 tips on making sure that your application landscape is managed better than it was before you read this blog. Please watch the webinar we did for more opinions on why Application Governance is essential and how you can ensure you are equipped with the necessary information to lock those apps down.

ENow has a new tool that can help make sense of Entra ID application risks and also identify opportunities where you can further secure your Entra ID tenant - get your free AppGov Score today!




Written by Alistair Pugin

M365 + Security MVP | Blogger | Podcaster | Speaker | CTO - NBConsult

Alistair has worked in various capacities in multiple verticals from retail-manufacturing to government, spanning 50 to 50000 users utilizing all aspects of pure Enterprise Information Management.

Specialties: 20+ years pure IT, 16 years ECM, Livelink, Zylab, SharePoint, FileNet, etc. IT Pro dabbling in Dev, ECM Consultant, Suffering from Technophilia. Technology Architect specializing in Business Productivity Enrichment.