Entra ID Application Security - Did You Know?

Leading up to the webinar I will be co-hosting on Wed, Jan 31^st which is focused on security vulnerabilities within Microsoft Entra ID, I thought I’d review beforehand a few “gotchas/did you knows” regarding applications that “live” inside of Entra. Remember, these applications are not hosted inside of Entra ID, they are associated with Entra so that you can provide the proper authentication and authorization for accessibility using the identity and access management components in Entra.

Now, for a lot of Active Directory (Identity Management) administrators, the concept of application registrations is completely foreign as it has traditionally been the domain of the application and security teams inside of the organization, and admins never had to care about these things. In the past, the app team would probably approach you to create some form of service account with a role assigned to it, so they could provision the application on top of the virtual machine they’d been assigned.

And that was most likely where your responsibility ended. Fast-forward to the cloud and Entra ID, where the landscape is vastly different, and applications are not built differently. Web apps, containers, Kubernetes, headless databases are where it’s at, and even product vendors are porting their applications to be “serverless.” Which is why you are now exposed to, and in some cases, responsible for application security.

Yes, you still need to attend the webinar because we will be providing more practical advice and better optics around the big picture; but in the meantime I thought I'd give a glimpse into what we’ll be discussing so you can prime yourself prior.

It is possible to publish an application with zero authentication and/or security.

When registering an application, the option to use an authentication provider is optional. You can literally just click the “Register” button. Ergo, the onus is on you to ensure that authentication configuration is done correctly.

Figure 1. Application Registration in Entra ID

Owned Apps are different from All Apps

Owned applications are the ones that you physically deploy. It is vitally important that you also look at the All applications tab because when you click on App registrations, it defaults to Owned applications.

Figure 2. App registrations portal in Entra ID

Enterprise Applications vs Application Registrations

Enterprise Applications are preconfigured applications that exist in the Entra Gallery that you can deploy into your tenant, with minimal configuration required. Think of it as an .exe that you would usually run to deploy an application in a Windows Virtual Machine.

Enterprise Applications represent the instances of applications that users can access, while Application Registrations represent the definitions of applications that developers can integrate with Entra ID. Again, think of Application registrations as configuring your web server to host an application where you must do everything manually.

Figure 3. Entra Gallery

*Note: You can “create” your own application from the gallery, which makes it an Enterprise Application so it will not appear under the application registrations tab. It’s deployed as an Enterprise Application.

There are differences between the functionalities of these apps.

Azure ships with various security features like Conditional Access. However, Conditional Access policies are not available for app registrations, as these applications are typically either a Public client app, a web app, or a Single-page application.

Figure 4. Conditional Access for Enterprise Applications

Applications can be deployed without you knowing about them.

That’s right, they can just magically show up as an application registration in Entra. These are usually 3rd party applications that get deployed into your environment, such as the Teams apps right out of the Team app store. Naturally, the account deploying the app would need permissions or would have been granted admin consent permissions to do this, but it is still frightening that this is possible.

So, there you have it – food for thought, topics to digest prior to attending the webinar at the end of the month. I look forward to everyone’s attendance, sharing my knowledge and best practices, as well as answering any burning questions from the audience.

Are you an Identity administrator responsible for Entra ID? Check out ENow's latest webinar where Microsoft MVPs Nicolas Blank & Alistair Pugin gave a breakdown of the Midnight Blizzard attack on Microsoft, and how to prevent attacks like that from happening to  your organization. CLICK HERE for the recorded session on how to "Identify & Fix Application Security Vulnerabilities in Microsoft Entra ID"

Do you know what apps are lurking in your tenant? The ENow AppGov Score is a free security assessment tool that will quantify your application governance state quickly.  In addition to providing your AppGov Score, the tool will provide a comprehensive Application Governance Assessment report that includes each test, your result and why the test matters. Sign up to get your score and assessment report in just a few minutes - Get Your AppGov Score today!