Identifying OAuth Apps Without Role Assignments in Your Microsoft Tenant

Why it’s important for Identity admins to pinpoint, manage, and secure Entra ID applications without role assignments to ensure proper Application Governance.

Application Governance is the practice of managing access, identity, and security for your cloud native applications. The purpose of application governance is to improve data security, risk management, and application performance, which also includes monitoring and controlling the access, usage, and sharing of data by OAuth-enabled apps registered on Microsoft Entra ID.

Application governance has historically been the responsibility of the application owners, but sooner than later Microsoft Entra ID administrators will find themselves in a position where they will have to assign or review app roles for users wanting to access certain applications.

Enter: Entra ID

Entra ID Apps are applications that use Entra ID as an identity provider to authenticate and authorize users. However, without proper role assignments, these apps pose a significant risk to the security and compliance of an organization. Do you know how many Enterprise Apps exist in your Entra ID tenant? And more importantly, what percentage of those pose a threat because they lack proper role assignments!?

So, what's the big deal?

When an app has no role assignments, it means that all users in the directory, both members and guests, can access the application. This can be a security concern if the application contains sensitive data that should only be available to specific users or groups. Without the proper role assignments delineated for an app, that means that all users in the organization could potentially access sensitive data or perform unauthorized actions.

For example, let’s say a compromised user is able to access an application that has permissions to read and write all users’ data. Even if the user doesn’t have these permissions on their own account, the attacker could use the application to perform these actions, effectively escalating their privileges. Therefore, it is essential to identify the Entra ID Apps that are without role assignments and then ensure that all Entra ID Apps have appropriate role assignments.

As an Identity and Security subject matter expert, (and not an application developer or app owner) in this post I will provide clarity around applications without role assignments, and the risks associated with them. From an Entra ID administrator’s perspective, I’ll demonstrate how application governance can strengthen your organization’s security posture.

If you’re a Microsoft Entra ID administrator, chances are you’ll have to manage app access in your organization at some point, so let’s dive into the matter at hand so you can improve your organization’s security posture with regular reviews and role assignment updates.

Authentication vs Authorization

Now, a blog post about Application roles and permissions just wouldn’t be complete without an obligatory introductory paragraph explaining the difference between Authentication and Authorization, would it? Here’s an analogy I like to use:

Authentication and authorization are two terms that sound very similar, but they mean very different things. Authentication is the process of verifying who you are; authorization is the process of verifying what you can do. For example, authentication is like showing your ID card at the entrance of a club, while authorization is like showing your VIP wristband at the VIP bar. Authentication lets you in, but authorization lets you drink champagne. Authentication proves your identity, but authorization grants your permissions. This blog will provide insights around the Authorization side of things.

When working with Microsoft Entra ID Enterprise Applications, you will encounter different types of authorization mechanisms that control access to resources and operations, including:

• Role Assignments
• API Permissions
• Roles and Administrators

Figure 1: Three types of authorization mechanisms

Role Assignments

App-role assignments are a way of granting users or groups access to specific roles or permissions within an app. App-role assignments can help you implement role-based access control (RBAC) or attribute-based access control (ABAC) scenarios for your apps and simplify the ongoing access management process. The application defines and publishes the app roles and interprets them as permissions during authorization.

To use app-role assignments, you need to have an app that is configured in Microsoft Entra ID and supports app roles. These can either be apps that are developed in-house, using the Microsoft identity platform; or third-party apps that are integrated with Microsoft Entra ID.

Developers can use app roles to control whether a user can sign into an app, or an app can obtain an access token for a web API:

Figure 2: App roles are defined on an application registration

App roles are popular with SaaS apps because they allow the SaaS app to be provisioned in multiple tenants.

Entra ID admins or application owners can assign users or groups to those roles using the Microsoft Entra admin center, or PowerShell:

Figure 3: Assign Users and groups in Entra ID Enterprise applications

When a user or group* is assigned to an app role, they receive a claim in their token indicating their role when they sign into the app. You can also use dynamic groups to automatically assign users based on their attributes, such as department, location, or job title.

*Note: Nested group memberships are not supported for group-based assignment to applications.

API Permissions

Application Programming Interface (API) permissions are rules that define what an application can do or access on behalf of a user or itself. For example, an application might need permission to read the user's profile, send emails, or access SharePoint files.

There are two types of permissions: delegated and application. Delegated permissions are used when an application acts on behalf of a signed-in user, such as a web app or a mobile app. Application permissions are used when an application acts on its own, without a user, such as a background service or a daemon.

To access a protected resource, such as email or calendar data, your application needs the resource owner's authorization. This is where consent comes in, but that’s a topic for my next blog.

Figure 4: API Permissions in App registration

Are you an Identity administrator responsible for Entra ID? Check out ENow's latest webinar where Microsoft MVPs Nicolas Blank & Alistair Pugin gave a breakdown of the Midnight Blizzard attack on Microsoft, and how to prevent attacks like that from happening to  your organization. CLICK HERE for the recorded session on how to "Identify & Fix Application Security Vulnerabilities in Microsoft Entra ID"

Roles and Administrators

Roles and Administrators are quite simple if you already understand the concept of Entra ID Roles such as Global Administrator or Security Administrator. As an administrator, you can use Microsoft Entra roles to delegate management tasks for your enterprise applications. Such as creating, configuring, assigning, and monitoring them. You can use built-in roles that are relevant for enterprise applications, such as Application Administrator, Application Developer, and Cloud Application Administrator.

You can also create custom roles to suit your needs and assign the custom role to the users who will need to manage those enterprise applications. For example, you can create a custom role that allows a user to view and edit the properties of a specific enterprise application, but not to delete it or assign it to other users.

Figure 5: Permissions enforced through Role assignments

To summarize authorization in Entra ID apps:- Role assignments say “who” can access an app. API Permissions say “what” rights the app has to data, either directly or on behalf of a user, and Admin roles say “which” admin types can modify the application itself.

Requiring user assignment

Now that we’ve covered all the application authorization options in Entra ID, let's concern ourselves over proper application governance for Enterprise applications without role assignments.

Why should we care?

Well, Microsoft’s Threat Intelligence blog warns us that Threat actors misuse OAuth applications to automate financially driven attacks, even if the threat actors lose access to the initially compromised account. Storm-1283, a known threat actor, has been observed exploiting a breached user account. This account was used to establish an OAuth application and set up virtual machines specifically for the purpose of crypto mining.

Figure 6: OAuth Applications used for cryptocurrency mining attack

In an Enterprise Application, there’s a tiny little setting or property called “Assignment Required?” and you have the option to toggle between Yes or No. By default, applications registered in Entra ID don’t require user assignment (“Assignment Required” setting is set to No). Therefore, the app is available to all users of the tenant.

Figure 7: Assignment required setting and explanation

When set to Yes, users and services attempting to access the application or services must first be assigned for this application (using our Role Assignments setting discussed earlier) or they won’t be able to sign-in or obtain an access token.

When the “Assignment Required” setting is set to No, all users are authorized to sign in, and other applications and services can obtain an access token to the application. This can lead to security concerns as it allows unauthorized access to the application.

As in the case of the Marriot data leak due to a compromised third-party app. Attackers compromised a few employees’ credentials and logged into a third-party application which had access to 5.2 million Marriot guest records. These records included passport data, contact data, and other personal information.

By assigning users only the roles they need to perform their tasks, you can minimize the potential damage if a user account is compromised.

Some applications, like Teams apps purchased through Microsoft AppSource[1] or the Microsoft Teams admin center, may require user assignment, which means that only users who are explicitly assigned to the application can access it. Paid for apps require users to authenticate to prevent unwarranted access and to check for entitlement. This can help control costs, and help with compliance for applications that have licensing requirements.

After enabling user assignment, you can assign users or groups to the application either individually or in bulk. You can also use dynamic groups or self-service group management to automate the assignment process. Users who are not assigned to the application will see an error message when they try to access it from the My Apps portal or the app launcher.

For some applications, the option to require user assignment isn't available in the application's properties. In these cases, you can use PowerShell to set the appRoleAssignmentRequired property on the service principal.

[1] An online store that contains thousands of business applications and services built by leading software providers

"Gotchas"

So, at this point you are probably thinking: “Right, let’s go and set all my apps to require assignment and secure the tenant.” However, you should be aware that there are some ‘gotchas’ to setting “Assignment required” property to Yes, such as:

• Unassigned users can’t access the app, obviously!
• When assigning groups to an app, bear in mind that nested groups are not supported, so you may have to create groups for app assignments that only contain the users directly and no other groups. Groups must be security groups or Microsoft 365 groups.
• An Administrator needs to consent tenant-wide to all the permissions requested by the application even if they are permissions that users could consent to themselves otherwise.
• In some instances, other apps need to get an access token allowing it to call the API of the app (where you wish to enable Assignment required) but as I mentioned in Role Assignments, you can assign Users and Groups, not another app. An app can be assigned a custom role but must request permission and have an admin consent to the permission request. (See this Stack Overflow answer for direction on how to do this.)

Conclusion

It should be clear now that Entra ID App registrations and SaaS applications, without proper role assignments, pose a significant risk to the security and compliance of your organization. Therefore it is essential that Identity admins take a proactive stance when it comes to Application Governance, and identify those Entra ID Enterprise Apps without role assignments in your tenant, remediate, and manage so that all Entra ID Apps have appropriate role assignments moving forward.

This is quickly achievable with ENow’s AppGov Score, a free security assessment tool which provides you with a detailed report on the apps in your tenant without role assignments, in mere minutes. From there, you can easily assess which apps you should set to require assignment and finally assign roles according to your organization's needs and security policies.

Do you know what apps are lurking in your tenant? The ENow AppGov Score is a free security assessment tool that will quantify your application governance state quickly.  In addition to providing your AppGov Score, the tool will provide a comprehensive Application Governance Assessment report that includes each test, your result and why the test matters. Sign up to get your score and assessment report in just a few minutes - Get Your AppGov Score today!