April 26, 2024 •Louis Mastelinck
App registration within Entra ID can be used to manage the permissions granted to specific apps and determine which users within your tenant can use the defined app, as well as many aspects of the authentication involved with an app. These registrations can have many uses: your backup solutions might leverage an app registration, registrations might facilitate Single Sign-On (SSO), custom branding, allow specific users access to your accounting software, or enable your website backend to use the Graph API for sending emails. There are many use cases for why we use app registrations, and each of these app registrations can include a wide range of permissions and access within your tenant. Therefore, it's essential to be vigilant about how these app registrations are created and managed and by whom.
Default Behavior & Associated Risks
All users can register applications.
If you leave your Entra ID tenant settings as default, you will notice that all users can register applications within your tenant.
Figure 1: Default setting allows users to register applications.
Allowing everyone in your organization to register applications is generally not advisable. Most users are unfamiliar with what an app registration entails, and you want to avoid an uncontrolled increase in unknown app registrations within your tenant. Allowing users to register applications could also introduce an additional attack surface if any account is compromised.
Default Ownership
When an unprivileged user creates an app registration without any privileged roles assigned to their account, they automatically become the owner of the app registration by default. Alternatively, if a user with privileged roles assigned to their account creates an app registration, they will create an ownerless app registration and verify the app registration owner.
You can quickly determine the owner of an app registration. In entra.microsoft.com, navigate to Applications > App Registrations. Select an app registration, go to the left-hand blade, and click on the 'Owner' tab.
You can add individual users as owners, but unfortunately, using an Entra ID security group is not supported for this purpose.
Figure 2: Owner tab of an application registration.
Owner vs. Admin
Being an application owner grants you the ability to manage all aspects of that app, including creating and updating properties, generating new secrets, and modifying assigned permissions, among other tasks.
It's crucial to highlight that these owners can only manage the specific app registration they own. This means owners don't require additional permissions within the Entra ID tenant to update, add, or maintain the app registration. Source: Default user permissions - Microsoft Entra | Microsoft Learn
Two admin roles allow IT admins to manage app registrations: Application administrator and Cloud application administrator. The significant difference between the two is that the Cloud admin can't manage application proxies; however, both roles can manage all aspects of app registration, including granting permissions (excluding Microsoft Graph permissions).
If your organization needs someone other than your IT team to manage app registrations, you must determine who will handle these responsibilities. If your company has a development team, you want to avoid being caught in the middle and be responsible for maintaining all those registrations.
At first glance, granting Application Administrator and Cloud Application Administrator roles might seem reasonable. However, from a security standpoint, there are better approaches than this. These administrators would gain the ability to manage all existing app registrations. If you already have highly privileged app registrations, they could create an additional secret that might be abused to perform highly privileged actions within your tenant using the app registration.
Making these developers application owners instead would be a better method of gradually defining their permissions to specific app registrations.
Protect your Owners
From a security point of view, making a user an application owner requires us to also adequately protect these accounts.
Owner = privileged account
Let there be no doubt, I always recommend having separate accounts for administrative tasks within your tenant. There should be a clear distinction between accounts used for emailing, browsing, Teams, or any other app, and the account that possesses privileges within the tenant.
Being an owner of an app grants your account a privileged status. As such, you can change settings that could impact the entire organization, such as creating a new secret or uploading a certificate, which is particularly attractive to threat actors. App registrations can hold numerous permissions, and detecting abuse of an app registration can be challenging. A notable example is the recent Microsoft breach known as Midnight Blizzard.
Conditional Access Can't Scope Owners.
Conditional access can't scope application owners directly. It can scope active role assignments. You can target active Application Administrators and Cloud Application Administrators assignments. Unfortunately, there's no way to consistently target app registration owners in a CA policy unless you can identify them, for example, by using static or dynamic groups.
I recommend leveraging a Conditional Access policy to ensure that every privileged account uses the highest possible authentication strength and has a limitation on its session duration. These strategies lower the chances of success for an 'Adversary-in-the-middle' (AiTM) attack and limit the impact time of a token theft attack.
Can't PIM to an Owner
One of the mechanisms in Privileged Identity Management (PIM) is to elevate permissions just in time. This is perfectly compatible with the Application Administrator and Cloud Application Administrator roles.
However, PIM'ing yourself to an application owner is not a mechanism that exists. Entra ID roles, PIM-enabled security groups, and Azure resources are supported. But we can't use PIM to become the owner of a specific app registration.
Sadly, one of the current limitations is that you can't assign a security group as an app registration owner, which means that using a PIM'able group isn't a mechanism we can use to become an Owner on request/just in time.
Lock Down User Access to Entra ID Admin Center
It is recommended that the default setting in Entra ID be changed to prevent unprivileged users from accessing the Entra admin center. Only users with active Entra ID roles will be granted access to the portal.
Figure 3: Restrict Entra admin center access for regular users.
As an app registration owner, you do not have any Entra ID privileges. If you have this setting enabled and start making regular user accounts application owners, they won't be able to access them via the portal.
This setting highlights that using separate admin accounts, even for an app owner, makes sense.
Recommendations for Application Ownership
To conclude, if you ever need to grant a user permission to manage an app registration, you can use the following logic to determine the best assignment for your use case. Following these rules will ensure you make informed and secure decisions based on your needs.
- If the user only needs to manage a single or limited number of app registrations, assign the user as an app registration owner.
- If the user must perform tenant-wide maintenance for all app registrations, consider assigning the cloud-application administrator role.
- A regular user should never be allowed to be an app registration owner; separate admin accounts should be used for such assignments.
- The role of cloud -administrator is preferably placed behind Privileged Identity Management, which allows for just-in-time privileges, justification, and additional logging.
- All accounts with either an app registration owner or cloud-application administrator assigned must have stricter conditional access policies applied.
- Tenant defaults like "user can register applications" & "Restrict access to Microsoft Entra admin center" should be changed from their default settings.
Figure 4: Summarizing graphic of assignment logic.
Additionally, we have discovered that we cannot assign entire security groups as application owners. This limitation restricts us from managing app registration owners at a larger scale and from placing the assignment of an app registration behind a Privileged Identity Management (PIM) process using PIM-enabled groups.
App registration and application ownership come with great power and responsibility, so protecting their permissions and the access required to manage them is crucial.
ENow App Governance Accelerator evaluates your tenant’s Application Registrations, Enterprise Applications, and Global Tenant Settings, making identifying Application Ownership simple. Using the information in the Ownerless Apps report, for example, an organization can implement and maintain an application management delegation model beyond the built-in administrative roles.
The ENow AppGov Score is a free security assessment tool that provides a comprehensive Application Governance Assessment report that includes each test, your result and why the test matters. Sign up to get your score and assessment report in just a few minutes - Get Your AppGov Score today!
Written by Louis Mastelinck
Louis Mastelinck is a Belgian Soc analyst and security consultant with a passion for keeping the digital world secure. Specializing in incident response and the Microsoft Security stack (MDE, MDO, MDI, MDCA, Sentinel, ...), he excels at neutralizing threats and protecting organizations. As a Microsoft MVP and GCFA-certified professional, Louis brings a wealth of expertise to the table.