The Hidden Risks of Third-Party App Consents in Microsoft 365
As we delve deeper into the intricacies of managing critical SaaS dependencies like Microsoft 365 within the broader context of attack surface management, we've observed a prevalent and concealed security risk. This pitfall emerges from an easily-missed feature within Microsoft 365: the unchecked permission for users to grant third-party apps access to the organization’s data.
By design, Microsoft 365 encourages users to permit third-party apps to access organizational data. On the surface, this appears as a gesture of integration and ease. However, it conceals a latent risk that can weaken an organization's security stance. Notably, these third-party apps and the subsequent dependencies often bypass standard organizational oversight, leaving procurement and security teams in the dark. They embed within the organization's infrastructure, often with an unclear or broad spectrum of access rights.
Where Do Third-Party Apps Come From?
Microsoft fosters an ecosystem that encourages users to optimize their suite by sourcing applications from the Microsoft 365 App Marketplace.
While many of these applications, offered both by Microsoft and external developers, are legitimate and beneficial, the marketplace may also host apps that are less secure or even potential malicious.
Understanding the Microsoft 365 Application User Consent Process
Here’s a typical trajectory:
A user stumbles upon a promising app in the marketplace.
They initiate the integration process, leading to a permissions request page.
The request details the extent of data and functionalities the app seeks – from basic details like emails to more comprehensive permissions.
Unwary users often approve these permissions without grasping the full ramifications.
Tightening the Reins: Admin Consent for Applications
Given the implications, it’s imperative for organizations to be proactive. A prudent approach is for administrators to block user consents to all third-party apps. Instead, a robust review mechanism, like the admin consent workflow, should precede any third-party app integration.
Here's a concise guide:
Access the Azure AD (now labeled Microsoft Entrée ID) Admin Portal.
Navigate to Applications -> Enterprise Applications. Here, you might be taken aback by the sheer volume of third-party apps with access permissions.
Proceed to Consent and permissions.
For User consent settings, it's recommended to disable user consent.
For Admin consent settings, it’s vital to establish an Admin consent workflow.
You may refer to: Configure the admin consent workflows for more details. Moreover, consider leveraging our Microsoft 365 security posture management capability to streamline and automate this process.