Submitted URL: https://www.enowsoftware.com/e3t/Ctc/OH+113/bM0Z04/VWRk7f6mqd5dW8p6d_W7y5WV3W6mk3Cf57VdkvN3Gk38P3qgyTW8wLKSR6lZ3m9VS1KQ23_hxw...
Effective URL: https://granikos.eu/proper-entra-id-application-governance-phase-1/?utm_campaign=ESE%20Newsletter&utm_medium=email&_...
Submission: On January 04 via api from US — Scanned from DE

PROPER ENTRA ID APPLICATION GOVERNANCE – PHASE 1

 * By Thomas Stensitzki | MVP
 * 2023-12-18
 * English, Governance

Contents

 * The dangers of default settings
 * Where application governance comes into play
 * Introducing the ENow AppGov Score™
 * How it works
 * Default Tenant Application Registration Dilemma

Once an organization migrates to the cloud with Microsoft 365, end-users' ability
and temptation to sign in to potentially harmful external applications can get
out of hand and snowball quickly on many levels.

Attacks against insecurely configured Microsoft 365 tenants have been on the
rise recently. One example from last week is email attacks using OAuth crypto
mining applications. Microsoft explains in a detailed article how this attack
scenario worked. Among other things, this attack was made possible by an
insecure or permissive configuration for enterprise applications in Entra ID.
ENow describes how to configure your tenant more securely in the AppGov Score™
blog.

Do you know how many of these external applications exist in your Microsoft 365
tenant?

THE DANGERS OF DEFAULT SETTINGS

In a Microsoft 365 tenant with default settings, users can log in to external
applications with their enterprise account. This application usually requires
access to the tenant’s Entra ID directory. For this purpose, the user triggers
an application registration in the tenant. This external application has at
least read access to the Entra ID directory from now on.

There are most likely many enterprise applications and app registrations in your
tenant that users wanted to experiment with and maybe are no longer used but are
still registered. Such applications include Teams apps, Office add-ins, external
application websites, and possibly event websites on which your users register
themselves for attendance. Users being allowed to consent to applications
themselves by default encourages the uncontrolled sprawl of enterprise
applications.

An Entra ID application registration has two important authorization
configurations. Firstly, which user and guest accounts in your tenant are
allowed to use this application? Secondly, which authorizations does the
application in your tenant have for accessing Microsoft 365 resources, such as
Entra ID, SharePoint Online, or Exchange Online?

Depending on the application’s implementation, an enterprise application and an
additional app registration are added to your tenant. This app registration
defines, among other things, the delegated authorization of the application to
access data in your tenant on behalf of the logged-in user account.
Administrators often overlook that a single application adds configurations in
two places.




WHERE APPLICATION GOVERNANCE COMES INTO PLAY

Governance covers the entire life cycle of an application, from registration,
the adaptation of properties, and access authorizations to final deletion at the
end of use.

Some of the most overlooked attributes of a risky enterprise application or app
registration are:

 * Lifetime of access certificates and client secrets
 * Designation of application owners
 * Public client flows
 * Lack of a comprehensible description

Unfortunately, Entra ID does not provide a quick overview of the current state
of the existing applications. The Enterprise applications overview dashboard
only provides rudimentary information on the total number of applications and
their status, and it is not even the default view when you select the Enterprise
applications menu item.

So, how can identity architects effectively tame this proliferation of risky
enterprise applications in Entra ID?




INTRODUCING THE ENOW APPGOV SCORE™

ENow has developed a free solution that helps identity architects quickly
determine how their tenant stacks up against Microsoft-recommended security
practices. Long-standing security MVPs developed the scoring system’s
methodology with extensive knowledge of Microsoft 365 tenants of various sizes.




HOW IT WORKS

For a quick assessment of your tenant's application governance estate, you start
by registering with the Freemium version at https://www.appgovscore.com. You
will be up and running in anywhere from 5 minutes to an hour. You can register
with a standard user account for your tenant, but you need a Global
Administrator account to consent to the required application permissions.

AppGov Score requires the following permissions to gather information from Entra
ID:

 * Directory.Read.All
 * EntitlementManagement.Read.All
 * Policy.Read.All
 * Policy.Read.PermissionGrant
 * RoleManagement.Read.All

After registering and consenting to the application permissions, the
configuration data of the enterprise applications in your tenant is analyzed.
Based on the results, the accelerator calculates the unique AppGov Score for
your tenant, and you receive a full Application Governance Assessment report.

The following example uses an App Governance analysis of my personal demo
tenant.




DEFAULT TENANT APPLICATION REGISTRATION DILEMMA

The analyzed tenant runs primarily on Microsoft 365 default settings, with an
enterprise application default configuration. Microsoft 365 tenants, most of the
time, remain running with default settings. And that is not only a dilemma, but
the dilemma.

You shouldn’t be surprised to see an initial AppGov Score of 53% in the first
screenshot. Having an out-of-box experience (OOBE) Microsoft 365 tenant is far
from the Microsoft recommended best practices for maintaining enterprise
applications in Entra ID.

Initial Assessment Report showing an ENow AppGov Score™ of 53 percent


Your free application governance assessment report provides information about
three important sections of your tenant health:

 * Enterprise Application Analysis
 * Application Registration Analysis
 * Tenant Settings Analysis



Each section contains basic status information on configuration and governance
topics, e.g., how many enterprise applications exist in your tenant with admin
consent. The status for a section ranges from poor to good to excellent. Some
sections are informational, as they show statistical information only. A section
provides additional details on why the information is vital for the application
governance in your tenant. For example, the following screenshot shows the
expanded section of applications lacking admin consent.

As you can see, the lack of administrative consent for 66.67% of the registered
enterprise applications results in a poor governance status. If you assume that
these applications were consented to by individual users only, you are right.
Each section description has a link to the official Microsoft documentation that
explains the topic and the recommended configurations.

Screenshot showing the poor status of enterprise applications without admin
consent


The following list shows the configurations included in your AppGov Score™
report:

 * Enterprise Application Analysis
   * Number of registered enterprise applications
   * Percentage of enterprise applications lacking administrative consent
   * Number of enterprise applications considered high-risk
   * Number of enterprise applications created in the last thirty days
   * Percentage of enterprise applications without a description
   * Percentage of enterprise applications without owners
   * Percentage of enterprise applications without role assignments



 * Application Registration Analysis
   * Number of application registrations with public client flows
   * Number of application registrations with expired certificates
   * Number of application registrations with certificates expiring in the next
     fourteen days
   * Number of application registrations with expired client secrets
   * Number of application registrations with expiring client secrets in the
     next fourteen days
   * Percentage of application registrations with client secrets with a time
     expiration longer than two years
   * Number of application registrations created in the last thirty days
   * Number of application registrations without an associated enterprise
     application
   * Percentage of application registrations with certificates with a time
     expiration longer than two years
   * Number of application registrations with configured client secrets



 * Tenant Settings Analysis
   * Number of user accounts with application administrative privileges
   * Configuration of group owner consent
   * Configuration of guest users’ access permissions
   * Configuration of user consent for applications
   * Configuration of allowing users to add gallery applications
   * Configuration of requesting administrative consent



Even without providing complete visibility into all AppGov Score™ section
results of my tenant, I’m sure you can grasp how the information provided will
expose apps lurking in your Entra ID tenant. It is a powerful tool that helps
you track enterprise applications and application registrations in your tenant.
Applying good governance to this area of Entra ID helps you secure your
Microsoft 365 pasture.

As mentioned before, Entra ID allows end-users to register enterprise
applications by default. Your tenant might contain enterprise applications that
aren't in use and pose a security risk.

If you are an identity architect looking for a way to automate governance and
develop a governance strategy for your organization, AppGov Score™ can quickly
provide the information needed.

When you’re ready to unlock features that support your governance tasks related
to enterprise applications and app registrations, you can upgrade to ENow’s App
Governance Accelerator. This support starts with the basic settings for
registration and consent in a Microsoft 365 tenant and includes reporting on the
status of enterprise applications. In the second part of this mini-series, I
discuss the features of the paid version of the App Governance Accelerator and
how the AppGov Score™ helped to enhance governance in my company tenant.






