granikos.eu
192.0.78.247
Public Scan
Submitted URL: https://www.enowsoftware.com/e3t/Ctc/OH+113/bM0Z04/VWRk7f6mqd5dW8p6d_W7y5WV3W6mk3Cf57VdkvN3Gk38P3qgyTW8wLKSR6lZ3m9VS1KQ23_hxw...
Effective URL: https://granikos.eu/proper-entra-id-application-governance-phase-1/?utm_campaign=ESE%20Newsletter&utm_medium=email&_...
Submission: On January 04 via api from US — Scanned from DE
Text Content
PROPER ENTRA ID APPLICATION GOVERNANCE – PHASE 1
By Thomas Stensitzki | MVP
2023-12-18
English, Governance

Contents
* The dangers of default settings
* Where application governance comes into play
* Introducing the ENow AppGov Score™
* How it works
* Default Tenant Application Registration Dilemma

Once an organization migrates to the cloud with Microsoft 365, the temptation and ability for an end-user to access potentially threatening external applications can get out of hand and snowball quickly on many levels. Attacks against insecurely configured Microsoft 365 tenants have been on the rise recently. One example from last week is email attacks using OAuth crypto mining applications. Microsoft explains in a detailed article how this attack scenario worked. Among other things, this attack was made possible by an insecure or permissive configuration for enterprise applications in Entra ID. ENow describes how to configure your tenant more securely in the AppGov Score™ blog. Do you know how many of these external applications exist in your Microsoft 365 tenant?

THE DANGERS OF DEFAULT SETTINGS

In a Microsoft 365 tenant with default settings, users can log in to external applications with their enterprise account. Such an application usually requires access to the tenant's Entra ID directory. For this purpose, the user triggers an application registration in the tenant. From then on, this external application has at least read access to the Entra ID directory.

There are most likely many enterprise applications and app registrations in your tenant that users wanted to experiment with; they may no longer be used but are still registered. Such applications include Teams apps, Office add-ins, external application websites, and possibly event websites on which your users register for attendance. Allowing users to consent to applications themselves, which is the default, encourages the uncontrolled sprawl of enterprise applications.

An Entra ID application registration has two important authorization configurations. First, which user and guest accounts in your tenant are allowed to use this application? Second, which permissions does the application have in your tenant for accessing Microsoft 365 resources such as Entra ID, SharePoint Online, or Exchange Online? Depending on the application's implementation, an enterprise application and an additional app registration are added to your tenant. This app registration defines, among other things, the delegated permissions the application uses to access data in your tenant on behalf of the signed-in user account. Administrators often overlook that a single application adds configuration in two places.

WHERE APPLICATION GOVERNANCE COMES INTO PLAY

Governance covers the entire life cycle of an application: registration, changes to properties and access permissions, and final deletion at the end of use. Some of the most overlooked characteristics of risky enterprise applications and app registrations are:
* Lifetime of access certificates and client secrets
* Designation of application owners
* Public client flows
* Lack of a comprehensible description

Unfortunately, Entra ID does not provide a quick overview of the current state of the existing applications. The Enterprise applications dashboard overview only provides rudimentary information on the total number of applications and their status. It is not even the default view when you select the Enterprise applications menu item. So, how can identity architects effectively tame this proliferation of risky enterprise applications in Entra ID?

INTRODUCING THE ENOW APPGOV SCORE™

ENow has developed a free solution that helps identity architects quickly determine how their tenant stacks up against Microsoft-recommended security practices. Long-standing security MVPs with extensive knowledge of Microsoft 365 tenants of various sizes developed the scoring system's methodology.

HOW IT WORKS

For a quick assessment of your tenant's application governance estate, you start by registering with the Freemium version at https://www.appgovscore.com. You will be up and running in anywhere from 5 minutes to an hour. You can register with a standard user account for your tenant. Still, you need a Global Administrator account to consent to the required application permissions. AppGov Score requires the following permissions to gather information from Entra ID:
* Directory.Read.All
* EntitlementManagement.Read.All
* Policy.Read.All
* Policy.Read.PermissionGrant
* RoleManagement.Read.All

After registering and consenting to the application permissions, the configuration data of the enterprise applications in your tenant is analyzed. Based on the results, the accelerator calculates the unique AppGov Score for your tenant, and you receive a full Application Governance Assessment report. The following example uses an App Governance analysis of my personal demo tenant.

DEFAULT TENANT APPLICATION REGISTRATION DILEMMA

The analyzed tenant runs primarily on Microsoft 365 default settings, with an enterprise application default configuration. Most of the time, Microsoft 365 tenants keep running with default settings. And that is not only a dilemma, but the dilemma. You shouldn't be surprised to see an initial AppGov Score of 53% in the first screenshot. An out-of-box experience (OOBE) Microsoft 365 tenant is far from the Microsoft recommended best practices for maintaining enterprise applications in Entra ID.

[Screenshot: Initial Assessment Report showing an ENow AppGov Score™ of 53 percent]

Your free application governance assessment report provides information about three important sections of your tenant health:
* Enterprise Application Analysis
* Application Registration Analysis
* Tenant Settings Analysis

Each section contains basic status information on configuration and governance topics, e.g., how many enterprise applications exist in your tenant with admin consent. The status for a section ranges from poor to good to excellent. Some sections are informational, as they show statistical information only. A section provides additional details on why the information is vital for application governance in your tenant. For example, the following screenshot shows the expanded section of applications lacking admin consent. As you can see, the lack of administrative consent for 66.67% of the registered enterprise applications results in a poor governance status. If you assume that those applications have user consent only, you are right. Each section description has a link to the official Microsoft documentation that explains the topic and recommended configurations.

[Screenshot showing the poor status of enterprise applications without admin consent]

The following list shows the configurations included in your AppGov Score™ report:
* Enterprise Application Analysis
  * Number of registered enterprise applications
  * Percentage of enterprise applications lacking administrative consent
  * Number of enterprise applications considered high-risk
  * Number of enterprise applications created in the last thirty days
  * Percentage of enterprise applications without a description
  * Percentage of enterprise applications without owners
  * Percentage of enterprise applications without role assignments
* Application Registration Analysis
  * Number of application registrations with public client flows
  * Number of application registrations with expired certificates
  * Number of application registrations with certificates expiring in the next fourteen days
  * Number of application registrations with expired client secrets
  * Number of application registrations with client secrets expiring in the next fourteen days
  * Percentage of application registrations with client secrets whose lifetime is longer than two years
  * Number of application registrations created in the last thirty days
  * Number of application registrations without an associated enterprise application
  * Percentage of application registrations with certificates whose lifetime is longer than two years
  * Number of application registrations with configured client secrets
* Tenant Settings Analysis
  * Number of user accounts with application administrative privileges
  * Configuration of group owner consent
  * Configuration of guest users' access permissions
  * Configuration of user consent for applications
  * Configuration of allowing users to add gallery applications
  * Configuration of requesting administrative consent

Even without providing complete visibility into all AppGov Score™ section results of my tenant, I'm sure you can grasp how the information provided will expose apps lurking in your Entra ID tenant. It is a powerful tool that helps you track enterprise applications and application registrations in your tenant. Applying good governance to this area of Entra ID helps you secure your Microsoft 365 pasture. As mentioned before, Entra ID tolerates end-users registering enterprise applications by default. Your tenant might contain enterprise applications that aren't in use and pose a security risk. If you are an identity architect looking for a way to automate governance and develop a governance strategy for your organization, AppGov Score™ can quickly provide the information needed.

When you're ready to unlock features that support your governance tasks related to enterprise applications and app registrations, you can upgrade to ENow's App Governance Accelerator. This support starts with the basic settings for registration and consent in a Microsoft 365 tenant and includes reporting on the status of enterprise applications. In the second part of this mini-series, I discuss the features of the paid version of the App Governance Accelerator and how the AppGov Score™ helped to enhance governance in my company tenant.
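As an added example (not code from the post or from ENow's product), the following Microsoft Graph PowerShell script reproduces three of the Application Registration Analysis checks listed in the report: expired credentials, credentials expiring within fourteen days, credentials with a lifetime longer than two years, plus registrations without an assigned owner. It assumes the Microsoft.Graph PowerShell SDK is installed and that the signed-in account can read applications (the Application.Read.All scope and the 14-day/730-day thresholds are this example's choices).

```powershell
# Read-only inventory of app registration credential hygiene (added example, not the report's own code).
# Assumption: Microsoft.Graph PowerShell SDK installed; the account can consent to Application.Read.All.
Connect-MgGraph -Scopes 'Application.Read.All' -NoWelcome

$now     = Get-Date
$soon    = $now.AddDays(14)             # "expiring in the next fourteen days"
$maxLife = New-TimeSpan -Days 730       # "lifetime longer than two years"

# Classify one credential (client secret or certificate) against the report's thresholds.
function Get-CredentialIssue {
    param($Credential)
    if (-not $Credential.EndDateTime) { return $null }          # no expiry recorded: nothing to flag here
    if ($Credential.EndDateTime -lt $now)  { return 'expired' }
    if ($Credential.EndDateTime -lt $soon) { return 'expires within 14 days' }
    if ($Credential.StartDateTime -and
        (($Credential.EndDateTime - $Credential.StartDateTime) -gt $maxLife)) {
        return 'lifetime longer than two years'
    }
    return $null
}

$findings = foreach ($app in Get-MgApplication -All -Property Id,AppId,DisplayName,PasswordCredentials,KeyCredentials) {
    # Secrets and certificates are stored in two separate collections; check both the same way.
    foreach ($c in @($app.PasswordCredentials)) {
        $issue = Get-CredentialIssue $c
        if ($issue) { [pscustomobject]@{ App = $app.DisplayName; AppId = $app.AppId; Kind = 'secret';      Issue = $issue; Expires = $c.EndDateTime } }
    }
    foreach ($c in @($app.KeyCredentials)) {
        $issue = Get-CredentialIssue $c
        if ($issue) { [pscustomobject]@{ App = $app.DisplayName; AppId = $app.AppId; Kind = 'certificate'; Issue = $issue; Expires = $c.EndDateTime } }
    }
    # Ownerless registrations have nobody accountable for rotation or removal.
    $owners = @(Get-MgApplicationOwner -ApplicationId $app.Id -All)
    if ($owners.Count -eq 0) {
        [pscustomobject]@{ App = $app.DisplayName; AppId = $app.AppId; Kind = 'registration'; Issue = 'no owner assigned'; Expires = $null }
    }
}

$findings | Sort-Object Issue, App | Format-Table -AutoSize
```

Nothing is modified; the output is a starting point for the owner-assignment and credential-rotation work the post describes.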