Tracking changes in user consented applications with Microsoft M365 E3

After taking a couple of weeks off, Detexian’s CTO Adrian Kitto is back to talk to you about the allure of the user-consented applications that your organization relies on. These applications will have access to business- and customer-sensitive data.

In case you missed it last time, please check out:

  1. Part 1: Who / What / Why does the mid-market all have Microsoft M365 E3 licenses

  2. Part 2: How does Microsoft M365 E3 work with the non-Microsoft ecosystem applications?

  3. Part 3: Discovering user consented apps with Microsoft M365 E3

  4. Part 4: Identifying and removing inactive users with Microsoft M365 E3

  5. Part 5: Calculating inferred or effective MFA for non-Microsoft applications

  6. Part 6: Privileged Access Management in non-SCIM apps with Microsoft M365 E3

  7. Part 7: Identifying, Evaluating, and Tracking Open Shares for External Users with Microsoft M365 E3

  8. Part 8: Keeping Abreast of Changes in User Permissions, Configuration, and Access with Microsoft M365 E3

  9. Part 9: Discovering and Reporting on DLP Alerts Older than 7 Days with Microsoft M365 E3

  10. Part 10: Identifying, Evaluating, and Tracking Open Shares for External Users with Microsoft M365 E3

Introduction

In today's interconnected digital landscape, user-consented applications have become an integral part of our work environments. These applications often enhance productivity and functionality by integrating with platforms like Microsoft 365 (M365). However, beneath the convenience lies a potential security minefield. This blog post will explore the importance of tracking changes in user-consented applications within the M365 ecosystem. We will dive into the risks posed by these applications, focusing on consent phishing attacks and malicious insider threats. We will also discuss how Microsoft M365 E3 can help organizations maintain control and security over their app ecosystem.

The Allure and Risks of User-Consented Applications

User-consented applications, also known as third-party applications, are those that users authorize to access their accounts and data within an integrated ecosystem. These applications offer features that users find valuable, such as email tracking, calendar synchronization, or document collaboration. However, these conveniences come at a cost:

  1. Consent Phishing Attacks:

    • The Deceptive Nature: Malicious actors often use consent phishing to trick users into granting access to their accounts unknowingly. These phishing attempts mimic legitimate app authorization requests, making it challenging for users to discern between genuine and fraudulent requests.

    • Data Access and Control: Once an attacker gains access, they can potentially access sensitive data, exfiltrate it, or even take control of the user's account, causing significant damage to both individuals and organizations.

  2. Malicious Insider Threats:

    • Unauthorized App Usage: Insiders with malicious intent can exploit user-consented applications to exfiltrate data or sabotage systems. By granting unauthorized access to third-party apps, insiders can bypass traditional security controls and operate under the radar.

    • Data Exfiltration: Insiders can use these applications to leak sensitive information to external entities, posing a significant risk to data security and compliance.



The Critical Role of Monitoring and Control

To mitigate the risks associated with user-consented applications, organizations must prioritize monitoring and control. Microsoft M365 E3 provides several tools and capabilities that can help organizations achieve this:

  1. App Permissions Reports:

    • M365 E3 offers reports that provide insights into the permissions granted to user-consented applications. These reports help administrators identify potentially risky apps and assess their impact on security.

  2. Conditional Access Policies:

    • Organizations can set up conditional access policies that control the conditions under which user-consented applications can access M365 data. These policies can enforce strict security requirements, such as multi-factor authentication, before granting access.

  3. App Review and Approval Processes:

    • Implementing a review and approval process for user-consented applications ensures that only trusted and vetted apps can access M365 data. Administrators can validate the legitimacy and security of apps before granting access.

  4. Security Defaults and Baselines:

    • M365 E3 includes security defaults and baseline policies that provide a foundational level of protection against common threats, including those related to user-consented applications.

  5. User Education and Awareness:

    • Educating users about the risks associated with third-party app consent and providing guidelines for safe app usage can help prevent consent phishing attacks.


Detecting and Responding to Changes

Tracking changes in user-consented applications is essential to maintaining security. Here's how organizations can effectively monitor and respond to changes:

  1. Regular Audits:

    • Conduct regular audits of app permissions and access. Review the list of authorized apps and ensure that they are still relevant and trustworthy.

  2. Third-Party Alerts:

    • Use third-party tools such as a SIEM or a posture manager to generate automated alerts that notify administrators of any changes in user-consented applications. Suspicious changes, such as increased permissions or a surge in app authorizations, can trigger an immediate investigation.

  3. Incident Response Plans:

    • Develop incident response plans that outline steps to take in the event of a security incident involving user-consented applications. These plans should include procedures for revoking app access and mitigating risks.

An Example of Monitoring Changes in User-Consented Applications

Let's consider an example of how an organization can use PowerShell to monitor changes in user-consented applications:


# Connect to Microsoft 365 (requires the MSOnline module)
Connect-MsolService

# Get the service principals in the tenant, which include user-consented applications
# (-All returns every result instead of only the first page)
$consentedApps = Get-MsolServicePrincipal -All

# Loop through the list and collect the details of each app
$appDetails = foreach ($app in $consentedApps) {
    [PSCustomObject]@{
        AppPrincipalId = $app.AppPrincipalId
        DisplayName    = $app.DisplayName
    }
}

# Export app details to a CSV file
$appDetails | Export-Csv -Path "UserConsentedApps.csv" -NoTypeInformation

# The MSOnline module has no disconnect cmdlet; the connection ends when the PowerShell session closes


This PowerShell script connects to Microsoft 365, retrieves the list of service principals (which includes user-consented applications), and exports it to a CSV file. Keeping one export as a baseline and comparing later exports against it reveals changes in the app list. When changes are detected, appropriate actions can be taken.
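
The baseline comparison itself can be done offline on two exports. The following is an added example, not part of the original post or Detexian's tooling: the CSV rows are constructed sample data, the function names Compare-ConsentSnapshot and New-ChangeRecord are hypothetical, and the Scopes column is an assumption (the script above exports only AppPrincipalId and DisplayName).

```powershell
# Constructed sample snapshots (not real tenant data). Scopes is an assumed extra column.
$baselineCsv = @'
AppPrincipalId,DisplayName,Scopes
11111111-1111-1111-1111-111111111111,Calendar Sync,Calendars.Read
22222222-2222-2222-2222-222222222222,Mail Tracker,Mail.Read
33333333-3333-3333-3333-333333333333,Old Notes App,Notes.Read
'@
$currentCsv = @'
AppPrincipalId,DisplayName,Scopes
11111111-1111-1111-1111-111111111111,Calendar Sync,Calendars.Read
22222222-2222-2222-2222-222222222222,Mail Tracker,Mail.Read Mail.ReadWrite offline_access
44444444-4444-4444-4444-444444444444,PDF Helper,Files.Read.All
'@

# Hypothetical helper: one uniform record per detected change
function New-ChangeRecord($Change, $App, $Detail) {
    [pscustomobject]@{ Change = $Change; AppPrincipalId = $App.AppPrincipalId
                       DisplayName = $App.DisplayName; Detail = $Detail }
}

# Hypothetical function: report apps added, removed, renamed, or granted new scopes
function Compare-ConsentSnapshot {
    param([object[]]$Baseline, [object[]]$Current)

    $known = @{}   # baseline indexed by AppPrincipalId
    foreach ($app in $Baseline) { $known[$app.AppPrincipalId] = $app }
    $seen = @{}    # ids present in the current snapshot

    foreach ($app in $Current) {
        $seen[$app.AppPrincipalId] = $true
        $old = $known[$app.AppPrincipalId]
        if (-not $old) { New-ChangeRecord 'Added' $app $app.Scopes; continue }

        # Scopes present now but absent from the baseline mean a permission increase
        $gained = @(-split $app.Scopes | Where-Object { $_ -notin (-split $old.Scopes) })
        if ($gained.Count -gt 0) { New-ChangeRecord 'ScopesAdded' $app ($gained -join ' ') }
        if ($app.DisplayName -ne $old.DisplayName) { New-ChangeRecord 'Renamed' $app $old.DisplayName }
    }
    foreach ($app in $Baseline) {
        if (-not $seen.ContainsKey($app.AppPrincipalId)) { New-ChangeRecord 'Removed' $app $app.Scopes }
    }
}

$changes = Compare-ConsentSnapshot -Baseline ($baselineCsv | ConvertFrom-Csv) `
                                   -Current  ($currentCsv  | ConvertFrom-Csv)
$changes | Format-Table -AutoSize
```

In practice the two here-strings would be replaced by Import-Csv on the saved baseline file and on the latest export.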

Conclusion: Balancing Convenience with Security

User-consented applications play a significant role in our modern work environments, offering convenience and functionality. However, organizations must strike a balance between convenience and security. By actively monitoring and controlling user-consented applications, leveraging tools like Microsoft M365 E3, and implementing robust security measures, organizations can mitigate the risks associated with consent phishing attacks and malicious insider threats, ensuring the safety of their data and systems.

Security thought for the week

The Great Wall of China is the biggest security boundary on the planet.

The Great Wall of China, one of the most iconic architectural wonders in the world, was originally built not just as a symbol of power and prestige but also as a massive physical security barrier. While the construction of various sections of the wall began as early as the 7th century BC, it was during the Ming Dynasty (1368-1644) that the wall was extensively rebuilt and expanded.

The primary purpose of the Great Wall was to protect the Chinese states and empires from invasions and raids by various nomadic groups and military incursions from the north, particularly by the Mongols and Xiongnu tribes. The wall's strategic location and imposing height served as a formidable deterrent to potential invaders, making it challenging for large armies to breach and traverse the vast expanse of the wall.

Till then, stay secure.

Adrian
