Dean_Gross
Jul 09, 2021
Silver Contributor
Ensuring Apps have Least Privilege (are not malicious)
Can anyone provide any guidance about how to conduct a security review of applications that were previously authorized by users in AAD? What should we be looking for? How can we easily identify the a...
VasilMichev
Jul 09, 2021
MVP
There's no easy answer here, as you need to understand what exactly each app is used for before making a call on its permissions. I would flag and review everything that uses application permissions, and when it comes to delegated permissions, things such as impersonation, everything that requires admin consent, or, if I really want to get thorough, even permissions such as Directory.Read.All.
I published an article/script on this a while back, take a look: https://practical365.com/inventorying-azure-ad-apps-and-their-permissions/
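A worked example of the triage rules in the reply above, added here as illustration; it is not code from the thread or from the linked practical365 article. It runs over a constructed inventory shaped like the Microsoft Graph objects a reviewer would export (servicePrincipals, oauth2PermissionGrants for delegated permissions, appRoleAssignments for application permissions); the field names follow the Graph schema, but every value is made up. The ".All" suffix shortcut and the HIGH_IMPACT_SCOPES set are this script's own heuristics, not an official list of admin-consent permissions.

```python
"""Flag consented Azure AD apps for a least-privilege review.

Rules applied (from the thread):
  * every application permission (appRoleAssignment on the client SP) is flagged;
  * delegated permissions are flagged when they are impersonation scopes,
    when they were admin-consented tenant-wide (consentType "AllPrincipals"),
    or when they are broad read scopes such as Directory.Read.All.
"""

# Constructed sample inventory (not real tenant objects).
SERVICE_PRINCIPALS = [
    {"id": "sp-1", "displayName": "Contoso Helpdesk Bot", "appRoles": []},
    {"id": "sp-2", "displayName": "Survey Widget", "appRoles": []},
    # The resource API exposes appRoles; appRoleAssignments reference them by id.
    {"id": "sp-graph", "displayName": "Microsoft Graph",
     "appRoles": [{"id": "role-dir-read", "value": "Directory.Read.All"},
                  {"id": "role-mail-read", "value": "Mail.Read"}]},
]

# Delegated permissions. consentType "AllPrincipals" = tenant-wide admin
# consent; "Principal" = one user consented for themselves (principalId).
OAUTH2_GRANTS = [
    {"clientId": "sp-1", "resourceId": "sp-graph", "consentType": "AllPrincipals",
     "principalId": None, "scope": "User.Read Directory.Read.All"},
    {"clientId": "sp-2", "resourceId": "sp-graph", "consentType": "Principal",
     "principalId": "user-42", "scope": "User.Read offline_access"},
    {"clientId": "sp-2", "resourceId": "sp-graph", "consentType": "Principal",
     "principalId": "user-7", "scope": "user_impersonation"},
]

# Application permissions: appRoleAssignment objects where the client SP
# is the principal and the API is the resource.
APP_ROLE_ASSIGNMENTS = [
    {"principalId": "sp-1", "resourceId": "sp-graph", "appRoleId": "role-mail-read"},
]

# Heuristic list (assumption of this example): scopes a reviewer treats as
# high impact regardless of who consented.
HIGH_IMPACT_SCOPES = {"user_impersonation", "Directory.Read.All",
                      "Directory.AccessAsUser.All"}


def is_high_impact_scope(scope: str) -> bool:
    """True for impersonation/directory scopes and any '*.All' scope."""
    return scope in HIGH_IMPACT_SCOPES or scope.endswith(".All")


def review_apps(sps, grants, assignments):
    """Return {app display name: [reason, ...]} for every app worth a look."""
    sp_by_id = {sp["id"]: sp for sp in sps}
    findings = {}

    def add(client_id, reason):
        name = sp_by_id[client_id]["displayName"]
        findings.setdefault(name, []).append(reason)

    # Rule 1: all application permissions are flagged.
    for a in assignments:
        resource = sp_by_id[a["resourceId"]]
        role = next((r["value"] for r in resource["appRoles"]
                     if r["id"] == a["appRoleId"]), a["appRoleId"])
        add(a["principalId"],
            f"application permission {role} on {resource['displayName']}")

    # Rule 2: delegated permissions, by consent type and by scope.
    for g in grants:
        resource_name = sp_by_id[g["resourceId"]]["displayName"]
        scopes = g["scope"].split()
        tenant_wide = g["consentType"] == "AllPrincipals"
        if tenant_wide:
            add(g["clientId"],
                f"admin consent (tenant-wide) for {' '.join(scopes)} on {resource_name}")
        for s in scopes:
            if is_high_impact_scope(s):
                who = "all users" if tenant_wide else f"user {g['principalId']}"
                add(g["clientId"],
                    f"delegated scope {s} on {resource_name} consented by {who}")
    return findings


if __name__ == "__main__":
    for app, reasons in review_apps(SERVICE_PRINCIPALS, OAUTH2_GRANTS,
                                    APP_ROLE_ASSIGNMENTS).items():
        print(app)
        for r in reasons:
            print("  -", r)
```

In the sample, the helpdesk bot is flagged three times (an application permission, a tenant-wide admin consent, and the Directory.Read.All scope inside it), while the survey widget is flagged only for a single user's user_impersonation grant; User.Read and offline_access pass through unflagged. Against a real tenant you would replace the three constructed lists with exports of the same Graph objects.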