If a third-party application, such as HP’s WXP, uses a connector to access and import Entra ID groups, does Entra offer any controls or monitoring capabilities to ensure the process is legitimate, routinely used, and not potentially malicious? Additionally, if the third-party application becomes unused, retired, or uninstalled, can Entra detect this change and provide an overview to help identify and mitigate any unnecessary attack surface?
This appears to be granting consent for a multi-tenant app to access resources in our tenant as the user who consents (based on this: https://learn.workforceexperience.hp.com/docs/entra-id-groups).
Unfortunately, the controls we have over multi-tenant applications aren't as robust as single-tenant apps. We can definitely monitor usage and access through sign-in logs, and we can monitor deletion of the app in the audit logs. But as far as I know, we don't have controls over the credential types they use on their end or blocking by location if their services were compromised and abused :(
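One way to act on the sign-in and audit log monitoring mentioned in the answer, as an added example that is not part of the original thread: it classifies each enterprise app from an earlier baseline as active, stale or removed. It assumes the logs were exported as JSON shaped like Microsoft Graph `servicePrincipal`, `signIn` and `directoryAudit` records; every id and timestamp is constructed, and the 90-day staleness threshold is a hypothetical choice.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data shaped like Microsoft Graph servicePrincipal, signIn and
# directoryAudit records. Every id and timestamp is a placeholder.
BASELINE_SPS = [  # enterprise apps recorded at an earlier review
    {"id": "sp-obj-1", "appId": "app-1111"},
    {"id": "sp-obj-2", "appId": "app-2222"},
    {"id": "sp-obj-3", "appId": "app-3333"},
]
SIGN_INS = [
    {"appId": "app-1111", "createdDateTime": "2024-05-30T08:00:00Z", "location": {"countryOrRegion": "US"}},
    {"appId": "app-1111", "createdDateTime": "2024-05-31T08:00:00Z", "location": {"countryOrRegion": "DE"}},
    {"appId": "app-2222", "createdDateTime": "2024-01-10T08:00:00Z", "location": {"countryOrRegion": "US"}},
]
AUDITS = [
    {"activityDisplayName": "Consent to application", "activityDateTime": "2024-01-05T10:00:00Z",
     "targetResources": [{"id": "sp-obj-2"}]},
    {"activityDisplayName": "Remove service principal", "activityDateTime": "2024-04-01T10:00:00Z",
     "targetResources": [{"id": "sp-obj-3"}]},
]

def _ts(value):
    # Graph timestamps are ISO 8601 UTC with a trailing "Z"
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def review_apps(sps, sign_ins, audits, now, stale_after_days=90):
    """Classify each baseline app as active, stale (no recent sign-in) or removed."""
    last_seen, countries = {}, {}
    for s in sign_ins:
        app, when = s["appId"], _ts(s["createdDateTime"])
        last_seen[app] = max(when, last_seen.get(app, when))
        country = (s.get("location") or {}).get("countryOrRegion")
        if country:
            countries.setdefault(app, set()).add(country)
    removed = {t["id"] for a in audits if a["activityDisplayName"] == "Remove service principal"
               for t in a.get("targetResources", [])}
    report = {}
    for sp in sps:
        seen = last_seen.get(sp["appId"])
        if sp["id"] in removed:
            status = "removed"
        elif seen is None or now - seen > timedelta(days=stale_after_days):
            status = "stale"
        else:
            status = "active"
        report[sp["appId"]] = {"status": status, "last_sign_in": seen,
                               "countries": sorted(countries.get(sp["appId"], ()))}
    return report
```

Apps reported as stale are candidates for consent review, and the per-app country list gives a baseline to compare later sign-ins against.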