SOLVED

Ensuring Apps have Least Privilege (are not malicious)


Can anyone provide any guidance about how to conduct a security review of applications that were previously authorized by users in AAD? What should we be looking for? How can we easily identify the apps with the most worrisome permissions that should get closer scrutiny?

best response confirmed by Dean Gross (Respected Contributor)
There's no easy answer here, as you need to understand what exactly each app is used for before making a call on its permissions. I would flag and review everything that uses application permissions, and, when it comes to delegated permissions, things such as impersonation, everything that requires admin consent, or, if I really want to get thorough, even permissions such as Directory.Read.All.

I published an article/script on this a while back, take a look: https://practical365.com/inventorying-azure-ad-apps-and-their-permissions/
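The triage the answer describes, as an added example that is not the answer author's script from the linked article: it takes the three Microsoft Graph exports an inventory needs (`GET /servicePrincipals`, `GET /oauth2PermissionGrants`, and `GET /servicePrincipals/{id}/appRoleAssignments` for each client app), resolves app role IDs and scope strings against the resource service principal, and scores each client app so that application permissions sort first, followed by tenant-wide admin consent, admin-consent-only scopes, `user_impersonation`, and a small watchlist (`Directory.Read.All`). The service principal IDs, role IDs and weights are constructed for the sample; the Microsoft Graph appId is the real well-known one, everything else is made up and the weights are a starting point to tune, not a standard.

```python
"""Triage consented Azure AD app permissions from exported Graph data (added example)."""
from __future__ import annotations

from collections import defaultdict

APPLICATION_WEIGHT = 15   # app-only permission: runs with no signed-in user, review every one
TENANT_WIDE_GRANT = 5     # consentType AllPrincipals: an admin consented on behalf of everyone
ADMIN_CONSENT_SCOPE = 4   # delegated scope the resource marks type=Admin
IMPERSONATION = 6         # user_impersonation: act on the resource with the user's full rights
WATCHLIST = {"Directory.Read.All": 3}  # broad read scopes worth a look even when user-consentable


def _index(service_principals):
    """Build lookups: objectId -> SP, (resourceId, appRoleId) -> value, (resourceId, scope) -> type."""
    by_id = {sp["id"]: sp for sp in service_principals}
    roles = {(sp["id"], r["id"]): r["value"]
             for sp in service_principals for r in sp.get("appRoles", [])}
    scopes = {(sp["id"], s["value"]): s.get("type", "User")
              for sp in service_principals for s in sp.get("oauth2PermissionScopes", [])}
    return by_id, roles, scopes


def triage(service_principals, grants, assignments):
    """Return client apps sorted by risk score, each with the reasons it was flagged."""
    by_id, roles, scopes = _index(service_principals)
    score, reasons = defaultdict(int), defaultdict(list)

    def res_name(rid):
        return by_id.get(rid, {}).get("displayName", rid)

    # Application permissions: appRoleAssignments where the principal is a service principal.
    # An appRoleId the inventory cannot resolve is still an app-only permission, so it is
    # flagged rather than silently dropped.
    for a in assignments:
        client, resource = a["principalId"], a["resourceId"]
        value = roles.get((resource, a["appRoleId"]), f"<unresolved {a['appRoleId']}>")
        score[client] += APPLICATION_WEIGHT
        reasons[client].append(f"application permission {value} on {res_name(resource)}")

    # Delegated permissions: oauth2PermissionGrants carry a space-separated scope string.
    for g in grants:
        client, resource = g["clientId"], g["resourceId"]
        if g.get("consentType") == "AllPrincipals":
            score[client] += TENANT_WIDE_GRANT
            reasons[client].append(f"tenant-wide admin consent on {res_name(resource)}")
        for scope in g.get("scope", "").split():
            if scope == "user_impersonation":
                score[client] += IMPERSONATION
                reasons[client].append(f"user_impersonation on {res_name(resource)}")
            if scopes.get((resource, scope)) == "Admin":
                score[client] += ADMIN_CONSENT_SCOPE
                reasons[client].append(f"admin-consent scope {scope} on {res_name(resource)}")
            if scope in WATCHLIST:
                score[client] += WATCHLIST[scope]
                reasons[client].append(f"watchlist scope {scope} on {res_name(resource)}")

    clients = {g["clientId"] for g in grants} | {a["principalId"] for a in assignments}
    report = [{"app": res_name(c), "score": score[c], "reasons": reasons[c]} for c in clients]
    return sorted(report, key=lambda r: (-r["score"], r["app"]))


# Constructed sample shaped like the Graph responses (IDs other than the Graph appId are made up).
SAMPLE_SPS = [
    {"id": "sp-graph", "appId": "00000003-0000-0000-c000-000000000000", "displayName": "Microsoft Graph",
     "appRoles": [{"id": "role-mail-rw", "value": "Mail.ReadWrite"},
                  {"id": "role-dir-read", "value": "Directory.Read.All"}],
     "oauth2PermissionScopes": [{"id": "s1", "value": "User.Read", "type": "User"},
                                {"id": "s2", "value": "Directory.Read.All", "type": "Admin"}]},
    {"id": "sp-arm", "appId": "00000000-0000-0000-0000-00000000arm0", "displayName": "Azure Service Management",
     "appRoles": [],
     "oauth2PermissionScopes": [{"id": "s3", "value": "user_impersonation", "type": "User"}]},
    {"id": "sp-expense", "displayName": "Expense Helper"},
    {"id": "sp-mailsync", "displayName": "Mailbox Sync Tool"},
    {"id": "sp-report", "displayName": "Reporting Dashboard"},
    {"id": "sp-console", "displayName": "Cloud Console"},
    {"id": "sp-legacy", "displayName": "Legacy Connector"},
]
SAMPLE_GRANTS = [
    {"clientId": "sp-expense", "consentType": "Principal", "principalId": "user-1",
     "resourceId": "sp-graph", "scope": "User.Read"},
    {"clientId": "sp-report", "consentType": "AllPrincipals", "principalId": None,
     "resourceId": "sp-graph", "scope": "User.Read Directory.Read.All"},
    {"clientId": "sp-console", "consentType": "Principal", "principalId": "user-2",
     "resourceId": "sp-arm", "scope": "user_impersonation"},
]
SAMPLE_ASSIGNMENTS = [
    {"principalId": "sp-mailsync", "resourceId": "sp-graph", "appRoleId": "role-mail-rw"},
    {"principalId": "sp-legacy", "resourceId": "sp-graph", "appRoleId": "role-no-longer-defined"},
]


def run_sample():
    return triage(SAMPLE_SPS, SAMPLE_GRANTS, SAMPLE_ASSIGNMENTS)


if __name__ == "__main__":
    for row in run_sample():
        print(f"{row['score']:>3}  {row['app']:<22} {'; '.join(row['reasons']) or '-'}")
```

Against real exports, feed `triage()` the `value` arrays from the three Graph calls; the `Principal`-type grants repeat once per consenting user, so an app with many individual consents will show the same reason several times, which is itself useful when deciding whether to convert it to admin consent or revoke it.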