Forum Discussion
alert on O365 admins- whenever they try to integrate third party applications
Hello Everyone,
DO anyone have suggestion on how to create a alert on O365 admins whenever they try to integrate third party applications with the tenant? This is one of the security concern to manage O365 admins capability. Because it is very hard to find out what kind of application is accessed/ integrated with a tenant by a admin.
That's a good question, it does look like https://support.office.com/en-us/article/manage-app-permissions-using-office-365-cloud-app-security-2062c312-b1e4-4ce7-8cb2-ea39bc0dfdad might help at least somewhat, if that's not overkill -
https://docs.microsoft.com/en-us/cloud-app-security/connect-office-365-to-microsoft-cloud-app-security
"After connecting Office 365, you will see data from a week back including any third-party applications connected to Office 365 that are pulling APIs."
https://docs.microsoft.com/en-us/cloud-app-security/manage-app-permissions
"Many third-party productivity apps that might be installed by business users in your organization request permission to access user information and data and sign in on behalf of the user in other cloud apps, such as Office 365, G Suite and Salesforce. When users install these apps, they often click accept without closely reviewing the details in the prompt, including granting permissions to the app. This problem is compounded by the fact that IT may not have enough insight to weigh the security risk of an application against the productivity benefit that it provides."
It goes on to say:
"Because accepting third-party app permissions is a potential security risk to your organization, monitoring the app permissions your users grant gives you the necessary visibility and control to protect your users and your applications. The Cloud App Security app permissions enable you to see which user-installed applications have access to Office 365 data, G Suite data and Salesforce data, what permissions the apps have, and which users granted these apps access to their Office 365, G Suite and Salesforce accounts. App permissions help you decide which apps you allow your users access to, and which ones you want to ban."
All this functionality does come at a cost - "Get Microsoft Cloud App Security as part of Enterprise Mobility + Security E5 or as a standalone service. Cloud App Security is available at $3.50 per user per month estimated retail price".
4 Replies
That's a good question, it does look like https://support.office.com/en-us/article/manage-app-permissions-using-office-365-cloud-app-security-2062c312-b1e4-4ce7-8cb2-ea39bc0dfdad might help at least somewhat, if that's not overkill -
https://docs.microsoft.com/en-us/cloud-app-security/connect-office-365-to-microsoft-cloud-app-security
"After connecting Office 365, you will see data from a week back including any third-party applications connected to Office 365 that are pulling APIs."
https://docs.microsoft.com/en-us/cloud-app-security/manage-app-permissions
"Many third-party productivity apps that might be installed by business users in your organization request permission to access user information and data and sign in on behalf of the user in other cloud apps, such as Office 365, G Suite and Salesforce. When users install these apps, they often click accept without closely reviewing the details in the prompt, including granting permissions to the app. This problem is compounded by the fact that IT may not have enough insight to weigh the security risk of an application against the productivity benefit that it provides."
It goes on to say:
"Because accepting third-party app permissions is a potential security risk to your organization, monitoring the app permissions your users grant gives you the necessary visibility and control to protect your users and your applications. The Cloud App Security app permissions enable you to see which user-installed applications have access to Office 365 data, G Suite data and Salesforce data, what permissions the apps have, and which users granted these apps access to their Office 365, G Suite and Salesforce accounts. App permissions help you decide which apps you allow your users access to, and which ones you want to ban."
All this functionality does come at a cost - "Get Microsoft Cloud App Security as part of Enterprise Mobility + Security E5 or as a standalone service. Cloud App Security is available at $3.50 per user per month estimated retail price".
CAS/ASM is definitely the best option, however the price associated might be prohibitive in many cases. As an alternative, you can also look into the "basic" alerting functionality: https://support.office.com/en-us/article/create-activity-alerts-in-the-office-365-security-compliance-center-72bbad69-035b-4d33-b8f4-549a2743e97d?ui=en-US&rs=en-US&ad=US
The corresponding events are listed here: https://support.office.com/en-us/article/Search-the-audit-log-in-the-Office-365-Security-Compliance-Center-0d4d0f35-390b-4518-800e-0c7ec95e946c#appadminactivities
Alternatively, there are some 3rd party products that do the same, but cheaper compared to what Microsoft offers with CAS/ASM.
HI Vasil,
Security and compliance have several events but it doesn't have the functionality to create alert for third party apps access. I might need to look for other options here. Through cloud app security we can "BAN" a app however, I don't see a option to create a alert while a user tried to login/integrate to third party app.
