We are excited to announce the general availability of app governance, a security and policy management capability that monitors and governs app behaviors and quickly identifies, alerts on, and protects against risky behaviors. App governance is designed for OAuth-enabled apps that access Microsoft 365 data via Microsoft Graph APIs. A Microsoft Mechanics video on app governance is also available.
Microsoft’s security and threat research teams have broadly observed an uptick of security incidents involving apps, both in terms of frequency and impact. These incidents span a wide range, including malicious apps engaging in OAuth consent phishing, as well as good but vulnerable apps being exploited by bad actors.
This situation is exacerbated by a lack of good app/API hygiene, inadequate governance capabilities, and a lack of oversight of app permissions. Many apps are:
- Over-permissioned – the scope of granted permissions is broader than what the app needs to accomplish its intended use.
- Highly-permissioned – the type and level of access include sensitive information and high-value users that the app does not require.
App governance is cloud-based and native to the Microsoft 365 platform, so there is no need to deploy additional infrastructure or services. This provides a simplified onboarding and management experience that can be quickly deployed in customer environments.
Since its public preview announcement on July 14, 2021, app governance has been successfully deployed in several hundred customer environments with rave reviews:
“We found a year ago that Graph API was erroneously enabled in Exchange, which opened up vulnerability to previously user consented apps. App governance provided Graph API usage and permissions activity which helped us identify the error. We are now using app governance to help discover, monitor and remediate over-privileged and high privileged apps and use policies to alert on apps posing high risk levels.”
“We had been struggling to get greater visibility across our application landscape for a long time. App governance provides us with deep visibility and insights into how applications are interacting with our O365 data, allowing us to respond quickly to any updates in our application landscape and get a clear picture of our existing applications. The ability to alert on behavioral changes, such as increased traffic flow or permissions, is a powerful new addition to our security toolbox.”
Managing the Risks from Apps
Currently, customers deploy two broad solution types to control and protect against risks posed by third-party and Line of Business (LOB) cloud apps:
- App Access: these are solutions (like Azure Active Directory) that register your apps, manage access rights and permissions for your apps and define which users can access which app.
- App Use: these are solutions (like Microsoft Defender for Cloud Apps, formerly known as Microsoft Cloud App Security) that discover and assess cloud apps, identify risky user behavior in apps, enforce policies to control activity, and detect and remediate threats.
Inappropriate app behaviors range from security incidents that are categorically bad and must be addressed immediately to activities that fall within a tolerance level and require additional review to assess malicious intent. Telling the two apart requires a deep understanding of app behavior within the environment – app governance provides this new capability and builds upon the existing app access and app use solutions.
Figure 1: Addressing cloud app risks from multiple perspectives with Azure Active Directory, Defender for Cloud Apps, and app governance
App governance provides you with:
- Deep visibility & insights: Get deeper visibility into apps that access Microsoft 365 data and actionable insights on how the app is configured and behaving in the environment
- Policy-driven governance: Proactively define and enforce appropriate app behavior with data, users, and other apps, in accordance with your organization’s security and compliance posture for data access
- Comprehensive detection and remediation: Detect anomalous app behavior with machine-learning models, and address issues with automated and manual remediation actions.
Deep visibility and insights
App governance provides a deep and intuitive dashboard experience that is familiar to administrators. The tenant summary view provides:
- A high-level summary of the third-party and Line of Business apps in your Microsoft 365 tenant.
- Alerts based on the violation of any pre-configured policy and/or detection of any anomalous app behavior.
- Apps that do not use one or more of the permissions they have been granted (over-permissioned).
- Apps that hold powerful permissions allowing access to data or to a key setting in the tenant (high-privileged).
- Apps that do not have a verified publisher (unverified).
This approach helps administrators focus on the aspects that most affect the overall health and security of their app environment and quickly address outstanding issues. The dashboard below illustrates this, with trend views giving insight into the overall usage of apps:
Figure 2: Dashboard view provides at-a-glance insights into deployed apps and app risks
App governance supports comprehensive app review and investigation capabilities with deep details on each app, including full app metadata, the users of the app and whether they are priority users in key roles, the amount and type of data accessed by the app over time, granted app permissions and level of app access, whether the publisher is verified and/or Microsoft Certified, and the latest remediation action taken on the app, as illustrated in the screenshot below.
Figure 3: Data usage view highlights key app behavior trends
This approach can also simplify the app onboarding approval process by verifying that an app’s behavior meets expectations before it is broadly deployed. It also enables a rapid review of apps that have been updated by the publisher, to confirm that the capabilities of the updated app remain consistent with expectations.
Organizations can define proactive policies and establish acceptable app behaviors in their environment. App governance provides three template categories and five starter templates covering typical high-risk app behavior patterns, including high-volume data access and newly added apps with high-privileged permissions. Policies can be configured to run in Audit (test), Active, or Inactive mode, and can carry an automated remediation action that disables the app while the policy is in Active mode.
Policy templates provide a simplified starting point to create powerful and flexible app governance that can be configured to meet an organization’s individual app governance enforcement requirements, as seen below.
Figure 4: Using policy templates for rapid policy deployment
In addition, app governance provides sixteen app behavior activity indicators (predicates) for building custom app governance policies. These can address specific compliance requirements, enforce low-level risk mitigation controls, or define actions that preempt threats to sensitive apps when a condition occurs that could lead to the exploitation of an app.
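To make the ideas in the visibility section (over-permissioned, high-privileged and unverified apps) and the policy section (predicates evaluated in Audit, Active or Inactive mode, with an optional disable action) concrete, here is an added example that is not part of this post and not the app governance product's own logic. It runs over a constructed app inventory and a constructed Microsoft Graph usage log. The permission names are real Graph permission scopes, but the choice of which scopes count as high privilege, the 30-day usage window, the 7-day "newly added" age and the 1 GB volume threshold are assumptions made for the example.

```python
"""Illustrative app-governance checks (added example, not product code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable

# Assumption: a small set of Graph permissions treated as high privilege.
HIGH_PRIVILEGE = {"Mail.ReadWrite", "Directory.ReadWrite.All",
                  "Files.ReadWrite.All", "User.ReadWrite.All"}

@dataclass(frozen=True)
class App:
    app_id: str
    name: str
    granted: frozenset          # permissions consented in the tenant
    publisher_verified: bool
    registered: datetime        # when the app was added to the tenant

@dataclass(frozen=True)
class Usage:
    ts: datetime
    app_id: str
    permission: str             # permission exercised by the Graph call
    bytes_accessed: int

NOW = datetime(2022, 3, 1)      # fixed "current time" so the example is deterministic

# Constructed inventory: three apps with different risk profiles.
APPS = [
    App("app-1", "Mail Digest", frozenset({"Mail.Read", "User.Read"}),
        True, NOW - timedelta(days=400)),
    App("app-2", "Bulk Exporter",
        frozenset({"Files.ReadWrite.All", "User.Read", "Mail.ReadWrite"}),
        False, NOW - timedelta(days=3)),
    App("app-3", "Calendar Sync", frozenset({"Calendars.ReadWrite"}),
        True, NOW - timedelta(days=60)),
]

# Constructed Graph usage log covering the last 30 days.
USAGE = [
    Usage(NOW - timedelta(days=1), "app-1", "Mail.Read", 2_000),
    Usage(NOW - timedelta(days=2), "app-1", "User.Read", 500),
    Usage(NOW - timedelta(days=1), "app-2", "Files.ReadWrite.All", 900_000_000),
    Usage(NOW - timedelta(days=2), "app-2", "Files.ReadWrite.All", 700_000_000),
    Usage(NOW - timedelta(days=5), "app-3", "Calendars.ReadWrite", 10_000),
]

def used_permissions(usage, app_id, window_days=30):
    """Permissions an app actually exercised within the window."""
    cutoff = NOW - timedelta(days=window_days)
    return {u.permission for u in usage if u.app_id == app_id and u.ts >= cutoff}

def classify(app, usage):
    """The three dashboard categories: granted-but-unused permissions,
    high-privilege permissions held, and unverified publisher."""
    used = used_permissions(usage, app.app_id)
    return {
        "over_permissioned": sorted(app.granted - used),
        "high_privileged": sorted(app.granted & HIGH_PRIVILEGE),
        "unverified": not app.publisher_verified,
    }

# Policy predicates: each takes (app, usage) and returns True on a match.
def newly_added_high_privileged(app, usage, max_age_days=7):
    recent = (NOW - app.registered).days <= max_age_days
    return recent and bool(app.granted & HIGH_PRIVILEGE)

def high_volume_data_access(app, usage, threshold_bytes=1_000_000_000, window_days=30):
    cutoff = NOW - timedelta(days=window_days)
    total = sum(u.bytes_accessed for u in usage
                if u.app_id == app.app_id and u.ts >= cutoff)
    return total > threshold_bytes

@dataclass(frozen=True)
class Policy:
    name: str
    predicate: Callable
    mode: str                   # "Audit", "Active" or "Inactive"
    disable_on_match: bool = False

def evaluate(policy, apps, usage):
    """Return {app_id: [actions]}. Audit only alerts, Active may also disable,
    Inactive evaluates nothing."""
    results = {}
    if policy.mode == "Inactive":
        return results
    for app in apps:
        if policy.predicate(app, usage):
            actions = ["alert"]
            if policy.mode == "Active" and policy.disable_on_match:
                actions.append("disable")
            results[app.app_id] = actions
    return results

if __name__ == "__main__":
    for app in APPS:
        print(app.name, classify(app, USAGE))
    for mode in ("Audit", "Active", "Inactive"):
        pol = Policy("new-high-privileged-app", newly_added_high_privileged, mode, True)
        print(mode, evaluate(pol, APPS, USAGE))
```

Running this flags "Bulk Exporter" on all three dashboard categories, and the same policy produces only an alert in Audit mode but an alert plus disable in Active mode, which is the difference an administrator relies on when testing a new template before enforcing it.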
Comprehensive Detection and Remediation
App governance offers comprehensive detection of anomalous app behavior using both machine learning models and policy matching. When an anomalous app behavior pattern is detected, an alert is sent to Microsoft Defender, a comprehensive solution that simplifies alert handling and incident response across Microsoft’s security and compliance products.
App governance offers a range of automated and manual remediation actions for common and emerging advanced persistent threat scenarios including:
- Adversaries using apps intended for malicious purposes (consent-based phishing).
- Adversaries taking over apps that are in good standing with high privileges (usually line of business apps developed by citizen developers).
The app governance threat research team and data scientists use a wide variety of data streams and signals, analysis of known attack vectors and techniques (MITRE ATT&CK and others), machine learning models, and triangulated insights from many sources to build detections of anomalous app behaviors. Microsoft is constantly developing and adding new detection capabilities and improving the efficiency of the existing models built on top of its intelligence platforms.
App governance is a security and policy management capability that monitors and governs app behaviors and quickly identifies, alerts on, and protects against risky behaviors. Try app governance for free for 90 days.
Microsoft 365 Team