Microsoft 365 Security Basics: Enterprise Application Admin Consent Workflows

Captions
Enterprise applications for Microsoft Office 365 are a great way to extend Office 365's functionality and features for your end users. This can be something as simple as a OneNote Web Clipper, or really great features such as Boomerang, which allows you to recall messages at a scheduled time. They're great features to take advantage of; however, there's some inherent risk with those enterprise applications. Hackers have figured out that if they create enterprise applications, they can trick your end users into requesting and granting access to their own hacker app. That can then allow the hacker to access your Office 365 with permissions and read people's mailboxes, read their OneDrive, all remotely using shell commands. It's a great way to get into someone's environment, and the downside of it is that it's not blocked by MFA policies. If an end user resets their password, the hacker can still maintain access, because that OAuth app, or that enterprise app, can still be in there. So how do we deal with that? How do we fix it?

Hi everyone, I'm Doug Baker and this is Just Do the Basics: securing your Office 365 environment. Let's get into it. Let me show you some features that you can use to prevent end users from agreeing to apps that are unwanted in your organization, as well as to prevent users from being tricked into agreeing to a hacker app.

So here we are in Azure Active Directory. Let's go ahead and put in place the controls that we need to stop end users from agreeing to those consents automatically. We'll set up an admin to get a review option, and we'll look at how we can lock down these options for your end users. The first thing that we want to do in this case is go into Enterprise applications and User settings. The first thing I usually like to do in this case is set it up so that an admin is able to review this. I particularly don't like just an outright deny; I like end users being given the opportunity to know who to reach out to. In this scenario you as an org might not like this; you might want to just come in and turn off basically any end user's request to get access to apps. But I personally like this one, because I like the productivity access components of Office 365 and I want end users to have a structured way to get the apps.

So the first thing that we do in this case is turn on admin consent requests. This will give your end users an additional option: when they get a deny, it'll come in and say "reach out to us," and have it go to us. It just gives us a nice option, so I like it. The second thing we need to do is come in here and select the users that are going to be doing our review. There are plenty of options here; do what is right for you as an org. In my case I'm just going to have it go to a single user in my environment; specifically, we'll pick Alan. Alan will be doing the review of these apps. You can do groups, you can do roles; I've seen every iteration of this under the sun. For each org, do what's right for you. Second thing, and I just tend to leave these as the default: we want to get email notifications, so in this case Alan will get that email about the request. I like to have these things auto-expire if no one's approved it, just auto-delete it. And then 30 days; I like to do 15 days. If no one's gotten to that approval in 15, it's probably not going to happen, but again, right-size it for you as an org. We're going to go ahead and save that in our environment.

And the second step is actually saying block. We'll come in and turn that off. This is the big setting that you really need to change and really want to look at. So this is the option here: when we come into Enterprise applications and Consent and permissions, this is where it is now being controlled, denying access to that. So you can see here the default from Microsoft is a little weak: it's allow all consent, any user can agree to anything that they want. They can give access to everything in their mailbox to every app; there is a full impersonate-all-users option in there. It's pretty wide open. So what we want to do is we need to pick: do we want to just outright block that, or do we want to set up low levels of impact in your organization? So this is things like, maybe Zix is in use, where there's an app; you're working with your bank, and they send a Zix email to your end users. If there's a low-level permission for that app, like just verifying that they're an employee and that they're who they say they are, do you want to have that go through you as an admin, or do you want that to be something that's so low weight in permission that we can come in and approve it? In this case I'm going to pick that one for me as an org, but this "do not allow user consent" at all is pretty good, right? This is just saying every request goes to you as an admin, and end users can't agree to anything on their own. Either option is great. For me, I'm going to go ahead and set this in this case.

Now, then we're going to go ahead and pick what we mean when we say low-impact application access. So that's going to be under this Permission classifications area, and in here Microsoft has some pre-made recommendations, and these are actually really good recommendations. So if you're going to take away these options for your end users, this low permission and these defaults from Microsoft are pretty good for saying these are actually a pretty low level of access that an app can get. This is things like: verify that you are who you say you are, right? So again, a Zix app or a Gmail where it's coming in and wants to authenticate the user and be verified that they actually are the end user that got invited to that; this is going to give them that permission. So in this case the app can view users' basic information, view the user's email address, sign in and read the user profile, and sign in as the user. So again, all of these things are just the basics, like an OAuth app might come in and say, "I just want to verify that you're who you are." Boom, we can come in and give this. This is not something on the other side of things, like a high permission, where it's like impersonate everything about the user, read all of the end user's OneDrive location. There's a ton of things that you could agree to, a ton of things that apps can get access to via these options in here, but the ones that I recommend starting out with, again, are this low permission and this option.

So what does it look like when we get these access requests? What is the kind of action you need to take as an admin? Let's go ahead and look at what this admin experience is like, and we'll show you what you need to do and how you can approach this. So once your end user comes in and does the request for an app, it'll come into this area under Admin consent requests, and you'll see I'm not the approver for this; I'm not Alan in this case. But here, if I go to all apps that are waiting for approval, I can see it. Here is the app that I wrote, which is an example of an OAuth attacking instance. End users have come in and they've put in this request, and I can see the reasons why. So here are Diego and Christine, and it says "not reviewed" and their justification: why did they want access to this? That's all written out right there. The app details are here, so any developer that put in this information, this is going to be all of that stuff. If there's a reply URL, that will also be listed here. This attack example is like a device-based attack, so there are no URLs in my application where I can just continuously make remote calls, but you'd be able to see all that information here. You're also able to come in and review what Microsoft recommends on this, and we can come in and then hit "Review permissions and consent," and this will take us into the OAuth app so we can view all of the components of it. In this case this app has access to an absolute ton of information that the end user has requested: read the mailbox, send messages as the end user, sign in as the user, and here is our Accept. So if this was a legitimate app, I would need to come in and hit Accept here, and then away I would go and users can come in and access it. But in this case I am not going to do that; I am just going to leave it here so I can continue using this as an example. But you as an admin, if you were the approver, would come in and block this app, because we know this one is a hacked one. I don't want this available to my end users; we're going to go and take that away from them. So that's the admin experience. You'll also get an email notification, since we set that component up; you'll be able to see that.

Now, the other thing with enterprise apps that you want to do is continuously review the apps that are in your environment, because these don't go away. So if you were using, say, Proofpoint at one point and then you switched over to Office 365 email security, those apps would continuously maintain access in your environment. So typically we will recommend customers come in and do a quarterly or yearly review of all the apps that have been approved in your organization. That can be as simple as coming into the applications here and saying, "Hey, do we still need these components?" Just go one by one and check it. There are also some really good features in Defender for Cloud Apps that give you the option to open that up and review all of those things. I really like this feature from Defender for Cloud Apps, so let me just show it to you real quick. Once you set up Defender for Cloud Apps, there is an OAuth portal here, and there are some new features from Microsoft all about governance that came out recently that are also really nice for managing these OAuth apps. But you can come into Defender for Cloud Apps, go to OAuth apps down here, and this is an excellent view of all the apps that have been approved or denied, and you can audit and review these quarterly, as it is an easier way of looking at it. I really like it because it lists out how many users are using it. Apple Internet Accounts: this is my iPhone that I'm using. This is that OAuth attack. But everything is in here, so DLP alerts, things like that, all of these custom apps that you want to create. We can come in, show it in here, get the list, we can deny it, we can find out who's using it, what apps have access to it. Again, OneNote Web Clipper, and we just see all of the data. Really nice view.

So I hope this helps. It gives you some options for managing OAuth apps going forward and some pointers for how to continuously review these types of components in your environment. If there are questions you have, make sure you reach out.
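The quarterly consent review the video recommends can be scripted against the same data the portal shows. The example below is added here and is not code from the video or from Microsoft; it triages delegated OAuth2 permission grants in the shape of the Microsoft Graph `oauth2PermissionGrants` resource (which a practitioner can export with `Get-MgOauth2PermissionGrant -All | ConvertTo-Json`), using a low-impact scope list that is assumed to match the "Permission classifications" defaults discussed above, and flagging mailbox and OneDrive scopes like the ones the example attack app requested. All IDs, app names and grants are constructed sample data.

```python
"""Triage exported Microsoft Graph oauth2PermissionGrants for a consent review."""
from __future__ import annotations
from dataclasses import dataclass

# Assumption: Microsoft's recommended low-impact delegated permissions
# ("sign in and read user profile", "view users' email address", etc.).
LOW_IMPACT_SCOPES = {"User.Read", "openid", "profile", "email", "offline_access"}

# Scope prefixes that let an app read or send mail, or read files, as the user.
HIGH_RISK_PREFIXES = ("Mail.", "Files.", "Sites.", "Directory.", "User.ReadWrite")


@dataclass
class GrantReview:
    app: str
    consent_type: str   # "AllPrincipals" = tenant-wide admin consent, "Principal" = one user
    scopes: list[str]
    risky: list[str]
    verdict: str        # "low-impact", "review" or "block-candidate"


def review_grant(grant: dict, sp_names: dict[str, str]) -> GrantReview:
    """Classify one grant: risky scopes win, then the low-impact allow-list, else review."""
    scopes = grant.get("scope", "").split()          # Graph stores scopes space-separated
    risky = [s for s in scopes if s.startswith(HIGH_RISK_PREFIXES)]
    if risky:
        verdict = "block-candidate"
    elif set(scopes) <= LOW_IMPACT_SCOPES:
        verdict = "low-impact"
    else:
        verdict = "review"
    app = sp_names.get(grant["clientId"], grant["clientId"])  # fall back to the raw id
    return GrantReview(app, grant["consentType"], scopes, risky, verdict)


def review_all(grants: list[dict], sp_names: dict[str, str]) -> list[GrantReview]:
    return [review_grant(g, sp_names) for g in grants]


# Constructed sample data (made-up service principal ids, names and grants).
SAMPLE_SPS = {"sp-1": "OneNote Web Clipper", "sp-2": "Example Attack App", "sp-3": "Zix Secure Mail"}
SAMPLE_GRANTS = [
    {"clientId": "sp-1", "consentType": "Principal", "principalId": "u-1", "scope": "User.Read Notes.Create"},
    {"clientId": "sp-2", "consentType": "Principal", "principalId": "u-2",
     "scope": "Mail.Read Mail.Send Files.Read.All offline_access"},
    {"clientId": "sp-3", "consentType": "AllPrincipals", "principalId": None, "scope": "openid profile email User.Read"},
]

if __name__ == "__main__":
    for r in review_all(SAMPLE_GRANTS, SAMPLE_SPS):
        print(f"{r.verdict:16} {r.consent_type:14} {r.app:22} risky={' '.join(r.risky) or '-'}")
```

A "block-candidate" result is a grant to investigate and revoke in the portal or Defender for Cloud Apps, not an automatic removal.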
Info
Channel: Doug Does Tech
Views: 1,878
Keywords: Azure AD, Admin Approval, Just do the Basics, Office 365 Security
Id: 3FnNXd_W51M
Length: 11min 14sec (674 seconds)
Published: Mon Aug 29 2022