Entra app policies

Description

This policy is designed to monitor application registrations with certificates nearing expiration. 

It lists the application's display name, the certificate thumbprint, a description of the app, the key ID, and the certificate's expiration date, focusing on those expiring in the next 30 days. 

This tool helps IT administrators proactively renew certificates and maintain application security and functionality.

Impact on your tenant

App registrations with expiring certificates can lead to service disruptions or security risks if not addressed in time. Regularly reviewing and updating these certificates is essential.

Remediation action

Schedule and send the report to a custom recipient

What you can configure

• Set the policy to target expiring certificates in the next 30, 60, or 90 days
• Type the recipient of the email (custom address)
• Schedule the recurrence of the remediation action

Description

This policy helps you keep track of app registrations with secrets that are about to expire.

It shows the app's name, the secret's name, when it was created, and when it's set to expire. You'll also see the unique application ID. 

This tool is useful for staying on top of your app security, ensuring you renew or update secrets before they cause access issues. This way, you can keep your apps running smoothly and securely.

Impact on your tenant

Expiring secrets in app registrations can cause application failures or security vulnerabilities. Proactive management of these secrets ensures continued operation and security.

Remediation action

Schedule and send the report to a custom recipient

What you can configure

• Set the policy to target expiring secrets in the next 30, 60, or 90 days
• Type the recipient of the email (custom address)
• Schedule the recurrence of the remediation action

Description

This report gathers all service principals assigned with "Application.Read.All" permission.

Impact on your tenant

Assigning service principals with "Application.Read.All" permission allows them to read all application objects within the organization's directory, including highly sensitive and confidential app configurations and metadata. From a security standpoint, this broad level of access could elevate the risk of data exposure and potential breaches if these principals are compromised. Best practices suggest adhering to the principle of least privilege, ensuring that service principals are granted only the permissions necessary for their specific roles, thereby minimizing the attack surface and enhancing the organization's security posture.

Remediation action

Disable service principal.

What you can configure

• Enable/disable the email alert if the workflow fails
• Schedule the recurrence of the remediation action

Description

This report gathers all service principals assigned with "Application.ReadWrite.All" permission.

Impact on your tenant

Assigning service principals the "Application.ReadWrite.All" permission grants them extensive control over application registrations and configurations within an Azure AD environment. This level of access potentially exposes the organization to security risks, such as unauthorized application modifications or data breaches, if these principals are compromised. As a best practice, adhering to the principle of least privilege—only granting permissions as necessary for the required tasks—can mitigate these risks, alongside regular audits and monitoring of service principal activities to ensure compliance and detect anomalies.

Remediation action

Disable service principal.

What you can configure

• Enable/disable the email alert if the workflow fails
• Schedule the recurrence of the remediation action

Description

This report compiles a list of service principals that are granted permission to access calendars, at a minimum.

Impact on your tenant

Allowing enterprise apps to access calendars poses security risks, such as data breaches and privacy violations. To mitigate these, it's crucial to enforce strict access controls, adhere to data protection policies, and regularly review app permissions, ensuring both organizational security and user privacy are maintained.

Remediation action

Disable service principal.

What you can configure

• Enable/disable the email alert if the workflow fails
• Schedule the recurrence of the remediation action

Description

This report compiles a list of service principals that are granted permission to access contacts, at a minimum.

Impact on your tenant

Granting enterprise apps access to contacts raises security concerns, such as data breaches. To counteract this, it's crucial to enforce strict access controls and encrypt data, ensuring sensitive information remains protected.

Remediation action

Disable service principal.

What you can configure

• Enable/disable the email alert if the workflow fails
• Schedule the recurrence of the remediation action

Description

This report compiles a list of service principals that are granted permission to access files, at a minimum.

Impact on your tenant

Granting enterprise apps file access increases security risks, requiring strict access controls, data encryption, and regular permission audits to protect sensitive information and comply with regulations, thereby maintaining data integrity and organizational trust.

Remediation action

Disable service principal.

What you can configure

• Enable/disable the email alert if the workflow fails
• Schedule the recurrence of the remediation action

Description

This report compiles a list of service principals that are granted permission to access email, at a minimum.

Impact on your tenant

Allowing enterprise apps email access raises security concerns, requiring strong authentication, strict access controls, and encryption to prevent data breaches and unauthorized access. Adhering to these best practices ensures the secure integration of email functionalities within enterprise environments.

Remediation action

Disable service principal.

What you can configure

• Enable/disable the email alert if the workflow fails
• Schedule the recurrence of the remediation action

Description

This report compiles all service principals granted access to data with more than five scopes of delegated permissions.

Impact on your tenant

Granting an enterprise application more than five delegated permissions can escalate security risks by unnecessarily broadening its access, potentially exposing sensitive data and systems. Adhering to the principle of least privilege, regularly reviewing permissions, and implementing strict access controls are essential best practices to mitigate these risks.

Remediation action

Disable service principal.

What you can configure

• Enable/disable the email alert if the workflow fails
• Schedule the recurrence of the remediation action

Description

This report compiles a list of service principals that are granted permission to access sites, at a minimum.

Impact on your tenant

Enterprise apps with site access heighten security risks, requiring stringent access controls and encryption to prevent breaches. Adopting best practices such as least privilege access and secure coding, alongside regular security audits, is essential for protecting sensitive data and maintaining a secure operational environment.

Remediation action

Disable service principal.

What you can configure

• Enable/disable the email alert if the workflow fails
• Schedule the recurrence of the remediation action

Description

This policy identifies enterprise applications with unverified publishers in your environment. It provides key information including the application name, service principal display name, publisher, verification status, and whether the app is enabled. 

Additionally, it indicates if the app is a custom registration or built-in. 

This tool helps IT security teams assess and manage potential risks associated with unverified applications, ensuring compliance with organizational security policies and maintaining the integrity of your enterprise app ecosystem.

Impact on your tenant

Enterprise apps with unverified publishers can introduce potential risks. Verifying the publishers of these apps helps maintain a secure environment.

Remediation action

Schedule and send the report to a custom recipient

What you can configure

• Type the recipient of the email (custom address)
• Schedule the recurrence of the remediation action

Description

This policy identifies enterprise applications that currently have no assigned owners. 

It displays information such as the application name, service principal display name, publisher, and enabled status. 

The policy confirms the lack of owners and indicates whether the app is a custom registration or built-in. By highlighting apps without owners, this policy enables prompt assignment of responsibility, ensuring better management and security oversight of enterprise applications.

Impact on your tenant

Enterprise apps without owners can become unmanaged and pose security risks. Assigning owners to all apps ensures proper oversight and governance.

Remediation action

Schedule and send the report to a custom recipient

What you can configure

• Type the recipient of the email (custom address)
• Schedule the recurrence of the remediation action

Description

This policy identifies app registration with certificates that expire beyond a 180-day threshold.

It displays the application name, the thumbprint, the key ID, the creation date, and the expiration date, focusing on apps with certificates expiring in over 180 days.

Impact on your tenant

By flagging these certificates well in advance, you ensure continuous service availability, prevent potential authentication disruptions, and maintain a high standard of security.

Remediation action

Schedule and send the report to a custom recipient

What you can configure

• Type the recipient of the email (custom address)
• Schedule the recurrence of the remediation action

Description

This policy identifies app registration with secrets that expire beyond a 180-day threshold.

It displays the application name, the secret display name, the creation date, and the expiration date, focusing on apps with secrets expiring in over 180 days.

Impact on your tenant

By flagging these secrets well in advance, you ensure continuous service availability, prevent potential authentication disruptions, and maintain a high standard of security.

Remediation action

Schedule and send the report to a custom recipient

What you can configure

• Type the recipient of the email (custom address)
• Schedule the recurrence of the remediation action

Description

This policy identifies app registration certificates that have expired but have not been removed yet.

It displays the application name and ID, the certificate display name, the key ID, the creation date, and the expiration date.

Impact on your tenant

Regularly updating and removing outdated certificates is part of good security hygiene.

Remediation action

Schedule and send the report to a custom recipient

What you can configure

• Type the recipient of the email (custom address)
• Schedule the recurrence of the remediation action

Description

This policy identifies app registration secrets that have expired but have not been removed yet.

It displays the application name and ID, the secret display name, the key ID, the creation date, and the expiration date.

Impact on your tenant

Regularly updating and removing outdated secrets is part of good security hygiene.

Remediation action

Schedule and send the report to a custom recipient

What you can configure

• Type the recipient of the email (custom address)
• Schedule the recurrence of the remediation action

Description

This policy identifies enterprise applications that have not been used recently.

It displays the application name and the service principal display name, and tracks the last sign-in activity, focusing on apps with no sign-ins in the previous 90 days. 

It also provides information about the publisher, confirms whether the app is enabled, and indicates whether it is a registered app or a built-in service.

Impact on your tenant

Unused enterprise apps can create unnecessary security risks or consume resources. Regularly reviewing and decommissioning these apps helps maintain an efficient and secure environment.

Remediation action

Schedule and send the report to a custom recipient

What you can configure

• Set the policy to target apps without sign-ins in the previous 30, 60, 90, 180 days, or ever.
• Type the recipient of the email (custom address)
• Schedule the recurrence of the remediation action