Table of Contents
Peering into a Dark Corner of Azure AD
Vasil Michev’s article about creating a Graph-based PowerShell script to generate an inventory of Azure AD integrated apps and their permissions caused me to think about this dark corner of Azure AD. Microsoft’s Philippe Signoret covers some of the same ground with his PowerShell script, used in Microsoft’s documentation for detection and remediation of illicit consent grants, a topic which became more important in the light of the SolarWinds hack last year. As discussed here, you can also interrogate the Office 365 audit log to report events captured when apps receive consent.
In any case, the point is that Azure AD app permissions exist in a tenant and it’s good to know what the apps are, why they have permissions, and if they are still needed. An increasing number of ISV and other apps use the Graph APIs to interact with Microsoft 365 data. Each of these apps needs an OAuth 2.0 consent to interact with the Graph and ends up as an Azure AD integrated app. By running Vasil’s script, I found 58 apps in my tenant. Based on what I see in other tenants, this is not uncommon.
Reviewing Integrated Apps
Although you could review the set of Azure AD integrated apps through the Azure AD admin center (Figure 1), it’s often easier to perform a review using a shared resource like the CSV file generated by the script.
To make the data easier to work with, after running the script to generate the CSV files, I converted the CSV to an Excel worksheet formatted as a table and imported it into Microsoft Lists in Teams. Storing the data in a list accessed through a tab in a channel makes the information very accessible to people who might know what function apps serve (if any). I added a couple of fields to track the apps during the review, including creating a category to classify the apps and a notes field to capture comments made by reviewers. Here are the set of categories I used:
- Microsoft apps.
- Trial apps installed for testing purposes.
- ISV apps still in use.
- Tenant Apps registered to use PowerShell to call Microsoft Graph APIs.
- Apps requiring further investigation.
- Unwanted apps which can be removed.
Figure 2 shows how the list of apps for review appears in Teams.
Looking through the set of apps uncovered some interesting items. For instance, a bunch of apps exist to help with registering users for conferences. If you’ve ever attended a Microsoft event like Ignite, you’ll probably find an app called “Microsoft Events” with permissions to read user profiles. Sessionize.com has an app with the same permissions to help people like me submit sessions to conferences, while the EventPoint sign-in app seems to serve the same purpose while demanding access to users’ email addresses. And finally, the Nubelus app is, I think, used by the European Collaboration Summit, but limits itself to delegated permissions for selected users (me, in this case).
Each app needs careful examination to understand its purpose, who uses the app, and the permissions it holds. Bringing the information about the apps into the list made that review quicker and easier.
Focusing on Problem Apps
The highlighted app (CXP Previews Portal is a good example of a questionable app. Examining details of the app (Figure 3), we discover that its home page is http://bf.net.nz/, located in New Zealand and that its creation date (in the tenant) was 20 December 2016. Access is valid until 18 June 2017, so it is obvious that this app is unused and a prime candidate for renewal. The other information captured for the app makes me think that this app is used to gain access to some Microsoft previews (CXP is a Microsoft acronym for Customer Experience Program). All in all, this app is a great candidate for removal.
In total, the review highlighted 16 unwanted apps which could be removed immediately along with several others which needed more investigation. These apps belong to trials that I had signed up for in the past (like the four apps registered for Office365mon.com), others for services I looked at but never used, like Microsoft FastTrack, and some were old Microsoft pilot apps, like CollabDB, part of the Project Osaka initiative from 2017. I remembered some apps, while others needed an internet search to fill in the gaps. In many cases, several years (going back to 2015) had lapsed since the app was granted permissions.
Removing Apps
To remove an app, go to the Enterprise applications section of the Azure AD admin center and select the app. Click properties in the left-hand pane to reveal the option to delete the app (Figure 4). Click Delete and confirm to remove the app. The Azure AD admin center only lists 50 apps in its UI, so if your tenant has more than 50 apps, you must search using the app id in to view its properties.
If you remove an app in error, it’s easy for an administrator to grant consent to the app and its required permissions the next time the app is needed.
After removing the 16 unwanted apps, my set of Azure AD integrated apps is now down to 42. I’m now gathering information about the seven apps which need further investigation (if I were bold, I would delete the apps to see what happens, but that’s seldom a good plan).
Time for an App Spring Clean
What this exercise proves is that the set of apps integrated with Azure AD tends to grow over time and is not managed in any way by Azure AD. It’s up to administrators to audit the set of apps in their tenant and decide which apps remain useful and which can be discarded. Apart from cleaning out old apps, the purpose of the audit is to ensure that bad actors can’t leave highly permissioned apps behind to use after an initial visit.
The script described in Vasil’s article is a good starting point for an audit. Putting the results of the script into a Microsoft list makes the app more accessible and easier to work with. At the end of the day, humans must decide what apps to keep. Based on my experience, it should be possible to remove between 30-40% from a tenant. Your mileage may vary!
Apart from users and groups, it’s often surprising how little attention the contents of Azure AD receives from tenant administrators. Learn more by subscribing to the Office 365 for IT Pros eBook. We might not cover everything there, but what we do cover is important…
Hi Tony,
Great article,
Any idea on what the “Valid until (delegate)” value holds exactly? How can we use this value to determine candidates for removal? Documentation on this property (expiryTime) is kind of vague in my opinion.
Thanks in advance,
/Kenneth
I don’t know… I have never delved into that detail. There’s always something to research…
Hi Tony. Script is excellent but you can not rely on “Valid until (delegate)” parameter only. You should also check “User Sign-Ins” (interactive/non-interactive), “Service principal sign-ins” and “Managed identity sign-ins” which should be the most important parameter that determines whether a given application can be removed.
I think it’s Vasil’s script… He wrote it; I just report on it. The sign in information that you refer to possibly wasn’t easily available at the time (managed identities certainly were not). But I think that an administrator who’s reviewing a list of apps can highlight ones that need to be checked and that’s what the script sets out to do. How the administrator then performs the checks is up to them.
Tony, any idea why some of the apps, like Fast Track, from Microsoft are not “Verified”?
No idea. Probably some delay in issuing new versions which are verified.
hi
is there a way to list / delete enterprise applications using the python SDK?
i’d like to automate this.
Thanks.
Use the Graph API: https://docs.microsoft.com/en-us/graph/api/application-list?view=graph-rest-1.0&tabs=http