Ensure third party integrated applications are not allowed in Office 365

When operating Office 365 and Azure Active Directory in a large enterprise, the security team may be hesitant to permit third-party applications to access enterprise data. For instance, enabling the “Users may add integrated applications” option in the “configure” tab of Azure AD’s “integrated applications” section could result in numerous applications appearing in the Azure AD applications section. This indicates that users are utilizing third-party applications and using their work accounts as the identity, which may raise concerns for the security team.

To enhance the security of your services, it is recommended to only permit third-party integrated applications that offer clear value and have strong security controls in place. An attacker who has compromised an account can use it to consent a third-party application to that account's data; the application then keeps pulling data out of your tenancy even after the attacker has lost access to the account itself, so there is no need for them to maintain the compromised account.

Implementing this policy change may affect both end users and administrators. End users may not be able to integrate certain third-party applications they rely on, and administrators may receive requests to authorize necessary third-party applications.

As per Microsoft: Currently, the only method for an administrator to authorize an application for the entire tenant is by sending an interactive sign-in request using the query parameter “?prompt=admin_consent.” Typically, the app developer is asked to include this request within their application, although it is also possible for an administrator to create the request as a link and manually prompt an admin to click on it. Detailed instructions for creating a sign-in request can be found at http://aka.ms/aaddev. However, we are in the process of integrating this capability directly into our portal, which will eliminate the need for manual link creation.

You can use SmartProfiler for Office 365 Assessment to verify whether any third-party applications are currently integrated with your Office 365 services. This tool enables you to quickly check for any unauthorized integrations and generate a report. Additionally, you can refer to this article for a PowerShell script that can be used to perform the same check.

# Prerequisites: the AzureAD and MSOnline modules must be installed and connected
# (Connect-AzureAD, Connect-MsolService) with an account that can read tenant settings.
# The four variables below are normally supplied by the SmartProfiler framework; the
# placeholder values let the script also run on its own.
IF (-not $ThisADForestNow)    { $ThisADForestNow    = "" }
IF (-not $PackExecuteLog)     { $PackExecuteLog     = "C:\Temp\PackExecute.log" }
IF (-not $OfficeStatusFile)   { $OfficeStatusFile   = "C:\Temp\OfficeStatus.csv" }
IF (-not $TotalProcessedFile) { $TotalProcessedFile = "C:\Temp\TotalProcessed.txt" }

$Error.Clear()
$ModProcess = "Yes"
$TotNo = ""
$AnyGap = "No"
$TestStatus = ""
IF ($ModProcess -eq "Yes")
{
	$ThisTestName = "Ensure third party integrated applications are not allowed"
	$TestCat = "Application Permissions"

	# Start from clean output files
	$TestCSVFile = "C:\Temp\TestCSV.CSV"
	IF (Test-Path $TestCSVFile) { Remove-Item $TestCSVFile -ErrorAction SilentlyContinue }
	$DataFileLocation = "C:\Temp\TestCSV" + $ThisTestName + $ThisADForestNow + "_DATA.CSV"
	IF (Test-Path $DataFileLocation) { Remove-Item $DataFileLocation -ErrorAction SilentlyContinue }

	$STR = "Executing: " + $ThisTestName
	Add-Content $PackExecuteLog $STR
	$STR = $TestCat + "," + $ThisTestName + ",Executing"
	Add-Content $OfficeStatusFile $STR

	$ThisString = "ThirdParty App Integration Status,"
	Add-Content $TestCSVFile $ThisString

	[string]$ThirdPartyIntegratedAppAllowed = ""

	# UsersPermissionToCreateLOBAppsEnabled is the tenant setting behind
	# "Users may add integrated applications" in the Azure AD portal
	$Tenant = Get-AzureADTenantDetail
	$TenantId = $Tenant.ObjectId
	$CompanyInfo = Get-MsolCompanyInformation -TenantId $TenantId
	IF ($CompanyInfo.UsersPermissionToCreateLOBAppsEnabled -eq $true)
	{
		$ThirdPartyIntegratedAppAllowed = "Yes"
		$AnyGap = "Yes"
		$TotNo = "Enabled"
	}
	else
	{
		$ThirdPartyIntegratedAppAllowed = "No"
		$AnyGap = "No"
		$TotNo = "Disabled"
	}

	# Decide the test result before it is written to the status file
	IF ($AnyGap -eq "Yes") { $TestStatus = "High" } else { $TestStatus = "Passed" }

	Add-Content $TestCSVFile $ThirdPartyIntegratedAppAllowed

	$STR = $TestCat + "," + $ThisTestName + "," + $TestStatus
	Add-Content $OfficeStatusFile $STR

	$STR = "Processed: " + $ThisTestName
	Add-Content $TotalProcessedFile $STR
}

$TestStatus
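The script above only reports whether the tenant setting is on or off. The following added example (written for this page, not part of the article's script or of SmartProfiler) goes one step further: it lists the integrated applications that individual users have already consented to, so you can see what the "numerous applications" mentioned earlier actually are, and it flips the tenant setting off in a way that can be previewed with -WhatIf before it is applied. It assumes Connect-AzureAD and Connect-MsolService have already been run with an account that can read and change tenant settings; the function names are this example's own.

```powershell
# Added example, not the article's or SmartProfiler's code.
# Assumes an existing AzureAD and MSOnline session.

function Get-UserConsentedAppGrant {
    # Service principals added from the gallery or through consent carry this tag
    $apps = Get-AzureADServicePrincipal -All $true |
        Where-Object { $_.Tags -contains 'WindowsAzureActiveDirectoryIntegratedApp' }
    $byId = @{}
    foreach ($sp in $apps) { $byId[$sp.ObjectId] = $sp }

    # ConsentType 'Principal' means a single user consented;
    # 'AllPrincipals' means an administrator consented for the whole tenant
    Get-AzureADOAuth2PermissionGrant -All $true |
        Where-Object { $_.ConsentType -eq 'Principal' -and $byId.ContainsKey($_.ClientId) } |
        ForEach-Object {
            $user = Get-AzureADUser -ObjectId $_.PrincipalId -ErrorAction SilentlyContinue
            [pscustomobject]@{
                AppDisplayName = $byId[$_.ClientId].DisplayName
                AppId          = $byId[$_.ClientId].AppId
                ConsentedBy    = if ($user) { $user.UserPrincipalName } else { $_.PrincipalId }
                Scope          = "$($_.Scope)".Trim()   # delegated permissions granted
            }
        }
}

function Set-ThirdPartyAppIntegration {
    # Turns "Users may add integrated applications" on or off for the tenant
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([bool]$Allowed = $false)

    $before = (Get-MsolCompanyInformation).UsersPermissionToCreateLOBAppsEnabled
    if ($before -eq $Allowed) {
        Write-Verbose "UsersPermissionToCreateLOBAppsEnabled is already $Allowed; nothing to do"
        return
    }
    if ($PSCmdlet.ShouldProcess('tenant', "Set UsersPermissionToCreateLOBAppsEnabled to $Allowed")) {
        Set-MsolCompanySettings -UsersPermissionToCreateLOBAppsEnabled $Allowed
    }
}

# Report first, then preview the remediation (drop -WhatIf to apply it)
Get-UserConsentedAppGrant | Sort-Object AppDisplayName | Format-Table -AutoSize
Set-ThirdPartyAppIntegration -Allowed $false -WhatIf
```

Review the grant report with the application owners before disabling the setting: turning it off stops users from adding new integrated applications, but existing grants stay in place until they are removed separately, so the report is also the list of what still needs an administrator's decision.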

SmartProfiler and CIS Benchmark for Office 365 Foundation

SmartProfiler is a tool that has been specifically developed to support CIS Standards for Office 365 Foundation (M365) and Microsoft Azure. It is worth noting that SmartProfiler provides a more comprehensive set of tests than the CIS Benchmark for Office 365 Foundation, offering a total of 138 tests across all relevant categories. While the CIS benchmark provides only 87 tests, SmartProfiler’s additional 51 tests are specifically designed by DynamicPacks Technologies Office 365 team to ensure that every aspect of Office 365 is covered.

As an experienced provider of Office 365 services, we have worked with clients across the globe to develop tests that address Office 365 misconfigurations and other common issues. With SmartProfiler, our clients can rest assured that they are receiving the most comprehensive suite of tests available for Office 365 environments.

The PowerShell script provided as part of this article is also included in SmartProfiler for Office 365 Assessment Tool.