How to detect illicit applications In Microsoft Entra ID

Microsoft Entra ID is a powerful security platform designed to protect your system or network from malicious applications. It uses advanced threat intelligence and behavioral analytics to identify and block any software that attempts to breach your system’s security. By continuously monitoring network traffic and analyzing user behavior, Entra ID identifies suspicious activities, Detects unauthorized apps and prevents unauthorized access attempts, ensuring that only trusted and secure applications operate on the system.

With Microsoft Entra ID, organizations can strengthen their security posture, reduce risks and protect their critical assets from cyber threats such as malware, ransomware, spyware, and other malicious software.

Spotting illicit applications:

When monitoring application logs for security incidents, watch for the following indicators of potential threats: 

1. Anomalies in business processes or schedules.
2. Alterations to application credentials, permissions, or assigned service principals.
3. Granting privileged permissions to applications.
4. End-users giving consent to applications.
5. Adjustments to end-user consent based on risk levels.
6. Modifications to application configurations, URIs, or owners.
7. Changes to log-out URLs.

How does security breaches occur through applications:

There are two main approaches:

• An application receives consent from an administrator or user, typically facilitated by a phishing attack. This tactic serves as the initial entry point into a system and is commonly known as “consent phishing.”
• The second method involves a rogue administrator account generating a new application. For instance, a compromised administrator might craft an OAuth app with an innocuous name to remain inconspicuous and maintain prolonged access to data without requiring an account.

Why do we need to detect illicit applications in Microsoft Entra ID:

 The need arises from the growing threat landscape surrounding unauthorized access to sensitive data and resources. Illicit applications pose significant security risks to organizations by accessing and manipulating confidential information without proper authorization. 

• Identifying and removing unauthorized applications in Microsoft Entra ID helps safeguard against security breaches and ransomware attacks to your financial records or proprietary intellectual property.
• Detecting and removing illicit applications helps organizations remain compliant with relevant regulations such as GDPR, HIPAA, or PCI DSS.
• Removing Illicit applications prevents threat actors from access to data. It reduces the attack surface and safeguards your organization’s infrastructure
• To protect customers and uphold their trust is paramount for any organization.  Unauthorized applications can compromise data integrity or privacy, damaging the organization’s reputation.
• Illicit applications may consume computing resources, network bandwidth, or storage without providing any legitimate business value, messing up resource allocation.

To find illicit applications within Microsoft Entra IDs, organizations can employ various methods such as continuous monitoring of application permissions, analysing access logs for suspicious activities.

How to detect illicit applications in Microsoft Entra ID:

1. Using the Azure AD portal:

• Log in to your Azure Portal and choose Monitoring
• In Monitoring→Audit Logs.
• From the ‘Category’ column select “Application Management” to filter the report. It will now show only application-related events.The Target(s) column will displays the application name.
• The Details tab at the bottom of the page shows event details.

 To locate apps for which “individual users” have granted permissions:

•  Login to the Azure portal using your administrator credentials.
• Click on the Microsoft Entra ID icon → Users.
• Select the user to be reviewed.
• Select Applications.
• You can see the list of apps that are assigned to the user and their permissions

2. Using PowerShell:

Pre-requisites:

Download the Get-AzureADPSPermissions.ps1 script from GitHub to a folder.

Follow the steps below to find illicit applications in Microsoft Entra ID:

1. Open a PowerShell instance and open the folder where you saved the script.
2. Connect to your directory using Connect-AzureAD command given below:

Connect-AzureAD -tenantid "ABC" -AccountId "userA@abc.com"

3. Run this command:

Get-AzureADPSPermissions.ps1 | Export-csv c:\temp\Illicit applications\Permissions.csv -NoTypeInformation

4. A file named Permissions.csv is created

5. Open the file, format the data into a table and save as an .xlxs file.

6. From ConsentType column (G), search for the value AllPrinciples. The client application can view the content of every tenant in the tenancy via the AllPrincipals permission.

7. The Permission column (F), displays the permissions that each delegated application has. Look for Read and Write permission or *.

8. The ClientDisplayName column (C), helps you look for apps that seem suspicious, such as:

• Apps with misspelt names
• Bland names
• Hacker-sounding names

Additionally, educating users about the risks associated with granting consent to applications and enforcing strict approval processes for new application registrations can help prevent illicit applications within the organization’s environment.