Azure Active Directory (Azure AD) is the future and is Microsoft’s cloud-based identity and access management service, which helps your users to sign in and access resources.
Azure AD contains a large number of enterprise applications such as the gallery, on-premise, custom-developed, and non-gallery applications.
For more information about Application Management in Azure AD, please refer https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/what-is-application-management
Most of the Enterprise apps with Microsoft as a publisher in the Azure AD comes with the default properties such as Enabled for users to sign-in’ and ‘AppRoleAssignmentRequired’ which will have DLP issues if you don’t closely monitor the application behaviour.
For example, there is an enterprise application called Azure DevOps which is by default enabled with a setting called ‘Enabled for users to sign-in’ and ‘AppRoleAssignmentRequired’ is set to False.
Most of the Microsoft applications have ‘AppRoleAssignmentRequired’ is set to False, what it means is, any user who tries to access the application is allowed and ready to use the app.
When user assignment is required, only those users you explicitly assign to the application (either through direct user assignment or based on group membership) will be able to sign in. They can access the app on their My Apps page or by using a direct link.
When the assignment is not required, either because you've set this option to No or because the application uses another SSO mode, any user will be able to access the application if they have a direct link to the application or the User Access URL in the application’s Properties page.
The setting ‘Enabled for users to sign-in’ is available the GUI in the azure portal and can be altered whereas AppRoleAssignmentRequired is not visible in the UI for all applications and you have to use the PowerShell to make the changes.
Do you really need to allow the Azure DevOps application used by the entire org? Any concerns raised by the security team (DLP issues) on such applications which allow the user to use without any assignment required?
The customer had a requirement from the security team to monitor all the Microsoft applications (Enterprise applications) and get the properties of each application and see if the required settings are acceptable or not.
With this, we have decided to extend this request further to automate the process of monitoring the newly added applications by Microsoft and email if there are any added newly with the help of PowerShell script.
The powershell script will help you to generate the list of all Microsoft applications for you to review them and it also create another csv file for any newly added applications from the last time the script ran.
How do we know if there are any newly added apps by Microsoft?
Well, the first time you try to run the script, it will generate the list of Microsoft apps and save it into a CSV file.
In the next schedule, the PowerShell script generates the list of Microsoft applications and compare this list with its previously generated list and if there are newly added apps by Microsoft, get the properties of each application and send an Email.
This process will repeat hence you can take necessary action on the newly added apps before users start accessing the applications.
The PowerShell script is available in GitHub.
The following are the lines in the script to be edited with your customizations and make it for schedule task.
4,13,14,22,24,84
The PowerShell script does the following.
- Read the credentials that are provided in the script.
- Generate the list of Azure AD Microsoft apps with properties.
- Check if any previous CSV file exists for comparison, if exist, compare the results and create new CSV file for newly added apps.
- If there are any newly added apps, send the CSV file to the recipients as per the script.
Sample output for newly added apps:
Following are the PowerShell command lines to change the setting for ‘Enabled for users to sign-in’ and AppRoleAssignmentRequired.
Set-AzureADServicePrincipal -ObjectId <Replace with App Service Principal ID> -AccountEnabled $false
Set-AzureADServicePrincipal -ObjectId <Replace with App Service Principal ID> -AppRoleAssignmentRequired $true
You can use the above cmdlets to change the settings for the list of applications supplied in CSV file.
For more information, please refer https://docs.microsoft.com/en-us/powershell/module/azuread/set-azureadserviceprincipal?view=azureadps-2.0
2 Comments
Github link is broken
Hi Sam,
the link is updated now, please try https://github.com/eskonr/MEMPowered/blob/master/Scripts/Azure%20Active%20Directory/Monitor-AzureAD-Entperise-Apps.ps1
Thanks,
Eswar