
How to detect illicit applications In Microsoft Entra ID

Microsoft Entra ID is a powerful security platform designed to protect your system or network from malicious applications. It uses advanced threat intelligence and behavioral analytics to identify and block any software that attempts to breach your system’s security. By continuously monitoring network traffic and analyzing user behavior, Entra ID identifies suspicious activities, detects unauthorized apps and prevents unauthorized access attempts, ensuring that only trusted and secure applications operate on the system.

With Microsoft Entra ID, organizations can strengthen their security posture, reduce risks and protect their critical assets from cyber threats such as malware, ransomware, spyware, and other malicious software.

Spotting illicit applications:

When monitoring application logs for security incidents, watch for the following indicators of potential threats: 

  1. Anomalies in business processes or schedules.
  2. Alterations to application credentials, permissions, or assigned service principals.
  3. Granting privileged permissions to applications.
  4. End-users giving consent to applications.
  5. Adjustments to end-user consent based on risk levels.
  6. Modifications to application configurations, URIs, or owners.
  7. Changes to log-out URLs.
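The indicators above all surface as entries in the Entra audit log. The following script is an added example (not part of the original post) that pulls recent audit events and keeps only the activity types that correspond to those indicators, then summarises them by actor. It assumes the Microsoft.Graph.Reports module is installed and that you are connected with `Connect-MgGraph -Scopes AuditLog.Read.All`; the activity names are standard Entra audit-log `activityDisplayName` values, but confirm them against your own tenant's log before relying on the list.

```powershell
# Added example (not from the original post): surface Entra audit events that map to the
# indicator list above. Assumes Microsoft.Graph.Reports and an existing Connect-MgGraph session.

# Activity names as they appear in the Entra audit log, mapped to the post's indicator numbers.
$activities = @(
    'Consent to application',                       # 4: end-user consent to an app
    'Add delegated permission grant',               # 3/4: permission grants
    'Add app role assignment to service principal', # 3: privileged application permissions
    'Add service principal credentials',            # 2: new credentials on a service principal
    'Update application',                           # 6/7: config, URIs, owners, logout URL
    'Add owner to application'                      # 6: owner changes
)

function Get-AppChangeEvents {
    param([int] $Days = 7)
    # Server-side filter on time only; the activity filter is applied client-side so the
    # query works regardless of how many activity names you add to the list above.
    $since  = (Get-Date).AddDays(-$Days).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
    $filter = "activityDateTime ge $since"
    Get-MgAuditLogDirectoryAudit -Filter $filter -All |
        Where-Object { $_.ActivityDisplayName -in $activities }
}

function Format-AppChangeEvents {
    param([object[]] $Events)
    $Events | ForEach-Object {
        [pscustomobject]@{
            When     = $_.ActivityDateTime
            Activity = $_.ActivityDisplayName
            # Interactive changes carry a user; automated ones carry the acting app
            Actor    = if ($_.InitiatedBy.User.UserPrincipalName) {
                           $_.InitiatedBy.User.UserPrincipalName
                       } else {
                           $_.InitiatedBy.App.DisplayName
                       }
            Target   = ($_.TargetResources | Select-Object -First 1).DisplayName
            Result   = $_.Result
        }
    }
}

$report = Format-AppChangeEvents -Events (Get-AppChangeEvents -Days 7)

# Newest first for review
$report | Sort-Object When -Descending | Format-Table -AutoSize

# Actor/activity counts: consent or credential additions by unexpected actors stand out here
$report | Group-Object Actor, Activity | Sort-Object Count -Descending | Select-Object Count, Name
```

Feed the `$report` objects into whatever you use for alerting; the two views at the end are simply the quickest way to spot a consent grant or credential addition from an account that should not be making one.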

How do security breaches occur through applications:

There are two main approaches:

Why do we need to detect illicit applications in Microsoft Entra ID:

The need arises from the growing threat landscape surrounding unauthorized access to sensitive data and resources. Illicit applications pose significant security risks to organizations by accessing and manipulating confidential information without proper authorization.

To find illicit applications within Microsoft Entra ID, organizations can employ various methods, such as continuously monitoring application permissions and analysing access logs for suspicious activity.

How to detect illicit applications in Microsoft Entra ID:

1. Using the Azure AD portal:

To locate apps for which “individual users” have granted permissions:

2. Using PowerShell:

Pre-requisites:

Download the Get-AzureADPSPermissions.ps1 script from GitHub to a folder.

Follow the steps below to find illicit applications in Microsoft Entra ID:

  1. Open a PowerShell instance and change to the folder where you saved the script.
  2. Connect to your directory using the Connect-AzureAD command given below:
Connect-AzureAD -TenantId "ABC" -AccountId "userA@abc.com"
  3. Run this command (the path contains a space, so it must be quoted):

.\Get-AzureADPSPermissions.ps1 | Export-Csv "c:\temp\Illicit applications\Permissions.csv" -NoTypeInformation
  4. A file named Permissions.csv is created.

  5. Open the file, format the data into a table and save it as an .xlsx file.

  6. In the ConsentType column (G), search for the value AllPrincipals. This value means the permission was consented for all users, so the client application holds that permission for every user in the tenant.

  7. The Permission column (F) displays the permissions that each delegated application has. Look for Read and Write permissions or *.

  8. The ClientDisplayName column (C) helps you look for apps that seem suspicious, such as:
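The spreadsheet triage in steps 6 to 8 can be done directly on the exported CSV. The script below is an added example (not part of the original post or of the Get-AzureADPSPermissions.ps1 project) that applies the same checks: keep delegated grants whose ConsentType is AllPrincipals and whose Permission contains Read or Write or is a bare *. It assumes the column names that Permissions.csv carries (the post's columns C, F and G are ClientDisplayName, Permission and ConsentType); the sample rows embedded in the script are constructed for illustration, and the commented Import-Csv line shows how to run it on the real export.

```powershell
# Added example (not from the original post): triage Permissions.csv the way steps 6-8 describe.
# Column names assumed to match the output of Get-AzureADPSPermissions.ps1.

function Find-RiskyDelegatedGrants {
    param(
        [Parameter(Mandatory)] [object[]] $Grants,
        # Step 7's rule: Read or Write permissions, or a bare "*"
        [string] $PermissionPattern = 'Read|Write|^\*$'
    )
    $Grants | Where-Object {
        $_.PermissionType -eq 'Delegated' -and
        $_.ConsentType    -eq 'AllPrincipals' -and      # step 6: granted for every user
        $_.Permission     -match $PermissionPattern     # step 7
    } | Select-Object ClientDisplayName, ResourceDisplayName, Permission, ConsentType
}

# Constructed sample in the shape of Permissions.csv (column order A..G matches the post).
# The object IDs and app names are made up for the example.
$sampleCsv = @'
PermissionType,ClientObjectId,ClientDisplayName,ResourceObjectId,ResourceDisplayName,Permission,ConsentType,PrincipalObjectId,PrincipalDisplayName,PrincipalUserPrincipalName
Delegated,00000000-0000-0000-0000-000000000001,Contoso Expense App,00000000-0000-0000-0000-0000000000aa,Microsoft Graph,User.Read,AllPrincipals,,,
Delegated,00000000-0000-0000-0000-000000000002,Quick Mail Sync,00000000-0000-0000-0000-0000000000aa,Microsoft Graph,Mail.ReadWrite,AllPrincipals,,,
Delegated,00000000-0000-0000-0000-000000000003,Legacy Connector,00000000-0000-0000-0000-0000000000bb,Office 365 Exchange Online,*,AllPrincipals,,,
Delegated,00000000-0000-0000-0000-000000000004,Team Calendar,00000000-0000-0000-0000-0000000000aa,Microsoft Graph,Calendars.Read,Principal,00000000-0000-0000-0000-0000000000c1,User A,userA@abc.com
'@

$grants = $sampleCsv | ConvertFrom-Csv

# Live use: replace the constructed sample with the exported file from step 4
# $grants = Import-Csv "c:\temp\Illicit applications\Permissions.csv"

# Step 8: the ClientDisplayName column of the flagged rows is what you review by eye
Find-RiskyDelegatedGrants -Grants $grants | Format-Table -AutoSize
```

On the constructed sample the first three rows are returned (User.Read and Mail.ReadWrite match the Read/Write rule, and the bare * matches the wildcard rule) while the Team Calendar row is dropped because it was consented by a single user rather than tenant-wide. The pattern is deliberately as broad as the post's rule; tighten `$PermissionPattern` once you know which scopes are expected in your tenant.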

Additionally, educating users about the risks associated with granting consent to applications and enforcing strict approval processes for new application registrations can help prevent illicit applications within the organization’s environment.
