Securing and implementing enterprise applications

Did you know your users can grant third-party apps consent to your Microsoft 365 tenant? By default, all users can grant third-party apps access to the company data they themselves have access to. Enterprise applications are a fantastic way for you and your users to extend your Microsoft 365 tenant to third-party apps, but they can also leave your company vulnerable. First, let's jump in and consent to a third-party app the way a user would.

Granting third-party app access to your Microsoft 365 tenant

1. Go to https://techcommunity.microsoft.com/ 

2. Click Sign in found in the top right corner.

3. Sign in using your Microsoft 365 credentials.

4. Next, you’ll see the permissions requested page. From here you see the permissions the app would like to access in your Microsoft 365 user account.

If you’re an admin, you’ll also see an option to Consent on behalf of your organization.

5. Click Accept.

Third-party app consent request

That’s it. Now Microsoft’s Tech Community can sign in as your user and read your user’s profile. Microsoft’s Tech Community is obviously run by Microsoft, so it’s a safe app to grant access to your tenant, but what about other apps?

A malicious individual could trick your users into granting apps access to your tenant that they shouldn’t have. So we’ll need to manage and restrict which apps users can grant access to. Before we lock down the access, let’s look at the apps that already have access to your tenant.

How to view third-party app access to your Microsoft 365 tenant

1. Go to Azure AD admin center > Enterprise applications

2. Find and click the Microsoft Tech Community app.

Review app access

3. By clicking Users and groups you can review who has given permissions to the app.

4. By clicking Permissions > User consent you can review what permissions have been given to the app.

Enterprise app permissions in Azure AD

Block users from granting access to any apps

The best way to protect your tenant is to require admins to approve any third-party application before a user can consent. That way users can't grant malicious apps access to your Microsoft 365 data or tenant. Note that changing this setting only affects new consent requests; apps that users consented to earlier keep their grants until you review and revoke them.

1. Go to Azure AD admin center > Enterprise applications > User settings

2. Click No in Users can consent to apps accessing company data on their behalf.

3. Click No in Users can consent to apps accessing company data for the groups they own.

4. Click Yes next to Users can request admin consent to apps they are unable to consent to.

5. Click Add roles. Search for global. Click Select.

6. Click Save.

Disable user consent and require an admin to approve

Now, users can request access to apps and a notification will go to your global admins. Let’s look at how that would work.

Require admin approval to allow an app access to Microsoft 365

1. Go to https://www.zoho.com/signup.html 

2. Click the Office button.

Zoho Office login

3. Log in with a regular user account.

4. Enter a justification reason and click Request approval.

App requesting access to Microsoft 365

At this point, the admins will receive an email saying they need to review the consent request.

1. Click Review request.

Admins receiving notification user wants app access

2. Click the app that requests approval.

Review app access requests

3. Click Review permissions and consent.

Review third-party app access request

4. Click Accept.

Approve access to third-party app

Once you click Accept, the user will receive an email saying the access has been approved. The user can then go back to the third-party app and sign in using their Microsoft 365 account.

third-party app approved

Auto-approval

Now you may be wondering how many requests you’ll receive. If you are in a smaller organization, chances are you won’t receive too many and you’ll be fine. If you’re in a larger organization, you may receive a lot of requests. That’s not good: you’ll be constantly approving apps even when they request only a few low-risk permissions. Let’s set up auto-approval for apps from verified publishers that request only a small set of permissions you classify as minimal impact.

1. Go to Azure AD admin center > Enterprise applications > Consent and permissions.

2. Click Allow user consent for apps from verified publishers, for selected permissions. Click Save.

3. Click Select permissions to classify as minimal impact.

auto-approve apps with minimal impact

4. Click the permissions you want to auto-approve. Click Yes, add selected permissions.

Select permissions to auto-approve
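The review of existing grants (Users and groups, Permissions > User consent) and the consent policy you just configured both come down to the same two questions: who consented to which scopes, and does a request fall inside the auto-approval envelope (verified publisher, minimal-impact permissions only)? The script below is an added example, not code from the original post or from Microsoft. It works on records shaped like the Microsoft Graph oauth2PermissionGrants and servicePrincipals resources (clientId, consentType, principalId, scope, verifiedPublisher); those field names are assumptions to check against a real export, the MINIMAL_IMPACT_SCOPES and HIGH_IMPACT_SCOPES sets are an assumed policy choice, and all sample data is constructed.

```python
"""Review existing app consent grants and evaluate the user-consent policy
described in the post (disable user consent entirely, or auto-approve verified
publishers that request only minimal-impact permissions).

Added example, not code from the original post. Record shapes mirror the
Microsoft Graph oauth2PermissionGrants and servicePrincipals resources
(clientId, consentType, principalId, scope, verifiedPublisher); treat the
field names as assumptions. All sample data below is constructed.
"""

# Policy settings mirroring the three options on the Consent and permissions
# blade (names are this example's own, not Azure API values).
DISABLE_USER_CONSENT = "disable"
VERIFIED_MINIMAL_IMPACT = "verified-minimal"
ALLOW_ALL_USER_CONSENT = "allow-all"

# Delegated permissions an admin might classify as "minimal impact".
# This is a policy choice; the set here is an assumed example.
MINIMAL_IMPACT_SCOPES = {"openid", "profile", "email", "offline_access", "User.Read"}

# Delegated permissions worth flagging during a review (constructed list).
HIGH_IMPACT_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send",
    "Files.ReadWrite.All", "Sites.ReadWrite.All", "Directory.ReadWrite.All",
}

# Constructed service principals keyed by object id. A non-verified app
# carries null verifiedPublisher fields. Publisher ids are placeholders.
SERVICE_PRINCIPALS = {
    "sp-techcommunity": {
        "displayName": "Microsoft Tech Community",
        "verifiedPublisher": {"displayName": "Microsoft Corporation",
                              "verifiedPublisherId": "placeholder-publisher-id-1"},
    },
    "sp-zoho": {
        "displayName": "Zoho",
        "verifiedPublisher": {"displayName": "Zoho Corporation",
                              "verifiedPublisherId": "placeholder-publisher-id-2"},
    },
    "sp-pdf": {
        "displayName": "Free PDF Helper",
        "verifiedPublisher": {"displayName": None, "verifiedPublisherId": None},
    },
}

# Constructed consent grants. consentType "Principal" is a grant one user made
# for themselves; "AllPrincipals" is an admin grant on behalf of the tenant.
GRANTS = [
    {"clientId": "sp-techcommunity", "consentType": "Principal",
     "principalId": "user-alice", "scope": "openid profile User.Read"},
    {"clientId": "sp-zoho", "consentType": "AllPrincipals",
     "principalId": None, "scope": "User.Read offline_access"},
    {"clientId": "sp-pdf", "consentType": "Principal",
     "principalId": "user-bob", "scope": "User.Read Mail.ReadWrite Files.ReadWrite.All"},
]


def is_verified_publisher(sp):
    """True when the service principal carries a verified publisher id."""
    vp = sp.get("verifiedPublisher") or {}
    return bool(vp.get("verifiedPublisherId"))


def review_grants(grants, service_principals):
    """Summarise every grant: who consented, which app, and what to flag."""
    findings = []
    for g in grants:
        sp = service_principals.get(g["clientId"], {})
        scopes = set(g["scope"].split())
        findings.append({
            "app": sp.get("displayName", g["clientId"]),
            "consent": "admin" if g["consentType"] == "AllPrincipals" else "user",
            "principal": g["principalId"],
            "verified": is_verified_publisher(sp),
            "high_impact": sorted(scopes & HIGH_IMPACT_SCOPES),
        })
    return findings


def risky_user_grants(grants, service_principals):
    """Grants a user made to an unverified app with high-impact scopes:
    the first candidates to revoke after locking down user consent."""
    return [f for f in review_grants(grants, service_principals)
            if f["consent"] == "user" and not f["verified"] and f["high_impact"]]


def consent_decision(scopes, sp, policy):
    """Decide whether a user's consent request is auto-approved or must be
    routed to an admin under the configured policy."""
    if policy == ALLOW_ALL_USER_CONSENT:
        return "auto-approved"
    if policy == VERIFIED_MINIMAL_IMPACT:
        if is_verified_publisher(sp) and set(scopes) <= MINIMAL_IMPACT_SCOPES:
            return "auto-approved"
    # User consent disabled, or the request is outside the auto-approval envelope
    return "admin-consent-required"


if __name__ == "__main__":
    for finding in review_grants(GRANTS, SERVICE_PRINCIPALS):
        print(finding)
    print(consent_decision(["User.Read"], SERVICE_PRINCIPALS["sp-pdf"], VERIFIED_MINIMAL_IMPACT))
```

In the sample data the unverified "Free PDF Helper" app holds a user-consented grant for mailbox and file write scopes, which is exactly the kind of grant to revoke after flipping user consent to No, because the setting alone does not remove it. Under the verified-publisher policy the same app requesting only User.Read is still routed to an admin, while the Tech Community sign-in request is auto-approved.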