Do something useful with risky applications data #1695
Labels: enhancement (This issue or pull request will add new or improve existing functionality); epic (A high-level objective issue encompassing multiple issues instead of a specific unit of work)
Prerequisites
💡 Summary
Filing this issue so that we don't forget these ideas. Now that we have data on risky apps in the raw ScubaGear data, we should do an investigation to figure out what useful new baseline statements can be made based on this data. Example ideas:
- No test apps have risky permissions with admin consent. Could pattern match on display name looking for ("Dev", "Test", "Nonprod", etc.) to find apps in a production tenant with high levels of access.
- API keys are regularly rotated: could check that "Password Credentials" are no older than 120 days (say). Key creds (which are still risky but could be baked with more secure storage options) and federated auth could be allowed to not have this requirement.
- Preference for key credentials and federated credentials vs. API keys (potential "should" policy or flagged list).
- Report with a list of apps with risky permissions for admin review, like the CAP table.
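The three checks sketched above (non-production display names on apps with admin-consented risky permissions, password credentials older than 120 days, and a preference for certificate or federated credentials over secrets) as an added, illustrative example. This is not ScubaGear's own code or Rego. The input records are constructed and use a simplified shape loosely modelled on the Microsoft Graph application object (`displayName`, `passwordCredentials`, `keyCredentials`, `federatedIdentityCredentials`); the `riskyAdminConsented` field and the permission names in the sample data are assumptions standing in for whatever the extractor actually records.

```python
"""Added example: candidate baseline checks over extracted app data.

Record shape is constructed for this example (not ScubaGear's real output):
displayName, riskyAdminConsented (assumed field), passwordCredentials,
keyCredentials, federatedIdentityCredentials.
"""
import re
from datetime import datetime, timedelta, timezone

# Display-name markers from the issue (Dev/Test/Nonprod); word boundaries keep
# "Developer Portal" from matching on "dev".
NONPROD_PATTERN = re.compile(r"\b(dev|test|non-?prod)\b", re.IGNORECASE)
MAX_SECRET_AGE_DAYS = 120  # rotation window suggested in the issue


def looks_nonprod(display_name: str) -> bool:
    """True when the display name carries a non-production marker."""
    return bool(NONPROD_PATTERN.search(display_name or ""))


def parse_graph_time(value: str) -> datetime:
    """Parse a Graph-style ISO 8601 timestamp with a trailing 'Z'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def stale_secrets(app: dict, now: datetime, max_age_days: int = MAX_SECRET_AGE_DAYS) -> list:
    """keyIds of password credentials created more than max_age_days before now."""
    cutoff = now - timedelta(days=max_age_days)
    return [c["keyId"] for c in app.get("passwordCredentials", [])
            if parse_graph_time(c["startDateTime"]) < cutoff]


def prefers_secrets(app: dict) -> bool:
    """True when the app has only client secrets (no certificate or federated credential)."""
    has_secret = bool(app.get("passwordCredentials"))
    has_stronger = bool(app.get("keyCredentials") or app.get("federatedIdentityCredentials"))
    return has_secret and not has_stronger


def evaluate(apps: list, now: datetime) -> dict:
    """Run all three checks and build the admin-review list of risky apps."""
    findings = {"nonprod_with_risky_consent": [], "stale_secrets": {},
                "secret_only": [], "admin_review": []}
    for app in apps:
        name = app["displayName"]
        risky = app.get("riskyAdminConsented", [])
        if risky:
            findings["admin_review"].append((name, sorted(risky)))
            if looks_nonprod(name):
                findings["nonprod_with_risky_consent"].append(name)
        stale = stale_secrets(app, now)
        if stale:
            findings["stale_secrets"][name] = stale
        if prefers_secrets(app):
            findings["secret_only"].append(name)
    return findings


# Constructed sample data and a fixed "now" so results are reproducible.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_APPS = [
    {"displayName": "Payroll Sync",
     "riskyAdminConsented": ["Directory.ReadWrite.All"],  # constructed value
     "passwordCredentials": [{"keyId": "pw-1", "startDateTime": "2023-11-01T00:00:00Z"}],
     "keyCredentials": [], "federatedIdentityCredentials": []},
    {"displayName": "HR Test Connector",
     "riskyAdminConsented": ["Mail.ReadWrite"],  # constructed value
     "passwordCredentials": [{"keyId": "pw-2", "startDateTime": "2024-05-15T00:00:00Z"}],
     "keyCredentials": [{"keyId": "cert-1"}], "federatedIdentityCredentials": []},
    {"displayName": "CI Deployer",
     "riskyAdminConsented": [], "passwordCredentials": [], "keyCredentials": [],
     "federatedIdentityCredentials": [{"id": "fic-1"}]},
]

if __name__ == "__main__":
    for key, value in evaluate(SAMPLE_APPS, NOW).items():
        print(f"{key}: {value}")
```

Each finding maps to one of the candidate baseline statements: `nonprod_with_risky_consent` is the "no test apps with admin-consented risky permissions" check, `stale_secrets` the 120-day rotation check (certificate and federated credentials are deliberately not aged here), `secret_only` the "prefer key or federated credentials" flag, and `admin_review` the raw list an admin would review.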
Motivation and context
Threat actors are targeting M365 tenants by exploiting over-privileged service principals and apps with admin-consented permissions.
Implementation notes
These could be implemented with the data we are already extracting.
Acceptance criteria