OAuth apps remain an important target for attackers to misuse in organizations. Now that the MFA baseline has improved with number matching and additional controls, attackers are finding new ways to gain access to environments and collect data. One of the upcoming identity attacks is based on tokens and OAuth apps. With the use of tokens or OAuth apps, it is possible to gain access without any MFA. One example of such an attack, where applications are leveraged, is the ‘OAuth consent grant’ attack.

Securing OAuth apps with a good design, lifecycle management and approval flow is important.

App Governance has been included in Microsoft Defender for Cloud Apps at no additional cost since June 1, 2023. Before that, it was available as an add-on license on top of Defender for Cloud Apps. With this change, App Governance can be used without additional cost as part of the current license when Defender for Cloud Apps is included. The App Governance feature must be enabled in the Defender XDR portal before it can be viewed and used.

What is App Governance

SaaS applications are increasingly popular; with the move to more and more cloud services, there is a growing security threat from abuse of and malicious activity around OAuth applications.

OAuth applications can be vulnerable due to insecure implementation, leaked secrets, misconfigured permissions and more, which can lead to lateral movement and phishing. For OAuth protection, many preventive controls are available, including app consent restrictions and permission management. With the App Governance product there is more in-depth visibility into suspicious app activities and the compliance posture of cloud apps. This blog is all about the App Governance product: how to enable and configure it, and how to view the data to protect OAuth apps.

App governance is a feature in Microsoft Defender for Cloud Apps. It expands visibility and control over apps that have access to Microsoft 365 data. In comparison with the rest of Defender for Cloud Apps, the focus is on OAuth apps and the definition of policies.

Using Microsoft E5 or Defender for Cloud Apps and not yet enabling the App Governance product? Keep reading and check how to enable it, since it gives customers more insights without additional cost.

App governance is based on 4 important features:

  • Insights
  • Governance
  • Detection
  • Remediation

All of the features will be explained in this blog with more in-depth technical details.

What types of apps are part of app governance?

App governance tracks non-Microsoft apps that use OAuth to authenticate against the Azure Active Directory, Google Workspace, or Salesforce.

Licenses

App governance is available when a Defender for Cloud Apps license is included in the licensing. Some time ago it was a separate add-on; App Governance is now fully included in Defender for Cloud Apps. The following products include Defender for Cloud Apps:

  • Microsoft Defender for Cloud Apps (standalone)
  • Enterprise Mobility & Security E5/A5
  • Microsoft 365 Security E5/A5/F5
  • Microsoft 365 E5/A5/F5
  • Microsoft Purview E5/A5/F5
  • Microsoft 365 F5 Security & Compliance

Permissions

A specific role is required to enable app governance capabilities. For the permission model and a table with all the governance capabilities, check the following documentation: Turn on app governance for Microsoft Defender for Cloud Apps | Microsoft Learn


Turn on app governance

Enabling app governance is possible via the Defender XDR portal. Go to Microsoft Defender XDR > Settings > Cloud Apps > App governance and select Use App governance / Turn on app governance.

After the configuration, it can take up to 10 hours before the relevant app governance data is visible in the portal. Important: App governance is not available in all regions. See Prerequisites | Microsoft Learn.

After enablement, App governance is available via the App governance blade under Cloud apps. The main page provides a general view of the apps, incidents and insights related to the discovered apps; more on this later in the blog.


Insights

Cyberattacks have changed rapidly and increasingly use apps as part of on-premises and cloud infrastructures. OAuth apps have become a good starting point for privilege escalation, lateral movement and exfiltration of data. A good example is the recent Microsoft attack related to OAuth apps by the threat actor group Midnight Blizzard.

See my earlier published blog related to Midnight Blizzard here: Pivot via OAuth applications across tenants and how to protect/detect with Microsoft technology? (Midnight blizzard)

Because OAuth apps are increasingly used during attacks, it is critical to monitor application behaviors in the cloud environment. A good example of such an attack is the application grant / illicit consent grant attack.

A couple more examples of app-based attacks with a huge impact:

  • App approval grants unlimited access to emails and documents
  • Trusted app becomes attack vector in critical environments
  • OAuth apps used in consent phishing attacks

All of these app-based attacks can be used to “bypass” MFA, since the app itself has been granted the permissions.

App Governance brings more than the default features of Defender for Cloud Apps. In Defender for Cloud Apps there is visibility into the applications in use; with App Governance it is possible to show more data on their usage and to monitor their behavior.

Microsoft uses insights from multiple data sources. Data is collected from different data sets such as Entra ID and Defender for Cloud Apps.

The dashboard gives a clear overview including apps found, overprivileged apps and highly privileged apps:

When clicking on “AzureAD”, there is a full view of all the apps including permission usage, data usage and last modified date.

Clicking directly on an app shows more details, including its permissions. This view shows the permission summary and the granted Graph API permissions:

Useful is the permission usage filter “Some unused”: this view directly shows all overprivileged apps linked to the environment.

When opening the app, it shows the “In Use” value per permission. Yes means the permission is detected as actively used.


Policies

App Governance in Defender for Cloud Apps offers a couple of different ways to use policies. Microsoft provides preset policies with defined use cases that fit most organizations.

Default policies

Microsoft includes a couple of predefined out-of-the-box policies to detect anomalous app behaviors. From experience, not all policies are always enabled. I recommend enabling and reviewing the out-of-the-box policies. The policies are useful for detecting anomalous app behaviors.

To view the available predefined policies, go to Microsoft Defender XDR > App governance > Overview and select View predefined policies in the Predefined policies section, or click directly on Policies to open the policy overview.

The following predefined policies are included. Tip: Make sure to review the policies and enable any that are disabled:

  • Unusual activity from an app with priority account consent
  • New app with low consent rate
  • App created numerous inbox rules
  • Increase in data usage by an overprivileged or highly privileged app
  • Increase in app API calls to EWS
  • Increase in app activity on SharePoint
  • Suspicious app with access to multiple M365 services
  • Access to sensitive data
  • Increase in app activity on Exchange
  • App sent Exchange email numerous times
  • Increase in app activity on OneDrive
  • App searched Exchange content numerous times

Create new policy

It is possible to create new custom policies based on your own app-related conditions. In the main view, Microsoft gives suggested policy recommendations; the example above is ‘Secure app permissions and regulate app use’.

With the custom policy wizard, it is possible to define the specific settings:

The first step is the configuration of the policy name, description and severity:

When needed, the policy can be scoped to a selected set of apps. The policy scope can be all apps, specific apps, or all apps except selected apps.

The policy conditions are the important part; in this view you specify what the policy evaluates. The policy evaluates each condition separately and then generates alerts for apps that match all of the conditions.

Examples are application permissions, delegated permissions, services accessed, or conditions based on usage and data trends.

An example is the application permissions condition: when read and write privileged access is added to the Graph API permissions, you can generate alerts and initiate automated actions. This is useful for alerting when specific permissions are part of new apps, since apps with high permissions can be abused in the initial attack path or for lateral movement.

More information about custom app policies and the available conditions is available here: Create app governance policies – Microsoft Defender for Cloud Apps | Microsoft Learn

Based on the scope and conditions, it is possible to configure automated actions that disable the app directly in Entra ID.

A policy for overprivileged apps can be used to alert when apps hold more permissions than they need. An app is detected as overprivileged when it has been granted permissions that could be unnecessary for regular use; this is determined based on observed behaviors and insights.

It is recommended to follow the process Microsoft describes to avoid duplicates, false positives and too many alerts in Defender XDR.

  1. Create the new policy with severity, apps, conditions, and actions set to initial values and the status set to Audit mode.
  2. Check for expected behavior, such as alerts generated.
  3. If the behavior isn’t expected, edit the policy apps, conditions, and action settings as needed and go back to step 2.
  4. If the behavior is expected, edit the policy and change its status to Active.
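The condition logic described above, as an added illustration rather than code from Microsoft or from App Governance itself: a small Python evaluator over a constructed app inventory that shows how each condition is tested on its own, why an app only alerts when all conditions hold, how the “Some unused” view maps to an overprivileged app, and how Audit mode differs from Active mode. The permission names, the high-privilege list and the consent-rate threshold are assumptions chosen for the example.

```python
# Added example (not Microsoft's code): a toy evaluator mirroring how an App
# Governance custom policy works: each condition is checked on its own and an
# alert is raised only for apps matching ALL of them. Data below is constructed.
from dataclasses import dataclass

# Graph application permissions treated as read/write privileged access
# (an assumption for this example, not a Microsoft-defined list).
HIGH_PRIV = {"Mail.ReadWrite", "Files.ReadWrite.All", "Directory.ReadWrite.All"}

@dataclass
class App:
    name: str
    consent_rate: float   # share of users who consented (0.0 - 1.0)
    permissions: dict     # granted permission -> observed in use (the "In Use" value)

def unused_permissions(app: App) -> set:
    """Granted but never-used permissions: what the 'Some unused' filter lists."""
    return {p for p, in_use in app.permissions.items() if not in_use}

def is_overprivileged(app: App) -> bool:
    """Overprivileged = at least one granted permission is not in use."""
    return bool(unused_permissions(app))

# Independent predicates; a policy picks which ones must all hold.
CONDITIONS = {
    "high_priv_app_permission": lambda a: bool(HIGH_PRIV & set(a.permissions)),
    "overprivileged": is_overprivileged,
    "low_consent_rate": lambda a: a.consent_rate < 0.10,
}

def evaluate_policy(apps, condition_names, mode="Audit"):
    """Return {app name: action} for apps matching every named condition.
    Audit mode only records an alert; Active mode applies the automated
    action ("disable", which the real product pushes to Entra ID)."""
    results = {}
    for app in apps:
        if all(CONDITIONS[c](app) for c in condition_names):
            results[app.name] = "disable" if mode == "Active" else "alert"
    return results

# Constructed inventory of three OAuth apps for illustration.
INVENTORY = [
    App("Mail Backup Tool", 0.05, {"Mail.ReadWrite": True, "Directory.ReadWrite.All": False}),
    App("Legit Reporting", 0.80, {"User.Read": True, "Mail.Read": True}),
    App("Old Connector", 0.30, {"Files.ReadWrite.All": False}),
]

if __name__ == "__main__":
    print(evaluate_policy(INVENTORY, ["high_priv_app_permission", "overprivileged"]))
```

Adding "low_consent_rate" to the condition list narrows the match to the one app that is both overprivileged and barely consented, which is the kind of tuning the audit-mode loop above is meant for.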

Alerts

Alerts are natively integrated into Defender XDR and visible in the Alerts and Incidents sections. To view all App Governance-related incidents, filter on the detection source: the service detection source is App governance, which scopes the view to all incidents related to App Governance.


Summary

App Governance is a good solution and additional tool to monitor OAuth-enabled apps and check for malicious activities. It is recommended to check that the App Governance feature is enabled in the Defender XDR portal and that the predefined policies are enabled.

For any environment it is recommended to view and check the current permissions; in many environments, OAuth apps are overprivileged or no longer used.

The following is important in the first line of defense related to OAuth apps:

  • Disable consent for normal user accounts
  • Configure app consent
  • Train admins to recognize bad consent requests (only well-trained admins can consent), following a good approval flow

It is good to follow the latest recommendations related to OAuth protection, since OAuth apps will be used in more attacks.

Blog tip: Pivot via OAuth applications across tenants and how to protect/detect with Microsoft technology? (Midnight blizzard)

Sources

Microsoft: App governance in Microsoft Defender for Cloud Apps and Microsoft Defender XDR – Microsoft Defender for Cloud Apps | Microsoft Learn