Do not allow users to grant consent to unmanaged applications

In this blog post I will go through the process of preventing users in your organisation from allowing third-party apps to access their Office 365 information, and requiring any future consent to be granted by an administrator.

This is a Microsoft-recommended action, and you may come across it as an alert in the Secure Score section of your Azure Portal. The message reads as follows:

Tighten the security of your services by regulating the access of third-party integrated apps. Only allow access to necessary apps that support robust security controls. Third-party applications are not created by Microsoft, so there is a possibility they could be used for malicious purposes like exfiltrating data from your tenancy. Attackers can maintain persistent access to your services through these integrated apps, without relying on compromised accounts. Policy in place: false.

1. Login to your Azure Portal (portal.azure.com)

2. Locate and click Azure Active Directory

3. Click Enterprise applications

4. Click User Settings

5. Switch Users can consent to apps accessing company data on their behalf to No

Users can consent to apps accessing company data on their behalf
If this option is set to yes, then users may consent to allow applications which are not published by Microsoft to access your organisation’s data, if the user also has access to the data. This also means that the users will see these apps on their Access Panels. If this option is set to no, then admins must consent to these applications before users may use them.

6. After selecting No, a message appears with instructions on managing LinkedIn account connections, if required.

There is also a further warning that users can still consent to apps accessing the groups they own. I’ll cover this in step 7 below.

7. Further down you may also wish to disable Users can consent to apps accessing company data for the groups they own, or limit it to a certain group as shown in the second screenshot below.

Users can consent to apps accessing company data for the groups they own
If this option is set to yes, then all users who are owners of a group may consent to allow third-party multi-tenant applications to access the data of the groups they own. If this option is set to no, then no user can consent to those applications to access the data of the groups they own. If this option is set to limited, then only the members of the group selected can consent to those applications to access the data of the groups they own.

8. After disabling user consent, you may wish to set up admin consent requests, so that users can ask an administrator to approve an app on their behalf rather than being blocked outright. The two settings involved are described below.

Users can request admin consent to apps they are unable to consent to:
If this option is set to yes, then users request admin consent to any app that requires access to data they do not have the permission to grant.
If this option is set to no, then users must contact their admin to request to consent in order to use the apps they need.

Select users to review admin consent:
The selected users can review and act on new admin consent requests. Only users with the Global, Application, or Cloud application administrator role can grant admin consent, so only those users will be available for selection. Removing a user from the list of reviewers will not remove their role, so they will retain their admin privileges until their role is explicitly changed.

9. When ready, don’t forget to click Save.
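As an added example (not code from the original post), the same three settings applied through the Microsoft Graph PowerShell SDK, which lets you check the current state from a script and re-apply it if someone switches it back in the portal. It assumes the Microsoft.Graph and Microsoft.Graph.Beta modules are installed and the signed-in account holds a role permitted to write these policies; the directory-setting template id is Microsoft's documented "Consent Policy Settings" template, and the reviewer object id is a placeholder you replace with the id of an account that already holds one of the administrator roles named above.

```powershell
# Added example, not from the original post. Requires Microsoft.Graph and
# Microsoft.Graph.Beta. Scopes map to the three settings:
#   Policy.ReadWrite.Authorization  -> user consent (step 5)
#   Directory.ReadWrite.All         -> group owner consent (step 7, directory settings)
#   Policy.ReadWrite.ConsentRequest -> admin consent requests (step 8)
Connect-MgGraph -Scopes "Policy.ReadWrite.Authorization","Directory.ReadWrite.All","Policy.ReadWrite.ConsentRequest"

# --- Step 5: "Users can consent to apps accessing company data on their behalf" = No
# User consent is expressed as the permission-grant policies assigned to the
# default user role; an empty list means users cannot consent to anything.
$before = Get-MgPolicyAuthorizationPolicy
"Before: $($before.DefaultUserRolePermissions.PermissionGrantPoliciesAssigned -join ', ')"
Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions @{ PermissionGrantPoliciesAssigned = @() }

# --- Step 7: "Users can consent to apps accessing company data for the groups they own" = No
# Stored in the "Consent Policy Settings" directory setting (beta endpoint).
$templateId = "dffd5d46-495d-40a9-8e21-954ff55e198a"   # documented template id
$setting = Get-MgBetaDirectorySetting -All | Where-Object { $_.TemplateId -eq $templateId }
if (-not $setting) {
    # The setting object only exists once a value has been changed from the template defaults.
    $template = Get-MgBetaDirectorySettingTemplate -DirectorySettingTemplateId $templateId
    $defaults = $template.Values | ForEach-Object { @{ Name = $_.Name; Value = $_.DefaultValue } }
    $setting  = New-MgBetaDirectorySetting -TemplateId $templateId -Values $defaults
}
$values = $setting.Values | ForEach-Object {
    $v = @{ Name = $_.Name; Value = $_.Value }
    if ($_.Name -eq "EnableGroupSpecificConsent") { $v.Value = "False" }   # "No" in the portal
    $v
}
Update-MgBetaDirectorySetting -DirectorySettingId $setting.Id -Values $values

# --- Step 8: admin consent requests = Yes, with a named reviewer
$reviewerObjectId = "<REVIEWER-OBJECT-ID>"   # placeholder: an existing Global/Application/Cloud application administrator
Update-MgPolicyAdminConsentRequestPolicy -BodyParameter @{
    isEnabled             = $true
    notifyReviewers       = $true
    remindersEnabled      = $true
    requestDurationInDays = 30
    reviewers             = @( @{ query = "/users/$reviewerObjectId"; queryType = "MicrosoftGraph" } )
}

# --- Verify: this is the condition behind the "Policy in place" line in the Secure Score alert
$after = Get-MgPolicyAuthorizationPolicy
if ($after.DefaultUserRolePermissions.PermissionGrantPoliciesAssigned.Count -eq 0) {
    "User consent disabled; new apps now go through the admin consent workflow"
} else {
    "User consent still allowed via: $($after.DefaultUserRolePermissions.PermissionGrantPoliciesAssigned -join ', ')"
}
```

The verification block is worth keeping as a standalone scheduled check: the portal switch can be flipped back by any Global Administrator, and a script that reads `PermissionGrantPoliciesAssigned` and alerts when the list is no longer empty catches that drift without waiting for the next Secure Score evaluation.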

Configure mailbox permission alert Microsoft 365

In this blog post I will go through the process of configuring an alert within the Microsoft 365 Compliance portal which will trigger an email whenever permissions are assigned to a mailbox.

1. From the 365 Admin Center locate and click Compliance or visit the Compliance Admin Center directly via Security & Compliance (compliance.microsoft.com)

2. Click Policies

3. Expand Alert and click Office 365 alert

4. Click New Alert Policy

5. Complete details as required (Demo info below). Click Next

6. There are a number of activities to choose from. For the purpose of this demo, I have selected Granted Mailbox Permission

7. You could also add a condition based on IP address and username. For example, if you want to be alerted when a particular group of users assign permissions, you can do so here. Ignore the conditions box if you would like an alert to be triggered when any user in the organisation performs the action.

8. Click Next and select the groups or email addresses to notify. Click Next, review the settings and click Finish.

That’s your mailbox permissions alert configured.
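As an added example (not code from the original post), a way to confirm the alert is keying on the right activity: pull the audit events that the "Granted Mailbox Permission" activity is built on and summarise who granted which rights on which mailbox, including the client IP the condition in step 7 would filter on. It assumes the ExchangeOnlineManagement module is installed and the signed-in account has permission to search the unified audit log; the seven-day window is an arbitrary choice.

```powershell
# Added example, not from the original post. Requires ExchangeOnlineManagement.
Connect-ExchangeOnline

# Add-MailboxPermission is the operation written to the unified audit log when
# mailbox permissions are granted; it is the event behind the alert configured above.
$since  = (Get-Date).AddDays(-7)   # window is an assumption
$events = Search-UnifiedAuditLog -StartDate $since -EndDate (Get-Date) `
    -RecordType ExchangeAdmin -Operations "Add-MailboxPermission" -ResultSize 5000

$events | ForEach-Object {
    $data = $_.AuditData | ConvertFrom-Json
    # The cmdlet parameters (Identity, User, AccessRights) arrive as Name/Value pairs.
    $p = @{}
    foreach ($param in $data.Parameters) { $p[$param.Name] = $param.Value }
    [pscustomobject]@{
        When      = $_.CreationDate
        GrantedBy = $data.UserId       # the account that ran the grant
        Mailbox   = $p["Identity"]     # mailbox the permission was granted on
        GrantedTo = $p["User"]         # account receiving access
        Rights    = $p["AccessRights"] # e.g. FullAccess
        ClientIP  = $data.ClientIP     # what an IP-address condition in the alert policy matches on
    }
} | Sort-Object When | Format-Table -AutoSize
```

If a known test grant shows up here but no alert email arrived, the gap is in the policy (activity, conditions or recipients) rather than in auditing; if it does not show up at all, check that mailbox auditing is on before adjusting the alert.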

How to create a dynamic group in Azure AD

Dynamic group memberships reduce the administrative overhead of adding and removing users from a group, as the process is automated and driven by attribute changes. For example, a user with a department attribute of Sales within AD could be automatically added to a dynamic group named Sales, and removed automatically if the user moved roles and the department attribute was amended from Sales to Marketing. In this case, the user would be automatically removed from the Sales group and moved to the Marketing group, if a dynamic group existed for Marketing.

In this blog post I will go through the process of creating a dynamic group within Azure AD and adding a dynamic query (condition) so that staff with a department of Sales UK are automatically added to the group.

1. Access Azure AD

2. Click Groups located in the left pane

3. Click + New group

4. Complete the fields for your group (Example below)

Group Type: Security
Group Name: CloudBuild_Sales
Group Description: Dynamic group for staff working in Sales UK
Membership Type: Dynamic User
Owner: I have assigned myself as an owner

The next step involves adding a dynamic query.

5. Click Add dynamic query

6. Input details for your query, see example below

Property: department (This is the field located within the user's Azure AD account properties)
Operator: Equals
Value: Sales UK (I want all users with a department of Sales UK to be added into my new dynamic group)

7. Click save

8. Click create

The result: all users with Sales UK in the department field will automatically be added to your dynamic group. When the department field changes, for example because the user moves departments, the process automatically removes the user from the dynamic group.
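As an added example (not code from the original post), the same group created with the Microsoft Graph PowerShell SDK, followed by a check that compares the users the rule should match against the members the directory has actually resolved. The group name, description and department value are the ones used above; the mail nickname is an assumption (the API requires one for every group), and the scopes assume the Microsoft.Graph module is installed.

```powershell
# Added example, not from the original post. Requires Microsoft.Graph.
Connect-MgGraph -Scopes "Group.ReadWrite.All","User.Read.All"

# Membership rule syntax is (<object>.<property> <operator> <value>); the
# Property / Operator / Value fields in step 6 generate exactly this expression.
$rule = '(user.department -eq "Sales UK")'

$group = New-MgGroup -DisplayName "CloudBuild_Sales" `
    -Description "Dynamic group for staff working in Sales UK" `
    -MailEnabled:$false -MailNickname "CloudBuild_Sales" -SecurityEnabled `
    -GroupTypes @("DynamicMembership") `
    -MembershipRule $rule -MembershipRuleProcessingState "On"

"Created $($group.DisplayName) ($($group.Id)). Membership is evaluated asynchronously; run the check below after a few minutes."

# Check: users the rule should match (department filter) versus resolved members.
# A user whose department later changes away from "Sales UK" shows as
# "pending removal" until the next evaluation drops them; members cannot be
# added or removed by hand on a dynamic group.
$expected = Get-MgUser -Filter "department eq 'Sales UK'" -All -Property Id,UserPrincipalName,Department |
    Select-Object -ExpandProperty UserPrincipalName
$actual = Get-MgGroupMember -GroupId $group.Id -All |
    ForEach-Object { $_.AdditionalProperties["userPrincipalName"] }

Compare-Object $expected $actual -IncludeEqual |
    Select-Object @{ n = "User";   e = { $_.InputObject } },
                  @{ n = "Status"; e = {
                      switch ($_.SideIndicator) {
                          "==" { "in group" }
                          "<=" { "pending add" }
                          "=>" { "pending removal" }
                      } } }
```

The comparison is also a useful periodic control: a "pending add" or "pending removal" that persists across evaluations usually means the rule text and the attribute value have drifted apart (trailing spaces or a renamed department are the common causes), which matters when the group is used to grant access.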


Notes:

1. You cannot manually add or remove a member of a dynamic group

2. You can create a dynamic group for devices or for users, but you can’t create a rule that contains both users and devices

3. This feature requires an Azure AD Premium P1 licence for each unique user that is a member of one or more dynamic groups. You don’t have to assign licences to users for them to be members of dynamic groups, but you must have the minimum number of licenses in the Azure AD organisation to cover all such users. For example, if you had a total of 300 unique users in all dynamic groups in your organisation, you would need at least 300 licences for Azure AD Premium P1 to meet the licence requirement. No licence is required for devices that are members of a dynamic device group.