
S5E37 - Monitor and secure OAuth applications using App Governance

Oct 25, 2024 | 36 min | Season 5 | Ep. 37

Episode description

This week Alan and Sam discuss OAuth applications and their potential risks. Alan goes into how App Governance can give you visibility of OAuth apps and their usage. Here are a few things we covered:

  • What are OAuth apps?
  • What are they typically used for?
  • Why is it important to monitor them?
  • How can App Governance help monitor and protect from OAuth app attacks?

What did you think of this episode? Give us some feedback via our contact form, or leave us a voice message in the bottom right corner of our site.


Transcript

Hello and welcome to the Let's Talk Azure podcast with your hosts Sam Foote and Alan Armstrong. If you're new here, we're a pair of Azure and Microsoft 365 focused IT security professionals.

It's episode 37 of season five. Sam and I had a recent discussion around OAuth applications and their risks. OAuth applications provide third party services access to an organization's data. Here are a few things we covered. What are OAuth apps? What are they typically used for? Why is it important to monitor them? And how can App Governance help monitor and protect from OAuth app attacks?

We've noticed that a large number of you aren't subscribed. If you do enjoy our podcast, please do consider subscribing. It would mean a lot to us for you to show support to the show. It's a really great episode. So let's dive in. Hey Alan, how are you doing this week? Hey Sam, not doing too bad. How are you?

Yeah, really good, thank you. It's the run up to Ignite. I. I'm feeling, yep, some buzz in the community around Ignite. I see lots of different people are going. It feels like it's gonna be a popular event. Yeah, definitely. And I've now got. I'm now proctoring a couple of the labs. So that's good. Nice. What's the content of your labs that you're doing? So the labs are around Defender for Cloud. Nice.

During your assets and things like that. So I think I'm doing. I think it's two labs but twice if that makes sense. There's two, there's one each day I'm sort of proctoring so. Yeah, that'd be good. So great. Yeah, yeah. It's gonna be really interesting to see because you know they're bringing the partner event alongside Ignite. Be really interesting to see because I think there's gonna be a lot more commercial drive to be there, you know, with the partner ecosystem.

Right, yeah, definitely. And there's. There seems to be a lot of content and that. So yeah, it's just gonna be. It's gonna be a good one, I think. Yeah, really good. Yeah. I feel like it's slowly just creeping up to back to quotes. Normality, right? 100 like not 100. Yeah, yeah, yeah. Really good. Anything else in the cyber security space we need to talk about? Any random things that have come up?

No, don't think so. I've been pretty. Work's been pretty busy so it's been head down and cracking on with the work that we've got. Anything I've been seeing on the, I'm gonna still call it the Twitter sphere, is that I didn't know if you saw, but people are saying that there's been a gap in Sentinel logs. I don't know if you've seen that.

No, I haven't seen anything around that. I don't know if there was. Maybe there was some. I did read something about some potentially Microsoft losing some customer data.

I think that's around the same thing. Yeah, I haven't really, I haven't seen like an official, you know, post about it, but I've seen some people doing breakdowns of like their, you know, I don't know, customers that they look after things like, you know, no actual customer information, but just looking at the statistics and I, but I, I believe the period is just after the CrowdStrike outage. You know, I don't know whether those two things are connected in any way. I know Microsoft had some outage around that time in one region, didn't they? That overlapped the CrowdStrike outage. So I don't know if it's all just to follow on from that, but I haven't heard anything from, you know, this side of the pond, so to speak, on it. I just didn't know if you, you would you attract it at all.

No, I've not heard anyone complaining about it even from like the MVP community. Yeah, I heard anyone saying around, you know, data being lost in Sentinel and things like that. But yeah. No. Okay. Might just be just localized incident or. Yeah. Or whatnot. But yeah. Cool. What we, what we learning about this week, Alan?

Yeah, so we're going to talk about OAuth apps and how the features within Defender for Cloud Apps, App Governance, can help sort of monitor and protect against potential attacks or data leakage from applications. Yeah, I think it's a bit we haven't covered, the App Governance side of things. Used to be a paid add on for MDA and then I think a year, maybe two years ago now that Microsoft sort of brought it in as a, as I sort of include in some of the license SKUs now. So yeah, I think we should talk about it because OAuth apps are widely used everywhere and yeah, there may be someone there that maybe need to be checked as we've seen OAuth attacks where people consent to the apps and gain access to data.

So yeah, definitely. Yeah. Okay, should we start from the sort of the beginning with, you know, what do you mean by an OAuth app and you know what's the typical usage for them?

Yeah, sure. So OAuth applications or consents and things like that really is a method for a service to authenticate with an identity provider to then gain access to certain resources within that that service. In the context before we use most of the time here is that is using Microsoft Entra as the identity provider and then applications requesting access to Office 365 near Microsoft Graph data. So requesting access to mail or to SharePoint, Outlook etc. To perform a task that might also just be just to authenticate. So you know, to collect user information, you know, basic user information like their, their username, their name, things like that to populate, you know, the, the other side. So OAuth applications effectively perform that authentication allows you to slightly outside of sort of single sign on it kind of is and isn't I guess in some way it's not using SAML/SAML2 authentication at this point to sort of feed back. But in effect when you use a third party service or an application and you request, you know, you want it, you want to connect it to your Office 365 data to maybe help you write. You know, it might be a generative AI maybe that can write, help write an email if you're not using Copilot for Security, Copilot for 365 or it might be just to manage your, your, your emails, maybe to help auto tag things like that. There might be some, some form of that sort of integration. So that's kind of what they're mainly used is to help, you know, provide access to some of that data. Now within and again like this is kind of that sort of typical use and you know, beforehand probably, I don't know, two, three, maybe three years ago there was no true controls maybe within Entra I think it's fair to say that users could consent to any application. So one might be to do authentication actually on an iPhone and the Apple Mail app. So to be able to get your email in there and authenticate you had to do a consent to the app. 
Same thing with things like Samsung Mail and then you know, various other ones. So people would consent, you know, allow access to their mail. So they could, you know, use the apps and it could be across anything. You know, just this prompt that says we need access to, you know, to your services. It'd give you a list of what, you know, what data it might might need. But probably from the typical user. They may not read that to go yeah, accept, I need, you know, I want to do it and then it sort of goes through. Probably maybe a year, 18 months ago, it kind of changed to being able to add in effectively by default blocking, you know, that authorization so that you had to go, you know, an admin had to approve it at that point. So, so preventing, you know, potential attacks then of malicious, you know, OAuth apps, you know, gaining access to data because it would be in the what they in effect impersonates the user that's authenticating, you're consenting, you're delegating its access based on the user's access in effect. So they have to, you know, access the app itself to be able to then use that, that sort of access. But potentially, you know, data could then be accessed and then pulled out. And then I think there was a period of time when you know, OAuth apps were quite, being used quite a lot to in fact, you know, gain access to the, to the, you know, to a 365 environment or to any SaaS application, you know, any sort of data there to then, you know, pull, pull data out. And it would be partially unseen, I guess in some way at that time. But yeah, so that's generally what they use. They're probably used for everything that you can think of. It's probably, it's not something everyone will be using an OAuth application of some form for various, you know, applications and things like that. 
It's just, you know, working out then why making sure, you know, they're monitored and you know, removed because probably one of the key things that's quite difficult is understanding their usage and which ones you can remove what, you know, what users are accessing them. It's quite hard to drill down into them because an organization might have 100, 200 of these OAuth applications and then, you know, it's a, it's a task in itself to try and work out which one should and shouldn't be used at that point.

What's, what's the, what's the default for a new tenant on that? Is it, is it to allow users to consent to their own applications now? I believe so because you have to specify who the admins are for the auto consent side of things. Yeah. So I think even, yeah, out of the box, you know, an effective user can consent to their own app SaaS application or to their own OAuth apps and things like that. So yeah, it's quite, can be quite dangerous if you didn't know to configure that other config.

Yeah, because I most, I think most of the time, I say most of the time. No, not most of the time, a chunk of the time. The conversation usually goes down. Oh yeah, we turn that off like three months ago or oh, I didn't even know people could do that. You know, and I think it is quite a open default, if that makes sense. You know, I know there's obviously a balance between, you know, user security, security and usability. Right. But you know, in most organizations we want to, you know, keep people sort of on the straight and narrow, so to speak. But allowing people just to give access to like, you know, their user profile at a minimum or even like something like their mailbox seems, seems quite dangerous really nowadays, especially with, you know, the types of attacks we see and sort of manipulation we see of users, you know, sort of getting somebody to consent to an application is probably as easy or if maybe even easier than phishing somebody for their credentials. Right. And you bypass all of that at that point, don't you?

Yeah. And, and you know, this isn't necessarily saying, you know, I talked about, you know, malicious apps, things like that. This could be third party services that are, you know, legitimately, you know, valid and well known and you know, you know, respected, you know, within, you know, you know, trusted sort of applications. But you know, if they get compromised then you know, the, the bad actors that are there can then potentially, you know, jump into the, into a customer's data from there. So yeah, so it's just, it's just, yeah, there's a lot of risk, that's all. And it's, it's always going to be there. It's not, you know, it's not something to say you shouldn't use third party applications, not at all. But it's just working around how you can reduce that risk.

Yeah. And you know, our, our perimeter is ever changing, isn't it? And I think, you know, third party SaaS applications, I, my gut is, is that is going to be more and more true risk there as, as we go on. You know, I think the, the lucrative nature of breaching like a third party application by a threat actor is probably more lucrative than actually hitting each individual organization. You know, because a lot of these applications do get, you know, some sort of permission over a user's identity, if that makes sense with these types of integrations. I think you mentioned mail apps is the big one. Right. You know, and unfortunately when you use those third party mail apps, you lose out on a lot of the Microsoft functionality that you can get from Outlook. Right. On mobile especially. So yeah, I Think it's definitely important to, you know, I assume that's essentially, you know, the, I don't know, defining criteria of defender for cloud apps really is understanding that usage and, you know, and making good, positive change in your organization to make it more secure. Right. So it's all about knowledge, I suppose. Um, I think you've probably talked, talked to this but, you know, are there any other key areas that you think it's of why it's important to monitor OAuth applications? I think we've, we've touched on that a little bit already.

Yeah. I mean, like you said, it's, it's more, it's understanding what data is maybe leaving your organization through those, you know, OAuth applications because, you know, some of it might be, you know, light touch, slow level, but if you're starting to see like heavy new gigs of data going at us, you know, an OAuth application, you know, that might raise concern and traditionally or previously, I guess you'd never be able to see that data. It'd be very hard to understand what data was leaving through the, through the OAuth applications. Not, you know, quite. I think there'd be ways around it, but it was never really sort of centralized, if that makes sense. It was always quite hard and monitoring them also to see whether they've got, they're using all their permissions. You know, we're looking at, you know, permissions creep at some in some form. You know, it says it needs all this permission, but actually, you know, 90, 99 of the time it only needs no X permission kind of thing. So you can then see if they're over, you know, looking for over. Over provisioned, you know, applications. Yeah, that's kind of the key areas I think is making sure one, it's being used and if it's not, then you can shut it down. Because that's a crack in the armor, isn't it? It's an opening in the armor if you are or aren't using it anymore. Understanding what, you know, information's, you know, leaving or how much data or what information is leaving via that, that OAuth application and then what permissions it has and whether, what risks are involved in them having those apps. Because like I said, you know, and a user potentially wouldn't understand at the time of consenting themselves what it means that, you know, it can send email on behalf of you. Because there might, you know, there might be apps to do that for you. You might do. There are apps that are probably legitimately used to Send email on behalf of you. 
I mean, I guess kind of like the Outlook, the Apple Mail and things like that potentially. But you know, those being compromised means that they can just use your mail to spam out, you know, potentially. So it's definitely a lot of risk to be monitored there.

Okay, could you just give us an overview of you know, Defender for Cloud apps and what it's aiming to achieve?

Yeah, sure. So Defender for Cloud Apps has been around for quite some time now. It used to be called Cloud App Security before its grand rename into the Defender world. But yeah, originally it kind of started off as a CASB solution, so monitoring activity within Office 365, Azure and other SaaS applications and be able to create alerts and in effect on user activity, unusual activity within those SaaS applications. It's kind of evolved a lot more now to kind of show those, bring those identities from those SaaS applications into, into the Defender XDR portal so you can see, you know, how they all sort of map together. But also now you've got this part kind of what, what used to be sort of a paid service on top of Defender for Cloud Apps called App Governance which primarily looks at in effect sort of the application side of things as well as bringing in what they call SSPM which is SaaS Security Posture Management. So in effect when you've got some SaaS apps that have supported integrated like Salesforce is one of them, I think Google is as well, Google Workspace, it allows you to see the configuration and gives you best practice and effect or recommended config to harden that environment. Maybe it's to enforce MFA for the non-SAS, non-SAML, you know, identities or various other things that are in there. In effect with those connectors there. It can then bring in the OAuth apps from those other SaaS services as well. So yeah, it's been around for quite some time. The other part as well I suppose I've probably forgotten to mention is that it can do some DLP, data loss prevention, sort of complementing the stuff that Purview does. It's probably like a version one actually, probably fair to say, from the DLP side of things. 
And it can sort of do session control to help lock down access from the browser where we can download, upload, things like that or do certain actions in SaaS applications where supported from a, from a browser session in effect so you can prevent download upload if it's on a unmatched device, that kind of thing. So it's definitely a lot, lot in the sort of tool set, it's definitely around, you know, cloud app, cloud apps. So yeah, that's probably a high level view of that.

Okay, yeah. Can we dive into App Governance and what it's aiming to achieve in Defender for Cloud Apps?

Yeah, so App Governance has kindly been brought in as a feature for Cloud Apps is kind of to sort of provide security and policy management or capability around OAuth enabled apps registered like we said in Entra ID, Google and Salesforce is kind of the key ones at the moment with other ones in, you know, coming in private previews, things like that. The idea of it is to bring visibility to show you all that information. I kind of talked about previously where it was quite difficult to see all that data in one place. So that makes sense. It's kind of aggregating data to show you it so you can make, you know, decisions around, you know, these OAuth applications potentially also brings in some remediation. So revoking permissions and revoking access, things like that, as well as, you know, governing how these apps are being used, when they were last used, whether they're sharing sent, you know, whether they've hit sensitive information, that kind of thing. So that's kind of the key, key areas. You know, there are policies in there to do detections around risky apps and apps that maybe don't comply with some of the requirements you have. And yeah, so it's very good portal to get that information, those insights. Cool.

Can we dive into some of those insights and alerts that you can get in App Governance?

Yeah, sure. So there is an overview page that you see pretty much sort of high level stats around this and it's very. Once you sort of launch it, it does sort of show you quite quickly, you know, potential like I suppose issues or things that you definitely need to look at. Some of those insights kind of sort of dive into sort of high privileged apps, you know, where they've got not necessarily God mode to services, but maybe we've got some very high privileged privileges in there, over privileged apps. So like I said, ones that you've got permissions that they're never using now, so maybe they need decreasing. You've got some stats around high usage again showing you data leaving the organization. You've got things like top consented users who have, you know, top percentage top consented users, priority accounts who have data that's for specific app access and OAuth applications that access sensitive or regular content on SharePoint, OneDrive and Exchange Online and Teams. So I think that's quite important is the sensitive sort of data side of things. So, you know, having visibility of where you're using sensitive labels within your data in SharePoint, OneDrive, SharePoint, SharePoint, OneDrive, Exchange and Teams, we'll get all those right. There needs to be an acronym. I suppose it's Office 365 really, isn't it, at that point. But thinking about it.

I know what you mean. Yeah.

But yeah, having your sensitive information types on there, you can then identify applications maybe hitting a specific label that you've, that you've set. So maybe you've got some highly confidential data that you shouldn't see a SaaS application accessing. So at least you can see where that data might be going. So I think that's quite key. Again, this is really just showing you that visibility. When you see those SaaS app or those OAuth apps, you can click on them and in fact you can dive into then which users are using it, who last used it, what, how much data is going through that application and if it touched any sensitive information that it was accessing previously, you wouldn't be able to do that quite very easily without looking at Entra logs and maybe, you know, Office 365 logs to kind of correlate that all together. Yes, potentially you could do that through, I guess, Sentinel side of things, but you'd have to build the queries, things like that, to sort of do that checking. In effect, this portal is doing it for you. And yeah, in effect some of those detections are being created. Then there is. Well, so you can build these detections, just look for highly privileged acts, apps over privileged sort of apps as well. There's various other ones sort of applications there, new app consented with high privileges, so you can see when new ones are being created. Bear in mind with that one though, that if you've got admin consent enabled, then they shouldn't appear that often or you would definitely know about them because you would have been doing the due diligence on the app as you consent to it. But one thing probably to bring in is as we all all love the wording, but there is machine learning built in to in effect check some of the usage of these application and detect anomalies basically within their usage there. So there's definitely a lot of stuff happening in the background as well as giving you that visibility there.

Okay. Yeah. So like I think like you said, I suppose you probably do have access to a lot of the raw data, but you would have to, you know, define what it is that you want to look at, you know, build your detections and how you want to be alerted and things like that. I suppose this wraps it all up into one package for you. And if you are an organization that is lucky enough to be licensed for it, I suppose, you know, you do have access to it. So it's just extra enriched information that you can get access to. Right. And sort of delivered on a plate really, you know.

Yeah. And this is, I guess is some of the, not necessarily complaints, but the concerns from customers that we've been sort of working with is that they've got all, you know, like you said Sam earlier, you know, they've said they've turned on the app, the admin consent part, you know, three months ago, but it's been running, you know, wild in air quotes for, you know, last two, three years, etc. And they've now got 200, 300 apps that they don't know who's using what, you know, easily. This tool kind of helps with that because it gives you all the data, you know, there and then you can decide what you do with it. And yeah, and at least you've got that sort of view. I think, I think when we were doing this and I showed a customer it, they in effect sort of said this is great, but there's so much information and you know, so much stuff in here that you know, I'm gonna have to employ someone else to take a look at this even though they probably need to do that anyway. But it's a key part to making sure, you know, they're, they're secure, making sure that data's not leaving.

Yeah. Night. There is, there is a constant struggle around focus and resource in organizations, isn't there? And what is, you know, what is priority, what is not priority, you know, because they are, they are, they're trying to manage as much risk as they possibly can. Right. You know, at, you know, with the, the limited resources, you know, that is people and budgets that they've got. Right. So I think personally, any tool that can make that easier for organizations is going to help its use even if you have to pay for that. Right. I don't want people to have to pay for things. And I suppose you do have a way to sort of DIY it yourself if you've got the time and the patience and the knowledge to, you know, to look at these things. So yeah, and a lot of the time you're completely right. People will be like, this is way too much information. But it's, it's like, no, this is something that you, you do need to look at. It is important and it, you know, it, it's maybe something that's missed, especially if you can't see it. Right. Because there's a lot of edge cases in security where you know, a config has now changed and been right sized like correctly, but still, you know, there's activity happening sort of invisibly to the organization. Right. So you know, if they do at least have knowledge of it, then they can make a justification a business case that it is monitored and managed going forward. Right.

Yeah. And you, I think you kind of hit it on nail on the head there. It's kind of. Even if you just use it for discovery, you're, you're, you're removing a blind spot again. Yeah, that's not really, ever really thought about. Yeah. And what about, we've talked about logging in sort of insights. What about remediation? Can it, can it help us actually fix any of these problems that it discovers? I don't mean to say that in a bad way, but it kind of sounded like that.

Yeah. So in effect within the alerts and things like that, you know, you can actually get it to. So off the top of my head, I don't know if it can automatically remediate. I don't know if it's something that we've got. You've got to go in and say I want to sort something out with it. But you can go in there manually in effect into an alert where it's detected something or any of the application pages and in effect revoke the permissions or reduce the permissions for that SaaS application. So if it's a word unconsent, unconsent from some of the permissions it needs or completely revoke all permissions to it. And even potentially, I guess if you still had it open, potentially also ban that OAuth application. So even if someone does consent to it, if you didn't add admin consent, you can potentially ban that application itself. And it's got integrations into also Salesforce and the Google Workspace because in effect they use OAuth apps to talk to other applications and services. They have, I guess Google Workspace basically equipped to Office 365. So in effect access to mail, things like that. Salesforce I guess will be probably data and things, customer data, things like that. So again you can see those ones. Ban the app so it can never access it. Revoke access automatically on the app if someone does consent to it. And in effect notify users that the app has been banned as well if you want to. So I think that's kind of the key parts of it. I don't know if there's an API. There is some API access to the service I think or it might be coming as it's kind of merging more into the Defender XDR portal. So maybe some ways to automate maybe that revoking based on criteria. Maybe within a Sentinel alert. Definitely be an interesting one to look at actually thinking about it. So yeah, I mean really the only remediation for this is to revoke access or to reduce access from this side of things. So. So yeah.

Okay, cool. And yeah, I think we've touched on it, but can we just talk about. Yeah. How much it costs and how it's licensed.

So I don't know how much it costs because it's part of Defender for Cloud Apps now in effect. But mainly it's still been shown as App Governance being a separate sort of application. But when you, you know, Microsoft, Microsoft 365 E3. No, Microsoft 365 E5 Security add on or E5 in effect you get that, that service, but I assume that you get it if you buy a, a Microsoft Defender for Cloud Apps license as well. So sort of get that. But you do have to sort of cover the whole organization because you're, you know, you're looking at all of the user activity kind of thing. So it's not, it's not like you can sort of buy a single license and gain the access. So. But yeah, it is good and it does, like I said, it does show you, you know, which users are using it as well quite easily. I think that's the hardest part because I think previously either, you know, you had to run PowerShell to maybe get it all, get all the information. I don't think you could get it all, not easily or you had to click through every app at which point, you know, you give up with it. So. So yeah, but yeah, it's licensed going back to licensing. Yes, it's part of the E5 Security add on and, and also with the. Is meant to be around with the Defender for Cloud Apps license as its sort of lowest SKU that you could possibly get for it.

Cool, thanks, Alan. Anything else you want to cover on this one?

No, I think that's it. I think there's quite a lot, you know, I don't know how long we've been talking for, quite some time. It's, it's, you know, it seems like a small area, but it is. You know, once you dive into it, it's, it's one of those this is great sort of moments, loads of information. But then it's also. Yeah, there's a lot of work to maybe get on top of it initially, I think. But I think that's, that's right in the sense that it's a blind spot that now you've uncovered, you know, the truths behind the OAuth apps. So. Yeah.

Okay, cool. Thanks very much, Alan. Cool. What's our next episode? Our next episode is the news for October. We're going to be taking a little break before the news just because Alan's off on his Holly holidays. I'll go with that. So, yeah, so we'll be returning back with another episode in a couple of weeks time.

Yeah. Cool. Okay. Did you enjoy this episode? If so, please do consider leaving us a review on Apple or Spotify. This really helps us reach out to more people like yourselves. If you do have any specific feedback or suggestions, we have a link in our show notes to get in contact with us. Yeah. And if you've made it this far, thanks ever so much for listening and we'll catch you on the next one. Yeah, thanks. All.

Transcript source: Provided by creator in RSS feed.