Why “app registrations” present a security risk to M365

by | May 5, 2022 | Security, Office 365

Let’s start by describing what an app registration is: an app registration happens when you allow an external program to integrate with your Microsoft 365 tenant. A common example might be allowing a scheduling tool like Calendly to access your company’s calendars stored in M365. Basically, it refers to an app being allowed to call on data stored in your M365 account.

What we are noticing more of is that mobile phones require an app registration to be able to access company email if the employee is not using the Microsoft Outlook mobile app (e.g., when using the phone’s built-in mail client). Most people do not think of email as carrying app risk, so this is something to look out for.

It is also possible for these permissions to remain after the application is no longer needed or in use. Because app registrations are persistent, they may present a security risk long after the permissions have been forgotten about.

Examples of things we’ve seen include: Zoom, Samsung email, Apple Business Manager, Quickbooks desktop (for email), Zapier, Smartsheet, Addevent, Calendly, Atlassian, LinkedIn, Polly, Doodle, and so on.

How do you feel about Samsung having access to your M365 tenant?  Or Apple?  What about some random cloud-based application that you evaluated at one time and are no longer using? 

What do we recommend you do about app registrations? 

  1. App registration approvals should be restricted to admins only.  Unfortunately, this is not the default out of the box – end users can approve applications.  Please let us know if you would like us to change this for you – it will save us a lot of time.  We are conducting a review and getting in touch proactively with clients that subscribe to our M365 security essentials services. 
  2. Use Outlook on mobile instead of your built-in mail client – it does not require new or additional permissions. 
  3. Do some housekeeping.  Your internal IT contact should periodically review the list of authorized app registrations in Azure AD.  The list can be quite extensive, and it is impossible for us to know what is in use by all your employees.  If you would like a snapshot of what programs have access to your M365 data, please reach out to VIPsupport.  We can remove anything you identify as being no longer needed.
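As an added example (not from the original post, and not a vendor tool), the following Microsoft Graph PowerShell snippet covers steps 1 and 3 above: it reports whether end users can still consent to apps on their own, and produces a snapshot of every app holding delegated access to tenant data. It assumes the Microsoft.Graph module is installed and the account running it has read access to the directory and policies.

```powershell
# Added example (not from the original post): audit a Microsoft 365 tenant's
# user-consent setting and list every delegated permission grant, using the
# Microsoft Graph PowerShell SDK (Install-Module Microsoft.Graph).
# Read-only scopes: Directory.Read.All covers service principals and OAuth2
# grants, Policy.Read.All covers the authorization policy.
Connect-MgGraph -Scopes "Directory.Read.All", "Policy.Read.All" -NoWelcome

# 1. Can end users still consent to apps on their own?
# An empty PermissionGrantPoliciesAssigned list means "Do not allow user consent"
# (admins only); any entry means some form of self-service consent is enabled.
$policy        = Get-MgPolicyAuthorizationPolicy
$grantPolicies = $policy.DefaultUserRolePermissions.PermissionGrantPoliciesAssigned
if (-not $grantPolicies -or $grantPolicies.Count -eq 0) {
    Write-Host "User consent: disabled (admins only) - OK"
} else {
    Write-Host "User consent: ENABLED via $($grantPolicies -join ', ') - review"
}

# 2. Snapshot of every app that holds delegated access to tenant data.
# ConsentType 'AllPrincipals' = an admin consented for the whole tenant;
# 'Principal' = a single user consented for their own account only.
$spCache = @{}
$report = foreach ($grant in Get-MgOauth2PermissionGrant -All) {
    if (-not $spCache.ContainsKey($grant.ClientId)) {
        $spCache[$grant.ClientId] = Get-MgServicePrincipal -ServicePrincipalId $grant.ClientId
    }
    $sp     = $spCache[$grant.ClientId]
    $scopes = "$($grant.Scope)".Trim()
    [pscustomobject]@{
        App         = $sp.DisplayName
        Publisher   = $sp.PublisherName
        ConsentType = $grant.ConsentType
        Scopes      = $scopes
        # Flag the grants a reviewer should question first: mail, files,
        # write access, or offline_access (a refresh token that outlives the session).
        Broad       = [bool]($scopes -match 'Mail\.|Files\.|\.ReadWrite|offline_access')
        GrantId     = $grant.Id   # needed if the grant is later revoked
    }
}

$report | Sort-Object Broad, App -Descending | Format-Table -AutoSize
# Revoking a grant you identify as no longer needed (requires a write scope such
# as DelegatedPermissionGrant.ReadWrite.All) is a separate, deliberate step:
#   Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId <GrantId>
```

This lists delegated (on-behalf-of-a-user) grants only; apps that were given application (app-only) permissions appear under their service principal's app role assignments instead, which `Get-MgServicePrincipalAppRoleAssignment` enumerates and should be reviewed alongside.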