Framework/Configurations/SVT/AAD/AAD.AppRegistration.json
|
{
"FeatureName": "AppRegistration", "Reference": "aka.ms/azsktcp/Application", "IsMaintenanceMode": false, "Controls": [ { "ControlID": "AAD_AppRegistration_Remove_Test_Demo_Apps", "Description": "Old test/demo apps should be removed from the tenant", "Id": "App120", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckOldTestDemoApps", "Rationale": "Demo apps are usually short-term projects that do not go through the full engineering process and due diligence required for enterprise apps. As a result, it is important to constantly review and prune demo app entries from the tenant.", "Recommendation": "Refer: TODO", "Tags": [ "SDL", "TCP", "Automated", "AuthZ", "RBAC" ], "Enabled": false }, { "ControlID": "AAD_AppRegistration_DP_Use_HTTPS_Redirect_URI", "Description": "Ensure all return URLs configured for an application to use HTTPS endpoints.", "Id": "App130", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckReturnURLsAreHTTPS", "Rationale": "Ensuring that return URLs for an application exclusively use HTTPS endpoints is crucial for security. During authentication flows, tokens are often transmitted to these URLs after successful authentication. If a return URL lacks HTTPS encryption, it exposes tokens to potential interception, compromising sensitive data security.", "Recommendation": "1. Access App Registrations. --> 2. Locate and select the relevant application. --> 3. Navigate to Authentication settings under Manage. --> 4. Ensure that all return URLs configured for the application exclusively use HTTPS endpoints.", "Tags": [ "SDL", "TCP", "Automated", "AuthZ", "RBAC" ], "Enabled": true }, { "ControlID": "AAD_AppRegistration_Review_Orphaned_Apps", "Description": "Do not permit orphaned apps (i.e., apps with no owners) in the tenant", "Id": "App140", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": "CheckOrphanedApp", "Rationale": "From a governance standpoint, it is important that every application has one or more owners who are responsible for the upkeep of the application's record in the tenant, rotating credentials, etc.", "Recommendation": "1. Access App Registrations. --> 2. Locate and select the relevant application. --> 3. Navigate to Owners settings under Manage. --> 4. Ensure that the application has at least one owner. If not, consider removing the application.", "Tags": [ "SDL", "TCP", "Automated", "AuthZ", "RBAC" ], "Enabled": true }, { "ControlID": "AAD_AppRegistration_Require_FTE_Owner", "Description": "At least one of the owners of an app must be an FTE", "Id": "App150", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": "CheckAppFTEOwner", "Rationale": "Guest users in a tenant are often transient. Ensuring that at least one FTE owner is accountable for managing the app, rotating credentials, etc. leads to better app governance.", "Recommendation": "Refer: TODO", "Tags": [ "SDL", "TCP", "Automated", "AuthZ", "RBAC" ], "Enabled": false }, { "ControlID": "AAD_AppRegistration_Minimize_Resource_Access_Requested", "Description": "Apps should request the least permissions needed to various resources", "Id": "App160", "ControlSeverity": "Medium", "Automated": "No", "MethodName": "TBD-Later", "Rationale": "Ensuring that an app requests only those permissions that it needs to function properly in keeping with the principle of least privilege ensures that in the event of a compromise, the damage can be contained.", "Recommendation": "Refer: TODO", "Tags": [ "SDL", "TCP", "Automated", "AuthZ", "RBAC" ], "Enabled": false }, { "ControlID": "AAD_AppRegistration_HomePage_Use_HTTPS", "Description": "The home page URL for an application must be an HTTPS endpoint", "Id": "App170", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckHomePageIsHTTPS", "Rationale": "Using HTTPS ensures that sensitive data is not disclosed during transit and that the application's clients are not spoofed by rogue endpoint posing as the application.", "Recommendation": "Refer: TODO", "Tags": [ "SDL", "TCP", "Automated", "DP" ], "Enabled": false }, { "ControlID": "AAD_AppRegistration_LogoutURLs_Use_HTTPS", "Description": "The logout URL configured for an application must be an HTTPS endpoint", "Id": "App180", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckLogoutURLIsHTTPS", "Rationale": "The logout URL for an application is used during authentication flows. Not using an HTTPS URL for this may lead to disclosure of authentication info/tokens.", "Recommendation": "Refer: TODO", "Tags": [ "SDL", "TCP", "Automated", "AuthN", "DP" ], "Enabled": false }, { "ControlID": "AAD_AppRegistration_Must_Have_Privacy_Disclosure", "Description": "All enterprise apps must use a privacy disclosure statement", "Id": "App190", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": "CheckPrivacyDisclosure", "Rationale": "Adding an appropriate and uniform privacy disclosure for all enterprise apps helps users make correct privacy-related choices when deciding to use the applications. This is also a regulatory requirement in most jurisdictions.", "Recommendation": "Refer: TODO", "Tags": [ "SDL", "TCP", "Automated", "Privacy" ], "Enabled": false }, { "ControlID": "AAD_AppRegistration_Must_Restrict_To_Tenant", "Description": "Enterprise (line of business) apps should be tenant scope only", "Id": "App200", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckAppIsCurrentTenantOnly", "Rationale": "Line of business (LOB) applications are usually written to meet a specific company's business needs. Such applications should be restricted to the current tenant only (i.e., the tenant where they are registered).", "Recommendation": "1. Access App Registrations. --> 2. Locate and select the relevant application. --> 3. Navigate to Authentication settings under Manage. --> 4. Ensure that the supported account types is set to 'Accounts in this organizational directory only'.", "Tags": [ "SDL", "TCP", "Automated" ], "Enabled": true }, { "ControlID": "AAD_AppRegistration_AuthZ_Do_Not_Use_Wildcards_In_Redirect_URIs", "Description": "Avoid the use of wildcard characters in redirect URIs.", "Id": "App210", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckRedirectURIsWithWilcard", "Rationale": "Including wildcard characters in redirect URIs introduces significant security vulnerabilities. Attackers can exploit this by creating fraudulent redirect URIs resembling legitimate ones, leading to potential phishing attacks and unauthorized access to authentication tokens. In the case of public clients, this can directly grant attackers access tokens, while for confidential apps, it can enable auth code injection attacks to obtain access tokens.", "Recommendation": "1. Access App Registrations. --> 2. Locate and select the relevant application. --> 3. Navigate to Authentication settings under Manage. --> 4. Ensure all redirect URIs are configured with exact domains instead of wildcard characters.", "Tags": [ "SDL", "TCP", "Automated", "AuthZ" ], "Enabled": true }, { "ControlID": "AAD_AppRegistration_AuthN_Do_Not_Use_Implicit_Flow", "Description": "Implicit Flow should not be allowed in App Registration", "Id": "App220", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckImplicitFlowIsNotUsed", "Rationale": "Using implicit flow, exposes the access token in the URL fragment, and does not support PKCE, making it vulnerable to access token leage and token replay attacks.", "Recommendation": "1. Access App Registrations. --> 2. Locate and select the relevant application. --> 3. Proceed to Authentication settings under Manage. --> 4. Disable access tokens used for implicit flows.", "Tags": [ "SDL", "TCP", "Automated", "AuthN" ], "Enabled": true }, { "ControlID": "AAD_AppRegistration_AuthZ_Remove_Dangling_URIs", "Description": "Ensure redirect URIs have valid DNS ownership.", "Id": "App240", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckDanglingRedirectURIs", "Rationale": "Allowing redirect URIs with no DNS ownership allows attackers to get ownership of the URL before the actual owners, enabling them to get auth tokens by phishing users to these sites under attackers' controls.", "Recommendation": "1. Access App Registrations. --> 2. Locate and select the relevant application. --> 3. Proceed to Authentication settings under Manage. --> 4. Ensure all redirect URIs are configured with valid DNS records to prevent unauthorized access.", "Tags": [ "SDL", "TCP", "Automated", "AuthZ" ], "Enabled": true }, { "ControlID": "AAD_AppRegistration_AuthZ_Add_FTE_Owners_Only", "Description": "All owners of the app registration should be FTE only.", "Id": "App250", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckAppHasFTEOwnerOnly", "Rationale": "Owners of the app have access to critical app settings such as auth flows, credentials and API permissions. Providing ownership to FTE accounts only leads to better app governance and prevents malicious users from outside the enterprise from accessing critical data.", "Recommendation": "1. Access App Registrations. --> 2. Locate and select the relevant application. --> 3. Proceed to Owners under Manage. --> 4. Remove any non-Member accounts.", "Tags": [ "SDL", "TCP", "Automated", "AuthZ", "RBAC" ], "Enabled": true }, { "ControlID": "AAD_AppRegistration_AuthN_Do_Not_Allow_Long_Expiry_Secrets", "Description": "App Registrations should not have long expiry secrets.", "Id": "App220", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckAppDoesNotHaveLongExpirySecrets", "Rationale": "If client secrets are a must to be used, ensure that the secret expiry is not more than 90 days. Long expiry secrets can lead to unauthorized access for a longer window in case of secret compromise.", "Recommendation": "1. Access App Registrations. --> 2. Locate and select the relevant application. --> 3. Proceed to certificates and secrets under Manage. --> 4. Under Client secrets look delete any secrets with expiry more than 90 days. (Configurable in Application -> CredentialExpiryThresholdInDays, ControlSettings.json).", "Tags": [ "SDL", "TCP", "Automated", "AuthN" ], "Enabled": true }, { "ControlID": "AAD_AppRegistration_AuthZ_Minimize_Permissions_Requested", "Description": "App Registrations should request the least permissions needed to various resources", "Id": "App230", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckAppUsesMiniminalPermissions", "Rationale": "Apps should only require the least needed permission possible to prevent risky unauthorized access to enterprise resources. App permissions are riskier than delegated permissions as these do not require user consent.", "Recommendation": "1. Access App Registrations. --> 2. Locate and select the relevant application. --> 3. Go to API permissions under Manage. --> 4. Review the risky permissions for this app listed in Application.LOG file and revoke them.", "Tags": [ "SDL", "TCP", "Automated", "AuthZ", "RBAC" ], "Enabled": true }, { "ControlID": "AAD_AppRegistration_AuthN_Do_Not_Allow_Long_Expiry_Secrets_For_Orphaned_Apps", "Description": "App Registrations with no owners should not have long expiry secrets.", "Id": "App260", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckOrphanedAppDoesNotHaveLongExpirySecrets", "Rationale": "Apps without any ownership can either be legacy apps no longer being used or app whose owners have left the organization. If client secrets with secret expiry of more than 90 days are associated this could lead to a longer attack window of app compromise outside the enterprise. Ensuring enterprise security hygiene, either the app or the secret should be deleted and proper ownership should be defined.", "Recommendation": "1. Access App Registrations. --> 2. Locate and select the relevant application. --> 3. Proceed to certificates and secrets under Manage. --> 4. Under Client secrets look delete any secrets with expiry more than 90 days. (Configurable in Application -> CredentialExpiryThresholdInDays, ControlSettings.json).", "Tags": [ "SDL", "TCP", "Automated", "AuthN" ], "Enabled": true }, { "ControlID": "AAD_AppRegistration_AuthZ_Enable_App_Instance_Lock", "Description": "Enable app instance lock for multi-tenant apps on all properties.", "Id": "App270", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckAppInstanceLock", "Rationale": "App instance property lock prevents owners of Enterprise Applications in other tenants from creating credentials of the SPN. The credentials can allow misuse of SPNs to gain unauthorized access to critical Enterprise data.", "Recommendation": "1. Access App Registrations. --> 2. Locate and select the relevant application. --> 3. Proceed to Authentication settings under Manage. --> 4. Under advanced settings, enable app instance property lock and select all properties from the dropdown.", "Tags": [ "SDL", "TCP", "Automated", "AuthZ" ], "Enabled": true } ] } |