Protecting Application and Service Principal Permissions in Azure AD

Presented at Blue Team Con 2022, Aug. 28, 2022, 10 a.m. (50 minutes)

Do you know what your service principals are doing? Service principals represent non-human accounts in Azure AD. They’re a big improvement over the on-premises service account model, but the permissions they are granted can introduce new risks. In this talk we’ll explain the threats to the permission consent model posed by app sprawl and malicious actors. We’ll show you how to discover what apps are in your environment and how to understand the risk associated with those apps.

Key topics we’ll cover include:

  • Understanding the service principal and application directory objects
  • Evaluating the impact and blast radius of permissions
  • Delegated (on behalf of a user) and application (without a user) permissions
  • Identifying threats to your applications and service principals
  • Managing requests from app developers

Based on our experience implementing an application permission security assessment model across Microsoft’s internal IT environment, we’ll share lessons learned, gotchas, and product features that can help you manage the security of service principals and applications in your Azure AD tenant.


  • Eric Hall - Principal Security Architect, Microsoft
    Eric is an architect in Microsoft's Digital Security and Resilience Office of the CTO. He focuses on Identity and Application security and helping Microsoft to secure its internal enterprise. Prior to his current role, Eric worked with customers in the defense and financial industries to secure their on-premises and cloud identity systems.