Framework/Configurations/SVT/AAD/AAD.AppRegistration.json
|
{
"FeatureName": "AppRegistration", "Reference": "aka.ms/azsktcp/Application", "IsMaintenanceMode": false, "Controls": [ { "ControlID": "AAD_AppRegistration_Remove_Test_Demo_Apps", "Description": "Old test/demo apps should be removed from the tenant", "Id": "App120", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckOldTestDemoApps", "Rationale": "Demo apps are usually short-term projects that do not go through the full engineering process and due diligence required for enterprise apps. As a result, it is important to constantly review and prune demo app entries from the tenant.", "Recommendation": "Refer: TODO", "Tags": [ "SDL", "TCP", "Automated", "AuthZ", "RBAC" ], "Enabled": false }, { "ControlID": "AAD_AppRegistration_ReturnURLs_Use_HTTPS", "Description": "All return URLs configured for an application must be HTTPS endpoints", "Id": "App130", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckReturnURLsAreHTTPS", "Rationale": "Return URLs of an application are particularly sensitive because many authentication flows involve posting the token to the returnURL after successful authentication. If such a URL does not use HTTPS, it leads to disclosure of the token on the network in clear text.", "Recommendation": "Refer: TODO", "Tags": [ "SDL", "TCP", "Automated", "AuthZ", "RBAC" ], "Enabled": true }, { "ControlID": "AAD_AppRegistration_Review_Orphaned_Apps", "Description": "Do not permit orphaned apps (i.e., apps with no owners) in the tenant", "Id": "App140", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": "CheckOrphanedApp", "Rationale": "From a governance standpoint, it is important that every application has one or more owners who are responsible for the upkeep of the application's record in the tenant, rotating credentials, etc.", "Recommendation": "Refer: TODO", "Tags": [ "SDL", "TCP", "Automated", "AuthZ", "RBAC" ], "Enabled": true }, { "ControlID": "AAD_AppRegistration_Require_FTE_Owner", "Description": "At least one of the owners of an app must be an FTE", "Id": "App150", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": "CheckAppFTEOwner", "Rationale": "Guest users in a tenant are often transient. Ensuring that at least one FTE owner is accountable for managing the app, rotating credentials, etc. leads to better app governance.", "Recommendation": "Refer: TODO", "Tags": [ "SDL", "TCP", "Automated", "AuthZ", "RBAC" ], "Enabled": false }, { "ControlID": "AAD_AppRegistration_Minimize_Resource_Access_Requested", "Description": "Apps should request the least permissions needed to various resources", "Id": "App160", "ControlSeverity": "Medium", "Automated": "No", "MethodName": "TBD-Later", "Rationale": "Ensuring that an app requests only those permissions that it needs to function properly in keeping with the principle of least privilege ensures that in the event of a compromise, the damage can be contained.", "Recommendation": "Refer: TODO", "Tags": [ "SDL", "TCP", "Automated", "AuthZ", "RBAC" ], "Enabled": false }, { "ControlID": "AAD_AppRegistration_HomePage_Use_HTTPS", "Description": "The home page URL for an application must be an HTTPS endpoint", "Id": "App170", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckHomePageIsHTTPS", "Rationale": "Using HTTPS ensures that sensitive data is not disclosed during transit and that the application's clients are not spoofed by rogue endpoint posing as the application.", "Recommendation": "Refer: TODO", "Tags": [ "SDL", "TCP", "Automated", "DP" ], "Enabled": false }, { "ControlID": "AAD_AppRegistration_LogoutURLs_Use_HTTPS", "Description": "The logout URL configured for an application must be an HTTPS endpoint", "Id": "App180", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckLogoutURLIsHTTPS", "Rationale": "The logout URL for an application is used during authentication flows. Not using an HTTPS URL for this may lead to disclosure of authentication info/tokens.", "Recommendation": "Refer: TODO", "Tags": [ "SDL", "TCP", "Automated", "AuthN", "DP" ], "Enabled": false }, { "ControlID": "AAD_AppRegistration_Must_Have_Privacy_Disclosure", "Description": "All enterprise apps must use a privacy disclosure statement", "Id": "App190", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": "CheckPrivacyDisclosure", "Rationale": "Adding an appropriate and uniform privacy disclosure for all enterprise apps helps users make correct privacy-related choices when deciding to use the applications. This is also a regulatory requirement in most jurisdictions.", "Recommendation": "Refer: TODO", "Tags": [ "SDL", "TCP", "Automated", "Privacy" ], "Enabled": false }, { "ControlID": "AAD_AppRegistration_Must_Restrict_To_Tenant", "Description": "Enterprise (line of business) apps should be tenant scope only", "Id": "App200", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckAppIsCurrentTenantOnly", "Rationale": "Line of business (LOB) applications are usually written to meet a specific company's business needs. Such applications should be restricted to the current tenant only (i.e., the tenant where they are registered).", "Recommendation": "Refer: TODO", "Tags": [ "SDL", "TCP", "Automated" ], "Enabled": true }, { "ControlID": "AAD_AppRegistration_AuthZ_Do_Not_Use_Wildcards_In_Redirect_URIs", "Description": "Redirect URIs should not contain wildcard characters.", "Id": "App210", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckRedirectURIsWithWilcard", "Rationale": "Allowing wildcard in redirect URIs makes it easier for attackers to get auth tokens from the app by creating similar redirect URIs and phishing users to malicious URLs. For public clients this can provide attackers directly with an access token whereas for confidential apps, attackers can leverage auth code injection attacks to get an access token.", "Recommendation": "1. Go to App Registration. 2. Navigate to the app. 3. Go to Authentication under Manage. 4. Configure all redirect URIs with wildcards to exact domains", "Tags": [ "SDL", "TCP", "Automated", "AuthZ" ], "Enabled": true }, { "ControlID": "AAD_AppRegistration_AuthN_Do_Not_Use_Implicit_Flow", "Description": "Implicit Flow should not be allowed in App Registration", "Id": "App220", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckImplicitFlowIsNotUsed", "Rationale": "Using implicit flow, exposes the access token in the URL fragment, and does not support PKCE, making it vulnerable to access token leage and token replay attacks.", "Recommendation": "1. Go to App Registration. 2. Navigate to the app. 3. Disable access tokens used for implicit flows.", "Tags": [ "SDL", "TCP", "Automated", "AuthN" ], "Enabled": true }, { "ControlID": "AAD_AppRegistration_AuthZ_Remove_Dangling_URIs", "Description": "Redirect URIs should have proper DNS ownership.", "Id": "App240", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckDanglingRedirectURIs", "Rationale": "Allowing redirect URIs with no DNS ownership allows attackers to get ownership of the URL before the actual owners, enabling them to get auth tokens by phishing users to these sites under attackers' controls.", "Recommendation": "1. Go to App Registration. 2. Navigate to the app. 3. Go to Authentication under Manage. 4. Configure all redirect URIs and their DNS records.", "Tags": [ "SDL", "TCP", "Automated", "AuthZ" ], "Enabled": true }, { "ControlID": "AAD_AppRegistration_AuthZ_Add_FTE_Owners_Only", "Description": "All owners of the app registration should be FTE only.", "Id": "App250", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckAppHasFTEOwnerOnly", "Rationale": "Owners of the app have access to critical app settings such as auth flows, credentials and API permissions. Providing ownership to FTE accounts only leads to better app governance and prevents malicious users from outside the enterprise from accessing critical data.", "Recommendation": "1. Go to App Registration. 2. Navigate to the app. 3. Go to owners. 4. Remove any non FTE account", "Tags": [ "SDL", "TCP", "Automated", "AuthZ", "RBAC" ], "Enabled": true }, { "ControlID": "AAD_AppRegistration_AuthN_Do_Not_Allow_Long_Expiry_Secrets", "Description": "App Registrations should not have long expiry secrets.", "Id": "App220", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckAppDoesNotHaveLongExpirySecrets", "Rationale": "If client secrets are a must to be used, ensure that the secret expiry is not more than 90 days. Long expiry secrets can lead to unauthorized access for a longer window in case of secret compromise.", "Recommendation": "1. Go to App Registration. 2. Navigate to the app. 3. Go to certificates and secrets and delete any client secrets with expiry more than 90 days", "Tags": [ "SDL", "TCP", "Automated", "AuthN" ], "Enabled": true }, { "ControlID": "AAD_AppRegistration_AuthZ_Minimize_Permissions_Requested", "Description": "App Registrations should request the least permissions needed to various resources", "Id": "App230", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckAppUsesMiniminalPermissions", "Rationale": "Apps should only require the least needed permission possible to prevent risky unauthorized access to enterprise resources. App permissions are riskier than delegated permissions as these do not require user consent.", "Recommendation": "1. Go to App Registration. 2. Navigate to the app. 3. Go to API permissions and remove any risky permissions.", "Tags": [ "SDL", "TCP", "Automated", "AuthZ", "RBAC" ], "Enabled": true }, { "ControlID": "AAD_AppRegistration_AuthN_Do_Not_Allow_Long_Expiry_Secrets_For_Orphaned_Apps", "Description": "App Registrations with no owners should not have long expiry secrets.", "Id": "App260", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckOrphanedAppDoesNotHaveLongExpirySecrets", "Rationale": "Apps without any ownership can either be legacy apps no longer being used or app whose owners have left the organization. If client secrets with secret expiry of more than 90 days are associated this could lead to a longer attack window of app compromise outside the enterprise. Ensuring enterprise security hygiene, either the app or the secret should be deleted and proper ownership should be defined.", "Recommendation": "1. Go to App Registration. 2. Navigate to the app. 3. Go to certificates and secrets and delete any client secrets with expiry more than 90 days. 4. Either delete the app or provide ownership to the apps.", "Tags": [ "SDL", "TCP", "Automated", "AuthN" ], "Enabled": true }, { "ControlID": "AAD_AppRegistration_AuthZ_Enable_App_Instance_Lock", "Description": "Multi-tenant apps should have app instance lock enabled on all properties.", "Id": "App270", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckAppInstanceLock", "Rationale": "App instance property lock prevents owners of Enterprise Applications in other tenants from creating credentials of the SPN. The credentials can allow misuse of SPNs to gain unauthorized access to critical Enterprise data.", "Recommendation": "1. Go to App Registration. 2. Navigate to the app. 3. Go to Authentication under Manage. 4. Enable app instance property lock.", "Tags": [ "SDL", "TCP", "Automated", "AuthZ" ], "Enabled": true } ] } |