Hello again! I’m Jeff Sakowicz, Principal Program Management Lead for Application Platform Security within the Microsoft Identity team. Our team’s goal is to foster a secure, trustworthy, and thriving app ecosystem. Part of achieving this goal is enabling apps to support a Zero Trust security model.
This is the second post in our series on why Zero Trust matters for developers. In the previous post, I introduced the Zero Trust principles and how they apply to identity and access management. In this post, I will focus on how you can design apps using the principle of least privileged access with the Microsoft identity platform.
Why should you care about using least privileged access?
In short, by limiting what your app has permission to do, you reduce the potential blast radius of attacks and increase adoption of your apps by customers. In our experience, IT administrators are applying more scrutiny when reviewing permission being requested by applications and deciding whether to grant a given app permissions. When you create an app that asks for a lot of permissions, it will be less likely to be approved or could be denied altogether.
What is overprivilege and what is an overprivileged app?
When an entity asks for, and in some cases is granted, more permissions than it needs, we call it “overprivileged.” In this post we will focus exclusively on overprivileged applications with respect to OAuth2.0 permissions in the Microsoft Identity platform and use example scenarios of client apps that call the Microsoft Graph API. That said, principles in this blog do apply to other permission models and APIs – we’ll cover this more in future posts.
Overprivilege occurs when an app has requested and been granted unused or reducible permissions:
- Unused permission: Permission that is not necessary at all for the desired tasks. For example, a calendar app that obtains the Files.ReadWrite.All permission but doesn’t integrate with any Files APIs has unused permissions.
- Reducible permission: Permission that has a lower-privileged alternative that would still provide the access for required tasks. For example, consider an application that needs to read files from the signed-in user’s OneDrive, but never needs to create new files or modify existing ones. If this app has requested and been granted Files.ReadWrite.All, it has a reducible permission. Instead, it should be requesting Files.Read.
What are the goals in combatting overprivileged apps?
There are three main goals for us in the Microsoft Identity team in terms of combatting overprivileged apps:
- Help developers to build trustworthy apps that are adopted smoothly by avoiding excessive permissions, since requesting unnecessary privileges creates friction with users, IT, and policies applied to app consent within an environment.
- Help IT Admins and other decision makers understand how to identify, request, and grant least privileged permissions in their organization to limit overprivileged apps.
- Prevent attackers from gaining elevated privileges that increase the scope of compromise and enable lateral movement within an environment.
How can you ensure your apps become least privileged?
Here are three high level best practices for developers and IT Admins to keep in mind when thinking about adhering to the least privileged principle for applications:
- Prevent overprivilege by avoiding unused and reducible permissions. Fully understand the permissions required for the API calls that your application needs to make, and only request what is necessary to enable your scenario.
- Audit the privileges that have been previously granted to existing apps in your app portfolio on a regular basis, identifying opportunities for privilege reduction or removal. This means IT admins audit the permissions consent granted to apps within their tenant and developers review the permissions that their apps are requesting.
- Remediate by updating apps to stop requesting unused and reducible permissions and revoke previously granted permissions that are no longer necessary.
Microsoft has tools that help you with this process. For example, when you can use Graph Explorer to determine the Microsoft Graph API calls you need to make in order to enable your scenario. Then, you can find the corresponding permissions from least to most privileged for Microsoft Graph by using this handy permissions reference.
Learn more about specific steps in the documentation here: https://aka.ms/least-privilege.
How to start building Zero Trust readiness
To even learn more, check out the new guidance for developers we’ve published to the Zero Trust Guidance Center. It includes new development and integration resources for developing Zero Trust-ready apps.
For more details, read the full whitepaper for developers that can be downloaded here: Zero Trust for the Microsoft Identity developer
Learn more about Microsoft identity:
