APP-06 | High | Enhanced Security
Third-Party Enterprise App Permissions
Workload Identity & Applications control for Microsoft 365 and Entra ID
Why This Control Matters
Third-party enterprise apps are applications from external vendors that you consented to but do not control. These apps pose supply chain risk - a compromised vendor could access your tenant data. Review vendor security certifications and limit permissions to minimum necessary.
Expected State
When this control is compliant, your tenant should meet these criteria:
1. Third-party enterprise apps with elevated permissions are identified and reviewed
2. External vendor apps with Directory.ReadWrite.All, Mail.ReadWrite.All are flagged
3. Each third-party app with elevated permissions has documented vendor assessment
4. Quarterly review of third-party app permissions is conducted
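The four criteria above can be checked together over an export of the tenant's service principals and app role assignments. The following is an added example, not TrueConfig's own code: it assumes input shaped like Microsoft Graph servicePrincipal and appRoleAssignment objects, and all IDs, app names, dates and the 92-day reading of "quarterly" are constructed for illustration. It treats every owner tenant other than the home tenant as external, so Microsoft-owned apps would need an allow list in practice.

```python
from datetime import date

ELEVATED = {"Directory.ReadWrite.All", "Mail.ReadWrite.All"}  # names listed on the page
REVIEW_MAX_AGE_DAYS = 92  # assumption: "quarterly" read as at most 92 days

def audit_third_party_apps(sps, assignments, home_tenant, assessments, today):
    """Flag externally owned apps holding elevated application permissions."""
    by_id = {sp["id"]: sp for sp in sps}
    # Resolve (resource service principal, appRoleId) to a permission name.
    role_name = {(sp["id"], r["id"]): r["value"]
                 for sp in sps for r in sp.get("appRoles", [])}
    granted = {}
    for a in assignments:
        name = role_name.get((a["resourceId"], a["appRoleId"]))
        if name in ELEVATED and a["principalId"] in by_id:
            granted.setdefault(a["principalId"], set()).add(name)
    findings = []
    for sp_id in sorted(granted):
        sp = by_id[sp_id]
        if sp.get("appOwnerOrganizationId") == home_tenant:
            continue  # registered in this tenant, so not a vendor app
        reviewed = assessments.get(sp["appId"])  # date of last vendor assessment
        if reviewed is None:
            status = "no vendor assessment"
        elif (today - reviewed).days > REVIEW_MAX_AGE_DAYS:
            status = "review overdue"
        else:
            status = "compliant"
        findings.append((sp["displayName"], sorted(granted[sp_id]), status))
    return findings

# Constructed sample data; every ID, name and date below is made up.
HOME, VENDOR, TODAY = "tenant-home", "tenant-vendor", date(2025, 7, 1)
GRAPH = {"id": "sp-graph", "appId": "app-graph", "displayName": "Graph",
         "appOwnerOrganizationId": "tenant-ms",
         "appRoles": [{"id": "r1", "value": "Directory.ReadWrite.All"},
                      {"id": "r2", "value": "Mail.ReadWrite.All"},
                      {"id": "r3", "value": "User.Read.All"}]}
def _sp(n, name, owner):
    return {"id": f"sp-{n}", "appId": f"app-{n}", "displayName": name,
            "appOwnerOrganizationId": owner}
SPS = [GRAPH, _sp(1, "Vendor Backup", VENDOR), _sp(2, "Vendor Archiver", VENDOR),
       _sp(3, "Vendor Reporting", VENDOR), _sp(4, "Vendor Sync", VENDOR),
       _sp(5, "Payroll Internal", HOME)]
ASSIGNMENTS = [{"principalId": f"sp-{n}", "resourceId": "sp-graph", "appRoleId": r}
               for n, r in [(1, "r1"), (2, "r2"), (3, "r3"), (4, "r1"), (4, "r2"), (5, "r1")]]
ASSESSMENTS = {"app-2": date(2025, 1, 10), "app-4": date(2025, 6, 1)}

if __name__ == "__main__":
    for row in audit_third_party_apps(SPS, ASSIGNMENTS, HOME, ASSESSMENTS, TODAY):
        print(row)
```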
Enforcement
Default Mode: Advisory. Alerts on deviations but does not make changes.
Auto-Remediation: Manual Only. Review flagged third-party applications, verify vendor security posture, and document justification.