APP-06: Third-Party Enterprise App Permissions

Overview

Third-party enterprise apps are applications from external vendors that appear in your Enterprise applications blade because you or an administrator consented to them. You do not own the code and cannot control how these applications are developed or maintained. This creates supply chain risk: a compromised or malicious vendor could use elevated permissions to access your tenant data.

This control requires identifying all third-party enterprise apps with elevated permissions, conducting vendor security assessments, and reviewing permissions quarterly to ensure external apps hold only the minimum access necessary.

"Third-party enterprise apps are applications from external vendors that you consented to but do not control. These apps pose supply chain risk -- a compromised vendor could access your tenant data. Review vendor security certifications and limit permissions to minimum necessary."

Note: This control covers external vendor apps only. For internal app registrations that your organization created and controls, see APP-03: Internal App Registration Permissions.

Prerequisites

Required Roles

  • Global Administrator - Full access to review and modify enterprise app permissions
  • Application Administrator - Can review permissions on most enterprise apps
  • Cloud Application Administrator - Can review permissions (excluding app proxy apps)
  • Privileged Role Administrator - Required for reviewing role management permissions

Required Licenses

  • Microsoft Entra ID (any tier)

Time Estimate

  • Initial Audit: 45-60 minutes
  • Per-App Vendor Assessment: 15-30 minutes
  • Quarterly Review: 30-45 minutes

Step-by-Step Instructions

Step 1: Identify Third-Party Enterprise Apps

Third-party enterprise apps are found under Enterprise applications and do not have a corresponding App registration owned by your organization. Microsoft first-party services (for example, "Office 365 Exchange Online" or "Microsoft Graph") are excluded from this control. Focus on external vendor applications.

  1. Navigate to Microsoft Entra admin center (https://entra.microsoft.com)
  2. Go to Identity > Applications > Enterprise applications
  3. Set the Application type filter to Enterprise applications
  4. Exclude apps where Publisher is "Microsoft"
  5. Document all remaining external vendor apps

Distinguishing internal from third-party apps: If an app appears in App registrations under your organization's ownership, it is an internal app governed by APP-03. If it appears only in Enterprise applications with an external publisher, it is a third-party app governed by this control.

Step 2: Flag High-Privilege Permissions

For each external vendor app, review the API permissions granted under the Permissions tab. Flag apps that hold any of the following:

Permissions Requiring Vendor Assessment

Permission                            | Risk | Description
--------------------------------------|------|----------------------------------------------
Directory.ReadWrite.All               | High | Full read/write access to Entra ID directory
Mail.ReadWrite.All                    | High | Read and write all tenant mailboxes
RoleManagement.ReadWrite.Directory    | High | Assign or remove any admin role
AppRoleAssignment.ReadWrite.All       | High | Grant additional permissions at runtime
Files.ReadWrite.All (Application)     | High | Access all OneDrive and SharePoint files
User.ReadWrite.All (Application)      | High | Modify all user accounts

Audit via PowerShell

Connect-MgGraph -Scopes "Application.Read.All", "Directory.Read.All"

$flaggedPermissions = @(
    "Directory.ReadWrite.All",
    "Mail.ReadWrite.All",
    "RoleManagement.ReadWrite.Directory",
    "AppRoleAssignment.ReadWrite.All",
    "Files.ReadWrite.All",
    "User.ReadWrite.All",
    "Group.ReadWrite.All",
    "Sites.ReadWrite.All"
)

# Collect owned app IDs to exclude internal apps
$ownedAppIds = (Get-MgApplication -All).AppId

# Get Microsoft Graph SP for permission resolution
$graphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"

# Microsoft's tenant ID -- exclude Microsoft first-party services
$microsoftTenantId = "f8cdef31-a31e-4b4a-93e4-5f571e91255a"

$results = @()

$servicePrincipals = Get-MgServicePrincipal -All | Where-Object {
    $_.AppId -notin $ownedAppIds -and
    $_.AppOwnerOrganizationId -ne $microsoftTenantId
}

foreach ($sp in $servicePrincipals) {
    # App role assignments held BY this service principal (application permissions)
    $appRoles = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id

    foreach ($role in $appRoles) {
        # Only Microsoft Graph roles are resolved below; assignments on other resource
        # APIs (Exchange Online, SharePoint) use different role IDs and are skipped here
        if ($role.ResourceId -ne $graphSp.Id) { continue }

        $permission = $graphSp.AppRoles | Where-Object { $_.Id -eq $role.AppRoleId }

        if ($permission.Value -in $flaggedPermissions) {
            $results += [PSCustomObject]@{
                VendorApp         = $sp.DisplayName
                Publisher         = $sp.PublisherName
                AppId             = $sp.AppId
                ServicePrincipalId = $sp.Id
                VerifiedPublisher = $sp.VerifiedPublisher.DisplayName
                Permission        = $permission.Value
                # Assignment ID is what Remove-MgServicePrincipalAppRoleAssignment needs in Step 4
                AssignmentId      = $role.Id
                GrantedOn         = $role.CreatedDateTime
            }
        }
    }
}

$results | Export-Csv -Path "ThirdPartyApps-HighPrivPermissions.csv" -NoTypeInformation
$results | Format-Table -AutoSize
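The audit above covers application permissions (app role assignments) only. A vendor app can also hold delegated scopes through OAuth2 permission grants, which an administrator may have consented to for every user in the tenant. The following script is an added example, not part of the APP-06 control text; it reuses the same exclusion logic and adds a delegated-grant pass. The list in `$flaggedScopes` is this example's own choice of delegated scopes to flag.

```powershell
# Added example: audit delegated (OAuth2) permission grants held by third-party apps.
# Not part of the APP-06 control script; $flaggedScopes is this example's own list.
Connect-MgGraph -Scopes "Application.Read.All", "Directory.Read.All"

# Delegated scopes act on behalf of the signed-in user; tenant-wide (admin) grants matter most
$flaggedScopes = @(
    "Directory.ReadWrite.All",
    "Mail.ReadWrite",
    "Mail.ReadWrite.Shared",
    "Files.ReadWrite.All",
    "User.ReadWrite.All",
    "Group.ReadWrite.All",
    "Sites.ReadWrite.All"
)

$microsoftTenantId = "f8cdef31-a31e-4b4a-93e4-5f571e91255a"
$ownedAppIds       = (Get-MgApplication -All).AppId

# Index service principals by object id: oauth2PermissionGrant.ClientId and .ResourceId
# are service principal OBJECT ids, not application (client) ids
$spById = @{}
Get-MgServicePrincipal -All | ForEach-Object { $spById[$_.Id] = $_ }

$findings = foreach ($grant in Get-MgOauth2PermissionGrant -All) {
    $client = $spById[$grant.ClientId]
    if (-not $client) { continue }

    # Skip internal app registrations (APP-03) and Microsoft first-party services
    if ($client.AppId -in $ownedAppIds) { continue }
    if ($client.AppOwnerOrganizationId -eq $microsoftTenantId) { continue }

    $resource     = $spById[$grant.ResourceId]
    $resourceName = if ($resource) { $resource.DisplayName } else { $grant.ResourceId }

    # Scope is one space-separated string, e.g. "User.Read Mail.ReadWrite offline_access"
    foreach ($scope in ($grant.Scope -split ' ' | Where-Object { $_ })) {
        if ($scope -in $flaggedScopes) {
            [PSCustomObject]@{
                VendorApp   = $client.DisplayName
                AppId       = $client.AppId
                Resource    = $resourceName
                Scope       = $scope
                # AllPrincipals = admin consent for every user; Principal = one user's own consent
                ConsentType = $grant.ConsentType
                PrincipalId = $grant.PrincipalId
                GrantId     = $grant.Id
            }
        }
    }
}

$findings | Sort-Object ConsentType, VendorApp |
    Export-Csv -Path "ThirdPartyApps-DelegatedGrants.csv" -NoTypeInformation
$findings | Format-Table -AutoSize
```

Rows with ConsentType `AllPrincipals` are the ones to treat like the application permissions in the table above: they were granted by an administrator and apply to every user who signs in to the vendor app. `GrantId` is the value `Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId` expects if a delegated grant is later revoked.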

Step 3: Conduct Vendor Security Assessment

For each external vendor app holding elevated permissions, document a vendor assessment:

Assessment Item                   | How to Verify
----------------------------------|-------------------------------------------------------------
Vendor name and product           | Enterprise app properties, vendor website
Publisher verification status     | Check Verified publisher badge in Entra
Security certifications           | SOC 2 Type II, ISO 27001, CSA STAR, or equivalent
Data processing agreement         | Confirm a DPA or GDPR processing agreement is in place
Breach notification policy        | Review vendor security documentation
Minimum permissions justification | Can the vendor function with fewer permissions?
Business owner                    | Who in your organization approved this vendor?
Last reviewed date                | Record the review

Vendors holding Directory.ReadWrite.All, RoleManagement.ReadWrite.Directory, or Mail.ReadWrite.All should present current security certifications before elevated permissions are retained.

Step 4: Reduce Permissions to Minimum Necessary

Contact the vendor to request a reduction before revoking permissions unilaterally, as removing required permissions may break the integration.

Preferred Reduction Paths

Broad Permission        | Preferred Alternative
------------------------|--------------------------------------------------------------------------
Mail.ReadWrite.All      | Mail.ReadWrite.Shared + Application Access Policy scoped to required mailboxes
Files.ReadWrite.All     | Sites.Selected for specific SharePoint sites only
Directory.ReadWrite.All | Specific read/write scopes limited to the object types required
User.ReadWrite.All      | User.Read.All if write access is not actually used

Revoke a Permission via PowerShell

Connect-MgGraph -Scopes "AppRoleAssignment.ReadWrite.All"

# Both values come from the Step 2 audit CSV (ServicePrincipalId and AssignmentId columns)
$servicePrincipalId  = "vendor-app-service-principal-id"
$appRoleAssignmentId = "assignment-id-from-audit"

Remove-MgServicePrincipalAppRoleAssignment `
    -ServicePrincipalId $servicePrincipalId `
    -AppRoleAssignmentId $appRoleAssignmentId

Write-Host "Permission revoked"

Restrict Vendor Mail Access to Specific Mailboxes

Connect-ExchangeOnline

# Application Access Policies require a mail-enabled security group as the scope
New-DistributionGroup -Name "VendorApp-MailboxAccess" -Type Security
Add-DistributionGroupMember -Identity "VendorApp-MailboxAccess" -Member "service@contoso.com"

# The policy limits the app's APPLICATION permissions (Mail.Read, Mail.ReadWrite, Mail.Send, etc.)
# to the group's members; it does not affect delegated access
New-ApplicationAccessPolicy `
    -AppId "vendor-app-id" `
    -PolicyScopeGroupId "VendorApp-MailboxAccess" `
    -AccessRight RestrictAccess `
    -Description "Restrict vendor app to approved mailboxes only"

# Expect AccessCheckResult "Granted" for the approved mailbox and "Denied" for any other
Test-ApplicationAccessPolicy -Identity "service@contoso.com" -AppId "vendor-app-id"
Test-ApplicationAccessPolicy -Identity "ceo@contoso.com" -AppId "vendor-app-id"
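The Files.ReadWrite.All to Sites.Selected row in the reduction table is the one most often applied in practice, and it is a three-part change: grant the narrow role, grant access to the individual site, then remove the broad role. The script below is an added example, not the control's own procedure; the site path, `$vendorAppId` and the `write` role are placeholders chosen for illustration, and it assumes the Microsoft.Graph.Sites and Microsoft.Graph.Applications modules are installed.

```powershell
# Added example: move a vendor app from Files.ReadWrite.All to Sites.Selected on one site.
# Not part of the APP-06 control text; $vendorAppId and $siteIdentifier are placeholders.
Connect-MgGraph -Scopes "Application.Read.All", "AppRoleAssignment.ReadWrite.All", "Sites.FullControl.All"

$vendorAppId    = "vendor-app-id"                             # placeholder: vendor's application (client) id
$siteIdentifier = "contoso.sharepoint.com:/sites/VendorData"  # placeholder: host:/sites/<name> form

$graphSp  = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
$vendorSp = Get-MgServicePrincipal -Filter "appId eq '$vendorAppId'"
if (-not $vendorSp) { throw "No service principal found for app id $vendorAppId" }

# 1. Grant Sites.Selected; on its own it gives access to no site at all
$sitesSelected = $graphSp.AppRoles | Where-Object { $_.Value -eq "Sites.Selected" }
New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $vendorSp.Id `
    -PrincipalId $vendorSp.Id -ResourceId $graphSp.Id -AppRoleId $sitesSelected.Id | Out-Null

# 2. Grant the vendor app access to exactly one site (roles: read, write, or fullcontrol)
$site = Get-MgSite -SiteId $siteIdentifier
New-MgSitePermission -SiteId $site.Id -BodyParameter @{
    roles               = @("write")
    grantedToIdentities = @(
        @{ application = @{ id = $vendorAppId; displayName = $vendorSp.DisplayName } }
    )
} | Out-Null

# 3. Remove the broad Files.ReadWrite.All assignment now that the scoped grant exists
$filesAll = $graphSp.AppRoles | Where-Object { $_.Value -eq "Files.ReadWrite.All" }
Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $vendorSp.Id |
    Where-Object { $_.AppRoleId -eq $filesAll.Id -and $_.ResourceId -eq $graphSp.Id } |
    ForEach-Object {
        Remove-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $vendorSp.Id -AppRoleAssignmentId $_.Id
        Write-Host "Removed Files.ReadWrite.All assignment $($_.Id)"
    }

# 4. Confirm which applications now hold site-level grants on this site
Get-MgSitePermission -SiteId $site.Id |
    Select-Object Id, Roles, @{ n = "App"; e = { $_.GrantedToIdentities.Application.DisplayName } }
```

Do step 3 only after the vendor has confirmed the integration works against the scoped grant. Access tokens the vendor already holds keep their original permission claims until they expire, so a test immediately after the change may still succeed against other sites; re-test after the token lifetime has passed.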

Step 5: Establish Quarterly Review Cadence

APP-06 requires quarterly review of all third-party enterprise apps with elevated permissions.

At each quarterly review:

  1. Re-run the PowerShell audit to detect newly consented apps or permission changes
  2. Re-verify that vendor security certifications are current (certifications expire)
  3. Remove access for any vendor relationship that has ended
  4. Confirm that permissions still reflect an integration in active use

Review Item                  | Frequency
-----------------------------|----------------------
Full third-party app audit   | Quarterly
Newly consented external apps| At consent time
Terminated vendor cleanup    | At contract end
Certification expiry check   | Annually (minimum)
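Step 1 of the quarterly review ("re-run the audit to detect newly consented apps or permission changes") is easiest when this quarter's CSV is diffed against the previous one rather than read from scratch. The function below is an added example, not part of the control text; it keys on the `AppId` and `Permission` columns of the Step 2 audit output and the two sample data sets at the bottom are constructed so the block runs offline.

```powershell
# Added example: diff two quarterly audit outputs. Not part of the APP-06 control text.
# Expects rows with at least AppId, VendorApp and Permission columns (the Step 2 CSV shape).
function Compare-QuarterlyAudit {
    param(
        [Parameter(Mandatory)] [object[]] $Previous,   # rows from last quarter (Import-Csv output)
        [Parameter(Mandatory)] [object[]] $Current     # rows from this quarter
    )
    # One entry per (app, permission); display-name changes do not count as changes
    $keyOf = { param($row) "$($row.AppId)|$($row.Permission)" }

    $prevByKey = @{}
    foreach ($row in $Previous) { $prevByKey[(& $keyOf $row)] = $row }
    $currByKey = @{}
    foreach ($row in $Current)  { $currByKey[(& $keyOf $row)] = $row }

    $prevApps = @($Previous | Select-Object -ExpandProperty AppId -Unique)

    foreach ($key in $currByKey.Keys) {
        if ($prevByKey.ContainsKey($key)) { continue }
        $row = $currByKey[$key]
        # An app seen last quarter with a new grant is a permission change; an unseen app is a new consent
        $change = if ($row.AppId -in $prevApps) { "NewGrant" } else { "NewApp" }
        [PSCustomObject]@{ Change = $change; VendorApp = $row.VendorApp; AppId = $row.AppId; Permission = $row.Permission }
    }
    foreach ($key in $prevByKey.Keys) {
        if ($currByKey.ContainsKey($key)) { continue }
        $row = $prevByKey[$key]
        [PSCustomObject]@{ Change = "Removed"; VendorApp = $row.VendorApp; AppId = $row.AppId; Permission = $row.Permission }
    }
}

# Constructed sample data standing in for two quarterly CSV exports
$lastQuarter = @"
VendorApp,AppId,Permission
Contoso Backup,11111111-1111-1111-1111-111111111111,Files.ReadWrite.All
Contoso Backup,11111111-1111-1111-1111-111111111111,User.ReadWrite.All
Fabrikam HR Sync,22222222-2222-2222-2222-222222222222,Directory.ReadWrite.All
"@ | ConvertFrom-Csv

$thisQuarter = @"
VendorApp,AppId,Permission
Contoso Backup,11111111-1111-1111-1111-111111111111,Files.ReadWrite.All
Contoso Backup,11111111-1111-1111-1111-111111111111,Mail.ReadWrite.All
Tailspin Chat,33333333-3333-3333-3333-333333333333,RoleManagement.ReadWrite.Directory
"@ | ConvertFrom-Csv

# Expected: NewGrant (Contoso Backup, Mail.ReadWrite.All), NewApp (Tailspin Chat),
# Removed (Contoso Backup User.ReadWrite.All) and Removed (Fabrikam HR Sync)
Compare-QuarterlyAudit -Previous $lastQuarter -Current $thisQuarter | Sort-Object Change | Format-Table -AutoSize

# Real use: keep each quarter's export under a dated name and diff the latest two, e.g.
# Compare-QuarterlyAudit -Previous (Import-Csv "ThirdPartyApps-2024Q4.csv") -Current (Import-Csv "ThirdPartyApps-HighPrivPermissions.csv")
```

`NewApp` rows are candidates for a vendor assessment (Step 3); `NewGrant` rows on an already-assessed vendor mean the assessment's permission justification needs updating; `Removed` rows for a vendor still under contract are worth confirming with the business owner, since an unexplained removal may mean the integration was re-registered under a different app id.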

Verification Checklist

  • All third-party enterprise apps with elevated permissions are identified
  • External vendor apps are distinguished from internal app registrations (APP-03)
  • Apps holding Directory.ReadWrite.All or Mail.ReadWrite.All are flagged and assessed
  • Each third-party app with elevated permissions has a documented vendor security assessment
  • Vendors have current security certifications on file where required
  • Permissions are reduced to minimum necessary; Application Access Policies applied where applicable
  • Quarterly review schedule is established and the first review is complete
  • Terminated vendor apps have been removed or disabled
  • Review findings are recorded in your ITSM or vendor inventory

Troubleshooting

Issue: Cannot determine whether an enterprise app is internal or third-party

Cause: The distinction between owned app registrations and consented third-party apps is not always obvious in the UI.

Solution:

  1. Navigate to App registrations > All applications
  2. Search by the app's display name
  3. If you find a matching app registration owned by your organization, it is internal (APP-03)
  4. If no owned registration exists, the app is a third-party enterprise app governed by this control

Issue: Cannot find security certifications for a vendor

Cause: Smaller vendors may not publish certifications publicly.

Solution:

  1. Contact the vendor's security or compliance team directly
  2. Request their latest SOC 2 report, ISO 27001 certificate, or equivalent
  3. If the vendor cannot provide any security documentation, treat the risk as elevated
  4. Document the gap in your vendor assessment and escalate to your risk owner

Issue: Vendor states the broad permission is required for the integration to function

Cause: Some vendor integrations were designed with overly broad permissions.

Solution:

  1. Raise the issue with the vendor; many will support scoped alternatives on request
  2. If a broad permission is unavoidable, document the business justification and obtain explicit risk acceptance
  3. Implement compensating controls: Application Access Policy, enhanced audit logging, Conditional Access for workload identities
  4. Schedule a reassessment when the vendor updates their integration

Issue: Cannot revoke a permission -- "Insufficient privileges"

Cause: You may lack the required admin role, or the permission was granted by a higher-privilege admin.

Solution:

  1. Ensure you have Global Administrator or Application Administrator role
  2. For permissions involving role management, you also need Privileged Role Administrator
  3. Check whether the app is a protected Microsoft first-party service

Issue: Revoked permission reappears

Cause: A user or administrator re-consented to the application.

Solution:

  1. Restrict user consent to prevent users from re-consenting (see APP-08)
  2. Configure the admin consent workflow to require explicit approval for future grants (see APP-04)
  3. Document the permission as "denied" and monitor audit logs for re-consent events
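Step 3 above says to monitor audit logs for re-consent events. The Entra directory audit log records these under the ApplicationManagement category with activity names such as "Consent to application" and "Add app role assignment to service principal". The script below is an added example, not part of the control text; it pulls those events for the last 30 days (a window chosen for illustration) and reports who granted what to which app, so a reappearing permission can be traced to its source.

```powershell
# Added example: trace consent and permission-grant events in the directory audit log.
# Not part of the APP-06 control text; the 30-day window and $consentActivities list are this example's choices.
Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All"

$since = (Get-Date).ToUniversalTime().AddDays(-30).ToString("yyyy-MM-ddTHH:mm:ssZ")
$consentActivities = @(
    "Consent to application",                          # user or admin consent in the portal/prompt
    "Add app role assignment to service principal",    # application permission granted
    "Add delegated permission grant"                   # delegated scopes granted
)

$events = Get-MgAuditLogDirectoryAudit -All `
    -Filter "activityDateTime ge $since and category eq 'ApplicationManagement'" |
    Where-Object { $_.ActivityDisplayName -in $consentActivities }

$report = foreach ($e in $events) {
    # A person consenting shows up as InitiatedBy.User; automated grants show as InitiatedBy.App
    $actor = if ($e.InitiatedBy.User.UserPrincipalName) { $e.InitiatedBy.User.UserPrincipalName }
             else { $e.InitiatedBy.App.DisplayName }
    $target = $e.TargetResources | Where-Object { $_.Type -eq "ServicePrincipal" } | Select-Object -First 1

    [PSCustomObject]@{
        When     = $e.ActivityDateTime
        Activity = $e.ActivityDisplayName
        Actor    = $actor
        App      = $target.DisplayName
        AppObjId = $target.Id
        Result   = $e.Result
    }
}

$report | Sort-Object When -Descending | Format-Table -AutoSize

# Narrow to the app whose permission reappeared (placeholder display name)
$report | Where-Object { $_.App -eq "Vendor App Display Name" } | Format-List
```

An entry whose `Actor` is an ordinary user points at user consent settings (APP-08); an entry initiated by an administrator outside the approved change process points at the admin consent workflow (APP-04). Directory audit retention is limited (30 days on the free tier), so export the report alongside the quarterly audit if it needs to be kept longer.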

Issue: Too many service principals to review manually

Cause: Large environments may have hundreds of consented third-party apps.

Solution:

  1. Use the PowerShell audit script to prioritize by risk level
  2. Focus first on apps with critical permissions (Directory.ReadWrite.All, RoleManagement.ReadWrite.Directory)
  3. Then address apps with no sign-in activity in 90 days (potentially unused)
  4. Address apps with no verified publisher badge last

Related Resources


Last updated: January 2025