APP-06: Third-Party Enterprise App Permissions
Frequently asked questions about implementing and managing the APP-06 security control in Microsoft 365 and Entra ID.
Q: What is APP-06 (Third-Party Enterprise App Permissions)?
APP-06 is a security control for third-party enterprise apps: applications from external vendors that you consented to but do not control. These apps pose supply chain risk, because a compromised vendor could access your tenant data. Review vendor security certifications and limit permissions to the minimum necessary. The control requires that third-party enterprise apps with elevated permissions are identified and reviewed; that external vendor apps with Directory.ReadWrite.All or Mail.ReadWrite.All are flagged; that each third-party app with elevated permissions has a documented vendor assessment; and that a quarterly review of third-party app permissions is conducted.
Q: Why is Third-Party Enterprise App Permissions important for Microsoft 365 security?
Third-party enterprise apps are applications from external vendors that you consented to but do not control. These apps pose supply chain risk, because a compromised vendor could access your tenant data. Review vendor security certifications and limit permissions to the minimum necessary.
Q: How do I implement APP-06 in my tenant?
APP-06 requires manual implementation. Review flagged third-party applications, verify vendor security posture, and document the justification for each.
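The flagging step that feeds this manual review can be sketched as follows; this is an added example, not code from this page or from Microsoft. It assumes the inputs are exported Microsoft Graph objects (servicePrincipals, appRoleAssignments, oauth2PermissionGrants), and every ID and app name in it is constructed. Microsoft's own first-party apps are also owned by a different tenant, so they appear as external here.

```python
# Added example; all IDs and app names below are constructed sample data.
# Permission names are the ones this page lists; matched case-insensitively.
ELEVATED = {"directory.readwrite.all", "mail.readwrite.all"}

def flag_third_party_apps(tenant_id, service_principals, graph_sp,
                          app_role_assignments, oauth2_grants):
    """Return {app displayName: sorted permissions} for external-vendor apps."""
    # Application permissions are stored as role IDs; resolve them to names.
    role_names = {r["id"]: r["value"] for r in graph_sp["appRoles"]}
    # Third-party: the app registration lives in a different tenant.
    external = {sp["id"]: sp["displayName"] for sp in service_principals
                if sp.get("appOwnerOrganizationId") != tenant_id}
    findings = {}
    for a in app_role_assignments:
        name = role_names.get(a["appRoleId"], "")
        if (a["principalId"] in external and a["resourceId"] == graph_sp["id"]
                and name.lower() in ELEVATED):
            findings.setdefault(external[a["principalId"]], set()).add(
                f"{name} (application)")
    for g in oauth2_grants:
        if g["clientId"] not in external or g["resourceId"] != graph_sp["id"]:
            continue
        for scope in g.get("scope", "").split():  # space-separated scopes
            if scope.lower() in ELEVATED:
                findings.setdefault(external[g["clientId"]], set()).add(
                    f"{scope} (delegated, {g['consentType']})")
    return {app: sorted(perms) for app, perms in findings.items()}

TENANT = "11111111-1111-1111-1111-111111111111"
GRAPH_SP = {"id": "sp-graph", "appRoles": [
    {"id": "role-dir-rw", "value": "Directory.ReadWrite.All"},
    {"id": "role-user-read", "value": "User.Read.All"}]}
SPS = [
    {"id": "sp-vendor", "displayName": "Vendor Backup",
     "appOwnerOrganizationId": "22222222-2222-2222-2222-222222222222"},
    {"id": "sp-crm", "displayName": "Vendor CRM",
     "appOwnerOrganizationId": "33333333-3333-3333-3333-333333333333"},
    {"id": "sp-internal", "displayName": "Internal HR Sync",
     "appOwnerOrganizationId": TENANT}]
ASSIGNMENTS = [
    {"principalId": "sp-vendor", "resourceId": "sp-graph", "appRoleId": "role-dir-rw"},
    {"principalId": "sp-crm", "resourceId": "sp-graph", "appRoleId": "role-user-read"},
    {"principalId": "sp-internal", "resourceId": "sp-graph", "appRoleId": "role-dir-rw"}]
GRANTS = [{"clientId": "sp-crm", "resourceId": "sp-graph",
           "consentType": "AllPrincipals", "scope": "User.Read Mail.ReadWrite.All"}]

if __name__ == "__main__":
    for app, perms in flag_third_party_apps(TENANT, SPS, GRAPH_SP, ASSIGNMENTS, GRANTS).items():
        print(app, perms)
```

Each flagged app and permission pair is one item for the vendor assessment and quarterly review described above.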
Q: What license do I need for APP-06?
This control can be implemented with any Microsoft 365 subscription, including free Azure AD.
Q: Which security baseline includes APP-06?
APP-06 is included in the Enhanced Security baseline (Level 2). This level adds stricter controls for security-conscious organizations.