How to Fix: Third-Party Enterprise App Permissions
Step-by-step guide to implement third-party enterprise app permissions in your Microsoft 365 environment.
20-30 minutes
Estimated Time
4
Steps
high
Severity
Enhanced Security
Baseline Level
Why This Matters
Third-party enterprise apps are applications from external vendors that you consented to but do not control. These apps pose supply chain risk - a compromised vendor could access your tenant data. Review vendor security certifications and limit permissions to minimum necessary.
Prerequisites
- 1Global Administrator or appropriate admin role in Microsoft Entra ID
- 2Access to Microsoft Entra admin center (entra.microsoft.com)
Expected Configuration
- Third-party enterprise apps with elevated permissions are identified and reviewed
- External vendor apps with Directory.ReadWrite.All, Mail.ReadWrite.All are flagged
- Each third-party app with elevated permissions has documented vendor assessment
- Quarterly review of third-party app permissions is conducted
Remediation Steps
Audit Current Applications
Review the applications in your Entra ID tenant.
- •Navigate to Microsoft Entra admin center
- •Go to Applications > Enterprise applications
- •Review app registrations and permissions
Identify Required Changes
Determine which applications need modification.
- •Compare against expected configuration
- •Identify risky or non-compliant apps
- •Plan remediation approach
Apply Remediation
Make the necessary changes to application configurations.
- •Update consent settings as needed
- •Modify application permissions
- •Configure app governance policies
Verify Compliance
Confirm applications meet security requirements.
- •Run TrueConfig scan
- •Review any remaining findings
- •Document changes made
Related Resources
Automate Your Security Configuration
TrueConfig continuously monitors your Microsoft 365 environment and can automatically fix configuration drift. Start your free trial today.
Start Free Trial