Security Around Microsoft Azure AD AD "Application Access"

Question

I have successfully configured qn Azure AD App Registration, allowing a client_credentials based OAuth 2.0 flow to work. This allows a third party application to access Microsoft Graph API. The app has "Calendar.Read" permission. Meaning the app can pretty much read any of the calendars (including CEO's).

I now have a conversation with security. What is out there in the Microsoft world, that I can use to lock down usage of API access via this Application Permission? Is there ability to do things like:

• Restrict IP ranges the App can be accessed from?
• Restrict users that can access the App? (However in Client_credentials, there is no user context)
• Log traffic / activity happening via the App?

The only thing i can think of now is to say the Redirect URL configuration on the app means, no other application can get an access token using the Client_credentials, even if the application id & passkey get compromised

Any advice on further security controls that can be put in place?

Answer 1

There are very few options available currently available to offer these controls at token issuance (in Azure AD) or at API access (in Microsoft Graph). However, you can achieve similar results by carefully managing access to the app's credentials. Here are a couple steps you can take (not exhaustive):

App credentials: keep them secret, keep them safe

Use Key Vault. You can configure many of the restrictions you mention for access to data in Key Vault, including IP ranges and which users access. Key Vault also offers auditing of access to secrets. Don't forget to also be careful about which users have management access to the Key Vault (e.g. other users with access to the same Azure subscription).

Use certificates (public/private key pair), rather than client secrets (passwords), to authenticate the app. People tend to manage certificates much more carefully than they manage shared passwords, and developers are much less likely to hard-code the secret into scripts/code.

Be careful and deliberate about which users can manage the app's credentials

This is often overlooked. A user (or another app) who can access existing credentials, or add a new authorized credential to an app can act as the app and (mis)use all the permissions the app has been granted. This includes:

• Users (and apps) in the "Company Administrator", "Application Administrator" and "Cloud Application Administrator" directory roles.
• Users who are set as owners of the app registration (Application object) and enterprise app (ServicePrincipal object) for the app.
• Users (or systems) who have access to the server or service the application resides on (which will have, or have access to, the credentials).

For all of these cases, ensure this is the smallest possible number of users, and they actually have a legitimate need. For users who do need access, wherever possible enforce just-in-time, time-limited access (not persistent access), such as with Azure AD Privileged Identity Management, for time-bound, just-in-time access for Azure AD directory roles and Azure resources.

Answer 2

Restricting access: You would need to do this in your application. The Client Credential flow doesn't allow for restricting what users as you point out. However there is nothing stopping you from adding user authentication to your application, possibly using a delegated graph auth flow to determine who they are.

IP Ranges: This is not possible currently.

Logging Traffic: This is not possible on the graph side currently, however you could/should log traffic on your applications side.

Redirect urls will not help you because they are not used int eh client credential flow.

In general application only auth (client credential flow) + a broad authorization scope is very powerful, but must be managed correctly. You don't inadvertently want to build a totally new users/permissions model over the top of the graph :)