365 Application Role Grants

Alert title: “Application Role Grants”

Description: Alerts if a new Application Grant (“Enterprise Application” in 365) is detected. Users can grant applications access without Administrator permission. A grant is considered ‘new’ if it was added within the Maximum Retrospective period.

Options:

  • It is possible to ignore application role grants by Application Display Name
  • It is possible to ignore application role grants by Application ID
  • It is possible to ignore any application grants by specific users

The problem: This alert is triggered if a new application is given access to the tenancy by one of the users.

Impact: If the application has been granted permission, then access to your tenancy may be gained without other ongoing authorisations (such as explicit permission, or MFA). This is effectively ‘silent’ access in the background without you being aware.

Suggested steps: Engage a technician to confirm that the alert is accurate. Investigate and confirm whether the grant is malicious or otherwise. Investigate the permissions and make sure they are the minimal required.
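
Example (added here, not the product's own detection code): the Python below applies the Maximum Retrospective window and the three ignore options to a list of grant records, then lists any scopes beyond an approved baseline for the minimal-permissions check. The record fields, sample data, helper names and baseline are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

def new_role_grants(grants, now, max_retrospective,
                    ignore_names=(), ignore_app_ids=(), ignore_users=()):
    """Return the grants that are 'new' and not covered by an ignore option."""
    names = {n.casefold() for n in ignore_names}
    app_ids = {a.casefold() for a in ignore_app_ids}
    users = {u.casefold() for u in ignore_users}
    cutoff = now - max_retrospective
    hits = []
    for g in grants:
        if not cutoff <= g["granted_at"] <= now:
            continue  # outside the Maximum Retrospective period
        if (g["app_name"].casefold() in names
                or g["app_id"].casefold() in app_ids
                or g["granted_by"].casefold() in users):
            continue  # suppressed by display name, application ID or user
        hits.append(g)
    return sorted(hits, key=lambda g: g["granted_at"], reverse=True)

def excess_scopes(grant, approved):
    """Scopes granted beyond an approved per-app baseline (hypothetical input)."""
    return sorted(set(grant["scopes"]) - set(approved.get(grant["app_id"], ())))

# Constructed sample data; field names, IDs and addresses are made up.
NOW = datetime(2024, 5, 10, 12, 0, tzinfo=timezone.utc)
def _g(name, app_id, user, hours_ago, scopes):
    return {"app_name": name, "app_id": app_id, "granted_by": user,
            "granted_at": NOW - timedelta(hours=hours_ago), "scopes": scopes}

SAMPLE = [
    _g("Mail Sync Helper", "11111111-0000-0000-0000-000000000001",
       "alice@example.com", 2, ["Mail.Read", "offline_access", "User.Read"]),
    _g("Approved CRM", "11111111-0000-0000-0000-000000000002",
       "bob@example.com", 24, ["User.Read"]),
    _g("Legacy Tool", "11111111-0000-0000-0000-000000000003",
       "carol@example.com", 24 * 30, ["Files.Read.All"]),
    _g("Calendar Add-in", "11111111-0000-0000-0000-000000000004",
       "dave@example.com", 5, ["Calendars.Read"]),
    _g("Deploy Test App", "11111111-0000-0000-0000-000000000005",
       "svc-deploy@example.com", 3, ["User.Read"]),
]

if __name__ == "__main__":
    opts = dict(ignore_names=["approved crm"], ignore_users=["svc-deploy@example.com"],
                ignore_app_ids=["11111111-0000-0000-0000-000000000004"])
    for g in new_role_grants(SAMPLE, NOW, timedelta(days=7), **opts):
        print(g["granted_at"].isoformat(), g["app_name"], g["granted_by"],
              excess_scopes(g, {g["app_id"]: ["User.Read"]}))
```

Matching is case-insensitive so that an ignore entry still applies when the display name or user principal name differs only in case.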