1. What Are Entra Enterprise Applications?
In Microsoft Entra ID (formerly Azure AD), Enterprise Applications represent the service principals, the actual instances of applications that live inside your tenant.
When you integrate an app (like Salesforce, ServiceNow, or a custom internal API) with Entra, you’re essentially giving it an identity so it can authenticate and access resources securely.
Think of it like this:
- App registrations define what the app is.
- Enterprise applications define how that app behaves in your tenant, including what it can access and who can use it. Sometimes called an enterprise application, or enterprise app, it provides the application with an identity to take action within a tenant where the application is added.

They hold the permissions (delegated or application-level), consent records, and configuration that determine how data flows between your tenant and external systems.
2. Why Securing Enterprise Applications Is a Big Deal
Enterprise apps can be your best friend or your biggest liability, depending on how well you control their permissions.
a. Over-Privileged Apps = Attack Surface
It’s common for apps to be granted broad permissions like Directory.ReadWrite.All or User.Read.All “just to make it work.”
But every unnecessary permission is an open door for attackers, especially if a compromised app or account token can be abused to exfiltrate sensitive data.
b. Forgotten Apps Don’t Forget You
Old or unused apps often linger in tenants with valid credentials and active permissions. These “zombie apps” are dangerous: they fly under the radar and can still access data months after their owners have left the company.
c. OAuth Consent Abuse
Attackers love phishing users into consenting to malicious apps. With delegated permissions, a compromised consent can give attackers persistent access without needing a password.
d. Compliance and Visibility
In large environments, hundreds of enterprise applications exist, many connected by departments outside central IT. Without continuous reviews, it’s impossible to guarantee compliance or prove security posture to auditors.
3. Common Security Best Practices
Here are some proven guardrails for managing Entra Enterprise Applications securely:
- Principle of Least Privilege: Grant only the permissions the app actually needs.
- Admin Consent Policies: Limit who can consent to high-impact permissions.
- Lifecycle Management: Regularly review and remove unused applications.
- App Ownership: Assign clear owners and enforce accountability.
- Monitor Sign-ins: Enable logging for app sign-ins and failures to detect anomalies.

These controls should be part of your Entra security baseline, not optional extras.
4. Reviewing Permissions with PowerShell
You can’t secure what you can’t see.
That’s why I built a PowerShell script — GetEnterpriseAppPermissions.ps1 — to automate the collection of enterprise application permissions and present them in a clear, exportable report.
What the Script Does
- Connects to Microsoft Graph via `Connect-MgGraph`
- Enumerates all enterprise applications (`Get-MgServicePrincipal`)
- Collects delegated and application permissions (`OAuth2PermissionGrants`, `AppRoleAssignments`)
- Outputs the results into a clean CSV or table format, showing which apps have which permissions, consent type, and who consented

Key Columns in the Report
| Column | Description | 
|---|---|
| App Display Name | The name of the enterprise application | 
| App ID | The unique identifier (Service Principal ID) | 
| Permission Type | Delegated or Application | 
| Permission Name | The Graph API or resource permission assigned | 
| Consent Type | Whether admin or user consent was provided | 
| Granted By | Who consented to the permission | 
| Created Date | When the permission was granted | 
Why It’s Useful
- Provides a snapshot of your current exposure
- Helps identify overly permissive applications
- Supports quarterly security reviews
- Can feed into Power BI dashboards for ongoing monitoring

In short: it’s visibility at scale. The kind of visibility that keeps you out of post-breach “how did we miss this?” meetings.
5. Using the Script
- Save the script as `GetEnterpriseAppPermissions.ps1`
- Install the Microsoft Graph PowerShell SDK (if not already): `Install-Module Microsoft.Graph -Scope CurrentUser`
- Run the script: `.\GetEnterpriseAppPermissions.ps1`
- When prompted, sign in with an account that has `Directory.Read.All` permissions.
- The script will generate a CSV file (e.g., `EnterpriseAppPermissionsReport.csv`) in the same folder.
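One way to build the report described in sections 4 and 5 with the Microsoft Graph PowerShell SDK, as an added example and not the author's GetEnterpriseAppPermissions.ps1. It assumes the Microsoft.Graph module is installed and the signed-in account holds Directory.Read.All; the helper names Get-ResourceSp and Get-PrincipalName and the output path are the example's own choices.

```powershell
# Added example (not the author's script): rebuild the report with the Graph SDK.
# Assumes Microsoft.Graph is installed and the account holds Directory.Read.All.
Connect-MgGraph -Scopes 'Directory.Read.All'
$spCache = @{}; $userCache = @{}   # avoid re-fetching the same resource SP or user
function Get-ResourceSp([string]$Id) {   # hypothetical helper name
    if (-not $spCache.ContainsKey($Id)) { $spCache[$Id] = Get-MgServicePrincipal -ServicePrincipalId $Id }
    return $spCache[$Id]
}
function Get-PrincipalName([string]$Id) {   # hypothetical helper name
    if (-not $Id) { return 'Admin (tenant-wide)' }   # AllPrincipals grants carry no principal
    if (-not $userCache.ContainsKey($Id)) {
        try { $userCache[$Id] = (Get-MgUser -UserId $Id -Property DisplayName).DisplayName }
        catch { $userCache[$Id] = $Id }   # principal may be deleted or not a user
    }
    return $userCache[$Id]
}
$rows = foreach ($sp in Get-MgServicePrincipal -All) {
    # Delegated permissions: Scope is space-separated, so emit one row per scope
    foreach ($g in Get-MgServicePrincipalOauth2PermissionGrant -ServicePrincipalId $sp.Id -All) {
        $resource = Get-ResourceSp $g.ResourceId
        foreach ($scope in ($g.Scope -split ' ' | Where-Object { $_ })) {
            [pscustomobject]@{
                'App Display Name' = $sp.DisplayName
                'App ID'           = $sp.Id
                'Permission Type'  = 'Delegated'
                'Permission Name'  = "$($resource.DisplayName): $scope"
                'Consent Type'     = if ($g.ConsentType -eq 'AllPrincipals') { 'Admin' } else { 'User' }
                'Granted By'       = Get-PrincipalName $g.PrincipalId
                'Created Date'     = ''   # oAuth2PermissionGrant exposes no creation timestamp
            }
        }
    }
    # Application permissions: app roles assigned to this service principal
    foreach ($a in Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All) {
        $resource = Get-ResourceSp $a.ResourceId
        $role = $resource.AppRoles | Where-Object { $_.Id -eq $a.AppRoleId } | Select-Object -First 1
        [pscustomobject]@{
            'App Display Name' = $sp.DisplayName
            'App ID'           = $sp.Id
            'Permission Type'  = 'Application'
            'Permission Name'  = "$($resource.DisplayName): $($role.Value)"
            'Consent Type'     = 'Admin'   # application permissions always need admin consent
            'Granted By'       = 'Admin'
            'Created Date'     = $a.CreatedDateTime
        }
    }
}
$rows | Export-Csv -Path '.\EnterpriseAppPermissionsReport.csv' -NoTypeInformation
# Quick triage: every *.All grant, the first thing section 6 says to look for
$rows | Where-Object { $_.'Permission Name' -like '*.All' } | Format-Table -AutoSize
```

The delegated rows carry no Created Date because the oAuth2PermissionGrant resource does not expose one; if you need a timestamp for those, correlate the grant with the "Consent to application" entries in the directory audit log.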
6. What to Do After You Have the Report
- Review for risky permissions: Look for `*.All` scopes like `Mail.ReadWrite.All` or `Directory.ReadWrite.All`.
- Check stale apps: Identify applications with no sign-ins or activity for 90+ days.
- Tighten consent: If a user consented to a permission that should require admin approval, correct it.
- Remove what’s not needed: Disable or delete unused enterprise applications.

7. Closing Thoughts
Microsoft Entra Enterprise Applications are powerful: they enable integration, automation, and innovation.
But with great OAuth comes great responsibility.
If you manage an Entra tenant, treat application permissions with the same scrutiny you’d give to privileged admin accounts. Regular reviews using automation — like this PowerShell script — are not optional; they’re your early warning system.
Run it quarterly.
Report the findings.
Tighten access.
And sleep a little easier knowing you’re not one OAuth consent away from chaos.
Thank you for stopping by. ✌️