Hello again! I’m Jeff Sakowicz, Principal Program Management Lead for Application Platform Security within the Microsoft Identity team. Our team’s goal is to foster a secure, trustworthy, and thriving app ecosystem. Part of achieving this goal is enabling apps to support a Zero Trust security model.
This is the second post in our series on why Zero Trust matters for developers. In the previous post, I introduced the Zero Trust principles and how they apply to identity and access management. In this post, I will focus on how you can design apps using the principle of least privileged access with the Microsoft identity platform.
Why should you care about using least privileged access?
In short, by limiting what your app has permission to do, you reduce the potential blast radius of attacks and increase adoption of your apps by customers. In our experience, IT administrators are applying more scrutiny when reviewing the permissions being requested by applications and deciding whether to grant a given app those permissions. When you create an app that asks for a lot of permissions, it will be less likely to be approved or could be denied altogether.
What is overprivilege and what is an overprivileged app?
When an entity asks for, and in some cases is granted, more permissions than it needs, we call it “overprivileged.” In this post we will focus exclusively on overprivileged applications with respect to OAuth 2.0 permissions in the Microsoft identity platform and use example scenarios of client apps that call the Microsoft Graph API. That said, the principles in this blog do apply to other permission models and APIs – we’ll cover this more in future posts.
Overprivilege occurs when an app has requested and been granted unused or reducible permissions:
What are the goals in combatting overprivileged apps?
There are three main goals for us in the Microsoft Identity team in terms of combatting overprivileged apps:
How can you ensure your apps become least privileged?
Here are three high level best practices for developers and IT Admins to keep in mind when thinking about adhering to the least privileged principle for applications:
Microsoft has tools that help you with this process. For example, you can use Graph Explorer to determine the Microsoft Graph API calls you need to make in order to enable your scenario. Then, you can find the corresponding permissions, listed from least to most privileged, for Microsoft Graph by using this handy permissions reference.
Learn more about specific steps in the documentation here: https://aka.ms/least-privilege.
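To make the process above concrete, here is an added example (not code from the original post or from Microsoft) of the check a developer or IT admin can run once the list of Graph calls is known: compare the permissions an app has been granted with the least-privileged permission each call actually needs, and report what is unused, what can be reduced, and what is missing. The endpoint-to-permission mapping and the permission "ladders" are a small hand-picked subset written for this illustration; the authoritative source is the Microsoft Graph permissions reference.

```python
"""Audit an app's granted Microsoft Graph permissions against the calls it makes.

Added example, not part of the original post. The mappings below are an
illustrative subset constructed for this example; consult the Microsoft Graph
permissions reference for the real, complete lists.
"""
from dataclasses import dataclass

# Permission ladders per resource family, least privileged first (constructed subset).
LADDERS = {
    "users": ["User.ReadBasic.All", "User.Read.All", "User.ReadWrite.All"],
    "mail": ["Mail.Read", "Mail.ReadWrite"],
}

# Least-privileged permission that satisfies each (method, path) the app calls
# (constructed subset; "{id}" stands for any user identifier).
LEAST_PRIVILEGED = {
    ("GET", "/users"): ("users", "User.ReadBasic.All"),
    ("GET", "/me/messages"): ("mail", "Mail.Read"),
    ("PATCH", "/users/{id}"): ("users", "User.ReadWrite.All"),
}


@dataclass
class Report:
    required: dict   # family -> least-privileged permission covering all of the app's calls
    unused: list     # granted permissions for families the app never calls
    reducible: dict  # granted permission -> lower-privileged permission that still suffices
    missing: list    # families the app calls but no granted permission covers
    unknown: list    # granted permissions outside this example's mapping (not judged)


def rank(family: str, perm: str) -> int:
    """Position on the family's ladder: higher means more privileged."""
    return LADDERS[family].index(perm)


def audit(granted: list, calls: list) -> Report:
    """Compare granted permissions with what the app's Graph calls actually need."""
    # 1. Per family, find the highest rung any of the app's calls requires.
    needed = {}
    for call in calls:
        if call not in LEAST_PRIVILEGED:
            raise ValueError(f"no permission mapping for {call[0]} {call[1]}")
        family, perm = LEAST_PRIVILEGED[call]
        if family not in needed or rank(family, perm) > rank(family, needed[family]):
            needed[family] = perm

    # 2. Classify each granted permission against that requirement.
    unused, reducible, unknown = [], {}, []
    for perm in granted:
        family = next((f for f, ladder in LADDERS.items() if perm in ladder), None)
        if family is None:
            unknown.append(perm)
        elif family not in needed:
            unused.append(perm)
        elif rank(family, perm) > rank(family, needed[family]):
            reducible[perm] = needed[family]

    # 3. Families the app calls without any sufficient granted permission.
    missing = [
        family for family, perm in needed.items()
        if not any(p in LADDERS[family] and rank(family, p) >= rank(family, perm)
                   for p in granted)
    ]
    return Report(needed, unused, reducible, missing, unknown)


if __name__ == "__main__":
    # Constructed sample: an app granted broad write permissions that only reads.
    report = audit(
        granted=["User.ReadWrite.All", "Mail.ReadWrite", "Files.Read"],
        calls=[("GET", "/users"), ("GET", "/me/messages")],
    )
    print(report)
```

The output for the sample flags both write permissions as reducible to their read-only counterparts and leaves Files.Read as "unknown" rather than guessing, which is the right posture for a check built on a partial mapping: only say an app is overprivileged when the mapping actually covers the call.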
How to start building Zero Trust readiness
To learn even more, check out the new guidance for developers we’ve published to the Zero Trust Guidance Center. It includes new development and integration resources for developing Zero Trust-ready apps.
For more details, read the full whitepaper for developers that can be downloaded here: Zero Trust for the Microsoft Identity developer
Learn more about Microsoft identity: