From our good partner Jos Lieben. Check out his work at https://www.lieben.nu/:
An Azure App Registration is a powerful tool available to Microsoft 365 users. If not secured correctly, it can be dangerous to your organization as well. Here are some tips to better secure your App Registrations:
Conditional Access Policy
An App Registration can be targeted by your organization’s Conditional Access Policies. You can apply many different scenarios, but these are recommended (in order of importance):
- Require MFA
- Require a Compliant Device
- Require Low or No User Risk
- Require Low or No Sign-In Risk
- Session Length of 1-2 hours
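As an added example (not code from Jos Lieben's post), the list above expressed as Conditional Access policies created with the Microsoft Graph PowerShell SDK. It assumes you hold the Policy.ReadWrite.ConditionalAccess permission, and the client ID, break-glass account ID and policy names are placeholders. User risk and sign-in risk are deliberately put in separate policies: when both conditions sit in one policy, Conditional Access applies it only when both are true, which would leave a medium-risk user on a low-risk sign-in uncovered. All three policies start in report-only mode so the sign-in logs show their impact before you enforce them.

```powershell
# Added example: Conditional Access policies scoped to a single App Registration.
# Assumptions (placeholders): the app's Application (client) ID, an emergency-access
# account to exclude, and the Policy.ReadWrite.ConditionalAccess delegated scope.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

$appId      = "<application-client-id>"            # placeholder: App Registration's client ID
$breakGlass = @("<break-glass-account-object-id>")   # placeholder: never lock out emergency access

# Shared scope: every user, except break-glass, signing in to this one application.
$scope = @{
    users          = @{ includeUsers = @("All"); excludeUsers = $breakGlass }
    applications   = @{ includeApplications = @($appId) }
    clientAppTypes = @("all")
}

# Policy 1: MFA AND a compliant device, with a 2-hour sign-in frequency.
$strongAuth = @{
    displayName   = "App $appId - MFA, compliant device, 2h session"
    state         = "enabledForReportingButNotEnforced"   # report-only first; set "enabled" after review
    conditions    = $scope
    grantControls = @{ operator = "AND"; builtInControls = @("mfa", "compliantDevice") }
    sessionControls = @{
        signInFrequency = @{ isEnabled = $true; type = "hours"; value = 2 }
    }
}

# Policies 2 and 3: block when user risk, or separately sign-in risk, is medium/high.
# Only "low" and "none" risk therefore reach the app, matching the two risk bullets above.
$riskPolicies = foreach ($riskCondition in @("userRiskLevels", "signInRiskLevels")) {
    $conditions = $scope.Clone()
    $conditions[$riskCondition] = @("medium", "high")
    @{
        displayName   = "App $appId - block medium/high $riskCondition"
        state         = "enabledForReportingButNotEnforced"
        conditions    = $conditions
        grantControls = @{ operator = "OR"; builtInControls = @("block") }
    }
}

foreach ($policy in @($strongAuth) + $riskPolicies) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
    Write-Host "Created policy '$($created.DisplayName)' in state $($created.State)"
}
```

Review the "Report-only" column of the sign-in logs for a few days, then flip `state` to `enabled`; keep the break-glass exclusion in place when you do.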
Restrict Access to Pre-Approved Users
The App Registration should only allow logins from a pre-approved list of users. You manage this list from the Enterprise Application (service principal) object that corresponds to your App Registration.
If you are using a Cloud Access Security Broker such as Microsoft Cloud App Security, set up a rule to alert when someone is added to the authorized users group.
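The two steps above (require assignment on the Enterprise Application, then watch who gets added to the approved group), as an added example that is not part of the original post. It uses the Microsoft Graph PowerShell SDK; the client ID and group ID are placeholders, and the audit-log filter at the end is a manual check of the same event a CASB or SIEM rule would alert on. The all-zero app role ID is the built-in "default access" role that every service principal exposes.

```powershell
# Added example: lock an Enterprise Application to one approved group and list
# recent additions to that group. Placeholders: $appId, $groupId. Assumed scopes:
# Application.ReadWrite.All, AppRoleAssignment.ReadWrite.All, AuditLog.Read.All, Directory.Read.All
Connect-MgGraph -Scopes "Application.ReadWrite.All", "AppRoleAssignment.ReadWrite.All",
                        "AuditLog.Read.All", "Directory.Read.All"

$appId   = "<application-client-id>"   # placeholder: App Registration's client ID
$groupId = "<approved-users-group-id>" # placeholder: object ID of the pre-approved users group

# The Enterprise Application (service principal) is where assignment is enforced,
# not the App Registration itself.
$sp = Get-MgServicePrincipal -Filter "appId eq '$appId'"
if (-not $sp) { throw "No service principal found for appId $appId" }

# 1. Require assignment: users outside the list get an error at sign-in instead of a token.
Update-MgServicePrincipal -ServicePrincipalId $sp.Id -AppRoleAssignmentRequired:$true

# 2. Assign the approved group to the default access role (all-zero GUID).
New-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id -BodyParameter @{
    principalId = $groupId
    resourceId  = $sp.Id
    appRoleId   = "00000000-0000-0000-0000-000000000000"
} | Out-Null

# 3. Verify: nothing but the approved group should be assigned.
Write-Host "Current assignments for $($sp.DisplayName):"
Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id |
    Select-Object PrincipalDisplayName, PrincipalType

# 4. Detection: who was added to the approved group in the last 7 days?
#    The audit event "Add member to group" carries the group either as a target
#    resource or inside modifiedProperties, so both are checked client-side (assumption).
$since = (Get-Date).ToUniversalTime().AddDays(-7).ToString("yyyy-MM-ddTHH:mm:ssZ")
Get-MgAuditLogDirectoryAudit -All -Filter "activityDisplayName eq 'Add member to group' and activityDateTime ge $since" |
    Where-Object {
        ($_.TargetResources.Id -contains $groupId) -or
        ($_.TargetResources.ModifiedProperties | Where-Object { $_.NewValue -like "*$groupId*" })
    } |
    Select-Object ActivityDateTime,
        @{ Name = 'Actor'; Expression = { $_.InitiatedBy.User.UserPrincipalName } },
        @{ Name = 'Added'; Expression = { ($_.TargetResources | Where-Object Type -eq 'User').UserPrincipalName -join ', ' } }
```

Any row in the last table that was not raised through your change process is exactly what the CASB rule should page on; the same `Where-Object` logic maps directly onto a KQL query over the AuditLogs table if you prefer a scheduled alert in your SIEM.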
These are a few simple steps, but they make your App Registrations considerably harder to abuse. Make sure your sensitive apps are secured.