From our good partner Jos Lieben. Check out his work at https://www.lieben.nu/:


An Azure App Registration is a powerful tool available to Microsoft 365 tenants. If it is not secured correctly, it can also be dangerous to your organization: an app that anyone in the tenant can sign in to, from any device and without MFA, exposes whatever data it has been granted access to. Here are some tips to better secure your App Registrations:


Conditional Access Policy

An App Registration can be targeted by your organization’s Conditional Access Policies: in the policy’s Cloud apps assignment, select the application by name or by its Application (client) ID. You can apply many different scenarios, but these are recommended (in order of importance):

  1. Require MFA
  2. Require a Compliant Device
  3. Require Low or No User Risk (block, or require a password change, at medium and high user risk)
  4. Require Low or No Sign-In Risk (block, or require MFA, at medium and high sign-in risk)
  5. Sign-in frequency (session control) of 1-2 hours

Restrict Access to Pre-Approved Users

The App Registration should only allow sign-ins from a pre-approved list of users. You configure this on the Enterprise Application object that matches your App Registration (it has the same Application ID): under Properties, set Assignment required? to Yes, then add the approved users, or preferably a single group, under Users and groups. Anyone who is not assigned gets an error at sign-in instead of a token.
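The two steps above (assignment required plus a Conditional Access policy scoped to the app) done with the Microsoft Graph PowerShell SDK. This is an added example, not code from the original post or from the author; the Application (client) ID, the group name and the policy names are placeholders chosen for the example, and the risk policies assume an Entra ID P2 licence for the risk signals.

```powershell
# Added example: harden one App Registration with Microsoft Graph PowerShell.
# Requires the Microsoft.Graph SDK (Install-Module Microsoft.Graph).
# Placeholders (assumptions): replace with your own app ID and group name.
$appId     = "00000000-0000-0000-0000-000000000000"   # placeholder: Application (client) ID
$groupName = "SG-FinanceApp-ApprovedUsers"             # placeholder: group of pre-approved users

Connect-MgGraph -Scopes "Application.ReadWrite.All",
                        "AppRoleAssignment.ReadWrite.All",
                        "Group.Read.All",
                        "Policy.ReadWrite.ConditionalAccess"

# Sign-ins are evaluated against the Enterprise Application (service principal), not the registration.
$sp    = Get-MgServicePrincipal -Filter "appId eq '$appId'"
$group = Get-MgGroup -Filter "displayName eq '$groupName'"
if (-not $sp -or -not $group) { throw "Service principal or group not found" }

# 1. Restrict access to pre-approved users: Properties > "Assignment required?" = Yes ...
Update-MgServicePrincipal -ServicePrincipalId $sp.Id -AppRoleAssignmentRequired:$true

# ... then assign the group to the app. The all-zero role ID is the built-in "default access"
# role, which is what the portal uses when the app defines no app roles of its own.
New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id `
    -PrincipalId $group.Id -ResourceId $sp.Id -AppRoleId ([Guid]::Empty) | Out-Null

# Conditions shared by every policy below: this app, for the approved-users group.
$scope = @{
    applications = @{ includeApplications = @($appId) }
    users        = @{ includeGroups = @($group.Id) }
}

# 2. Conditional Access: MFA AND compliant device, with a 1-hour sign-in frequency.
# Created in report-only mode; switch state to "enabled" after reviewing the sign-in logs.
$policy = @{
    displayName     = "CA - $groupName - MFA, compliant device, 1h session"
    state           = "enabledForReportingButNotEnforced"
    conditions      = $scope
    grantControls   = @{ operator = "AND"; builtInControls = @("mfa", "compliantDevice") }
    sessionControls = @{ signInFrequency = @{ value = 1; type = "hours"; isEnabled = $true } }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy | Out-Null

# 3. "Low or no risk" is expressed as blocking medium and high risk. User risk and sign-in
# risk go in separate policies: conditions inside one policy are ANDed, so a single policy
# with both would only trigger when both risks are elevated at the same time.
foreach ($risk in @(
        @{ label = "user risk";    condition = @{ userRiskLevels   = @("medium", "high") } },
        @{ label = "sign-in risk"; condition = @{ signInRiskLevels = @("medium", "high") } })) {
    $riskPolicy = @{
        displayName   = "CA - $groupName - block medium/high $($risk.label)"
        state         = "enabledForReportingButNotEnforced"
        conditions    = $scope + $risk.condition
        grantControls = @{ operator = "OR"; builtInControls = @("block") }
    }
    New-MgIdentityConditionalAccessPolicy -BodyParameter $riskPolicy | Out-Null
}
```

Run it once per sensitive app; the policies are created in report-only mode so you can confirm in the sign-in logs that only the intended app and group are affected before enforcing them.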

(Screenshot: Secure User Access with Approved List)


Alert Rule

If you are using a Cloud Access Security Broker such as Microsoft Cloud App Security, set up a rule to alert when someone is added to the authorized users group. Adding a member to that group is the quickest way around the restriction above, so it should never happen silently.
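A way to check that the alert rule is catching the right events: pull the last week of "Add member to group" entries for the approved-users group straight from the Entra ID audit log. This is an added example, not code from the original post or from the author; the group object ID is a placeholder, and the audit-log event names and fields are those of the Microsoft Graph directoryAudits API.

```powershell
# Added example: recent additions to the approved-users group, from the Entra ID audit log.
# Placeholder (assumption): object ID of the group assigned to the Enterprise Application.
$groupId = "00000000-0000-0000-0000-000000000000"

Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All"

# Server-side filter on event name and time window; the group match is done client-side
# because the group shows up either as a target resource or in the modified properties.
$since  = (Get-Date).ToUniversalTime().AddDays(-7).ToString("yyyy-MM-ddTHH:mm:ssZ")
$filter = "activityDisplayName eq 'Add member to group' and activityDateTime ge $since"

Get-MgAuditLogDirectoryAudit -Filter $filter -All |
    Where-Object {
        ($_.TargetResources.Id -contains $groupId) -or
        (($_.TargetResources.ModifiedProperties |
            Where-Object DisplayName -eq 'Group.ObjectID').NewValue -match $groupId)
    } |
    ForEach-Object {
        # Who added whom: the initiator is a user for portal changes, an app for automation.
        $by = if ($_.InitiatedBy.User.UserPrincipalName) { $_.InitiatedBy.User.UserPrincipalName }
              else { $_.InitiatedBy.App.DisplayName }
        [pscustomobject]@{
            When    = $_.ActivityDateTime
            AddedBy = $by
            Member  = ($_.TargetResources | Where-Object Type -eq 'User').UserPrincipalName
            Result  = $_.Result
        }
    } | Format-Table -AutoSize
```

Every line this prints should correspond to an alert in your CASB; an addition that appears here but raised no alert means the rule is scoped to the wrong group or activity.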


Wrap-Up

These are a few simple things, but with them the security of your App Registrations is much better. Make sure your sensitive Apps are secured.