Phishing attacks on users are rising. There are countless variants of phishing attacks. One of them attempts to gain unauthorized access to data via app registration and consent. If the attack is successful, no password change will lock the attacker out again. Multi-factor authentication offers no protection either, since the attacker's app is already authorized to access the data. It’s time to restrict app registration and thus increase security against phishing.

Disallow app registration for users

The following request appears when an app requires additional permissions:

App registration for users is restricted in the Azure Portal (https://portal.azure.com). After this change, a user can no longer perform an app registration.

Note: The restriction only applies to users; an administrator can perform an app registration at any time. See chapter “Perform app registration by administrator”.

Navigate in Azure Portal (https://portal.azure.com) to:

“Azure AD” > “Enterprise Applications” > “Consent and permission” and set

  • User consent for application to “Do not allow user consent”
  • Group owner consent for app accessing data to “Do not allow group owner consent”

Go to “Azure AD” > “User settings” and set

  1. App registration > No
    The ability to register apps should be reserved for administrators only. If an insecure app is registered, the attacker can very easily access sensitive data.
  2. Administration portal > No
    Access to your organization’s information in Azure AD should be restricted to administrators only. Standard user accounts do not need access to this information.
  3. LinkedIn account connections > No
    Users cannot connect their LinkedIn accounts. This prevents data sharing between Azure and LinkedIn.

Perform app registration by administrator

An administrator can perform an app registration on behalf of all users in the tenant. Users can use the app and no longer need to perform additional registration.

Choose the app under “Azure AD” > “Enterprise applications”.

Under “Permissions” the administrator releases the application for all users in the tenant with “Grant admin consent for…”.
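The tenant-wide admin consent granted by the “Grant admin consent for…” button can also be issued from PowerShell. The script below is an added example, not the post's own content: it uses the Microsoft Graph PowerShell cmdlets Get-MgServicePrincipal, Get-MgOauth2PermissionGrant and New-MgOauth2PermissionGrant to grant delegated permissions on Microsoft Graph to one application for all users, after first checking that no tenant-wide grant exists yet. The application display name “Contoso Expense App” and the scope list are placeholders; the Microsoft Graph application ID 00000003-0000-0000-c000-000000000000 is the well-known value for the Microsoft Graph resource.

```powershell
# Added example, not from the original post: grant delegated permissions
# tenant-wide (the PowerShell equivalent of "Grant admin consent for...").
# Assumes the Microsoft.Graph module and an account allowed to grant consent.
Connect-MgGraph -Scopes "DelegatedPermissionGrant.ReadWrite.All", "Application.Read.All"

$appName = "Contoso Expense App"          # placeholder, replace with the app's name
$scopes  = "User.Read openid profile"     # placeholder, space-separated delegated scopes

# The application's service principal (client) and the resource it calls.
$client   = Get-MgServicePrincipal -Filter "displayName eq '$appName'"
$resource = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
if (-not $client)   { throw "No enterprise application named '$appName' found" }
if (-not $resource) { throw "Microsoft Graph service principal not found" }

# Refuse to create a duplicate: a second AllPrincipals grant for the same
# client/resource pair is rejected by the service anyway.
$existing = Get-MgOauth2PermissionGrant -Filter "clientId eq '$($client.Id)' and consentType eq 'AllPrincipals'" |
    Where-Object { $_.ResourceId -eq $resource.Id }
if ($existing) {
    "Tenant-wide grant already exists with scopes: $($existing.Scope)"
    return
}

# ConsentType AllPrincipals = consent on behalf of every user in the tenant.
$grant = New-MgOauth2PermissionGrant -ClientId $client.Id -ConsentType "AllPrincipals" `
    -ResourceId $resource.Id -Scope $scopes

"Granted '$($grant.Scope)' to '$($client.DisplayName)' for all users (grant id $($grant.Id))."
```

Only delegated permissions are covered by an oAuth2PermissionGrant; application permissions (app roles) are assigned separately with New-MgServicePrincipalAppRoleAssignment, which the portal button handles in the same click. Keep the scope list to what the app actually needs, because a tenant-wide grant removes the per-user consent prompt that would otherwise let a user notice an unusual request.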
