The problem with SaaS apps
Organizations have been migrating to the cloud in high numbers over the past few years. Yet, cloud SaaS environments, like Microsoft 365, permit anyone to register SaaS applications in the tenant by default. This precipitates shadow IT practices among users, such as incorporating third-party applications into the environment without obtaining proper consent.
This can also translate into security vulnerabilities and third-party access to critical or sensitive organization data from apps and vendors that SecOps may not have rigorously vetted, leading to credential compromise, data theft, and cloud ransomware. Many other best practice configurations are not configured by default in a Microsoft 365 tenant.
What is ENow AppGov Score?
ENow AppGov Score extends a suite of 24 checks intended to scrutinize your enterprise applications, app registrations, and tenant settings within the context of the Microsoft Entra ID environment. This tool is designed to dispense guidance in line with recommended best practices. The scoring techniques put into use have been vetted from Microsoft-recommended identity best practices and also on the advice of Microsoft security MVPs. ENow AppGov Score is proficient in offering:
- Giving visibility to apps with credentials that are close to their expiration date.
- Digging up apps that are deemed to be high-risk or possess excessive privileges.
- Laying out details concerning user accounts coupled with administrative application privileges.
- Conducting an in-depth analysis of tenant configurations in line with recommended best practices.
The interface of the tool is predominantly visual. It features an inherent trait of other ENow products, which is the provision of color contrast and visual cues. This inclusion is to facilitate the understanding of admins about high-risk app configurations and tenant settings.
Freemium vs. Paid
The ENow AppGov Score solution comes in both freemium and paid offerings from ENow. In the attached screenshots, the freemium solution is showcased. So, what additional benefits do users receive with the paid solution?
ENow offers three paid tiers for the AppGov Score solution: Standard, Professional, and Enterprise. Users of the paid solution enjoy advantages like automated assessment runs, enhanced governance tracking, dashboards, role-specific access, and integration capabilities with other platforms, such as ServiceNow.
For a complete comparison between the free and paid tiers, visit here. Now, let’s delve into the nuts and bolts of the configuration and setup during onboarding with ENow AppGov Score.
Getting yourENow AppGov Score
To get started with ENow AppGov Score, sign up on the ENow AppGov Score website. After you finish signing up, you’ll get an email asking you to confirm your account.
Signing up for ENow AppGov Score
Click on the Sign In button located in the upper right section of the webpage.
Sign in with your Microsoft account
When you click Sign In, it will prompt you to enter a Microsoft account or choose an account you have used to sign into Microsoft 365.
Enter your Microsoft account or pick an account you have used before
Since ENow is a SaaS application, you will see the prompt to allow the permissions requested.
Permissions requested for the AppGov Score application
Once you have signed in, click the button to register for the application governance assessment.
Register your organization with admin consent
To run the application governance assessment, AppGov Score needs admin consent. You will see another permission request dialog box to accept the permission approval request. You must be logged in with an account with global administrator permissions.
Admin consent permissions request from AppGov Score
Viewing the results of the AppGov Score scan
After you click Accept in the admin consent dialog box, AppGov Score begins running the application assessment. After a few moments, you will see your Application Governance Assessment Report. As you can see below, ENow does a good job with visual cues and color in the resulting charts and information dialog boxes to help admins hone in on areas that need attention. Areas of your environment that are poorly configured stand out in red, while properly configured settings are green.
Viewing the results of the AppGov Score scan
In the premium version, the timeline featured on the line chart describes if you’re enhancing the condition of security and governance in the system. As you put your cursor over the points on the timeline, it will describe alterations that resulted in either an increase or decrease in the score.
When further inspecting the results, ENow has separated the conclusions into three segments:
- Enterprise Application Analysis: This elaborates elements such as the number of enterprise applications in operation, those that lack admin consent, perceived high-risk applications, applications without owners or descriptions, etc.
- Application Registration Analysis: This provides details on the count of application registrations with public client flows, certificates that have expired or are set to expire in the future, outdated client secrets, and secrets due to expire.
- Tenant Settings Analysis: This goes into details on accounts that possess application administration privileges. It also indicates whether the tenant configuration permits the group owner’s agreement, and if it allows users to request administration consent for the applications.
Below is a look at the Enterprise Application Analysis. As we can see, we have applications without descriptions in this particular environment. Providing application descriptions is a best practice that helps with auditing and documentation.
Looking at the Enterprise Application Analysis
The following section is the Application Registration Analysis. The tenant has no expired or expiring certificates or client secrets. If a certificate expires it can impact the users productivity as the app will no longer work.
Application Registration Analysis
ENow AppGov Score also checks the tenant-level configuration for best practices. For example, the tenant below is configured to allow group owners to consent. When this is configured, group owners can provide access to enterprise applications. Limiting this ability is recommended.
One of the features of the ENow AppGov Score assessment is a detailed description of each finding and a link to the Microsoft KB article that specifies the best practice configuration. We see the following when we click Description > Why is this important. In this case, the linked Microsoft KB is the article Configure how users consent to applications found here.
Viewing the Description and Why is this important sections
Admins can follow the guidance to remediate the findings linked right from the ENow AppGov Score assessment report, eliminating the need to search for best practice guidance. This feature is certainly a timesaver.