IT Connect

Information technology tools and resources at the UW

Risky Azure AD application permissions

This page discusses Azure AD application permissions in the context of what UW defines as risky.

Risky AAD application overview

UW-IT monitors the enterprise Azure AD tenant for AAD applications which have a set of permissions which we’ve determined are risky for the UW. When we detect an application with risky permissions, which hasn’t been explicitly approved, we raise alerts that result in that application being disabled and put in a review process. If judged to be OK, the application is re-enabled, otherwise the application is deleted.

Risky Azure AD application permissions

The permissions UW-IT currently considers risky are:

  • Any permission whose type is admin. Permissions of the admin type are broad permissions that typically only someone with administrator-level rights could exercise. A common example is the ability to access the given application as any user, without that user’s knowledge or consent.

If you’d like UW-IT to consider adding additional permissions to what it considers risky, please send an email to help@uw.edu with “Azure AD risky permission request” in the subject line.

The service manager and owner will consider your request. If they deny your request and you disagree, you have the right to escalate to the Azure AD change advisory board. If they agree, we’ll add your permissions to the set of risky permissions that we monitor for. All risky permissions that are monitored for will be documented here.

More details

An example of an Azure AD application is the Azure AD Graph API. This Azure AD application identity fronts a RESTful web service through which you can query information about your Azure AD tenant. The AAD Graph API application identity exposes 3 user permissions and 6 admin permissions. These are listed below as a concrete example of the kinds of permissions an Azure AD application identity may provide, and that another AAD application identity may request access to.

Admin permissions for Azure AD Graph API

  • Read hidden memberships [Member.Read.Hidden]
  • Read all users’ full profiles [User.Read.All]
  • Read all groups [Group.Read.All]
  • Write all groups [Group.Write.All]
  • Read and write all directory data [Directory.ReadWrite.All]
  • Read all directory data [Directory.Read.All]

User permissions for Azure AD Graph API


  • Sign in and read user profile [User.Read]
  • Read all users’ basic profiles [User.ReadBasic.All]
  • Access the directory as the signed-in user [Directory.AccessAsUser.All]

So if a given Azure AD application were added to our enterprise Azure AD tenant and required ‘Member.Read.Hidden’ or ‘Directory.Read.All’, we’d detect that and flag the application as having a risky permission. It would be disabled and reviewed.
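The following script is an added example, not UW-IT’s own monitoring code, showing how the rule above (admin-type permissions are risky; unapproved applications holding them are disabled and reviewed) can be evaluated over tenant data. The sample records are constructed by hand and only mimic the shape of Microsoft Graph objects (servicePrincipal.oauth2PermissionScopes, servicePrincipal.appRoles, oAuth2PermissionGrant and appRoleAssignment); every id, application name and the approved-application list is a placeholder. The permission list for the Azure AD Graph API resource is the one given on this page.

```python
"""Flag Azure AD applications that hold risky (admin-type) permissions.

Constructed example: the data below imitates Microsoft Graph object shapes
but is hand-built sample data, not a live tenant. Ids are placeholders.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Resource service principal modelled on the Azure AD Graph API entry on this
# page. Scope "type" is "Admin" or "User", as in oauth2PermissionScopes.
RESOURCES = {
    "sp-aad-graph": {
        "displayName": "Azure AD Graph API",
        "oauth2PermissionScopes": [
            {"id": "scope-1", "value": "Member.Read.Hidden", "type": "Admin"},
            {"id": "scope-2", "value": "User.Read.All", "type": "Admin"},
            {"id": "scope-3", "value": "Group.Read.All", "type": "Admin"},
            {"id": "scope-4", "value": "Group.Write.All", "type": "Admin"},
            {"id": "scope-5", "value": "Directory.ReadWrite.All", "type": "Admin"},
            {"id": "scope-6", "value": "Directory.Read.All", "type": "Admin"},
            {"id": "scope-7", "value": "User.Read", "type": "User"},
            {"id": "scope-8", "value": "User.ReadBasic.All", "type": "User"},
            {"id": "scope-9", "value": "Directory.AccessAsUser.All", "type": "User"},
        ],
        # Application permissions (app roles) always require admin consent.
        "appRoles": [
            {"id": "role-1", "value": "Directory.Read.All",
             "allowedMemberTypes": ["Application"]},
        ],
    }
}

# Delegated-permission grants, shaped like oAuth2PermissionGrant objects.
# consentType "AllPrincipals" is an admin consent; "Principal" is one user's.
OAUTH2_GRANTS = [
    {"clientId": "app-timesheet", "resourceId": "sp-aad-graph",
     "consentType": "Principal", "principalId": "user-1",
     "scope": "User.Read User.ReadBasic.All"},
    {"clientId": "app-sync-tool", "resourceId": "sp-aad-graph",
     "consentType": "AllPrincipals", "principalId": None,
     "scope": "User.Read Directory.Read.All"},
    {"clientId": "app-hr-export", "resourceId": "sp-aad-graph",
     "consentType": "AllPrincipals", "principalId": None,
     "scope": "Member.Read.Hidden"},
]

# Application-permission assignments, shaped like appRoleAssignment objects.
APP_ROLE_ASSIGNMENTS = [
    {"principalId": "app-sync-tool", "resourceId": "sp-aad-graph", "appRoleId": "role-1"},
]

# Applications that already went through review and were explicitly approved.
APPROVED_CLIENTS = {"app-sync-tool"}


@dataclass
class Finding:
    client_id: str
    risky_permissions: List[str] = field(default_factory=list)
    action: str = "ok"  # "ok" | "approved" | "disable-and-review"


def _scope_types(resource: dict) -> Dict[str, str]:
    """Map permission value -> "Admin"/"User" for one resource."""
    return {s["value"]: s["type"] for s in resource["oauth2PermissionScopes"]}


def risky_permissions_for(client_id, grants, role_assignments, resources,
                          extra_risky=frozenset()):
    """Sorted list of risky permission values held by one client application."""
    found = set()
    for g in grants:
        if g["clientId"] != client_id:
            continue
        types = _scope_types(resources[g["resourceId"]])
        for value in g["scope"].split():
            # A scope the resource no longer publishes is treated as Admin
            # (fail closed); extra_risky holds permissions added by request.
            if types.get(value, "Admin") == "Admin" or value in extra_risky:
                found.add(value)
    for a in role_assignments:
        if a["principalId"] != client_id:
            continue
        roles = {r["id"]: r["value"] for r in resources[a["resourceId"]]["appRoles"]}
        # Application permissions are admin-level by definition.
        found.add(roles.get(a["appRoleId"], "unknown-role:" + a["appRoleId"]))
    return sorted(found)


def evaluate(clients, grants, role_assignments, resources, approved,
             extra_risky=frozenset()):
    """Apply the disable-and-review rule to each client application."""
    findings = []
    for cid in clients:
        risky = risky_permissions_for(cid, grants, role_assignments, resources, extra_risky)
        action = "ok" if not risky else ("approved" if cid in approved else "disable-and-review")
        findings.append(Finding(cid, risky, action))
    return findings


if __name__ == "__main__":
    clients = sorted({g["clientId"] for g in OAUTH2_GRANTS}
                     | {a["principalId"] for a in APP_ROLE_ASSIGNMENTS})
    for f in evaluate(clients, OAUTH2_GRANTS, APP_ROLE_ASSIGNMENTS, RESOURCES, APPROVED_CLIENTS):
        print(f"{f.client_id:15} {f.action:20} {' '.join(f.risky_permissions)}")
```

With the sample data, app-timesheet holds only user-type scopes and is left alone, app-sync-tool holds Directory.Read.All but is on the approved list, and app-hr-export holds Member.Read.Hidden without approval and is marked for disable-and-review. Against a real tenant the same two object collections would be pulled from the Graph API and the resource scope metadata resolved per resource, exactly as the lookup does here.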