Exchange Administrator permissions

We just found an app with Exchange Administrator permissions admin-consented months ago. What’s your process for catching and correcting excessive permissions before they become problematic?

Hi SophiaX,

While some applications might need Exchange Administrator permissions (apps and solutions with migration, backup and restore purposes are typical apps that come to mind that require these permissions…), for most apps these permissions would indeed be excessive.

In the Microsoft Entra admin center, the Diagnostic Settings option under Monitoring & health allows you to stream Audit Logs to an Azure Log Analytics workspace. This not only allows you to retain audit logs beyond the default Entra log retention period, but it also allows integration with Azure Monitor. This very integration can provide notifications based on the audit logs.

If correctly configured, it can provide a notification within 15 minutes of an app being assigned excessive permissions like Exchange Administrator. In my book, that would fulfil the ‘before they become problematic’ requirement.

Would that work?
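A sketch of the log query such an Azure Monitor alert rule could run, added here as an example and not part of the original reply. It assumes the Entra audit logs land in the workspace's `AuditLogs` table and that the role was granted as a directory role assignment to the app's service principal; the `WatchedRoles` list and the projected column names are illustrative choices.

```kql
// Added example (not from the thread). Assumption: Entra audit logs are
// streamed to this workspace's AuditLogs table through Diagnostic Settings.
// Roles to alert on; extend the list as needed.
let WatchedRoles = dynamic(["Exchange Administrator"]);
AuditLogs
| where Category == "RoleManagement"
| where OperationName == "Add member to role"
| where Result =~ "success"
// The first target resource is the principal that received the role.
| extend Target = TargetResources[0]
| where tostring(Target.type) =~ "ServicePrincipal"
// The role name sits in modifiedProperties as a quoted JSON string.
| mv-apply Prop = Target.modifiedProperties on (
    where tostring(Prop.displayName) == "Role.DisplayName"
    | extend RoleName = trim(@'"', tostring(Prop.newValue))
  )
| where RoleName in~ (WatchedRoles)
// Whoever made the assignment: a user or another application.
| extend Actor = coalesce(
    tostring(InitiatedBy.user.userPrincipalName),
    tostring(InitiatedBy.app.displayName))
| project TimeGenerated,
          RoleName,
          AppName = tostring(Target.displayName),
          ServicePrincipalId = tostring(Target.id),
          Actor,
          CorrelationId
```

Used as the condition of a log search alert rule, any returned row would trigger the notification; the evaluation frequency is set on the rule itself, not in the query.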

I will give that a try. Thank you. This will only be forward-looking, correct? It won’t highlight historical data/permissions matching this?

Yes, that is correct and - unfortunately - one of the downsides of Azure Log Analytics.