Skip to main content

Nobody Approved That App: Taking Back Software Control in Microsoft 365

Nick Ross4 min read

TL;DR

  • By default in Microsoft 365, any user can register an OAuth application and grant it permissions to organizational data, no admin involved.
  • Research from Proofpoint and Huntress found that over 10 percent of tenants in their ecosystems contained a traitorware application likely used by attackers.
  • CIS Control 2 starts with something unglamorous: a centralized application inventory, even if it begins life as a spreadsheet.
  • Blocking user app registrations in Entra ID and removing local admin rights closes the two doors most unapproved software walks through.
  • Microsoft 365 Business Premium covers nearly every control needed for a secure application management practice, from Defender vulnerability management to ASR rules.

Ask a room of business owners who maintains their centralized, approved application inventory and you get two answers: "we don't have one" or "we have one, but it's incomplete." Neither answer is really their fault. SaaS tools are cheap, signup takes a browser and a business email, and employees onboard software faster than any IT process can track it.

That convenience has a name, shadow IT, and a price: data exfiltration paths nobody mapped and vulnerabilities nobody is patching. This post maps the problem directly to CIS Control 2, Inventory and Control of Software Assets, and walks through the Microsoft 365 tooling that puts you back in charge.

How an unapproved app gets the keys

Diagram of how unapproved applications enter a business through self-service signup

The lifecycle is depressingly consistent:

  1. A marketing team member finds an exciting new tool and signs up with their business email.
  2. During signup, the tool asks for permissions to access Microsoft data such as email and calendar.
  3. No approval process exists, so the user grants the permissions without recognizing the risk.
  4. The tool starts storing company data in an unknown third-party database.
  5. The company never formally approves the tool, the user eventually abandons it, and the data and the access both remain.

Repeat that across every department and you have software proliferation, data sprawl, and a pile of standing OAuth grants nobody remembers issuing. To be precise: not every application requests OAuth permissions into your Microsoft tenant, but the ones that do not still carry their own risk, whether or not they ever touch a workstation.

What the defaults let happen

Security risks introduced by ungoverned software, from data access to backdoor persistence

A tenant with no software governance is exposed on several fronts:

  • Unauthorized data access. Unapproved apps may be storing customer data in insecure locations.
  • Third-party vulnerabilities. Any onboarded application can carry zero-days or public exploits, now or in the future.
  • Persistent backdoor access. Attackers exploit OAuth permissions to keep access to accounts long after a password reset. Invictus IR's forensic analysis of eM Client (opens in new tab) shows legitimate application abuse used exactly this way.
  • Shadow IT and data exfiltration. Employees move sensitive company data into personal or unvetted apps.

The defaults make all of this easier than it should be. In Microsoft 365, any user can register an OAuth application and grant it specific permissions out of the box. Proofpoint and Huntress have both published research showing more than 10 percent of tenants in their ecosystems contained some type of traitorware application (opens in new tab) likely used by attackers. Unrestricted local admin rights compound the problem: users can install anything they want on their workstations, and once they do, your AV and EDR tools are the only remaining layer of defense. And underneath it all sits the most common gap we see in consulting engagements: no central inventory and no vendor management policy that defines minimum security standards.

Layer one: governance before tooling

Layered approach to regaining control of the software inventory

The first moves cost nothing but discipline.

Build a centralized software inventory. A spreadsheet is a fine start. Track:

  • Application name
  • Business purpose
  • Department owner
  • Security review status

Define an application approval process. Before anything new gets adopted, answer:

  • Does the tool support MFA and security controls?
  • Does it store sensitive data?
  • Does it comply with regulatory standards such as SOC 2 or ISO?

Review and update the inventory on a schedule. Audit usage and security posture; an inventory that is twelve months stale is a different kind of fiction.

Application inventory review and audit cycle

Layer two: close the front doors

Three tenant-side controls stop most unapproved software at the point of entry:

  • Block unapproved app registrations (opens in new tab) in Microsoft Entra ID, so users cannot consent their way into trouble.
  • Remove local admin rights from users, eliminating unilateral software installs.
  • Give end users a sanctioned path to request new applications or updates, manually or through first-party and third-party add-ons.

Together these create a stop gap: users are forced through an approved workstream before anything new lands on the network or their workstations.

Approval workflow that routes new application requests through IT

Layer three: harden the endpoint

With the entry points gated, turn to what already runs in the environment.

Use Defender for Business (opens in new tab) to detect vulnerable applications and identify exploitable security flaws across the fleet. Then layer on:

  • Intune for centralized app updates, so critical security patches actually land.
  • Attack Surface Reduction (ASR) rules to stop risky software from executing in the first place.
Endpoint hardening with Defender vulnerability management and ASR rules

For visibility beyond the endpoint, deploy Microsoft Defender for Cloud Apps (a CASB) to:

  • Monitor SaaS usage across the entire network
  • Identify risky applications before they become threats
  • Enforce Conditional Access policies based on risk scores
  • Sanction and unsanction applications

Finally, the strictest tier for environments that warrant it:

  • Application whitelisting, restricting installs to an approved list
  • Additional application control policies, such as App Control for Business (previously AppLocker), for further tightening of what can run
  • Just-in-Time privilege elevation, granting temporary admin rights only when a task genuinely requires them

Can Business Premium cover all of this?

Microsoft 365 Business Premium security stack mapped to application management controls

Almost entirely, yes. Microsoft 365 Business Premium can achieve nearly every control we recommend as part of a secure application management practice, and this blog series will cover each of them in depth, along with the common third-party MSP tools that fill the remaining gaps.

The audit is the part that does not need to be manual. CloudCapsule checks every tenant against the recommended hardening policies for locking down applications:

CloudCapsule assessment showing application hardening policy results across tenants

It also tracks your entire software inventory agentlessly, across workstations and enterprise apps, surfacing suspicious or malicious OAuth applications along with any active exploits in your inventory:

CloudCapsule software inventory view with OAuth application risk detection

Frequently asked questions

What is a traitorware or rogue OAuth application?

A legitimate-looking application that an attacker registers or abuses to gain persistent access to a tenant through granted OAuth permissions. Because the access rides on app consent rather than a stolen password, it survives password resets and often goes unnoticed. Huntress maintains a public catalog of these rogue apps.

Does blocking user consent in Entra ID break apps employees already use?

No. Existing grants remain in place until you review and revoke them. Blocking unapproved app registrations stops new consents and routes future requests through an admin consent workflow, which is exactly the approval gate most organizations are missing.

Do we need an enterprise tool to start an application inventory?

No. A spreadsheet tracking application name, business purpose, department owner, and security review status is a legitimate starting point. The discipline matters more than the tooling; you can graduate to automated discovery later.

Find the apps nobody told you about

CloudCapsule audits every tenant for the recommended application hardening policies and tracks your full software inventory agentlessly, across workstations and enterprise apps, flagging suspicious OAuth grants and active exploits. 250+ controls, 60 seconds.

Run a free scan
Nick Ross

Written by

Nick Ross

CEO · Microsoft MVP · Founder, T-Minus 365

Nick is not just a CEO, he's a respected thought leader and influencer in the MSP space. Tens of thousands of MSPs learn through his YouTube channel, T-Minus365. Nick has been honored as a three-time Microsoft MVP for his educational content; his expertise and influence are the backbone of our mission, ensuring that you are in the best hands when it comes to security.

Nick joined Pax8 in 2017, where he would ultimately oversee product management for PSA and Microsoft integrations. Following his tenure at Pax8, Nick has continued to demonstrate his leadership prowess as an executive at various MSPs, culminating in his most recent role at Sourcepass.

Nick holds a Bachelor's Degree in Business Management from Florida State University, as well as a Minor Degree in Entrepreneurship. In his free time, Nick is an avid hiker, reader, and fitness-junkie.

Keep reading