Framework/Configurations/SVT/AAD/AAD.Application.json
{ "FeatureName": "Application", "Reference": "aka.ms/azsktcp/Application", "IsMaintenanceMode": false, "Controls": [
{ "ControlID": "AAD_Application_Remove_Test_Demo_Apps", "Description": "Old test/demo apps should be removed from the tenant", "Id": "App120", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckOldTestDemoApps", "Rationale": "Demo apps are usually short-term projects that do not go through the full engineering process and due diligence required for enterprise apps. As a result, it is important to constantly review and prune demo app entries from the tenant.", "Recommendation": "Refer: TODO", "Tags": [ "SDL", "TCP", "Automated", "AuthZ", "RBAC" ], "Enabled": true },
{ "ControlID": "AAD_Application_Permit_Only_HTTPS_ReturnURLs", "Description": "All return URLs configured for an application must be HTTPS endpoints", "Id": "App130", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckReturnURLsAreHTTPS", "Rationale": "Return URLs of an application are particularly sensitive because many authentication flows involve posting the token to the returnURL after successful authentication. If such a URL does not use HTTPS, it leads to disclosure of the token on the network in clear text.", "Recommendation": "Refer: TODO", "Tags": [ "SDL", "TCP", "Automated", "AuthZ", "RBAC" ], "Enabled": true },
{ "ControlID": "AAD_Application_Review_Orphaned_Apps", "Description": "Do not permit orphaned apps (i.e., apps with no owners) in the tenant", "Id": "App140", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": "CheckOrphanedApp", "Rationale": "From a governance standpoint, it is important that every application has one or more owners who are responsible for the upkeep of the application's record in the tenant, rotating credentials, etc.", "Recommendation": "Refer: TODO", "Tags": [ "SDL", "TCP", "Automated", "AuthZ", "RBAC" ], "Enabled": true },
{ "ControlID": "AAD_Application_Require_FTE_Owner", "Description": "At least one of the owners of an app must be an FTE", "Id": "App150", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": "CheckAppFTEOwner", "Rationale": "Guest users in a tenant are often transient. Ensuring that at least one FTE owner is accountable for managing the app, rotating credentials, etc. leads to better app governance.", "Recommendation": "Refer: TODO", "Tags": [ "SDL", "TCP", "Automated", "AuthZ", "RBAC" ], "Enabled": true },
{ "ControlID": "AAD_Application_Minimize_Resource_Access_Requested", "Description": "Apps should request the least permissions needed to various resources", "Id": "App160", "ControlSeverity": "Medium", "Automated": "No", "MethodName": "TBD-Later", "Rationale": "Ensuring that an app requests only the permissions it needs to function properly, in keeping with the principle of least privilege, means that in the event of a compromise the damage can be contained.", "Recommendation": "Refer: TODO", "Tags": [ "SDL", "TCP", "Automated", "AuthZ", "RBAC" ], "Enabled": true }
] }