eG Monitoring
 

Measures reported by AzrADAppRgstrtnTest

To delegate identity and access management functions to Azure AD, an application must be registered with an Azure AD tenant. When you register your application with Azure AD, you are creating an identity configuration for your application that allows it to integrate with Azure AD. For this purpose, registration automatically assigns a globally unique ID (application ID) to your app. Besides giving your app an identity, you also need to be mindful of the security requirements of your app during registration. To protect your application and user interactions with it from harm, you should authenticate accesses to the application using secrets and/or certificates. A client secret is the application password, which is auto-generated by Azure during application registration. A more secure authentication option is certificates. Azure AD certificate-based authentication (CBA) enables customers to allow or require users to authenticate with X.509 certificates against their Azure Active Directory (Azure AD) for applications and browser sign-in. You can create a self-signed certificate for your application, export it to a file, and upload this certificate file when registering your application using the Azure portal.

You can authenticate applications using secrets or certificates or both. However, be it a secret or a certificate, their validity is determined by their expiry date. You can set when the client secret should expire, during application registration. For a certificate on the other hand, the expiry date is set when generating that certificate. An application stays secure only as long as the certificate/secret associated with it is valid/active.

If an application uses an invalid/expired certificate/secret, the security framework of that application will be severely compromised. This may not only impact application functionality, but can also have far-reaching, organization-wide effects (depending upon the permissions granted to that application). If this is to be avoided, administrators will need to be informed about the expiry of a certificate/secret, and should also be able to quickly identify the application that is tied to expired certificates/secrets. Better still, if an administrator receives a heads-up before a certificate/secret expires, it will help him/her take pre-emptive action and avert potential security disasters. The AzrADAppRgstrtnTest helps with all of the above!

This test monitors application registrations on Azure AD, and reports the count and details of applications with invalid or expired secrets/certificates. With this information, administrators can rapidly identify applications with a high security risk quotient, and initiate measures to mitigate those risks. The test also alerts administrators to secrets and certificates that are about to expire, and thus enables administrators to take proactive action against impending expiry. Additionally, the test points administrators to ‘unprotected’ applications - i.e., applications without certificates or secrets. This way, the test urges administrators to employ either or both of the authentication options that Azure AD provides and secure their critical applications.

Outputs of the test: One set of results for the Azure AD tenant being monitored

The measures made by this test are as follows:

| Measurement | Description | Measurement Unit | Interpretation |
|---|---|---|---|
| total_apps | Indicates the number of applications that are registered with Azure AD. | Number | |
| vld_crtfct_clnt | Indicates the number of app registrations with valid certificates/secrets. | Number | Use the detailed diagnosis of this measure to know which app registrations have valid certificates/secrets. The details of these valid certificates/secrets are also provided as part of detailed metrics. |
| no_crtfct_clnt | Indicates the number of app registrations without any certificates/client-secrets. | Number | Use the detailed diagnosis of this measure to identify those applications that are not authenticated by any secrets/certificates. The permissions these applications have are also displayed as part of detailed metrics. From the scope of these permissions, you can infer whether such applications may pose a risk to the security of the Azure cloud organization and its resources. You may want to consider authenticating accesses to such applications using certificates/secrets, so that the security risks are eliminated. |
| exprd_crtfct_clnt | Indicates the number of app registrations having certificates/client-secrets that have expired. | Number | Using the detailed diagnosis of this measure, you can identify those app registrations that have expired certificates/secrets. You may want to renew the certificates or change the expiry date of the secrets to ensure that the applications stay protected. |
| total_crtfcts | Indicates the total number of certificates uploaded to Azure AD. | Number | |
| vld_crtfcts | Indicates the number of certificates on Azure AD that are currently valid. | Number | |
| exprd_crtfcts | Indicates the number of app registration certificates that have expired. | Number | Use the detailed diagnosis of this measure to know which certificates have expired, when, which apps use them, and what permissions the apps have. This will tell you whether the applications left unprotected by expired certificates will expose your Azure organization to malicious attacks. |
| crtfcts_abt_expr | Indicates the number of certificates that will be expiring within the duration specified against the Expiry Days Limit parameter. | Number | Ideally, the value of this measure should be 0. A non-zero value is a cause for concern. Use the detailed diagnosis of this measure to know which certificates are about to expire, when, which apps use them, and what permissions the apps have. With the help of this information, you can initiate measures to avert security disasters that may occur in the event that the certificates do expire. |
| ttl_ClntScrts | Indicates the total number of client secrets assigned to app registrations on Azure AD. | Number | |
| vld_ClntScrts | Indicates the number of client secrets that are currently valid. | Number | |
| exprd_Clnt | Indicates the number of app registration client secrets that have expired. | Number | Use the detailed diagnosis of this measure to know which client secrets have expired, when, which apps use them, and what permissions the apps have. This will tell you whether the applications left unprotected by expired client secrets will expose your Azure organization to malicious attacks. |
| clnt_Scrts_abt_exp | Indicates the number of client secrets that will be expiring within the duration specified against the Expiry Days Limit parameter. | Number | Ideally, the value of this measure should be 0. A non-zero value is a cause for concern. Use the detailed diagnosis of this measure to know which client secrets are about to expire, when, which apps use them, and what permissions the apps have. With the help of this information, you can initiate measures to avert security disasters that may occur in the event that the secrets do expire. |
| bth_Crtfct_Clnt | Indicates the number of app registrations authenticated using both certificates and client secrets. | Number | |
| AppregCrtdWtnRcntDs | Indicates the number of apps that were registered during the last measurement period. | Number | The detailed diagnosis of this measure reveals the names of the recently registered apps, their IDs, when they were created, and what permissions were granted to them. |
| CrtfctCrtdWtnRcntDs | Indicates the number of certificates that were created during the last measurement period. | Number | The detailed diagnosis of this measure reveals the ID and expiry date of the certificates that were created recently, and which applications are currently using these certificates. |
| ClntScrtCrtdWtnRcntDs | Indicates the number of client secrets that were created during the last measurement period. | Number | The detailed diagnosis of this measure reveals the name and expiry date of the client secrets that were created recently, and which applications are currently using these secrets. |
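To make the credential-based measures in the table above concrete, here is an added example that is not eG's code: it computes those counts, plus a detailed-diagnosis list, from app-registration records shaped like the Microsoft Graph application resource (passwordCredentials and keyCredentials, each carrying an endDateTime). The four app registrations, the fixed "now" and the 30-day Expiry Days Limit are constructed sample values; the interpretation that an "about to expire" credential still counts as valid, and that an app with at least one expired credential counts under exprd_crtfct_clnt, is this example's assumption. The three "created within recent days" measures, which need creation timestamps, are left out.

```python
"""Compute AzrADAppRgstrtnTest-style measures from app-registration records.

Added example (not eG's code). Records mimic the Microsoft Graph 'application'
resource; the tenant below is constructed and the clock is fixed so that
results are reproducible.
"""
from datetime import datetime, timedelta, timezone

# Fixed "now" for the constructed sample (assumption, not a live clock).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

# Constructed sample tenant: four app registrations, trimmed to the fields needed.
SAMPLE_APPS = [
    {"displayName": "payroll-api", "appId": "11111111-1111-1111-1111-111111111111",
     "passwordCredentials": [{"keyId": "s1", "endDateTime": "2025-01-01T00:00:00Z"}],
     "keyCredentials": [{"keyId": "c1", "endDateTime": "2024-06-20T00:00:00Z"}]},
    {"displayName": "legacy-sync", "appId": "22222222-2222-2222-2222-222222222222",
     "passwordCredentials": [{"keyId": "s2", "endDateTime": "2024-03-01T00:00:00Z"}],
     "keyCredentials": []},
    {"displayName": "dashboard", "appId": "33333333-3333-3333-3333-333333333333",
     "passwordCredentials": [], "keyCredentials": []},
    {"displayName": "etl-job", "appId": "44444444-4444-4444-4444-444444444444",
     "passwordCredentials": [{"keyId": "s3", "endDateTime": "2024-06-10T00:00:00Z"},
                             {"keyId": "s4", "endDateTime": "2024-12-31T00:00:00Z"}],
     "keyCredentials": []},
]

MEASURES = ("total_apps", "vld_crtfct_clnt", "no_crtfct_clnt", "exprd_crtfct_clnt",
            "total_crtfcts", "vld_crtfcts", "exprd_crtfcts", "crtfcts_abt_expr",
            "ttl_ClntScrts", "vld_ClntScrts", "exprd_Clnt", "clnt_Scrts_abt_exp",
            "bth_Crtfct_Clnt")


def _ts(value):
    """Parse a Graph ISO-8601 timestamp such as 2024-06-20T00:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def credential_state(cred, now, expiry_days_limit):
    """Classify one credential as expired, about_to_expire (within the limit) or valid."""
    end = _ts(cred["endDateTime"])
    if end <= now:
        return "expired"
    if end <= now + timedelta(days=expiry_days_limit):
        return "about_to_expire"
    return "valid"


def compute_measures(apps, now=NOW, expiry_days_limit=30):
    """Return (counts keyed by measure name, detailed-diagnosis rows).

    Diagnosis rows are (app name, credential kind, keyId, state, endDateTime)
    for every unprotected app and every expired or about-to-expire credential.
    """
    counts = dict.fromkeys(MEASURES, 0)
    diagnosis = []
    for app in apps:
        secrets = app.get("passwordCredentials") or []
        certs = app.get("keyCredentials") or []
        counts["total_apps"] += 1
        counts["total_crtfcts"] += len(certs)
        counts["ttl_ClntScrts"] += len(secrets)
        if not secrets and not certs:
            # 'Unprotected' app: no secret and no certificate at all.
            counts["no_crtfct_clnt"] += 1
            diagnosis.append((app["displayName"], "none", None, "unprotected", None))
            continue
        if secrets and certs:
            counts["bth_Crtfct_Clnt"] += 1
        has_valid = has_expired = False
        for kind, creds, valid_k, expired_k, soon_k in (
            ("certificate", certs, "vld_crtfcts", "exprd_crtfcts", "crtfcts_abt_expr"),
            ("secret", secrets, "vld_ClntScrts", "exprd_Clnt", "clnt_Scrts_abt_exp"),
        ):
            for cred in creds:
                state = credential_state(cred, now, expiry_days_limit)
                if state == "expired":
                    counts[expired_k] += 1
                    has_expired = True
                else:
                    # Assumption: an about-to-expire credential is still valid today.
                    counts[valid_k] += 1
                    has_valid = True
                    if state == "about_to_expire":
                        counts[soon_k] += 1
                if state != "valid":
                    diagnosis.append((app["displayName"], kind, cred["keyId"],
                                      state, cred["endDateTime"]))
        if has_valid:
            counts["vld_crtfct_clnt"] += 1
        if has_expired:
            counts["exprd_crtfct_clnt"] += 1
    return counts, diagnosis


if __name__ == "__main__":
    totals, rows = compute_measures(SAMPLE_APPS)
    for name in MEASURES:
        print(f"{name:<20} {totals[name]}")
    print("\nDetailed diagnosis:")
    for row in rows:
        print("  ", row)
```

Lowering expiry_days_limit shrinks only the two "about to expire" counters; nothing expired or unprotected drops out of the diagnosis, which is the behaviour you want from an early-warning threshold. On a real tenant the same function would be fed the result of a Graph query for applications (with the permissions each app holds joined in for the diagnosis rows), rather than the constructed list here.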