Microsoft Enterprise Application Permissions Policy

Issue/Question

What is USD's process to determine which Microsoft Enterprise Applications are allowed?

Environment

  • Microsoft Enterprise App
  • Entra ID
  • Azure AD
  • Permissions 

Cause

The purpose of this policy is to protect against Microsoft enterprise applications that require excessive admin and user permissions/consent. This policy aims to protect USD's data and systems from likely security risks while also allowing business activity to continue.

Resolution

Scope:
This policy applies to all Microsoft enterprise applications.

Policy:

  1. The IT department will maintain an inventory of all Microsoft enterprise applications used within the organization and will regularly review, at least yearly, the admin and user permissions required by these applications.
  2. Applications that require excessive admin or user permissions will be restricted and their use will require approval from the IT department.
  3. The IT department will work with the application owners to reduce the permissions required by the application or to find alternative solutions that do not require excessive permissions.
  4. Users who require access to restricted applications must submit a request to the IT department, providing justification for their need to use the application. Submit your request to servicedesk@usd.edu.
  5. The IT department will review all requests and grant access to restricted applications on a case-by-case basis, taking into account the potential risks and the user's role and responsibilities within the organization.
  6. The IT department will regularly review and update this policy to ensure that it remains effective in protecting the organization's data and systems.
  7. User consent is automatically granted for applications that are categorized as Low Impact. Please see the image below.

Uploaded Image (Thumbnail)

Please contact the Service Desk if you need further assistance.

ITS STAFF ONLY

  1. Granting of application permissions in Azure must be approved by the Security Team.
  2. The Security Team will review enterprise application admin consent requests for approval or denial.
  3. Follow Reviewing USD Security Policy Requests