How to Configure Application Authentication Methods in Microsoft Entra ID

Introduction

Application authentication methods, such as certificates and password secrets, are essential for apps to acquire tokens and access data in Microsoft Entra ID. IT administrators can enforce best practices for using these authentication methods through specific policies. This article explores how these policies work, their importance, and how to manage them effectively using Microsoft Entra ID portal.

What Are Application Authentication Methods Policies?

Application authentication methods policies allow IT admins to control how applications use various authentication methods. These policies can:

• Block the use of certain authentication methods.
• Limit the lifetime of password secrets.
• Enforce restrictions based on the creation date of the application or service principal.

Key Benefits

1. Enhanced Security: By enforcing these policies, organizations can take advantage of new app security hardening features, review their current security posture, and implement necessary controls.
2. Flexibility: Policies can be tailored for individual applications or service principals, providing granular control.
3. Scalability: Policies can be enforced for new applications as well as existing ones, ensuring consistent security standards.

Types of Policy Controls

• Tenant Default Policy: Applies to all applications or service principals within a tenant. This policy is created by default but is disabled until configured.
• App Management Policies: Allows for the inclusion or exclusion of individual applications from the tenant default policy, providing more specific control.

Tenant Default App Management Policy

The tenant default policy is a single object that always exists but is disabled by default. It includes:

• Application Restrictions: Target applications owned by the tenant.
• Service Principal Restrictions: Target applications provisioned from another tenant.

These restrictions help lock down credential usage in apps originating from the tenant and control credential addition in externally provisioned applications.

App Management Policy for Applications and Service Principals

App management policies can be defined in the appManagementPolicy resource, containing various restrictions or different enforcement dates from the tenant default policy. When both policies exist, the app management policy takes precedence, and the assigned application or service principal doesn't inherit from the tenant default policy.

Restrictions Managed in Microsoft Entra ID

The application authentication methods policy offers several restrictions, including:

• Password Addition: Restricts adding new password secrets to applications.
• Password Lifetime: Enforces a maximum lifetime for password secrets.
• Custom Password Addition: Restricts adding custom password secrets.
• Symmetric Key Addition: Blocks adding new symmetric keys.
• Symmetric Key Lifetime: Enforces a maximum lifetime for symmetric keys.
• Asymmetric Key Lifetime: Enforces a maximum lifetime for asymmetric key credentials (certificates).

Applying Policies Based on App Type

Single-Tenant Apps: Apply the policy to the application object.
Multi-Tenant Apps (Homed in Customer Tenant): Apply the policy to the application object.
Multi-Tenant Apps (Provisioned from Another Tenant): Apply the policy to the service principal object.

Summary of Key Differences

Application Authentication Method Policy Requirements

Roles: The least privileged roles for managing these policies are Application Administrator and Cloud Application Administrator.
Licensing: All app policy management operations require a Microsoft Entra Workload ID Premium license.

How to configure Application Authentication Policies

To create an application authentication method policy, follow these steps:

1. Open your browser and navigate to https://entra.microsoft.com
2. Go to the "Protection" tab.
3. Click on "Authentication Methods."
4. Select "Application Policies."

Let's establish password restrictions for the application registration based on the default policy.

For our testing case, follow these steps:
1. Select values for "Password Addition."
2. Set the "Password Lifetime."
3. Optionally, if desired, apply the same settings to Enterprise Apps by selecting "Copy setting selection to enterprise apps."

Example Selection as Follows: For password addition, applications created after June 2, 2024.
For password lifetime, applications created after May 30, 2024, with a maximum lifetime of 90 days.

Optionally selected Copy setting selection to Enterprise Apps

Select Save and Enable this Default Policy

Policy has been Enabled

Now, let's test the password addition policy for applications created after June 2nd.

Here is a list of applications on the tenant along with their creation dates.

Let's select the WPMail application, which was created on June 3, 2024, and examine the password creation restrictions applied to it.

It's evident that the policy has been successfully applied to the application.

Now, let's test the application that was created after May 30, 2024.

It's evident that the policy is in effect, and the maximum lifetime for secret creation is limited to 90 days.

Now Lets Create Custom Application policies

Note: Custom application policies affect selected app registrations and enterprise apps. The restrictions in these polices will override the ones enabled in the 'Default policy

To create custom application policies, navigate to the "Same Application Policies" section and select "Custom Application Policies."

Click on "New Custom Policy" and in the upcoming window, provide a policy name and description and click Next

In the upcoming password restrictions section, we will select the settings as indicated in the screenshot below. Additionally, we will include symmetric key addition restrictions for testing purposes. Click Next to proceed with the remaining settings

Certificate Restrictions we will not configure now. Click Next and Review the settings
Note: Certificate restrictions allow you to configure settings to create control boundaries on the use of certificates in your applications and service principals

After Review click Create.

Now that our custom application policy has been created, let's proceed to add the application and enable this policy.

Click on our policy to open it, then scroll all the way down and click on the "Add Apps" section.

We are adding two applications for testing the custom policy.

Click the "Enable Policy" button to activate the policy.

Now lets test the Application Secret creation

Client Secret creation is blocked, as shown in the screenshot below.

Lets Validate the Secret Expiry Policy using our second application

Now we can observe that the Custom Application policy is in effect, restricting secret creation to a maximum of 30 days.

Conclusion

Managing application authentication methods in Microsoft Entra ID is crucial for maintaining robust security standards. By leveraging the Microsoft Entra Portal, administrators can enforce detailed and flexible policies to control how applications use authentication methods. Implementing these policies helps ensure that all applications comply with organizational security requirements, protecting against unauthorized access and credential abuse.