[{"data":1,"prerenderedAt":1906},["ShallowReactive",2],{"application-flags":3,"navbar":7,"always-visible-banner":36,"navbar-about-highlight":108,"navbar-resource-highlight":182,"blog/is-it-safe-to-allow-my-employees-to-connect-third-party-apps-to-our-m365":226},[4],{"name":5,"enabled":6},"maintenanceMode",false,[8],{"createdDate":9,"id":10,"name":11,"modelId":12,"published":13,"query":14,"data":15,"variations":20,"lastUpdated":21,"firstPublished":22,"testRatio":23,"createdBy":24,"lastUpdatedBy":25,"folders":26,"meta":27,"rev":35},1742208588866,"1c7a4e423bf54ac1a328bb4063459ef2","Banner","1c6207a5f24948ab82d4a0b17f251193","published",[],{"type":16,"url":17,"text":18,"link":19},"web-banner","https://pushsecurity.com/resources/browser-attacks-report","Get our latest report analyzing browser attack techniques in 2026",{},{},1774258294825,1742208637545,1,"CydmZnOWU1XuAaLhEDCoYNM4Z8W2","jKjF9r5jcvXU8tzZEfFQm31Iyvr2",[],{"kind":28,"lastPreviewUrl":29,"breakpoints":30,"hasAutosaves":34},"data","",{"xsmall":31,"small":32,"medium":33},320,640,768,true,"ga0kpxjhh76",{"createdDate":37,"id":38,"name":39,"modelId":40,"published":13,"stageModifiedSincePublish":6,"query":41,"data":42,"variations":97,"lastUpdated":98,"firstPublished":99,"testRatio":23,"createdBy":100,"lastUpdatedBy":101,"folders":102,"meta":103,"rev":107},1774965361051,"fd266d0172cc47429be7ad10f48c99ad","always visible banner","0678d178ec8b41efb8a23c09dba7874d",[],{"ctaText":43,"text":44,"url":29,"blocks":45,"state":93},"ewrererw","testrfesssssssssss",[46,73,81],{"@type":47,"@version":48,"id":49,"component":50,"responsiveStyles":63},"@builder.io/sdk:Element",2,"builder-ca12c06a52de41d7b8743da53118cd38",{"name":51,"tag":51,"options":52,"isRSC":62},"TopBannerContent",{"text":53,"ctaText":54,"url":55,"mainText":56,"cta":59},"New Webinar Series: Join John Hammond, Troy Hunt, and Matt Johansen for the State of Browser Attacks","Save Your Spot","https://pushsecurity.com/webinar/state-of-browser-security",{"content":57,"fontSize":58},"\u003Cp>Meet Push's browser security experts at BlackHat 2026.\u003C/p>","text-base",{"content":60,"fontSize":58,"url":61},"\u003Cp>Book a meeting →\u003C/p>","https://pushsecurity.com/events/blackhat-2026-meeting",null,{"large":64},{"display":65,"flexDirection":66,"position":67,"flexShrink":68,"boxSizing":69,"marginTop":70,"marginBottom":70,"fontSize":71,"fontWeight":72},"flex","column","relative","0","border-box",".56rem","1.125rem","700",{"@type":47,"@version":48,"id":74,"component":75,"responsiveStyles":79},"builder-a2e1f4b9f30b464bb814d7f5de5b0aa7",{"name":76,"options":77,"isRSC":62},"Custom Code",{"code":78,"scriptsClientOnly":6},"\u003Cstyle>\n  .top-banner.bg-web-orange{background:rgb(114, 79, 255);}\n\u003C/style>\n",{"large":80},{"display":65,"flexDirection":66,"position":67,"flexShrink":68,"boxSizing":69},{"id":82,"@type":47,"tagName":83,"properties":84,"responsiveStyles":88},"builder-pixel-o503s4fpvk","img",{"src":85,"aria-hidden":86,"alt":29,"role":87,"width":68,"height":68},"https://cdn.builder.io/api/v1/pixel?apiKey=f3a1111ff5be48cdbb123cd9f5795a05","true","presentation",{"large":89},{"height":68,"width":68,"display":90,"opacity":68,"overflow":91,"pointerEvents":92},"block","hidden","none",{"deviceSize":94,"location":95},"large",{"path":29,"query":96},{},{},1783541846936,1774968080803,"ST0tXQM8slWpFrmioqKHmENB2qe2","kYgMv6WsbvfmlOUYqR2SFwGzw6e2",[],{"kind":104,"lastPreviewUrl":105,"hasLinks":6,"breakpoints":106,"hasErrors":6,"hasAutosaves":6},"component","https://pushsecurity.com/?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CcreateProjects%2CsendPullRequests&builder.user.role.name=Designer&builder.user.role.id=creator&builder.cachebust=true&builder.preview=always-visible-banner&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.always-visible-banner=fd266d0172cc47429be7ad10f48c99ad&builder.overrides.fd266d0172cc47429be7ad10f48c99ad=fd266d0172cc47429be7ad10f48c99ad&builder.options.locale=Default",{"xsmall":31,"small":32,"medium":33},"kyujw1aptq",[109,145],{"createdDate":110,"id":111,"name":112,"modelId":113,"published":13,"stageModifiedSincePublish":6,"query":114,"data":115,"variations":138,"lastUpdated":139,"firstPublished":140,"testRatio":23,"createdBy":24,"lastUpdatedBy":24,"folders":141,"meta":142,"rev":144},1776247359804,"9136a8f18b3b4a6ba29b8653a99372b1","testimonial-inductive-automation","20d9eaa352304613b3d1a794b400703d",[],{"link":116,"type":117,"testimonialLink":118,"testimonial":119},{},"testimonial","/customer-stories/inductive-automation",{"@type":120,"id":121,"model":117,"value":122},"@builder.io/core:Reference","f028f2b685bb47cd8bf9e82a26dd5a79",{"query":123,"folders":124,"createdDate":125,"id":121,"name":126,"modelId":127,"published":13,"data":128,"variations":132,"lastUpdated":133,"firstPublished":134,"testRatio":23,"createdBy":100,"lastUpdatedBy":100,"meta":135,"rev":137},[],[],1735823466309,"We found Push to be more accurate when compared to competitors and the browser agent offered features that others couldn’t match.","42035571a56940ac98bff4544aa79aa5",{"author":129,"jobTitle":130,"quote":126,"image":131},"Jason Waits","\u003Cp>CISO at Inductive Automation\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Ff04c0c0689ce4a89ac0f0708d78c0a07",{},1735910703862,1735823501152,{"kind":28,"lastPreviewUrl":29,"breakpoints":136,"hasAutosaves":34},{"small":32,"medium":33},"e8bsg4qrgtu",{},1776247404986,1776247404973,[],{"breakpoints":143,"kind":28,"lastPreviewUrl":29,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},"g9lqcuxphw7",{"createdDate":146,"id":147,"name":148,"modelId":113,"published":13,"meta":149,"stageModifiedSincePublish":6,"query":151,"data":152,"variations":178,"lastUpdated":179,"firstPublished":180,"testRatio":23,"createdBy":24,"lastUpdatedBy":24,"folders":181,"rev":144},1776255761419,"05a9322735fc427db12e2740e4302300","Report: 2026 Browser Attack Techniques",{"breakpoints":150,"kind":28,"lastPreviewUrl":29,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},[],{"testimonial":153,"link":172,"type":175,"title":148,"description":176,"image":177},{"@type":120,"id":154,"model":117,"value":155},"192acbb1f9ca4cac918c0ec435a8bae3",{"query":156,"folders":157,"createdDate":158,"id":154,"name":159,"modelId":127,"published":13,"data":160,"variations":166,"lastUpdated":167,"firstPublished":168,"testRatio":23,"createdBy":100,"lastUpdatedBy":24,"meta":169,"rev":171},[],[],1728981467463,"Push does for identity what CrowdStrike did for the endpoint",{"video":161,"jobTitle":162,"author":163,"qoute":29,"quote":164,"image":165},"https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F8b30e8ca50064058bbaef0f3c6164575%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=8b30e8ca50064058bbaef0f3c6164575&alt=media&optimized=true","\u003Cp>Deputy CISO at Microsoft\u003C/p>\u003Cp>Former LinkedIn, Slack, Palantir\u003C/p>","Geoff Belknap","Push does for identity what CrowdStrike did for the endpoint.","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F748f0ad0a5064a00a13f4721fcc8dea1",{},1742902158597,1728981782923,{"kind":28,"lastPreviewUrl":29,"breakpoints":170,"hasAutosaves":34},{"small":32,"medium":33},"ulhc0im1hfo",{"text":173,"url":174},"Download now","/resources/browser-attacks-report","resource","Learn about the latest techniques being used in the wild.","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F7b4a5ebf81d64e8c9d7fc35f6c96c4a9",{},1776255810913,1776255810900,[],[183,205],{"createdDate":184,"id":185,"name":148,"modelId":186,"published":13,"meta":187,"stageModifiedSincePublish":6,"query":189,"data":190,"variations":200,"lastUpdated":201,"firstPublished":202,"testRatio":23,"createdBy":24,"lastUpdatedBy":24,"folders":203,"rev":204},1776256900280,"1f429607996e4e5fae8fe3f9b9610e55","4829faa81e7c4ee8bd2d000e160e8d3c",{"breakpoints":188,"kind":28,"lastPreviewUrl":29,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},[],{"testimonial":191,"link":199,"type":175,"title":148,"description":176,"image":177},{"@type":120,"id":154,"model":117,"value":192},{"query":193,"folders":194,"createdDate":158,"id":154,"name":159,"modelId":127,"published":13,"data":195,"variations":196,"lastUpdated":167,"firstPublished":168,"testRatio":23,"createdBy":100,"lastUpdatedBy":24,"meta":197,"rev":171},[],[],{"video":161,"jobTitle":162,"author":163,"qoute":29,"quote":164,"image":165},{},{"kind":28,"lastPreviewUrl":29,"breakpoints":198,"hasAutosaves":34},{"small":32,"medium":33},{"text":173,"url":174},{},1776256937553,1776256937540,[],"xggsv10v1q9",{"createdDate":206,"id":207,"name":208,"modelId":186,"published":13,"stageModifiedSincePublish":6,"query":209,"data":210,"variations":220,"lastUpdated":221,"firstPublished":222,"testRatio":23,"createdBy":24,"lastUpdatedBy":24,"folders":223,"meta":224,"rev":204},1776256949234,"ce043785b71b4ece98eac811ecf4ba10","inductive-automation",[],{"link":211,"type":117,"testimonial":212,"testimonialLink":118},{},{"@type":120,"id":121,"model":117,"value":213},{"query":214,"folders":215,"createdDate":125,"id":121,"name":126,"modelId":127,"published":13,"data":216,"variations":217,"lastUpdated":133,"firstPublished":134,"testRatio":23,"createdBy":100,"lastUpdatedBy":100,"meta":218,"rev":137},[],[],{"author":129,"jobTitle":130,"quote":126,"image":131},{},{"kind":28,"lastPreviewUrl":29,"breakpoints":219,"hasAutosaves":34},{"small":32,"medium":33},{},1776256974140,1776256974130,[],{"breakpoints":225,"kind":28,"lastPreviewUrl":29,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},{"id":227,"title":228,"authorsCollection":229,"content":237,"extension":1012,"faqItemsCollection":1013,"faqTitle":62,"featured":6,"hashTags":62,"meta":1015,"metaTitle":1016,"ogImage":62,"publishedDate":1017,"relatedBlogPostsCollection":1018,"slug":1883,"stem":1884,"subtitle":62,"summary":1885,"synopsis":1895,"sys":1896,"tagsCollection":1899,"__hash__":1905},"blog/blog/is-it-safe-to-allow-my-employees-to-connect-third-party-apps-to-our-m365.json","Is it safe to allow my employees to connect third-party apps to our M365/Google Workspace tenant?",{"items":230},[231],{"fullName":232,"firstName":233,"jobTitle":234,"profilePicture":235},"Luke Jennings","Luke","Vice President, R&D",{"url":236},"https://images.ctfassets.net/y1cdw1ablpvd/4Hosb4zKi1dA0PUyDLMe1h/27e09d894861f2196ba794037986fb08/T016S22KZ96-U02NVQM7ZD4-57761d542d83-512.jpeg",{"json":238,"links":934},{"nodeType":239,"data":240,"content":241},"document",{},[242,251,259,266,290,297,329,336,344,363,370,377,384,390,397,404,410,417,423,429,436,442,449,455,462,469,476,483,490,497,504,511,518,584,591,760,767,774,922,928],{"nodeType":243,"data":244,"content":245},"paragraph",{},[246],{"nodeType":247,"value":248,"marks":249,"data":250},"text","It’s no secret that SaaS use is growing exponentially, but less has been said about third-party SaaS integrations, especially to core platforms like M365 or Google Workspace. In this article, we’ll explain what these third-party integrations are and what the security benefits vs risks of using them in your organization are. We’ll also provide some helpful tips about what you can do to remediate or at least lessen the risks.",[],{},{"nodeType":252,"data":253,"content":254},"heading-1",{},[255],{"nodeType":247,"value":256,"marks":257,"data":258},"What are third-party SaaS integrations and what the heck is OAuth?",[],{},{"nodeType":243,"data":260,"content":261},{},[262],{"nodeType":247,"value":263,"marks":264,"data":265},"A third-party SaaS integration with your M365 or Google Workspace deployment allows an employee (or administrator) to grant some level of access to your data by that SaaS vendor. Employees want to connect these apps because they want to easily share projects across their tools, or integrate add-on features that make their workspaces more flexible or customized to their needs, or they simply need them to be more productive. And those apps must have some level of access to your data (and the employee’s data) to function properly. The problem comes in primarily because the level of access each app requests can vary significantly by both the type of data exposed and the number of employees it affects. ",[],{},{"nodeType":243,"data":267,"content":268},{},[269,273,286],{"nodeType":247,"value":270,"marks":271,"data":272},"It can be as simple as sharing an employee’s full name and email address with the SaaS provider if they login using their business Microsoft/Google account, otherwise known as a \"",[],{},{"nodeType":274,"data":275,"content":281},"entry-hyperlink",{"target":276},{"sys":277},{"id":278,"type":279,"linkType":280},"1pbtctbbJRqLuz8dOsecOt","Link","Entry",[282],{"nodeType":247,"value":283,"marks":284,"data":285},"social login",[],{},{"nodeType":247,"value":287,"marks":288,"data":289},".\" However, integrations can also request access to much more sensitive data, such as email inboxes and document stores (OneDrive, Sharepoint, Google Drive). Employees with administrative privileges can even create integrations that allow access to all employees’ data, rather than sharing only their own data. ",[],{},{"nodeType":243,"data":291,"content":292},{},[293],{"nodeType":247,"value":294,"marks":295,"data":296},"Clearly, the security and compliance risks associated are highly variable depending on the type of integration.",[],{},{"nodeType":243,"data":298,"content":299},{},[300,304,312,316,325],{"nodeType":247,"value":301,"marks":302,"data":303},"OAuth is an industry standard protocol for authorization (",[],{},{"nodeType":305,"data":306,"content":308},"hyperlink",{"uri":307},"https://oauth.net/2/",[309],{"nodeType":247,"value":307,"marks":310,"data":311},[],{},{"nodeType":247,"value":313,"marks":314,"data":315},"). If you want to share your data on one app with another third-party app, rather than share your username and password, OAuth provides a way to authorize access to specific data based on a set of permissions. You can even later revoke access to specific apps without changing your password. A vendor that allows sharing of their data via OAuth can implement their own custom permissions - Google implements hundreds of permissions alone (",[],{},{"nodeType":305,"data":317,"content":319},{"uri":318},"https://developers.google.com/identity/protocols/oauth2/scopes",[320],{"nodeType":247,"value":318,"marks":321,"data":324},[322],{"type":323},"underline",{},{"nodeType":247,"value":326,"marks":327,"data":328},"). ",[],{},{"nodeType":243,"data":330,"content":331},{},[332],{"nodeType":247,"value":333,"marks":334,"data":335},"Essentially, OAuth is the protocol that allows you to easily choose which data you share with who and thus is a very common approach for how SaaS platforms integrate with other core SaaS platforms like Google or Microsoft.    ",[],{},{"nodeType":337,"data":338,"content":339},"heading-2",{},[340],{"nodeType":247,"value":341,"marks":342,"data":343},"An Example - Adobe Creative Cloud",[],{},{"nodeType":243,"data":345,"content":346},{},[347,351,359],{"nodeType":247,"value":348,"marks":349,"data":350},"Let’s say your Marketing team wants to make use of Adobe Creative Cloud - perhaps they need Photoshop for some image-editing and Acrobat for some PDF-editing for marketing materials. They pop along to ",[],{},{"nodeType":305,"data":352,"content":354},{"uri":353},"https://creativecloud.adobe.com/",[355],{"nodeType":247,"value":353,"marks":356,"data":358},[357],{"type":323},{},{"nodeType":247,"value":360,"marks":361,"data":362}," and click to sign up and are presented with the following choice: ",[],{},{"nodeType":364,"data":365,"content":369},"embedded-entry-block",{"target":366},{"sys":367},{"id":368,"type":279,"linkType":280},"ffx3tPYZNwZD6xj7IcLm1",[],{"nodeType":243,"data":371,"content":372},{},[373],{"nodeType":247,"value":374,"marks":375,"data":376},"Your organization is using Google Workspace for most core business functions, so they think “Oh great, I can login using my business Google account, no need to setup yet another online account and password!”",[],{},{"nodeType":243,"data":378,"content":379},{},[380],{"nodeType":247,"value":381,"marks":382,"data":383},"They click to “Continue with Google” and are presented with the choice to select their account. They are already logged in with Google so they don’t even need to enter their password.",[],{},{"nodeType":364,"data":385,"content":389},{"target":386},{"sys":387},{"id":388,"type":279,"linkType":280},"507PcDcFrMbGBdpVzt8RFl",[],{"nodeType":243,"data":391,"content":392},{},[393],{"nodeType":247,"value":394,"marks":395,"data":396},"That’s it, they are now signed up to Adobe Creative Cloud, they pay their subscription and start using Adobe’s SaaS offerings. This is known as a Social Login, and it lets your marketing team quickly and easily log into Adobe using their existing Google account.",[],{},{"nodeType":243,"data":398,"content":399},{},[400],{"nodeType":247,"value":401,"marks":402,"data":403},"However, very limited data access has actually been provided to Adobe. Adobe has only been authorized to access basic details of the employee who signed up, as you can see in the integration details below:",[],{},{"nodeType":364,"data":405,"content":409},{"target":406},{"sys":407},{"id":408,"type":279,"linkType":280},"HwDgqIjni9MzkwGJikdk1",[],{"nodeType":243,"data":411,"content":412},{},[413],{"nodeType":247,"value":414,"marks":415,"data":416},"However, after some use of Photoshop and Acrobat, your marketing team needs to both open and save documents on their Google Drive or OneDrive as that’s how they collaborate on all other documents within the company. No problem, Adobe allows you to add one of many cloud storage options. Given your company is using Google Drive, they pick that option and are presented with a new permission request from Google:",[],{},{"nodeType":364,"data":418,"content":422},{"target":419},{"sys":420},{"id":421,"type":279,"linkType":280},"3pVLUawIy8ZIZwFCZXCOs8",[],{"nodeType":364,"data":424,"content":428},{"target":425},{"sys":426},{"id":427,"type":279,"linkType":280},"zNKE1Et3zgLPFmdrvQrh4",[],{"nodeType":243,"data":430,"content":431},{},[432],{"nodeType":247,"value":433,"marks":434,"data":435},"This time, Adobe is requesting much more sensitive access than merely basic personal details - it’s asking for full read/write access to the employee’s entire Google Drive store. Google makes sure that’s clear and asks for authorization. Your employee clicks to continue and now they have the ability to read and write Google Drive from within Acrobat:",[],{},{"nodeType":364,"data":437,"content":441},{"target":438},{"sys":439},{"id":440,"type":279,"linkType":280},"3EztvIY0a6amE9qx6pi3Pe",[],{"nodeType":243,"data":443,"content":444},{},[445],{"nodeType":247,"value":446,"marks":447,"data":448},"We can now see a new integration has been created, exposing a much more significant asset by allowing full access to Google Drive on behalf of the marketing employee.",[],{},{"nodeType":364,"data":450,"content":454},{"target":451},{"sys":452},{"id":453,"type":279,"linkType":280},"7EJrX4ccSmWzWJ1kC6kMzf",[],{"nodeType":243,"data":456,"content":457},{},[458],{"nodeType":247,"value":459,"marks":460,"data":461},"We have just followed a user journey for two particularly common examples of integrations, but there are a huge number of SaaS providers out there and a huge variety of different types of integrations. However, the most common cases are simple social logins, document access, email access, calendar access and contacts access depending on the SaaS provider in use.",[],{},{"nodeType":252,"data":463,"content":464},{},[465],{"nodeType":247,"value":466,"marks":467,"data":468},"Should I be worried about this?",[],{},{"nodeType":243,"data":470,"content":471},{},[472],{"nodeType":247,"value":473,"marks":474,"data":475},"As always, the answer is “it depends.” On the one hand, by default your employees can enable integrations for their own account with whatever third parties they like and potentially expose very sensitive data assets like document stores and email. It’s a bit melodramatic to put it this way, but consenting to OAuth permissions is like giving a third party an everlasting password to act in a limited capacity as a number of users with minimal monitoring and trusting them not to abuse that access.  ",[],{},{"nodeType":243,"data":477,"content":478},{},[479],{"nodeType":247,"value":480,"marks":481,"data":482},"On the other, many integrations (especially the ones you’ll recognize by name) don’t ask for excessive permissions, and are managed by responsible and security conscious vendors that generally do a great job of securing your data. The challenge is finding integrations for which this isn’t true.",[],{},{"nodeType":243,"data":484,"content":485},{},[486],{"nodeType":247,"value":487,"marks":488,"data":489},"The reality is that it’s probably already happening across your organization, whether you know it or not. After all, SaaS use is key to modern working environments and your employees will be using it somehow. At Push Security, it’s not unusual for us to see hundreds of third-party integrations on our customers’ Google Workspace and M365 instances, even in relatively small organizations. ",[],{},{"nodeType":243,"data":491,"content":492},{},[493],{"nodeType":247,"value":494,"marks":495,"data":496},"And in fact it’s not all doom and gloom, since your employees need to use SaaS providers anyway, there are actually some security benefits to making use of social logins and third party SaaS integrations are the key mechanism for doing so. ",[],{},{"nodeType":243,"data":498,"content":499},{},[500],{"nodeType":247,"value":501,"marks":502,"data":503},"This is a key reason to not take a heavy-handed stance of “block all integrations” - while you would certainly reduce the risk of data leaks, you’d also be losing the security benefits of social logins and severely hindering your employees from getting things done quickly and easily. You will also probably force them into effectively doing the same in a different way anyway (perhaps they simply start using their personal google account and google drive where they can do these integrations instead?).",[],{},{"nodeType":252,"data":505,"content":506},{},[507],{"nodeType":247,"value":508,"marks":509,"data":510},"\nWhat are the security benefits?",[],{},{"nodeType":243,"data":512,"content":513},{},[514],{"nodeType":247,"value":515,"marks":516,"data":517},"There are a number of security benefits to using social logins and third-party integrations, but a few key considerations are:",[],{},{"nodeType":519,"data":520,"content":521},"unordered-list",{},[522,539,554,569],{"nodeType":523,"data":524,"content":525},"list-item",{},[526],{"nodeType":243,"data":527,"content":528},{},[529,535],{"nodeType":247,"value":530,"marks":531,"data":534},"Fewer passwords",[532],{"type":533},"bold",{},{"nodeType":247,"value":536,"marks":537,"data":538}," - if your employees use social logins everywhere, they can focus on having one strong password and not have to manage separate accounts and passwords for 20 different SaaS platforms.",[],{},{"nodeType":523,"data":540,"content":541},{},[542],{"nodeType":243,"data":543,"content":544},{},[545,550],{"nodeType":247,"value":546,"marks":547,"data":549},"MFA everywhere",[548],{"type":533},{},{"nodeType":247,"value":551,"marks":552,"data":553}," - if you have set up strong password policies and enforced MFA on your Google and Microsoft accounts, all of your SaaS platforms inherit the same security if you are using social logins.",[],{},{"nodeType":523,"data":555,"content":556},{},[557],{"nodeType":243,"data":558,"content":559},{},[560,565],{"nodeType":247,"value":561,"marks":562,"data":564},"Visibility of SaaS use",[563],{"type":533},{},{"nodeType":247,"value":566,"marks":567,"data":568}," - if employees use custom logins for all their SaaS platforms, you’ll have no idea what SaaS is in use (unless you use the Push browser extension ;)). With social logins and third-party integrations, you can see exactly what integrations you have across your organization, including which employees have shared which type of data access.",[],{},{"nodeType":523,"data":570,"content":571},{},[572],{"nodeType":243,"data":573,"content":574},{},[575,580],{"nodeType":247,"value":576,"marks":577,"data":579},"Fine-grained permissions ",[578],{"type":533},{},{"nodeType":247,"value":581,"marks":582,"data":583},"- OAuth integrations can request as little or as much access as they like. Ideally, many integrations will be nothing more than a social login or will otherwise limit the permissions to a small subset of data they require to reduce the risk. This is far more transparent than alternatives like integrations using API keys typically are.",[],{},{"nodeType":337,"data":585,"content":586},{},[587],{"nodeType":247,"value":588,"marks":589,"data":590},"What are the security risks?",[],{},{"nodeType":519,"data":592,"content":593},{},[594,609,624,664,679,707,734],{"nodeType":523,"data":595,"content":596},{},[597],{"nodeType":243,"data":598,"content":599},{},[600,605],{"nodeType":247,"value":601,"marks":602,"data":604},"Blindspots in your attack surface",[603],{"type":533},{},{"nodeType":247,"value":606,"marks":607,"data":608}," - At a higher level, you need to care because each of these third parties is now handling your data and you need to ensure they only have access to what they need to function, that they’re storing and managing your data responsibly, and that you treat them as you would any other vendor in your supply chain.",[],{},{"nodeType":523,"data":610,"content":611},{},[612],{"nodeType":243,"data":613,"content":614},{},[615,620],{"nodeType":247,"value":616,"marks":617,"data":619},"Excessive permissions",[618],{"type":533},{},{"nodeType":247,"value":621,"marks":622,"data":623}," - Third-party integrations can request whatever permissions they like. Some SaaS apps may choose to request excessively high permissions and simply not function unless an employee accepts it. This can lead to employees being conditioned to accept permissions whatever they are and granting excessive permissions.",[],{},{"nodeType":523,"data":625,"content":626},{},[627],{"nodeType":243,"data":628,"content":629},{},[630,635,639,647,651,660],{"nodeType":247,"value":631,"marks":632,"data":634},"Consent phishing",[633],{"type":533},{},{"nodeType":247,"value":636,"marks":637,"data":638}," - A technique that tricks a user into granting a malicious third-party app access to their account. Since this technique preys on users that are already logged in, it is effective against users with strong passwords, multi-factor authentication, or even passwordless setups. You can read more about this technique in our ",[],{},{"nodeType":305,"data":640,"content":642},{"uri":641},"https://pushsecurity.com/blog/consent-phishing-the-emerging-phishing-technique-that-can-bypass-2fa/",[643],{"nodeType":247,"value":644,"marks":645,"data":646},"previous blog post",[],{},{"nodeType":247,"value":648,"marks":649,"data":650},". ",[],{},{"nodeType":305,"data":652,"content":654},{"uri":653},"https://www.bleepingcomputer.com/news/security/sans-shares-details-on-attack-that-led-to-their-data-breach/",[655],{"nodeType":247,"value":656,"marks":657,"data":659},"SANS had a breach in 2020",[658],{"type":323},{},{"nodeType":247,"value":661,"marks":662,"data":663}," caused by a consent phishing attack, which led to a leak of around 28,000 records of SANs members’ personal information (PII).",[],{},{"nodeType":523,"data":665,"content":666},{},[667],{"nodeType":243,"data":668,"content":669},{},[670,675],{"nodeType":247,"value":671,"marks":672,"data":674},"SaaS account compromise",[673],{"type":533},{},{"nodeType":247,"value":676,"marks":677,"data":678}," - If an employee has a separate account and password for a SaaS platform and that is compromised somehow, any integrations with your Google workspace or M365 are also compromised. For example, perhaps they have a weak password with no MFA on a SaaS provider and then an attacker uses that to access Google Drive via a pre-existing integration from that SaaS platform.",[],{},{"nodeType":523,"data":680,"content":681},{},[682],{"nodeType":243,"data":683,"content":684},{},[685,690,694,703],{"nodeType":247,"value":686,"marks":687,"data":689},"SaaS provider compromise",[688],{"type":533},{},{"nodeType":247,"value":691,"marks":692,"data":693}," - If a SaaS provider itself is compromised, any integrations could also be exploited. This is the SaaS integration equivalent of an MSP or other third party with privileged access to your data being compromised. Hubspot ",[],{},{"nodeType":305,"data":695,"content":697},{"uri":696},"https://thehackernews.com/2022/04/into-breach-breaking-down-3-saas-app.html",[698],{"nodeType":247,"value":699,"marks":700,"data":702},"experienced a breach",[701],{"type":323},{},{"nodeType":247,"value":704,"marks":705,"data":706}," in April 2022, which “allowed malicious actors the ability to access and export contact data using the employee's access to several HubSpot accounts.”",[],{},{"nodeType":523,"data":708,"content":709},{},[710],{"nodeType":243,"data":711,"content":712},{},[713,718,722,730],{"nodeType":247,"value":714,"marks":715,"data":717},"Stolen integration tokens ",[716],{"type":533},{},{"nodeType":247,"value":719,"marks":720,"data":721},"- The way integrations work under the hood are via OAuth tokens. If these are stolen somehow, due to a device compromise or SaaS provider compromise, they can potentially be used to gain access to data, similar to if a password was stolen in the same circumstances. They also do not expire on a password change, so changing a password after a compromise is not enough on its own to deal with this threat. A recent example of this was the ",[],{},{"nodeType":305,"data":723,"content":725},{"uri":724},"https://github.blog/2022-04-15-security-alert-stolen-oauth-user-tokens/",[726],{"nodeType":247,"value":727,"marks":728,"data":729},"exploitation of GitHub",[],{},{"nodeType":247,"value":731,"marks":732,"data":733}," via tokens stolen from Heroku and TravisCI. ",[],{},{"nodeType":523,"data":735,"content":736},{},[737],{"nodeType":243,"data":738,"content":739},{},[740,745,749,757],{"nodeType":247,"value":741,"marks":742,"data":744},"Integration backdoors",[743],{"type":533},{},{"nodeType":247,"value":746,"marks":747,"data":748}," - Integrations provide another method of backdoor access to a user account post-compromise. Setting up a malicious integration is one method to maintain access to data that will survive a password change conducted as part of incident response. A real-world example of this issue was a privilege escalation attack in Azure, covered nicely ",[],{},{"nodeType":305,"data":750,"content":752},{"uri":751},"https://posts.specterops.io/azure-privilege-escalation-via-service-principal-abuse-210ae2be2a5",[753],{"nodeType":247,"value":754,"marks":755,"data":756},"here",[],{},{"nodeType":247,"value":648,"marks":758,"data":759},[],{},{"nodeType":337,"data":761,"content":762},{},[763],{"nodeType":247,"value":764,"marks":765,"data":766},"Security guidance tips for third-party integrations",[],{},{"nodeType":243,"data":768,"content":769},{},[770],{"nodeType":247,"value":771,"marks":772,"data":773},"Let’s face it, your employees need to use SaaS solutions to be productive and they are going to use them somehow. We have even seen how third-party SaaS integrations can provide some security benefits, too, but there are new risks to be aware of as well. Here are some basic security tips to consider to ensure you are enabling this practice securely.",[],{},{"nodeType":519,"data":775,"content":776},{},[777,792,807,822,837,852,893],{"nodeType":523,"data":778,"content":779},{},[780],{"nodeType":243,"data":781,"content":782},{},[783,788],{"nodeType":247,"value":784,"marks":785,"data":787},"Gain visibility",[786],{"type":533},{},{"nodeType":247,"value":789,"marks":790,"data":791}," - Whether you know it or not, your employees are probably using SaaS platforms, which may include third-party SaaS integrations. Find out what SaaS platforms and integrations are in use and pay attention to any with sensitive permissions you might want to review. Push can help do this for you. ",[],{},{"nodeType":523,"data":793,"content":794},{},[795],{"nodeType":243,"data":796,"content":797},{},[798,803],{"nodeType":247,"value":799,"marks":800,"data":802},"Remove dormant or infrequently used integrations ",[801],{"type":533},{},{"nodeType":247,"value":804,"marks":805,"data":806},"- Reduce your attack surface by simply removing the apps no one or only a few people are using. This also makes the third-party security vetting process a bit less burdensome, so it’s a smart move once you know which integrations won’t be missed when they’re gone. We can help with this as well. ",[],{},{"nodeType":523,"data":808,"content":809},{},[810],{"nodeType":243,"data":811,"content":812},{},[813,818],{"nodeType":247,"value":814,"marks":815,"data":817},"Modify incident response playbooks ",[816],{"type":533},{},{"nodeType":247,"value":819,"marks":820,"data":821},"- If you have incident response playbooks in place for what to do in the event of an employee’s password being compromised or their laptop/mobile being stolen or infected with malware, you need to consider modifying these. Consider adding invalidating SaaS OAuth tokens in addition to standard steps like password changes, remote wipes and fresh device builds.",[],{},{"nodeType":523,"data":823,"content":824},{},[825],{"nodeType":243,"data":826,"content":827},{},[828,833],{"nodeType":247,"value":829,"marks":830,"data":832},"Encourage social logins ",[831],{"type":533},{},{"nodeType":247,"value":834,"marks":835,"data":836},"- Social logins have a bit of a bad rap, possibly this is due to their roots in low security, non-work environments - but that being said, when using your M365 or Workspace as the identity source these methods are a great for for many organizations that struggle with weak passwords, shared passwords and a lack of MFA across SaaS apps. If you're going to be using social logins, it makes sense to ensure your Google/Microsoft accounts have good password policies and MFA. ",[],{},{"nodeType":523,"data":838,"content":839},{},[840],{"nodeType":243,"data":841,"content":842},{},[843,848],{"nodeType":247,"value":844,"marks":845,"data":847},"Educate your users about consent phishing",[846],{"type":533},{},{"nodeType":247,"value":849,"marks":850,"data":851}," - Awareness of traditional phishing for passwords is pretty high these days, but awareness about consent phishing is far lower. Make sure your employees are aware of this as well and know who to speak to if they’re worried they consented to a malicious app.",[],{},{"nodeType":523,"data":853,"content":854},{},[855],{"nodeType":243,"data":856,"content":857},{},[858,863,867,876,880,889],{"nodeType":247,"value":859,"marks":860,"data":862},"Admin approval for sensitive permissions - ",[861],{"type":533},{},{"nodeType":247,"value":864,"marks":865,"data":866},"M365 has an admin approval process for integrations and allows you to define low risk permissions that users can consent to themselves. This can allow you to empower users to use social logins and lower risk integrations on their own, but require an admin to approve apps requiring more sensitive permissions. Google workspace allows you to configure restricted permissions but is much less flexible. Check out Microsoft’s ",[],{},{"nodeType":305,"data":868,"content":870},{"uri":869},"https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/configure-admin-consent-workflow",[871],{"nodeType":247,"value":872,"marks":873,"data":875},"admin consent workflow guide",[874],{"type":323},{},{"nodeType":247,"value":877,"marks":878,"data":879}," and their article about ",[],{},{"nodeType":305,"data":881,"content":883},{"uri":882},"https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/configure-permission-classifications?tabs=azure-portal",[884],{"nodeType":247,"value":885,"marks":886,"data":888},"how to configure permissions ",[887],{"type":323},{},{"nodeType":247,"value":890,"marks":891,"data":892},"for more guidance.",[],{},{"nodeType":523,"data":894,"content":895},{},[896],{"nodeType":243,"data":897,"content":898},{},[899,904,908,918],{"nodeType":247,"value":900,"marks":901,"data":903},"Prioritize apps that need additional vetting ",[902],{"type":533},{},{"nodeType":247,"value":905,"marks":906,"data":907},"- prioritize apps based on how many people in the company use it and if it’s requesting access to highly sensitive data to work or integrating with SaaS that have data you don’t want exposed. We provided some more practical guidance on risk prioritization ",[],{},{"nodeType":274,"data":909,"content":913},{"target":910},{"sys":911},{"id":912,"type":279,"linkType":280},"3PqX7fLrTIYhWjbEhHSRHG",[914],{"nodeType":247,"value":754,"marks":915,"data":917},[916],{"type":323},{},{"nodeType":247,"value":919,"marks":920,"data":921},".",[],{},{"nodeType":364,"data":923,"content":927},{"target":924},{"sys":925},{"id":926,"type":279,"linkType":280},"6oHRbGLus4bstsAc7E0zBD",[],{"nodeType":243,"data":929,"content":930},{},[931],{"nodeType":247,"value":29,"marks":932,"data":933},[],{},{"entries":935},{"inline":936,"hyperlink":937,"block":947},[],[938,943],{"sys":939,"__typename":940,"title":941,"slug":942},{"id":278},"BlogPosts","Should I let my employees login with their work Google account?","should-i-let-my-employees-login-with-their-work-google-account",{"sys":944,"__typename":940,"title":945,"slug":946},{"id":912},"5 steps to manage the risk of unsanctioned SaaS ","manage-saas-risks-without-hindering-employees",[948,957,963,970,976,983,989,995],{"sys":949,"__typename":950,"title":951,"caption":952,"layoutMode":62,"file":953},{"id":368},"Image","OAuth Adobe example","Example of an OAuth / Social login",{"url":954,"width":955,"height":956},"https://images.ctfassets.net/y1cdw1ablpvd/6pEiqSetxWVLelN31IKEeY/c0d22fd96149753ebc08d05b79c398c5/image6.png",930,922,{"sys":958,"__typename":950,"title":959,"caption":960,"layoutMode":62,"file":961},{"id":388},"Login with Google example","Choose which Google account to login with",{"url":962,"width":955,"height":956},"https://images.ctfassets.net/y1cdw1ablpvd/n3VMAqOZNNsOoQrdjZyvS/79e6a4d8c33add2d014be89457907da1/image4.png",{"sys":964,"__typename":950,"title":965,"caption":965,"layoutMode":62,"file":966},{"id":408},"Push OAuth (third-party integration) details panel",{"url":967,"width":968,"height":969},"https://images.ctfassets.net/y1cdw1ablpvd/5LRUtkyeQF3RvD7V9KVBNV/4bd2f9cb0b0709a74a32259543461d45/image3.png",733,688,{"sys":971,"__typename":950,"title":972,"caption":972,"layoutMode":62,"file":973},{"id":421},"Permission request from Google",{"url":974,"width":955,"height":975},"https://images.ctfassets.net/y1cdw1ablpvd/4oCVoWws9dIB52qS3dXqdv/5cb3dd2d3be0295443853b86ac0afbba/image2.png",352,{"sys":977,"__typename":950,"title":978,"caption":979,"layoutMode":62,"file":980},{"id":427},"Adobe wants to access your Google account","Adobe connecting to Google",{"url":981,"width":955,"height":982},"https://images.ctfassets.net/y1cdw1ablpvd/AdvCDGO8Hqow3GhbA8JVv/dc70d323c1e5cce3e78e257b481b16a2/image1.png",1566,{"sys":984,"__typename":950,"title":985,"caption":985,"layoutMode":62,"file":986},{"id":440},"Acrobat requesting permission to access Google ",{"url":987,"width":955,"height":988},"https://images.ctfassets.net/y1cdw1ablpvd/6Mai9NoebpGJvZBv4yUyDZ/98e63a152b4cdd7608195f10240604d6/image5.png",634,{"sys":990,"__typename":950,"title":991,"caption":992,"layoutMode":62,"file":993},{"id":453},"Push's OAuth integration panel Adobe","Push's OAuth integration panel for the Adobe app",{"url":994,"width":968,"height":969},"https://images.ctfassets.net/y1cdw1ablpvd/6bAz2nvGdkJYA45K7Sfwh/4c09eb10980f8f94f05b9ccaa1f97227/image7.png",{"sys":996,"__typename":997,"content":998,"title":1009,"buttonText":1010,"buttonUrl":1011,"signupRedirectUrl":62},{"id":926},"ActionBlockComponent",{"json":999},{"nodeType":239,"data":1000,"content":1001},{},[1002],{"nodeType":243,"content":1003,"data":1008},[1004],{"nodeType":247,"value":1005,"marks":1006,"data":1007},"Find out if you have any malicious apps that employees have accidentally installed due to consent phishing. Note: you must be logged in to access.",[],{},{},"Detect risky third-party apps and malicious mail rules ","Check now","/app/feature/secure-oauth-permissions-and-applications/","json",{"items":1014},[],{},"Should I connect third-party apps to my M365/Google tenant?","2022-10-12T00:00:00.000Z",{"items":1019},[1020,1496],{"__typename":940,"sys":1021,"content":1023,"title":1474,"synopsis":1475,"hashTags":62,"publishedDate":1476,"slug":1477,"tagsCollection":1478,"authorsCollection":1488},{"id":1022},"6yiDFGYTMw79qmErstqRqp",{"json":1024},{"data":1025,"content":1026,"nodeType":239},{},[1027,1059,1063,1070,1077,1083,1090,1106,1113,1120,1140,1199,1202,1209,1280,1296,1303,1310,1330,1337,1357,1364,1371,1378,1385,1392,1399,1405,1412,1419,1436,1439,1457],{"data":1028,"content":1029,"nodeType":243},{},[1030,1034,1043,1047,1055],{"data":1031,"marks":1032,"value":1033,"nodeType":247},{},[],"Despite measures by Microsoft to address the issue, ",{"data":1035,"content":1037,"nodeType":305},{"uri":1036},"https://www.microsoft.com/security/blog/2021/07/14/microsoft-delivers-comprehensive-solution-to-battle-rise-in-consent-phishing-emails/",[1038],{"data":1039,"marks":1040,"value":1042,"nodeType":247},{},[1041],{"type":323},"consent phishing is still on the rise",{"data":1044,"marks":1045,"value":1046,"nodeType":247},{},[],". (Not sure what consent phishing is? ",{"data":1048,"content":1049,"nodeType":305},{"uri":641},[1050],{"data":1051,"marks":1052,"value":1054,"nodeType":247},{},[1053],{"type":323},"Read more here",{"data":1056,"marks":1057,"value":1058,"nodeType":247},{},[],"). Although prevention is best, how do you check this hasn’t already happened? ",{"data":1060,"content":1061,"nodeType":1062},{},[],"hr",{"data":1064,"content":1065,"nodeType":243},{},[1066],{"data":1067,"marks":1068,"value":1069,"nodeType":247},{},[],"First, a bit of background on how OAuth apps work in Microsoft 365.",{"data":1071,"content":1072,"nodeType":243},{},[1073],{"data":1074,"marks":1075,"value":1076,"nodeType":247},{},[],"When you install an OAuth app in Microsoft 365, you see something like the familiar consent screen below, which shows the app's name and the permissions it's asking for. Once you've given your consent, behind the scenes a “service principal” is created in your tenant - this is your instance of the app. When the app does whatever the app is supposed to do (e.g. inspect your calendar, manage your to-do list etc.), it does it via this service principal.",{"data":1078,"content":1082,"nodeType":364},{"target":1079},{"sys":1080},{"id":1081,"type":279,"linkType":280},"6nPueTKEjLphqlytbQ0gcx",[],{"data":1084,"content":1085,"nodeType":243},{},[1086],{"data":1087,"marks":1088,"value":1089,"nodeType":247},{},[],"The app is able to authenticate to do this using a token that it is sent during the consent process. If you look closely at the URL you visit to get to the consent screen (example below), you’ll see there is a reply URL parameter - this is telling Microsoft where to send the token when a user consents:",{"data":1091,"content":1092,"nodeType":243},{},[1093,1097,1102],{"data":1094,"marks":1095,"value":1096,"nodeType":247},{},[],"https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=\u003Cclient_id>&response_type=code&",{"data":1098,"marks":1099,"value":1101,"nodeType":247},{},[1100],{"type":533},"redirect_uri=https%3A%2F%pushsecurity.com ",{"data":1103,"marks":1104,"value":1105,"nodeType":247},{},[],"&response_mode=query&scope=https%3A%2F%2Fgraph.microsoft.com%2F calendars.read%20https%3A%2F%2Fgraph.microsoft.com%2Fmail.send&state=12345",{"data":1107,"content":1108,"nodeType":243},{},[1109],{"data":1110,"marks":1111,"value":1112,"nodeType":247},{},[],"The app uses this token to authenticate as the service principal to then do whatever it’s supposed to do. In case your hacker brain is getting ahead of itself, you can’t change the reply URL to any old value to steal tokens. The app developer specifies a list of URLs that are allowed to be used here in the app’s manifest - more on that later.",{"data":1114,"content":1115,"nodeType":243},{},[1116],{"data":1117,"marks":1118,"value":1119,"nodeType":247},{},[],"Until recently, this ecosystem was a bit of a wild west. Although you can publish apps in the official app store, you don’t have to. Attackers were able to create an app on their tenant and then send consent URLs encouraging victims to grant them access, often having great success. ",{"data":1121,"content":1122,"nodeType":243},{},[1123,1127,1136],{"data":1124,"marks":1125,"value":1126,"nodeType":247},{},[],"In October 2020, ",{"data":1128,"content":1130,"nodeType":305},{"uri":1129},"https://techcommunity.microsoft.com/t5/azure-active-directory-identity/publisher-verification-and-app-consent-policies-are-now/ba-p/1257374",[1131],{"data":1132,"marks":1133,"value":1135,"nodeType":247},{},[1134],{"type":323},"Microsoft released “Publisher verification”",{"data":1137,"marks":1138,"value":1139,"nodeType":247},{},[],", allowing developers to be vetted by Microsoft and get a badge of approval on their consent screens. The following month, Microsoft changed policies so users, by default, weren't allowed to consent to apps that didn't come from a verified publisher. This makes a consent phishing attack much more difficult for attackers who are now left with the following options:",{"data":1141,"content":1142,"nodeType":519},{},[1143,1166,1189],{"data":1144,"content":1145,"nodeType":523},{},[1146],{"data":1147,"content":1148,"nodeType":243},{},[1149,1153,1162],{"data":1150,"marks":1151,"value":1152,"nodeType":247},{},[],"Find a tenant that allows users to consent to non-verified apps. The default should have been changed for all to not allow this but you can change it back (in case you’re curious, ",{"data":1154,"content":1156,"nodeType":305},{"uri":1155},"https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/configure-user-consent?tabs=azure-portal",[1157],{"data":1158,"marks":1159,"value":1161,"nodeType":247},{},[1160],{"type":323},"see how to check your own settings here",{"data":1163,"marks":1164,"value":1165,"nodeType":247},{},[],").",{"data":1167,"content":1168,"nodeType":523},{},[1169],{"data":1170,"content":1171,"nodeType":243},{},[1172,1176,1185],{"data":1173,"marks":1174,"value":1175,"nodeType":247},{},[],"Go through the publisher verification process anyway: the process is ",{"data":1177,"content":1179,"nodeType":305},{"uri":1178},"https://docs.microsoft.com/en-gb/azure/active-directory/develop/publisher-verification-overview#requirements",[1180],{"data":1181,"marks":1182,"value":1184,"nodeType":247},{},[1183],{"type":323},"detailed here",{"data":1186,"marks":1187,"value":1188,"nodeType":247},{},[],". It’s probably possible to trick but requires mocking a real company which is going to be expensive and hard to scale.",{"data":1190,"content":1191,"nodeType":523},{},[1192],{"data":1193,"content":1194,"nodeType":243},{},[1195],{"data":1196,"marks":1197,"value":1198,"nodeType":247},{},[],"Compromise an already verified publisher: definitely adds cost and complexity to an attack but would be an extremely valuable and effective approach - how much do you trust the security of all your app publishers?",{"data":1200,"content":1201,"nodeType":1062},{},[],{"data":1203,"content":1204,"nodeType":243},{},[1205],{"data":1206,"marks":1207,"value":1208,"nodeType":247},{},[],"So let’s look for some malicious apps...",{"data":1210,"content":1211,"nodeType":243},{},[1212,1216,1225,1229,1238,1242,1251,1255,1264,1268,1276],{"data":1213,"marks":1214,"value":1215,"nodeType":247},{},[],"The Azure AD interface to inspect OAuth apps, or service principals, is the ",{"data":1217,"content":1219,"nodeType":305},{"uri":1218},"https://portal.azure.com/#blade/Microsoft_AAD_IAM/StartboardApplicationsMenuBlade/AllApps/menuId/",[1220],{"data":1221,"marks":1222,"value":1224,"nodeType":247},{},[1223],{"type":323},"Enterprise Applications blade",{"data":1226,"marks":1227,"value":1228,"nodeType":247},{},[]," but it’s lacking key information you need for this exercise like the reply URLs and publisher status. You might be able to see similar info if you have the licenses for ",{"data":1230,"content":1232,"nodeType":305},{"uri":1231},"https://docs.microsoft.com/en-gb/cloud-app-security/what-is-cloud-app-security",[1233],{"data":1234,"marks":1235,"value":1237,"nodeType":247},{},[1236],{"type":323},"Cloud App Security",{"data":1239,"marks":1240,"value":1241,"nodeType":247},{},[]," but they’re expensive - you can also get full information about service principals from ",{"data":1243,"content":1245,"nodeType":305},{"uri":1244},"https://docs.microsoft.com/en-us/graph/api/resources/serviceprincipal?view=graph-rest-1.0",[1246],{"data":1247,"marks":1248,"value":1250,"nodeType":247},{},[1249],{"type":323},"Graph API",{"data":1252,"marks":1253,"value":1254,"nodeType":247},{},[],", or ",{"data":1256,"content":1258,"nodeType":305},{"uri":1257},"https://docs.microsoft.com/en-us/powershell/module/az.resources/get-azadserviceprincipal?view=azps-6.3.0",[1259],{"data":1260,"marks":1261,"value":1263,"nodeType":247},{},[1262],{"type":323},"PowerShell",{"data":1265,"marks":1266,"value":1267,"nodeType":247},{},[]," (is it too early to say that ",{"data":1269,"content":1271,"nodeType":305},{"uri":1270},"/features/secure-oauth-permissions-and-applications/",[1272],{"data":1273,"marks":1274,"value":1275,"nodeType":247},{},[],"Push can also solve this problem",{"data":1277,"marks":1278,"value":1279,"nodeType":247},{},[]," for you in only a few button clicks?)",{"data":1281,"content":1282,"nodeType":243},{},[1283,1287,1292],{"data":1284,"marks":1285,"value":1286,"nodeType":247},{},[],"Right off the bat, ",{"data":1288,"marks":1289,"value":1291,"nodeType":247},{},[1290],{"type":533},"we can disregard a lot of the information presented by the app",{"data":1293,"marks":1294,"value":1295,"nodeType":247},{},[],". The app’s name, home page, logo can all be anything an attacker says so if they’re trying to trick a user this will most likely look convincing and legitimate. The best you can do here is sanity check that this app makes sense in the context of your organisation or this user. ",{"data":1297,"content":1298,"nodeType":243},{},[1299],{"data":1300,"marks":1301,"value":1302,"nodeType":247},{},[],"So what is useful?",{"data":1304,"content":1305,"nodeType":337},{},[1306],{"data":1307,"marks":1308,"value":1309,"nodeType":247},{},[],"What can the app do?",{"data":1311,"content":1312,"nodeType":243},{},[1313,1317,1326],{"data":1314,"marks":1315,"value":1316,"nodeType":247},{},[],"Start by prioritising apps by the permissions they’ve been granted. Attackers will often target access to mail, files, or admin functionality so any app that requests these should be subject to more scrutiny and looked at first. As with any security exercise, you’ll know best for what’s sensitive to your organisation so apply that logic here. If you are unsure what a specific permission means, ",{"data":1318,"content":1320,"nodeType":305},{"uri":1319},"https://docs.microsoft.com/en-us/graph/permissions-reference",[1321],{"data":1322,"marks":1323,"value":1325,"nodeType":247},{},[1324],{"type":323},"here's a full reference",{"data":1327,"marks":1328,"value":1329,"nodeType":247},{},[],". ",{"data":1331,"content":1332,"nodeType":337},{},[1333],{"data":1334,"marks":1335,"value":1336,"nodeType":247},{},[],"Access to all data or just specific users?",{"data":1338,"content":1339,"nodeType":243},{},[1340,1344,1354],{"data":1341,"marks":1342,"value":1343,"nodeType":247},{},[],"It’s important to understand the difference between app permissions and delegated permissions. In short, app permissions grant tenant-wide access, delegated permissions grant access as the user. For example, if the app permission Mail.Read was granted to an app, it could read everyone’s email. If the delegated permission Mail.Read was granted to an app, it could only read the mail of the person who granted permission. ",{"data":1345,"content":1349,"nodeType":274},{"target":1346},{"sys":1347},{"id":1348,"type":279,"linkType":280},"16568b78-3c85-451f-bb62-9d50148ca1b9",[1350],{"data":1351,"marks":1352,"value":1353,"nodeType":247},{},[],"Learn more about app vs. delegated permissions here",{"data":1355,"marks":1356,"value":919,"nodeType":247},{},[],{"data":1358,"content":1359,"nodeType":337},{},[1360],{"data":1361,"marks":1362,"value":1363,"nodeType":247},{},[],"How many users have installed this app?",{"data":1365,"content":1366,"nodeType":243},{},[1367],{"data":1368,"marks":1369,"value":1370,"nodeType":247},{},[],"If you are the victim of consent phishing, hopefully the attacker only managed to dupe a small number of users, so common advice would be prioritise apps with a low install count. Although this makes sense, it’s often not that practical since, unless you’ve been running a tight ship, you’ll probably find a lot of apps used by one or two people.",{"data":1372,"content":1373,"nodeType":243},{},[1374],{"data":1375,"marks":1376,"value":1377,"nodeType":247},{},[],"On the flip side, app permissions can only be approved by an admin; admins can also consent to delegated permissions on behalf of all users. So apps with these permissions - effectively tenant-wide access - have also probably been approved by only a single user. Hopefully you have more faith in your admins’ ability to spot a phish but you should still treat these as having only been vetted by a single user.",{"data":1379,"content":1380,"nodeType":337},{},[1381],{"data":1382,"marks":1383,"value":1384,"nodeType":247},{},[],"Where the tokens go - the thing you can’t spoof",{"data":1386,"content":1387,"nodeType":243},{},[1388],{"data":1389,"marks":1390,"value":1391,"nodeType":247},{},[],"The only piece of information an app can’t lie about is its reply URLs. As mentioned above, these are the URLs that Microsoft is allowed to send an access token to when a user consents. If the app publisher doesn’t own these domains, they won’t ever receive their token and they can’t use the app’s access. If you can confirm all the reply URLs specified by the app are legitimately owned by the organisation the app is supposed to be from, you can be fairly confident the app is owned by them.",{"data":1393,"content":1394,"nodeType":243},{},[1395],{"data":1396,"marks":1397,"value":1398,"nodeType":247},{},[],"In the interests of keeping this short(er), a guide on domain analysis is probably out of scope. However, here’s a real-world example malicious OAuth app that was pretending to be Salesforce related, using a pretty suspicious looking URL, so you won’t always need deep analysis:",{"data":1400,"content":1404,"nodeType":364},{"target":1401},{"sys":1402},{"id":1403,"type":279,"linkType":280},"1oSdJPeXHsGlAXeX6Q2UOs",[],{"data":1406,"content":1407,"nodeType":337},{},[1408],{"data":1409,"marks":1410,"value":1411,"nodeType":247},{},[],"Is it verified? Does it matter?",{"data":1413,"content":1414,"nodeType":243},{},[1415],{"data":1416,"marks":1417,"value":1418,"nodeType":247},{},[],"You might be tempted to trust any app that is verified by Microsoft. The stamp of verification is clearly worth something but, as mentioned earlier, don’t discount the possibility of a determined attacker compromising a verified publisher to publish their own malicious app or edit an existing one. ",{"data":1420,"content":1421,"nodeType":243},{},[1422,1426,1432],{"data":1423,"marks":1424,"value":1425,"nodeType":247},{},[],"Likewise, you might also find a lot of your service principals, even ones by seemingly reputable publishers, are reported as not verified. This is because the service principal is an instance of the app at the time of install - if the publisher wasn’t verified at that point, the service principal won’t be (even if the publisher has since been verified). Since Microsoft only introduced publisher verification in 2020, all apps installed before this date will report as unverified. For reference, 78% of the service principals we’ve looked at report as having unverified publishers so this isn’t ",{"data":1427,"marks":1428,"value":1431,"nodeType":247},{},[1429],{"type":1430},"italic","necessarily",{"data":1433,"marks":1434,"value":1435,"nodeType":247},{},[]," something to worry about. ",{"data":1437,"content":1438,"nodeType":1062},{},[],{"data":1440,"content":1441,"nodeType":243},{},[1442,1446,1453],{"data":1443,"marks":1444,"value":1445,"nodeType":247},{},[],"If you find apps that look like they don't belong and you're worried they're the result of consent phishing, as well as removing the app's access (you can do this on the app's Properties page in the ",{"data":1447,"content":1449,"nodeType":305},{"uri":1448},"https://aad.portal.azure.com/#blade/Microsoft_AAD_IAM/StartboardApplicationsMenuBlade/AllApps",[1450],{"data":1451,"marks":1452,"value":1224,"nodeType":247},{},[],{"data":1454,"marks":1455,"value":1456,"nodeType":247},{},[],"), you should investigate how the app got there in the first place. A detailed walkthrough of how to fully investigate is coming soon.",{"data":1458,"content":1459,"nodeType":243},{},[1460,1464,1471],{"data":1461,"marks":1462,"value":1463,"nodeType":247},{},[],"You can gather information about the apps in your Microsoft 365 tenant with only a few clicks using the Push platform. See which apps are installed on your tenant, what kind of access they have and if we think any look suspicious. It only takes a few minutes and is totally free! ",{"data":1465,"content":1466,"nodeType":305},{"uri":1270},[1467],{"data":1468,"marks":1469,"value":1470,"nodeType":247},{},[],"Check it out.",{"data":1472,"marks":1473,"value":29,"nodeType":247},{},[],"How to find a malicious OAuth app on Microsoft 365 ","How do you find a malicious Microsoft 365 OAuth app? Learn what to look for, and what to ignore, when checking your users haven't been consent phished.","2021-09-06T00:00:00.000+01:00","how-to-find-a-malicious-oauth-app-on-microsoft-365",{"items":1479},[1480,1484],{"sys":1481,"name":1483},{"id":1482},"3pjES4THCIfSAwhGdNwBcy","Browser security",{"sys":1485,"name":1487},{"id":1486},"4ksQNCFeBf8H4QIORqpRLw","Detection & response",{"items":1489},[1490],{"fullName":1491,"firstName":1492,"jobTitle":1493,"profilePicture":1494},"Andy Waugh","Andy","VP Product",{"url":1495},"https://images.ctfassets.net/y1cdw1ablpvd/3Rf76rJn6S9inMb4dUnAIJ/0a787f8141d05b95300e2fe77c4493fa/DSC_6868.jpg",{"__typename":940,"sys":1497,"content":1498,"title":941,"synopsis":1869,"hashTags":62,"publishedDate":1870,"slug":942,"tagsCollection":1871,"authorsCollection":1879},{"id":278},{"json":1499},{"data":1500,"content":1501,"nodeType":239},{},[1502,1509,1516,1522,1529,1535,1542,1549,1556,1563,1570,1576,1583,1590,1597,1615,1633,1651,1681,1707,1725,1732,1739,1746,1753,1760,1767,1785,1816,1823,1841,1848,1855,1862],{"data":1503,"content":1504,"nodeType":243},{},[1505],{"data":1506,"marks":1507,"value":1508,"nodeType":247},{},[],"We have all seen the option on websites to login using a variety of different tech giant accounts (“Login with Google, Login with Microsoft”), instead of creating a new account or using username and password. This is known as a social login and, less often, social sign-in or social sign-on. ",{"data":1510,"content":1511,"nodeType":243},{},[1512],{"data":1513,"marks":1514,"value":1515,"nodeType":247},{},[],"Normally, this is more associated with personal use than business use, but it’s just as possible for employees to log into a SaaS platform using a business Google Workspace account - but should we be encouraging or discouraging this behavior? We’ll answer that question in this article but, spoiler alert, at Push Security we encourage it in most cases and we’ll explain why in this article. ",{"data":1517,"content":1521,"nodeType":364},{"target":1518},{"sys":1519},{"id":1520,"type":279,"linkType":280},"47o2DQc4uabGwXXN85HBUG",[],{"data":1523,"content":1524,"nodeType":243},{},[1525],{"data":1526,"marks":1527,"value":1528,"nodeType":247},{},[],"We've created a quick and dirty video demo of a social login to help explain the concept: ",{"data":1530,"content":1534,"nodeType":364},{"target":1531},{"sys":1532},{"id":1533,"type":279,"linkType":280},"2rIwQIeOZ9cZY47vUrYkf3",[],{"data":1536,"content":1537,"nodeType":337},{},[1538],{"data":1539,"marks":1540,"value":1541,"nodeType":247},{},[],"What is a social login?",{"data":1543,"content":1544,"nodeType":243},{},[1545],{"data":1546,"marks":1547,"value":1548,"nodeType":247},{},[],"So what actually happens when you click to login with Google? Aren’t you just giving your Google password to some random website? That’s a security concern many people have but, thankfully, that isn’t the case. ",{"data":1550,"content":1551,"nodeType":243},{},[1552],{"data":1553,"marks":1554,"value":1555,"nodeType":247},{},[],"Social logins actually work using OAuth 2.0, which stands for “Open Authorization.” It’s a standard to allow third-party apps to access your data. OAuth is actually for a much broader set of use cases than just social logins, but that’s for another article. ",{"data":1557,"content":1558,"nodeType":243},{},[1559],{"data":1560,"marks":1561,"value":1562,"nodeType":247},{},[],"Let’s focus on what happens when you click to sign-in with Google. You’re actually redirected to Google’s own servers and asked to authorize the website to be granted any access to your data that it has requested. In a simple social login case, the website should only be asking for minimal access to view simple details, such as your email address and full name in order to verify your identity.",{"data":1564,"content":1565,"nodeType":243},{},[1566],{"data":1567,"marks":1568,"value":1569,"nodeType":247},{},[],"If this is the case, Google does not even specifically ask you to accept those permissions, it just verifies which Google account you would like to use. If you are already logged in with Google then you won’t even need to enter your password.",{"data":1571,"content":1575,"nodeType":364},{"target":1572},{"sys":1573},{"id":1574,"type":279,"linkType":280},"2PbJH7qfRYIxJRBmHJLSdI",[],{"data":1577,"content":1578,"nodeType":243},{},[1579],{"data":1580,"marks":1581,"value":1582,"nodeType":247},{},[],"…and that’s it, you’ve just socially logged in to a website using your Google account. You didn’t need to create an account, set a password, use a password manager or even enter your Google password. It was so easy! But is it secure?",{"data":1584,"content":1585,"nodeType":252},{},[1586],{"data":1587,"marks":1588,"value":1589,"nodeType":247},{},[],"Security Benefits",{"data":1591,"content":1592,"nodeType":243},{},[1593],{"data":1594,"marks":1595,"value":1596,"nodeType":247},{},[],"The short answer is - yes, it is secure, and there are actually many security benefits. Let’s consider some of them:",{"data":1598,"content":1599,"nodeType":519},{},[1600],{"data":1601,"content":1602,"nodeType":523},{},[1603],{"data":1604,"content":1605,"nodeType":243},{},[1606,1611],{"data":1607,"marks":1608,"value":1610,"nodeType":247},{},[1609],{"type":533},"Multi-Factor authentication (MFA) everywhere!",{"data":1612,"marks":1613,"value":1614,"nodeType":247},{},[]," - You’ve followed good security practice and enabled MFA for all of your Google accounts, right? Great, well then every other SaaS platform that your employees use social logins just inherited MFA protection for free! Not only does the platform not even need to support MFA on its own (most don’t), but you don't even need to set it up!",{"data":1616,"content":1617,"nodeType":519},{},[1618],{"data":1619,"content":1620,"nodeType":523},{},[1621],{"data":1622,"content":1623,"nodeType":243},{},[1624,1629],{"data":1625,"marks":1626,"value":1628,"nodeType":247},{},[1627],{"type":533},"Easy password resets",{"data":1630,"marks":1631,"value":1632,"nodeType":247},{},[]," - Ok, so one of your employees gets their (commonly shared) password phished. All those SaaS accounts could be immediately compromised and how many password resets now need to be performed? Oh, they use a password manager? Ok, what if their laptop is compromised with malware? You need to assume the password manager is compromised too. That’s still a lot of password resets. On the other hand, if you use social logins for everything you only have one password to change. If you have MFA too, it probably would have been tough for the attacker to make use of that password during the compromise window before the change, too.",{"data":1634,"content":1635,"nodeType":519},{},[1636],{"data":1637,"content":1638,"nodeType":523},{},[1639],{"data":1640,"content":1641,"nodeType":243},{},[1642,1647],{"data":1643,"marks":1644,"value":1646,"nodeType":247},{},[1645],{"type":533},"Easy offboarding -",{"data":1648,"marks":1649,"value":1650,"nodeType":247},{},[]," When an employee leaves the company, it’s not so hard to delete their core business accounts, but it’s much more painful to have a process for removing all old SaaS accounts too. If social logins are well implemented by the SaaS provider then the removal of a Google workspace account automatically means the corresponding SaaS accounts are no longer accessible either.  ",{"data":1652,"content":1653,"nodeType":519},{},[1654],{"data":1655,"content":1656,"nodeType":523},{},[1657],{"data":1658,"content":1659,"nodeType":243},{},[1660,1665,1669,1677],{"data":1661,"marks":1662,"value":1664,"nodeType":247},{},[1663],{"type":533},"Visibility",{"data":1666,"marks":1667,"value":1668,"nodeType":247},{},[]," - If employees use custom logins for all their SaaS platforms, you’ll have no idea what SaaS platforms are in use (unless you use the Push browser extension ;)). With social logins, you can see exactly which platforms your employees are using across the organization. (",{"data":1670,"content":1672,"nodeType":305},{"uri":1671},"https://support.google.com/a/answer/7281227?hl=en#zippy=",[1673],{"data":1674,"marks":1675,"value":1671,"nodeType":247},{},[1676],{"type":323},{"data":1678,"marks":1679,"value":1680,"nodeType":247},{},[],") ",{"data":1682,"content":1683,"nodeType":519},{},[1684],{"data":1685,"content":1686,"nodeType":523},{},[1687],{"data":1688,"content":1689,"nodeType":243},{},[1690,1695,1699,1704],{"data":1691,"marks":1692,"value":1694,"nodeType":247},{},[1693],{"type":533},"Simplicity ",{"data":1696,"marks":1697,"value":1698,"nodeType":247},{},[],"- Complexity is often the enemy of security and, let’s face it, getting all your employees to use password managers with different passwords for large numbers of accounts, creating new accounts every time, handling password changes for all of them, etc., is the definition of complexity. On the other hand, social logins are just so simple. You login to Google once, then any other SaaS platform you want to access that supports them you just click “login with Google”, select your account and you’re done. That’s it - ",{"data":1700,"marks":1701,"value":1703,"nodeType":247},{},[1702],{"type":533},"simplicity benefits security",{"data":1705,"marks":1706,"value":1329,"nodeType":247},{},[],{"data":1708,"content":1709,"nodeType":519},{},[1710],{"data":1711,"content":1712,"nodeType":523},{},[1713],{"data":1714,"content":1715,"nodeType":243},{},[1716,1721],{"data":1717,"marks":1718,"value":1720,"nodeType":247},{},[1719],{"type":533},"No shared passwords ",{"data":1722,"marks":1723,"value":1724,"nodeType":247},{},[],"- Let’s face it, it’s difficult to get employees to use password managers for everything and commonly people end up using the same one or two passwords for everything. Then all it takes is for any one platform to be compromised and that account is compromised for any other platforms where the password is shared. Therefore, your security is dependent on the security of the weakest platform you use of many. On the other hand, if you use social logins for everything, there is only ever one strongly protected account, which is much less likely to be compromised.",{"data":1726,"content":1727,"nodeType":243},{},[1728],{"data":1729,"marks":1730,"value":1731,"nodeType":247},{},[],"Our view is that it’s better to have one account that you put all your focus on securing as best as possible than many accounts that individually have a lower level of security. ",{"data":1733,"content":1734,"nodeType":243},{},[1735],{"data":1736,"marks":1737,"value":1738,"nodeType":247},{},[],"But why would I want everything in one account, protected with one password?If your Google account is used to access everything then all your eggs are in one basket right? If your Google account is compromised, or even Google themselves are compromised, then everything else you use is compromised too. Pretty concerning, right? This is true and it does remain a risk. ",{"data":1740,"content":1741,"nodeType":243},{},[1742],{"data":1743,"marks":1744,"value":1745,"nodeType":247},{},[],"However, if you’re a Google Workspace user then you’re trusting Google with most of your key data anyway - all your email, documents, calendar appointments etc are stored with Google and accessed using Google accounts. Also, if your Google email gets hacked that can generally be used to password reset all your other accounts anyway! Plus, using a password manager could be argued to also be putting all your eggs in one basket too.",{"data":1747,"content":1748,"nodeType":243},{},[1749],{"data":1750,"marks":1751,"value":1752,"nodeType":247},{},[],"We’ll go into some of the potential concerns of using social logins in this next section because there may be some valid use cases where you won’t want to use them.",{"data":1754,"content":1755,"nodeType":252},{},[1756],{"data":1757,"marks":1758,"value":1759,"nodeType":247},{},[],"Security Caveats",{"data":1761,"content":1762,"nodeType":243},{},[1763],{"data":1764,"marks":1765,"value":1766,"nodeType":247},{},[],"Ok, we said at Push Security that we encourage the use of social logins. But we aren’t going to wave our hands and cover up any downsides - as always, there are always some. We consider some of the following to be key drawbacks:",{"data":1768,"content":1769,"nodeType":519},{},[1770],{"data":1771,"content":1772,"nodeType":523},{},[1773],{"data":1774,"content":1775,"nodeType":243},{},[1776,1781],{"data":1777,"marks":1778,"value":1780,"nodeType":247},{},[1779],{"type":533},"Giving away sensitive data",{"data":1782,"marks":1783,"value":1784,"nodeType":247},{},[]," - This article has been entirely focused on social logins, but we said at the start that OAuth was for more than that. When a user logs in using Google, the website can ask for permissions far beyond what is needed for a simple social login. These can be sensitive, such as allowing access to emails, calendars, Google Drive documents etc and the user will be prompted separately to accept or refuse this. In most cases, you’ll probably find websites do not request additional permissions for a simple login/signup but may do if you enable more advanced integrations. However, some websites may just ask for the kitchen sink from the first login. It’s possible your employees may then start giving away sensitive access to third parties without a second thought.",{"data":1786,"content":1787,"nodeType":243},{},[1788,1792,1802,1806,1813],{"data":1789,"marks":1790,"value":1791,"nodeType":247},{},[],"There are also malicious apps created simply to exploit permissions so they can gain access to an employee’s or company’s data by requesting excessive permissions and requesting the employee to opt into them by default. This is called consent phishing and we’ve written up a ",{"data":1793,"content":1797,"nodeType":274},{"target":1794},{"sys":1795},{"id":1796,"type":279,"linkType":280},"1bV8YTSQHvveCTnRc4H8su",[1798],{"data":1799,"marks":1800,"value":1801,"nodeType":247},{},[],"quick guide",{"data":1803,"marks":1804,"value":1805,"nodeType":247},{},[]," here about what the risk is, how it works, and how to handle it. ",{"data":1807,"content":1808,"nodeType":305},{"uri":641},[1809],{"data":1810,"marks":1811,"value":29,"nodeType":247},{},[1812],{"type":323},{"data":1814,"marks":1815,"value":29,"nodeType":247},{},[],{"data":1817,"content":1818,"nodeType":243},{},[1819],{"data":1820,"marks":1821,"value":1822,"nodeType":247},{},[],"You can always see what access has been given by your employees to different platforms and review accordingly and you can even configure more sensitive permissions as restricted so your employees can’t accept them on their own. However, this risk remains, whereas it’s not as easy for an employee to inadvertently open up significant data access with a custom login for a website.   ",{"data":1824,"content":1825,"nodeType":519},{},[1826],{"data":1827,"content":1828,"nodeType":523},{},[1829],{"data":1830,"content":1831,"nodeType":243},{},[1832,1837],{"data":1833,"marks":1834,"value":1836,"nodeType":247},{},[1835],{"type":533},"Privacy and Anonymity",{"data":1838,"marks":1839,"value":1840,"nodeType":247},{},[]," - if you use social logins for everything, then every SaaS platform your employees use will have at least some access to basic personal information for your employees that use them. Google will also probably have more information about what SaaS providers you are using than they would otherwise, too. ",{"data":1842,"content":1843,"nodeType":243},{},[1844],{"data":1845,"marks":1846,"value":1847,"nodeType":247},{},[],"Maybe you just wanted to try out a new SaaS service without getting spammed by their sales team for the next 12 months? For that, you might want to go with an anonymous, disposable email address. Whatever the case, social logins will always give away basic personal details at a minimum and there might be times where this isn’t desirable. But for most companies, we’ve found those to be edge cases.",{"data":1849,"content":1850,"nodeType":243},{},[1851],{"data":1852,"marks":1853,"value":1854,"nodeType":247},{},[],"You may not necessarily want the public (or your adversaries) to know what SaaS apps employees are using. If an attacker gained access to your Google or Microsoft account that you were using for social login, they would be able to see the apps that are accessed with social login. On the other hand, if an attacker gets access to your primary core business platforms, this is likely going to be the least of your concerns.",{"data":1856,"content":1857,"nodeType":252},{},[1858],{"data":1859,"marks":1860,"value":1861,"nodeType":247},{},[],"Conclusion",{"data":1863,"content":1864,"nodeType":243},{},[1865],{"data":1866,"marks":1867,"value":1868,"nodeType":247},{},[],"Social logins are good for business use for third-party SaaS platforms, not just for personal use. They save time and bring many security benefits in most cases too. As long as you understand the residual risks that remain and are happy managing those risks, you should consider encouraging your users to use social logins. ","Is logging in with Google or Microsoft secure? Yes, with caveats. ","2022-10-04T00:00:00.000Z",{"items":1872},[1873,1877],{"sys":1874,"name":1876},{"id":1875},"1gZi8NrRy2v9OqPV7C4dwD","Risk management",{"sys":1878,"name":1483},{"id":1482},{"items":1880},[1881],{"fullName":232,"firstName":233,"jobTitle":234,"profilePicture":1882},{"url":236},"is-it-safe-to-allow-my-employees-to-connect-third-party-apps-to-our-m365","blog/is-it-safe-to-allow-my-employees-to-connect-third-party-apps-to-our-m365",{"json":1886},{"data":1887,"content":1888,"nodeType":239},{},[1889],{"data":1890,"content":1891,"nodeType":243},{},[1892],{"data":1893,"marks":1894,"value":1895,"nodeType":247},{},[],"Learn about the benefits and risks of SaaS integrations and get tips for how to manage the risks.\n",{"id":1897,"publishedAt":1898},"68syxk4cmD6QOdVRcDqgEZ","2024-10-01T13:31:27.920Z",{"items":1900},[1901,1903],{"sys":1902,"name":1876},{"id":1875},{"sys":1904,"name":1483},{"id":1482},"VjZy_gUNanyQ7VnHw5t5YWHiGgoQHme2r5PVYHMQJRI",1784196721291]