Secure Application Management
How many of you can confidently say that your business maintains a centralized and approved application inventory? If you’re like most organizations, the answer is either “no” or “we have one, but it’s incomplete.” And honestly, that’s not entirely your fault.
With the rise of SaaS tools, ease of access, and the ability for employees to sign up for applications on their own, keeping a tight grip on your application inventory is incredibly challenging. But this shadow IT introduces significant risks to the organization—ranging from data exfiltration to security vulnerabilities in unapproved applications.
In this blog series, we’re going to break down software inventory management and security, mapping it directly to CIS Control 2 (Inventory & Control of Software Assets). We’ll also dive into Microsoft 365’s security tools, showing you how to protect your organization against these risks.
Let’s zoom out and look at how applications typically get introduced into a business.
💡 A marketing team member finds an exciting new tool and signs up with their business email.
💡 During sign-up, the tool asks for permissions to access Microsoft data (email, calendar, etc.).
💡 No approval process exists, so the user grants permissions without realizing the security risks.
💡 The tool starts storing company data in an unknown third-party database.
💡 If the company doesn’t approve the tool, they may abandon it—but the data and access remain.
Repeat this process across multiple departments, and you’ve got a recipe for software proliferation, data sprawl, and security risks. What I am describing here is OAuth applications. Not all applications will ask for these permissions to your Microsoft tenant, but they still carry their own risk whether or not they are downloaded locally to workstations.
A lack of software governance exposes businesses to several security threats:
🔹 Unauthorized Data Access – Unapproved apps might be storing customer data in insecure locations.
🔹 Vulnerabilities in Third-Party Apps – Onboarded applications can have vulnerabilities, such as zero-days or publicly exploited flaws, either now or in the future.
🔹 Persistent Backdoor Access – Attackers can exploit OAuth permissions to maintain access to accounts.
🔹 Shadow IT & Data Exfiltration – Employees may move sensitive company data to personal or unvetted apps.
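The sign-up flow above leaves a trail in the tenant: each consented app has a service principal, and each consent is an oauth2PermissionGrant. The following is an added example (not code from the original post or from CloudCapsule) that lists those grants with the Microsoft Graph PowerShell SDK, flags the ones carrying high-risk scopes, and then turns off self-service app registration and user consent so the approval step in the scenario cannot be skipped. The set of scopes treated as "high risk" and the output file name are this example's own assumptions; adjust them for your tenant.

```powershell
# Added example (not from the original post or from CloudCapsule): review delegated
# OAuth consents in an Entra ID tenant, flag high-risk scopes, then disable self-service
# app registration and user consent. Assumes the Microsoft.Graph PowerShell SDK is
# installed and the signed-in account can read applications and write the authorization policy.
Connect-MgGraph -Scopes 'Application.Read.All', 'Directory.Read.All', 'Policy.ReadWrite.Authorization'

# Which scopes count as "high risk" is this example's own assumption; tune it to your tenant.
$riskyScopes = @(
    'Mail.Read', 'Mail.ReadWrite', 'Mail.Send', 'MailboxSettings.ReadWrite',
    'Files.ReadWrite.All', 'Sites.ReadWrite.All', 'Directory.ReadWrite.All',
    'offline_access'   # lets the app hold a refresh token, i.e. access that outlives the session
)

# Every consented app has a service principal in the tenant; index them by object id.
$servicePrincipals = @{}
Get-MgServicePrincipal -All | ForEach-Object { $servicePrincipals[$_.Id] = $_ }

# oauth2PermissionGrant objects are the delegated consents. ConsentType 'AllPrincipals'
# means an admin consented for everyone; 'Principal' means a single user consented for themself.
$findings = foreach ($grant in Get-MgOauth2PermissionGrant -All) {
    $hits = ($grant.Scope -split ' ') | Where-Object { $riskyScopes -contains $_ }
    if (-not $hits) { continue }
    $sp = $servicePrincipals[$grant.ClientId]
    [pscustomobject]@{
        App         = $sp.DisplayName
        AppId       = $sp.AppId
        Publisher   = $sp.PublisherName
        Verified    = [bool]$sp.VerifiedPublisher.DisplayName
        ConsentType = $grant.ConsentType
        ConsentedBy = if ($grant.PrincipalId) { (Get-MgUser -UserId $grant.PrincipalId).UserPrincipalName } else { 'admin (all users)' }
        RiskyScopes = $hits -join ' '
    }
}

# Unverified publisher + risky scopes + a single-user consent is the pattern to review first.
$findings | Sort-Object Verified, App | Format-Table -AutoSize
$findings | Export-Csv -Path .\oauth-consent-review.csv -NoTypeInformation

# Harden the tenant so this cannot happen silently again: users may no longer register
# applications or grant consent on their own. Pair this with the Entra admin consent
# request workflow so requests reach IT instead of being self-approved.
Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions @{
    AllowedToCreateApps             = $false
    PermissionGrantPoliciesAssigned = @()
}
```

Run the review part on a schedule and diff the CSV against the previous run: a new row whose ConsentedBy is a single user and whose publisher is unverified is exactly the sign-up described above. An app you decide to reject is removed with Remove-MgServicePrincipal -ServicePrincipalId (object id), which also revokes every grant attached to it.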
✅ Create a centralized software inventory—this can start as a simple spreadsheet tracking:
✅ Implement an application approval process—define security standards:
✅ Regularly review & update the inventory—audit usage and security posture.
✅ Block unapproved app registrations in Microsoft Entra ID.
✅ Remove local admin rights from users to prevent unauthorized software installs.
✅ Provide end users a path to request net new applications or application updates (this can be done manually or by using 1st-party or 3rd-party add-ons).
The following provides a stopgap so that users are forced to go through an approved workflow to get net new applications onto the network or end-user workstations.
Leverage Defender for Business to:
✅ Use Intune for centralized app updates—ensure critical security patches are applied.
✅ Enable Attack Surface Reduction (ASR) rules to prevent risky software from executing.
✅ Deploy Microsoft Defender for Cloud Apps (CASB) to:
✅ Implement Application Whitelisting—restrict software installs to an approved list.
✅ Implement Additional Application Control Policies—implement policies like App Control for Business (previously known as AppLocker) for further tightening of application installs.
✅ Use Just-in-Time (JIT) Privilege Elevation—allow temporary admin rights when necessary.
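Before any of the tooling above can enforce an approved list, you need the list and a way to reconcile it against what is actually installed. The following is an added example (not code from the original post or from CloudCapsule) that builds a per-workstation software inventory from the Windows uninstall registry keys and compares it with an approved list, which is the "simple spreadsheet" starting point for CIS Control 2. The approved list is constructed inline for the example and the column names (Name, MinVersion, Owner) and output file name are this example's assumptions; in practice read the list from your inventory file with Import-Csv.

```powershell
# Added example (not from the original post): inventory installed software on a Windows
# workstation and reconcile it against an approved list. The approved list below is
# constructed for the example; in practice Import-Csv it from your inventory file.
$approved = @'
Name,MinVersion,Owner
Microsoft 365 Apps for enterprise,16.0,IT
Google Chrome,120.0,IT
7-Zip,23.01,IT
'@ | ConvertFrom-Csv

function ConvertTo-VersionOrNull {
    # Vendors put things like "1.2.3 (build 5)" in DisplayVersion; keep the numeric prefix.
    param([string]$Text)
    try { [version]($Text -replace '[^\d.].*$', '') } catch { $null }
}

function Get-InstalledSoftware {
    # Machine-wide 64-bit, machine-wide 32-bit, and per-user installs. The per-user hive
    # is where self-installed tools land once local admin rights have been removed.
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        ForEach-Object {
            [pscustomobject]@{
                Name      = $_.DisplayName.Trim()
                Version   = $_.DisplayVersion
                Publisher = $_.Publisher
                Scope     = if ($_.PSPath -like '*HKEY_CURRENT_USER*') { 'User' } else { 'Machine' }
                Installed = $_.InstallDate
            }
        }
}

function Compare-WithApprovedList {
    param([object[]]$Installed, [object[]]$Approved)
    foreach ($item in $Installed) {
        # Prefix match so "Google Chrome" on the approved list also covers "Google Chrome 122.x"-style names.
        $match = $Approved | Where-Object { $item.Name -like "$($_.Name)*" } | Select-Object -First 1
        $have = ConvertTo-VersionOrNull $item.Version
        $want = if ($match) { ConvertTo-VersionOrNull $match.MinVersion }
        $status = if (-not $match)                                   { 'UNAPPROVED' }
                  elseif ($have -and $want -and $have -lt $want)     { 'BELOW_MIN_VERSION' }
                  else                                               { 'OK' }
        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Name     = $item.Name
            Version  = $item.Version
            Scope    = $item.Scope
            Status   = $status
            Owner    = $match.Owner
        }
    }
}

$report = Compare-WithApprovedList -Installed (Get-InstalledSoftware) -Approved $approved
# UNAPPROVED rows feed the approval process; BELOW_MIN_VERSION rows feed the patching queue.
$report | Where-Object Status -ne 'OK' | Sort-Object Status, Name | Format-Table -AutoSize
# Central tracking: collect one CSV per workstation (via Intune, your RMM, or a share) and merge them.
$report | Export-Csv -Path ".\software-inventory-$env:COMPUTERNAME.csv" -NoTypeInformation
```

Registry-based inventory misses portable executables and per-user tools that never register an uninstaller, so treat it as the baseline the later controls (ASR rules, application whitelisting, App Control for Business) build on rather than as complete coverage.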
We will be covering all of these security controls as part of this blog series. Microsoft 365 Business Premium can achieve almost all of the controls I recommend as part of a secure application management practice, but I will also allude to common 3rd-party MSP tools you might be leveraging as well.
If you’re struggling with Microsoft 365 security assessments, run a free assessment using CloudCapsule to instantly get insights into your tenant security posture, software inventory, and risk exposure.
CloudCapsule audits all of your tenants for the recommended hardening policies for locking down applications.
CloudCapsule now scans for suspicious OAuth applications that can be used by attackers for persistence techniques and lateral movement.
In some scenarios, common applications like eM Client and PerfectData have been registered in tenants after an attacker gains initial access to continue the kill chain. You can easily identify these now in the Apps section. When discovered, these apps should be removed immediately.
CloudCapsule provides central tracking of your entire software inventory (agentless) across workstations and enterprise apps, and suspicious or malicious OAuth applications can be detected along with any active exploits across your inventory.