Product: ITDR: Huntress Managed Identity Threat Detection and Response
Environment: Rogue Applications, Entra
Summary: How to remove a rogue application from a Microsoft 365 tenant, and how to view all applications in that tenant.
Foreword about verifying app removal
Please note there are two areas in Huntress where Entra Apps can be viewed, each representing very different data sets:
https://YourHuntressPortal/account/rogue_apps/cloud_applications - this is a list of all Entra applications that Huntress has detected through your ITDR integration. Since there is a time delay between an action and when that action is sent to Huntress and processed, it's advisable to use your Entra portal to verify an app's status whenever looking for confirmation of a change. You can find this page in your Huntress portal by clicking on ITDR on the far left, clicking "Rogue Applications", and then clicking the blue button titled "View All Installed Apps".
https://huntresslabs.github.io/rogueapps/ - this is a list of rogue applications that Huntress publishes to show specifically what we are looking for in Traitorware. This is not a list of applications in your tenant(s). You can find this page in your Huntress portal by clicking on ITDR on the far left, clicking "Rogue Applications", and then clicking on "View All".
Removing a Rogue Application from a Tenant
This article describes the steps necessary to completely remediate an identified Rogue Application within a Microsoft 365 tenant. During Early Access of the Rogue Applications capability, please follow the steps below to prevent malicious actors from accessing your Microsoft environment.
Step 1.
Navigate to the Azure portal for the tenant (portal.azure.com).
Step 2.
Click on the Enterprise Applications widget within Azure or type “Enterprise Applications” into the Azure search bar.
Locate the entry for the Rogue Application in question and click on it.
Step 3.
Click on the "Properties" tab in the left navigation bar.
Step 4.
There are two options to remediate usage of the application.
Option 1 (Recommended)
- Click the delete button to completely delete the application from the tenant
- Revoke all active sessions for all identities using the application
Option 2
- Select “No” for the “Enabled for users to sign-in?” option
- Revoke all active sessions for all identities using the application
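The same Step 4 remediation can be scripted with the Microsoft Graph PowerShell SDK when you need to repeat it across tenants. This is an added example, not Huntress tooling or the article's own procedure; it assumes the SDK is installed, that $AppId is the rogue app's Application (client) ID as shown on its Enterprise Applications entry, and that the signed-in admin can consent to the listed scopes.

```powershell
# Added example (not Huntress's own tooling): performs Step 4 with the
# Microsoft Graph PowerShell SDK instead of the portal. $AppId is assumed to be
# the rogue app's Application (client) ID from the Enterprise Applications blade.
param(
    [Parameter(Mandatory)] [string] $AppId,
    [switch] $DeleteApp   # Option 1 when set; Option 2 (disable sign-in) otherwise
)

# Scopes: edit service principals, remove consent grants, revoke sessions, and
# read sign-in logs (AuditLog.Read.All needs an Entra ID P1/P2 licence).
Connect-MgGraph -Scopes "Application.ReadWrite.All",
                        "DelegatedPermissionGrant.ReadWrite.All",
                        "User.RevokeSessions.All",
                        "AuditLog.Read.All" | Out-Null

# The Enterprise Application entry is the app's service principal in this tenant.
$sp = Get-MgServicePrincipal -Filter "appId eq '$AppId'"
if (-not $sp) { throw "No service principal for appId $AppId in this tenant." }
Write-Host "Found '$($sp.DisplayName)' (object id $($sp.Id))"

# Collect the identities that used the app: per-user consent grants plus
# anyone who signed in to it (needed when consent was granted tenant-wide).
$affected = [System.Collections.Generic.HashSet[string]]::new()
$grants = Get-MgServicePrincipalOauth2PermissionGrant -ServicePrincipalId $sp.Id -All
foreach ($g in $grants) {
    if ($g.ConsentType -eq 'Principal' -and $g.PrincipalId) { [void]$affected.Add($g.PrincipalId) }
    # Remove the consent so the app cannot obtain new tokens on anyone's behalf.
    Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId $g.Id
}
Get-MgAuditLogSignIn -Filter "appId eq '$AppId'" -All |
    ForEach-Object { if ($_.UserId) { [void]$affected.Add($_.UserId) } }

if ($DeleteApp) {
    # Option 1: delete the application (its service principal) from the tenant.
    Remove-MgServicePrincipal -ServicePrincipalId $sp.Id
    Write-Host "Deleted service principal $($sp.Id)"
} else {
    # Option 2: same effect as setting "Enabled for users to sign-in?" to No.
    Update-MgServicePrincipal -ServicePrincipalId $sp.Id -AccountEnabled:$false
    Write-Host "Disabled sign-in for service principal $($sp.Id)"
}

# Both options: revoke refresh tokens and sessions for every affected identity.
foreach ($userId in $affected) {
    Revoke-MgUserSignInSession -UserId $userId | Out-Null
    Write-Host "Revoked sessions for user $userId"
}
```

The sign-in query only covers the tenant's retained sign-in history, so users who last used the app before that window are not revoked by it; confirm the app's status in the Entra portal afterwards, as the foreword advises, rather than relying on the Huntress list alone.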