Publisher verification of Azure AD apps

At the Microsoft Build conference this year the Azure AD team announced an interesting new capability called Publisher verification. The goal of this is to let you know, as someone about to give an application permissions to some or all of your data, that the application is from who it says it’s from.

Consenting to give an application permissions to your data is an important acknowledgement that you trust that application with your data. You want to be really sure you are saying “yes!” to the right company.

So … What does this look like?

Publisher verification means that when you are consenting to an application you will see a blue check/tick stamp next to the publisher name like this:

[Image: the blue verified-publisher badge shown beside the publisher name on the consent prompt]

This means that when consenting to an application you can be sure the app you are consenting to is from the publisher that you expect. It’s an extra level of confidence that you didn’t get phished into consenting to a rogue app that is about to steal all your data and do nefarious things with it … well … you trust that the publisher won’t, since you trust them, right? 🙂 More on this in a moment.

How does this work?

Microsoft is attempting to help customers consent only to app publishers they trust by making those publishers jump through a few hoops to prove they are who they say they are. Most app stores do something similar; Apple, for example, runs a business verification check.

App developers must associate their application registration with their Microsoft Partner Network (MPN) account. The developer enters their MPN ID into the app registration and Microsoft then verifies the following:

  1. The publisher domain of the app registration in Azure AD matches a verified domain in your MPN account.
  2. The account you are logged in as is an authorized user in the MPN account.

The publisher domain requirement, #1 above, could be a little tricky for some developers to meet. You will likely need to find whoever manages your MPN account and work with them to ensure the same DNS-verified domain is verified in both MPN and the Azure AD tenant where you register the app. A lot of developers register apps in a secondary Azure AD tenant, away from their company’s primary tenant, so it can take a bit of planning to connect a verified domain in AAD and MPN to make this work.

How do you set it up?

You set this up in Azure AD on the app registration blade for your application. Go into the Branding tab for your app and you should see the Publisher verification section towards the bottom. Simply drop in your MPN ID. If all the checks pan out (see above) then your application will be marked as verified, like so:

[Image: the app registration’s Branding tab showing the publisher as verified]

Where is all this going?

As Microsoft holds more and more of organizations’ data, it’s incredibly important that they help customers protect it. Ensuring customers know who they are giving access to their data is an important first step. That said, it certainly won’t stop an app developer from taking all your data if they break that trust with you, but it can help ensure you are saying yes to the right app to start with.

In addition to the publisher verification announcement, Microsoft said they will allow customers to enforce policies that ensure users can only consent to apps from verified publishers. This would lower the likelihood of a user being tricked into consenting to an app that a malicious actor set up to siphon data; at the very least the attacker would have had to jump through more hoops to get their app verified first.
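A policy like that only governs future consents; an admin will also want to know which apps users had already consented to before it applied. The following Python audit is an added example (it is not from the original post or from Microsoft) that works over constructed records in the JSON shape Microsoft Graph returns for servicePrincipal and oAuth2PermissionGrant objects; the object ids, app ids, names and scopes are made up.

```python
"""Added example: audit enterprise apps for consents granted to unverified publishers.
Input follows the Microsoft Graph JSON shape for servicePrincipal / oAuth2PermissionGrant
(verifiedPublisher has null members when an app is unverified); records are constructed."""

# Constructed sample: GET /servicePrincipals?$select=id,appId,displayName,publisherName,verifiedPublisher
SERVICE_PRINCIPALS = [
    {"id": "sp-1", "appId": "00000000-0000-0000-0000-000000000001",
     "displayName": "Contoso Timesheets", "publisherName": "Contoso Ltd",
     "verifiedPublisher": {"displayName": "Contoso Ltd", "verifiedPublisherId": "1234567",
                           "addedDateTime": "2020-11-10T09:00:00Z"}},
    {"id": "sp-2", "appId": "00000000-0000-0000-0000-000000000002",
     "displayName": "Contoso Timesheet Sync", "publisherName": "Contoso Ltd",
     "verifiedPublisher": {"displayName": None, "verifiedPublisherId": None, "addedDateTime": None}},
    {"id": "sp-3", "appId": "00000000-0000-0000-0000-000000000003",
     "displayName": "Internal Reporting", "publisherName": "Fabrikam Inc",
     "verifiedPublisher": {"displayName": None, "verifiedPublisherId": None, "addedDateTime": None}},
]
# Constructed sample: GET /oauth2PermissionGrants (delegated consent already on record)
PERMISSION_GRANTS = [
    {"clientId": "sp-1", "consentType": "AllPrincipals", "scope": "User.Read Mail.Read"},
    {"clientId": "sp-2", "consentType": "Principal", "principalId": "user-42",
     "scope": "User.Read Mail.ReadWrite Files.ReadWrite.All"},
]


def is_verified(sp: dict) -> bool:
    """True when the service principal carries a verified publisher (MPN) id."""
    return bool((sp.get("verifiedPublisher") or {}).get("verifiedPublisherId"))


def audit_unverified_consents(sps: list, grants: list) -> list:
    """One finding per unverified app that already holds delegated consent.

    `lookalike` is set when the app's self-declared publisherName equals the
    display name of a verified publisher in the tenant: only the badge tells a
    vendor's real app apart from one merely claiming the same name."""
    verified_names = {sp["verifiedPublisher"]["displayName"] for sp in sps if is_verified(sp)}
    scopes_by_client = {}  # service principal object id -> set of consented scopes
    for g in grants:
        scopes_by_client.setdefault(g["clientId"], set()).update(g.get("scope", "").split())
    findings = []
    for sp in sps:
        if is_verified(sp) or sp["id"] not in scopes_by_client:
            continue  # verified, or nobody has consented to it yet
        findings.append({"appId": sp["appId"], "displayName": sp["displayName"],
                         "claimedPublisher": sp.get("publisherName"),
                         "scopes": sorted(scopes_by_client[sp["id"]]),
                         "lookalike": sp.get("publisherName") in verified_names})
    return findings
```

On the sample data only the unverified "Contoso Timesheet Sync" app is reported, and it is flagged as a lookalike because it claims the same publisher name as the verified Contoso app.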

I believe we will see this taken further in the future in a few ways:

  1. Publisher-verified app consent only, on by default (see update note below).
  2. The ability for admins to set a policy that allows consent only to a set list of verified publishers.

Microsoft holds the keys to many organizations’ valuable data. They really want to avoid a Cambridge Analytica situation and are taking the first steps necessary to build more trust into their APIs and the apps that connect to your data.

I think this is a great move by Microsoft.  It might seem like a small one currently, but hopefully we will see more advances in the future that will help us all protect our data.

You can read more about how to set this up with your applications here: Publisher verification (preview)

UPDATE: Publisher verification is now GA. Also, you must have publisher verification done for new multi-tenant apps you register after Nov 8th 2020 or users will not be able to consent to them.

-CJ
