Azure AD App Property Lock

The Azure Active Directory (AD) App Property Lock functionality is intended to stop unauthorized or unintentional changes to an application's configuration. When this feature is turned on, the application's display name, reply URLs, and app credentials are all locked, making it impossible to change them without first unlocking them.


Updates to the app credentials, such as the client secret or certificate, are prohibited when the App Property Lock feature is activated and applied to an application. The application must first be unlocked in order to adjust its settings before anyone can change these credentials.


This is a useful feature for organizations that need to keep strict control over their application configuration and ensure that only authorized users can make changes. However, it's important to note that this feature should be used with caution because it can also prevent legitimate changes to the application configuration from being made.


OAuth Apps and Their Manipulation

Open Authorization (OAuth) is one of the most popular protocols used for authentication and authorization, as it allows users to grant third-party applications access to their data without sharing their login credentials. Authenticating and authorizing users with OAuth can be convenient, but attackers can also take advantage of it.


Here are some reasons why attackers may go after OAuth apps:

  1. Access to sensitive data: It is possible for attackers to gain access to sensitive user data through OAuth apps, such as email addresses, contacts, calendars, or financial information, by compromising the app.

  2. Access to other applications: The credentials of an OAuth app can be used by an attacker to gain access to other OAuth-enabled apps and services.

  3. Trust: Users tend to trust OAuth apps because they are developed by reputable companies such as Microsoft, or have been verified by app stores. Attackers could therefore view these apps as a way to access user data or devices.

  4. Ease of exploitation: Due to vulnerabilities in OAuth apps, attackers may be able to exploit them easily. An attacker may be able to forge tokens and gain access to an app if an app fails to validate tokens it receives from OAuth providers.

How to enable Azure AD App Property Lock

To enable the App Property Lock feature for an application in Azure AD, follow these steps:


  1. Sign in to the Azure portal and navigate to the Azure AD portal.

  2. Click Manage, and then select App registrations.

  3. Select Authentication, and then, under the App instance property lock section, select Configure.

  4. Scroll down to the "App property lock" section and enable the feature.

  5. Select the properties you want to lock, such as the display name or reply URLs.

  6. Save the changes to the application settings.


Once you save your changes, the property lock will be in effect. After a home tenant's credentials have been updated, any subsequent attempts to update them will fail.
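To confirm the lock is actually in place across a tenant, the setting can be audited from exported app registration data. The following is an added example, not part of the original post: it assumes the field names of Microsoft Graph's servicePrincipalLockConfiguration property on the application resource (not shown in the post), and the app names, IDs and JSON are constructed sample data.

```python
import json

# Constructed sample, shaped like a Microsoft Graph response to
# GET /applications?$select=appId,displayName,servicePrincipalLockConfiguration
SAMPLE_RESPONSE = json.loads("""
{"value": [
  {"displayName": "payroll-api", "appId": "00000000-0000-0000-0000-000000000001",
   "servicePrincipalLockConfiguration": {"isEnabled": true, "allProperties": true,
     "credentialsWithUsageVerify": true, "credentialsWithUsageSign": true,
     "tokenEncryptionKeyId": true}},
  {"displayName": "legacy-sync", "appId": "00000000-0000-0000-0000-000000000002",
   "servicePrincipalLockConfiguration": null},
  {"displayName": "partner-portal", "appId": "00000000-0000-0000-0000-000000000003",
   "servicePrincipalLockConfiguration": {"isEnabled": true, "allProperties": false,
     "credentialsWithUsageVerify": true, "credentialsWithUsageSign": false,
     "tokenEncryptionKeyId": true}},
  {"displayName": "reporting-bot", "appId": "00000000-0000-0000-0000-000000000004",
   "servicePrincipalLockConfiguration": {"isEnabled": false, "allProperties": true,
     "credentialsWithUsageVerify": true, "credentialsWithUsageSign": true,
     "tokenEncryptionKeyId": true}}
]}
""")

# Per-property lock flags in servicePrincipalLockConfiguration.
SENSITIVE = ("credentialsWithUsageVerify", "credentialsWithUsageSign",
             "tokenEncryptionKeyId")

def unlocked_properties(app):
    """Return the sensitive properties that the lock does not cover for one app."""
    cfg = app.get("servicePrincipalLockConfiguration") or {}
    if not cfg.get("isEnabled"):
        # Lock missing or disabled: per-property flags have no effect.
        return list(SENSITIVE)
    if cfg.get("allProperties"):
        return []
    return [name for name in SENSITIVE if not cfg.get(name)]

def audit(response):
    """Map displayName -> unlocked properties, for apps with any gap."""
    findings = {}
    for app in response.get("value", []):
        gaps = unlocked_properties(app)
        if gaps:
            findings[app["displayName"]] = gaps
    return findings

if __name__ == "__main__":
    for name, gaps in audit(SAMPLE_RESPONSE).items():
        print(f"{name}: not locked -> {', '.join(gaps)}")
```

Note that an app with isEnabled set to false is reported as fully unlocked even when its individual flags are true, which is the case that a quick look at the flags alone would miss.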

