Workload Identity & Applications
Application registrations and service principals
Application Ownership for Apps with Credentials
Apps with credentials (secrets or certificates) benefit from having owners for accountability during credential rotation. Apps without credentials don't need ownership tracking. Note: Owners can add credentials, so for privileged apps, restrict ownership to administrators.
Enforce Application Credential Expiration
Long-lived or non-expiring secrets are a supply chain attack risk. If a secret is leaked, it remains valid indefinitely. Rotating credentials limits the window of exposure from compromised secrets.
Service Principal Credential Hygiene
Service principals are the #1 attack vector for M365 supply chain compromises. Long-lived credentials on service principals (as seen in the SolarWinds and Midnight Blizzard intrusions) bypass MFA entirely and provide persistent access.
Restrict User Application Consent
OAuth phishing attacks trick users into granting malicious apps access to their data. By blocking user consent, you force all app permission requests through admin review, stopping this attack vector.
Enforce Certificate Credentials for Applications
Client secrets are frequently compromised through accidental commits to source code, exposure in application logs, phishing attacks targeting developers, or insecure sharing via email and chat. Certificate credentials eliminate these risks by using cryptographic key pairs where the private key remains secured on your infrastructure and never needs to be transmitted or shared. Microsoft's Baseline Security Mode now blocks password-based credentials on applications.
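The five items above (ownership for apps with credentials, credential expiration, service principal credential hygiene, and certificate-only credentials) can be checked and enforced from one script. The following is an added example using the Microsoft Graph PowerShell SDK, not code from the page; the 180-day secret lifetime, the 1-year certificate lifetime and the 2000-01-01 cut-off date are assumed values to tune for your tenant. The audit runs read-only; the tenant-wide policy is written only with -Enforce.

```powershell
# Added example: audit app registrations for ownership and credential hygiene,
# then (optionally) enforce expiry and certificate-only credentials through the
# tenant's default app management policy. Requires Microsoft.Graph.Applications
# and Microsoft.Graph.Identity.SignIns.
# $MaxSecretLifetimeDays and the dates below are assumed values, not Microsoft defaults.
param(
    [int]$MaxSecretLifetimeDays = 180,
    [switch]$Enforce            # write the policy only when explicitly asked
)

Connect-MgGraph -Scopes 'Application.Read.All','Policy.ReadWrite.ApplicationConfiguration' -NoWelcome
$now = Get-Date

$findings = foreach ($app in Get-MgApplication -All -Property Id,AppId,DisplayName,PasswordCredentials,KeyCredentials) {
    $secrets = @($app.PasswordCredentials)
    $certs   = @($app.KeyCredentials)
    # Apps with no credentials at all need no ownership tracking.
    if ($secrets.Count -eq 0 -and $certs.Count -eq 0) { continue }

    $issues = [System.Collections.Generic.List[string]]::new()
    $owners = @(Get-MgApplicationOwner -ApplicationId $app.Id -All)
    if ($owners.Count -eq 0) { $issues.Add('NoOwner') }
    if ($secrets.Count -gt 0) { $issues.Add('UsesClientSecret') }   # certificate-only is the target state

    foreach ($s in $secrets) {
        if ($s.EndDateTime -lt $now) { $issues.Add("ExpiredSecret:$($s.KeyId)"); continue }
        $lifetimeDays = [int]($s.EndDateTime - $s.StartDateTime).TotalDays
        if ($lifetimeDays -gt $MaxSecretLifetimeDays) { $issues.Add("LongLivedSecret:$($s.KeyId):${lifetimeDays}d") }
        if ($s.EndDateTime -lt $now.AddDays(30)) { $issues.Add("SecretExpiringSoon:$($s.KeyId)") }
    }
    foreach ($c in $certs) {
        if ($c.EndDateTime -lt $now) { $issues.Add("ExpiredCertificate:$($c.KeyId)") }
    }

    if ($issues.Count -gt 0) {
        [pscustomobject]@{
            DisplayName = $app.DisplayName
            AppId       = $app.AppId
            Owners      = ($owners | ForEach-Object { $_.AdditionalProperties['userPrincipalName'] }) -join ';'
            Issues      = $issues -join ','
        }
    }
}

$findings | Sort-Object DisplayName | Format-Table -AutoSize
$findings | Export-Csv -Path .\app-credential-findings.csv -NoTypeInformation

if ($Enforce) {
    # Tenant-wide default app management policy:
    #  - passwordAddition: no new client secrets may be added (certificate credentials only)
    #  - passwordLifetime: any secret still allowed by an app-specific policy is capped at $MaxSecretLifetimeDays
    #  - asymmetricKeyLifetime: certificates capped at one year so they rotate as well
    # restrictForAppsCreatedAfterDateTime is set far in the past so the rules cover existing apps.
    $cutoff = '2000-01-01T00:00:00Z'
    $body = @{
        isEnabled = $true
        applicationRestrictions = @{
            passwordCredentials = @(
                @{ restrictionType = 'passwordAddition'; restrictForAppsCreatedAfterDateTime = $cutoff }
                @{ restrictionType = 'passwordLifetime'; maxLifetime = "P${MaxSecretLifetimeDays}D"; restrictForAppsCreatedAfterDateTime = $cutoff }
            )
            keyCredentials = @(
                @{ restrictionType = 'asymmetricKeyLifetime'; maxLifetime = 'P365D'; restrictForAppsCreatedAfterDateTime = $cutoff }
            )
        }
    }
    Update-MgPolicyDefaultAppManagementPolicy -BodyParameter $body
}
```

Run the audit first and work through the NoOwner and LongLivedSecret rows; the passwordAddition restriction blocks creation of new secrets but does not remove existing ones, so the export is the rotation worklist.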
Internal App Registration Permissions
Internal app registrations are applications you created and control. Even though you own the code, misconfigured permissions can still grant excessive access. Regular review ensures your own apps hold only the permissions they need.
Enable Admin Consent Workflow
Without admin consent workflow, any user can grant an OAuth app access to their data. Attackers use illicit consent grant attacks to trick users into granting malicious apps access. Admin approval stops this attack vector.
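The two consent controls above (blocking user consent, enabling the admin consent workflow) map to two tenant policies. The script below is an added example with the Microsoft Graph PowerShell SDK, not code from the page; the reviewer UPN is a placeholder, the 30-day request duration is an assumed value, and the version field follows the Graph documentation example for updating adminConsentRequestPolicy. Changes are written only with -Apply.

```powershell
# Added example: check and harden tenant consent settings. Requires
# Microsoft.Graph.Identity.SignIns and Microsoft.Graph.Users.
param(
    [string]$ReviewerUpn = 'consent-reviewer@contoso.example',   # placeholder, not a real account
    [switch]$Apply
)

Connect-MgGraph -Scopes 'Policy.Read.All','Policy.ReadWrite.Authorization','Policy.ReadWrite.ConsentRequest','User.Read.All' -NoWelcome

# 1. User consent. An empty permissionGrantPoliciesAssigned list means users cannot
#    consent to any application; every permission request goes to an administrator.
$authz    = Get-MgPolicyAuthorizationPolicy
$assigned = @($authz.DefaultUserRolePermissions.PermissionGrantPoliciesAssigned)
if ($assigned.Count -eq 0) {
    'User consent: disabled (OK)'
} else {
    "User consent: ENABLED via $($assigned -join ', ')"
    if ($Apply) {
        Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions @{ permissionGrantPoliciesAssigned = @() }
        'User consent: now disabled'
    }
}

# 2. Admin consent workflow. With user consent off, this is how a user's request
#    reaches a reviewer instead of simply failing with no trail.
$workflow = Get-MgPolicyAdminConsentRequestPolicy
if ($workflow.IsEnabled) {
    "Admin consent workflow: enabled, $(@($workflow.Reviewers).Count) reviewer(s)"
} else {
    'Admin consent workflow: DISABLED'
    if ($Apply) {
        $reviewer = Get-MgUser -Filter "userPrincipalName eq '$ReviewerUpn'"
        if (-not $reviewer) { throw "Reviewer $ReviewerUpn not found" }
        $body = @{
            isEnabled             = $true
            notifyReviewers       = $true
            remindersEnabled      = $true
            requestDurationInDays = 30
            version               = 1    # per the Graph docs example for this policy
            reviewers             = @(
                @{ query = "/users/$($reviewer.Id)"; queryType = 'MicrosoftGraph' }
            )
        }
        Update-MgPolicyAdminConsentRequestPolicy -BodyParameter $body
        'Admin consent workflow: now enabled'
    }
}
```

Pick more than one reviewer in practice (a group query such as /groups/{id}/members works in the same reviewers list) so a single absent administrator does not stall every request.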
Third-Party Enterprise App Permissions
Third-party enterprise apps are applications from external vendors that you consented to but do not control. These apps pose supply chain risk: a compromised vendor could access your tenant data. Review vendor security certifications and limit permissions to the minimum necessary.
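The internal and third-party permission reviews above share the same inventory step; what differs is who owns the app. The following added example (Microsoft Graph PowerShell SDK, not code from the page) lists every application permission and every admin-consented delegated permission in the tenant, classifies each service principal as internal or third-party by comparing its owning organization with your tenant id, and flags a high-privilege Graph role list that is an assumed starting point you should extend.

```powershell
# Added example: inventory granted permissions per service principal, split
# Internal vs ThirdParty, and flag high-privilege Microsoft Graph permissions.
# Requires Microsoft.Graph.Applications and Microsoft.Graph.Identity.SignIns.
# $HighPrivilege is an assumed starting list; add the roles that matter to you.
$HighPrivilege = @(
    'Directory.ReadWrite.All','Application.ReadWrite.All','AppRoleAssignment.ReadWrite.All',
    'RoleManagement.ReadWrite.Directory','Mail.ReadWrite','Mail.Send',
    'Files.ReadWrite.All','Sites.ReadWrite.All','User.ReadWrite.All'
)

Connect-MgGraph -Scopes 'Application.Read.All' -NoWelcome
$tenantId      = (Get-MgContext).TenantId
$resourceCache = @{}   # resource SP id -> SP object, so each API (Graph, SharePoint, ...) is fetched once

function Get-ResourceSp([string]$Id) {
    if (-not $resourceCache.ContainsKey($Id)) {
        $resourceCache[$Id] = Get-MgServicePrincipal -ServicePrincipalId $Id -Property Id,DisplayName,AppRoles
    }
    return $resourceCache[$Id]
}

$report = foreach ($sp in Get-MgServicePrincipal -All -Filter "servicePrincipalType eq 'Application'" `
                                -Property Id,AppId,DisplayName,AppOwnerOrganizationId) {
    # Internal = the app registration lives in this tenant; anything else is a vendor's app.
    $origin = if ($sp.AppOwnerOrganizationId -eq $tenantId) { 'Internal' } else { 'ThirdParty' }

    # Application permissions (app roles): usable without any signed-in user.
    foreach ($a in Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All) {
        $resource = Get-ResourceSp $a.ResourceId
        $roleName = ($resource.AppRoles | Where-Object Id -eq $a.AppRoleId).Value
        [pscustomobject]@{
            App = $sp.DisplayName; AppId = $sp.AppId; Origin = $origin
            Type = 'Application'; Resource = $resource.DisplayName; Permission = $roleName
            HighPrivilege = ($roleName -in $HighPrivilege)
        }
    }
    # Delegated permissions; ConsentType 'AllPrincipals' means an admin consented for every user.
    foreach ($g in Get-MgOauth2PermissionGrant -All -Filter "clientId eq '$($sp.Id)'") {
        $resource = Get-ResourceSp $g.ResourceId
        foreach ($scope in ($g.Scope -split ' ' | Where-Object { $_ })) {
            [pscustomobject]@{
                App = $sp.DisplayName; AppId = $sp.AppId; Origin = $origin
                Type = "Delegated/$($g.ConsentType)"; Resource = $resource.DisplayName; Permission = $scope
                HighPrivilege = ($scope -in $HighPrivilege)
            }
        }
    }
}

# Third-party apps holding high-privilege application permissions are the supply-chain exposure to review first.
$report | Where-Object { $_.Origin -eq 'ThirdParty' -and $_.HighPrivilege } | Format-Table -AutoSize
$report | Export-Csv -Path .\app-permissions.csv -NoTypeInformation
```

Filter the CSV on Origin = Internal for the first review and on Origin = ThirdParty for the vendor review; the same rows answer both questions.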
Identify Unused Service Principals
Dormant service principals with valid credentials are invisible persistence mechanisms. Attackers can use forgotten apps with stale credentials to maintain access long after initial compromise detection.
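A dormant service principal only matters as persistence if it still holds a credential that would be accepted. The following added example (Microsoft Graph PowerShell SDK, not code from the page) joins the tenant's service principal sign-in activity report with the credentials on each service principal and its app registration, and reports those with a valid credential but no sign-in inside an assumed 90-day window. The activity report comes from the beta /reports/servicePrincipalSignInActivities endpoint (Microsoft.Graph.Beta.Reports module, Entra ID P1 and AuditLog.Read.All); treat that cmdlet name as an assumption to verify against your SDK version.

```powershell
# Added example: service principals with valid credentials and no recent sign-in.
# Requires Microsoft.Graph.Applications and Microsoft.Graph.Beta.Reports.
# $InactiveDays is an assumed threshold.
param([int]$InactiveDays = 90)

Connect-MgGraph -Scopes 'Application.Read.All','AuditLog.Read.All' -NoWelcome
$now    = Get-Date
$cutoff = $now.AddDays(-$InactiveDays)

# appId -> last sign-in of any flow. Apps that never signed in are absent from the report.
$lastSignIn = @{}
foreach ($act in Get-MgBetaReportServicePrincipalSignInActivity -All) {
    $lastSignIn[$act.AppId] = $act.LastSignInActivity.LastSignInDateTime
}

# Credentials can sit on the app registration (your own apps) or on the
# service principal object itself; an attacker can use either, so check both.
$appsByAppId = @{}
foreach ($app in Get-MgApplication -All -Property AppId,PasswordCredentials,KeyCredentials) {
    $appsByAppId[$app.AppId] = $app
}

$dormant = foreach ($sp in Get-MgServicePrincipal -All -Filter "servicePrincipalType eq 'Application'" `
                                 -Property Id,AppId,DisplayName,AccountEnabled,PasswordCredentials,KeyCredentials) {
    $creds = @($sp.PasswordCredentials) + @($sp.KeyCredentials)
    if ($appsByAppId.ContainsKey($sp.AppId)) {
        $creds += @($appsByAppId[$sp.AppId].PasswordCredentials) + @($appsByAppId[$sp.AppId].KeyCredentials)
    }
    $validCreds = @($creds | Where-Object { $_.EndDateTime -gt $now })
    if ($validCreds.Count -eq 0) { continue }           # nothing left that could be reused

    $last = $lastSignIn[$sp.AppId]
    if ($last -and $last -gt $cutoff) { continue }      # recently active, not dormant

    [pscustomobject]@{
        DisplayName    = $sp.DisplayName
        AppId          = $sp.AppId
        AccountEnabled = $sp.AccountEnabled
        ValidCreds     = $validCreds.Count
        LastSignIn     = if ($last) { $last } else { 'never' }
    }
}

$dormant | Sort-Object LastSignIn | Format-Table -AutoSize
# Remediation is deliberately not automated here: disable the service principal first
# (Update-MgServicePrincipal -ServicePrincipalId <id> -AccountEnabled:$false), then remove
# the credentials once the owner from the ownership review confirms it is unused.
```

Rows with AccountEnabled = True, LastSignIn = never and one or more valid credentials are the forgotten apps the text describes; an app that is disabled but still carries credentials should also lose them, since re-enabling it is a single property change.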