APP-03HighEnhanced Security
Internal App Registration Permissions
Workload Identity & Applications control for Microsoft 365 and Entra ID
Why This Control Matters
Internal app registrations are applications you created and control. While you own the code, misconfigured permissions can expose excessive access. Regular review ensures your own apps only have necessary permissions.
Expected State
When this control is compliant, your tenant should meet these criteria:
- 1Internal app registrations with high-privilege Graph permissions are documented and reviewed quarterly
- 2Permissions like Mail.ReadWrite.All, Directory.ReadWrite.All, and RoleManagement.ReadWrite.Directory are flagged
- 3Each internal app with elevated permissions has documented business justification
Enforcement
Default Mode
Advisory
Alerts on deviations but does not make changes
Auto-Remediation
Manual Only
Review flagged internal applications and remove unnecessary permissions
Ready to implement this control?
TrueConfig continuously monitors your Microsoft 365 tenant for compliance with this and 50+ other security controls.