APP-05 | Critical | Recommended Secure

Service Principal Credential Hygiene

Workload Identity & Applications control for Microsoft 365 and Entra ID

Why This Control Matters

Service principals are a leading attack vector in Microsoft 365 supply-chain compromises. In both the SolarWinds (NOBELIUM, 2020) and Midnight Blizzard (2024) campaigns, the attackers added or abused credentials on OAuth applications and service principals to obtain persistent access. A client secret or certificate authenticates the application itself with no user sign-in, so MFA and user-scoped Conditional Access never apply; whoever holds the credential has the app's permissions until it expires or is removed. Long-lived or non-expiring credentials therefore turn a single leak into durable, hard-to-detect access.

Expected State

A tenant compliant with this control meets these criteria:

  1. All service principal credentials (client secrets and certificates) expire within 90 days
  2. No service principal has a non-expiring secret
  3. Federated credentials or managed identities are used in preference to secrets and certificates

Enforcement

Default Mode
Advisory

Alerts on deviations but does not make changes

Auto-Remediation
Manual Only

Review and rotate service principal credentials, remove non-expiring and expired secrets, and migrate to federated credentials or managed identities where possible.
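The review step above can be scripted against Microsoft Graph. The following is an added example, not TrueConfig's code or tooling: it inventories client secrets and certificates on both application objects and service principal objects and flags each one that is non-expiring, already expired, or still valid more than 90 days from now. It assumes the Microsoft.Graph PowerShell SDK, a sign-in that can be granted Application.Read.All, and reads "expire within 90 days" as remaining validity measured from today (an assumption; see the note after the block). The output file name is arbitrary.

```powershell
# Added example (not TrueConfig code): inventory client secrets and certificates on
# application and servicePrincipal objects and flag those violating the criteria above.
# Assumptions: Microsoft.Graph PowerShell SDK installed; Application.Read.All is enough
# for the reads below; "within 90 days" means remaining validity from now.
Connect-MgGraph -Scopes 'Application.Read.All' -NoWelcome

$MaxRemainingDays = 90
$Now = [datetime]::UtcNow
$Findings = [System.Collections.Generic.List[object]]::new()

function Get-CredentialFindings {
    param(
        [Parameter(Mandatory)] $Owner,                 # application or servicePrincipal object
        [Parameter(Mandatory)] [string] $OwnerType,    # 'Application' or 'ServicePrincipal'
        [Parameter(Mandatory)] $Credential,            # passwordCredential or keyCredential
        [Parameter(Mandatory)] [string] $CredentialType
    )
    $reasons = @()
    if ($null -eq $Credential.EndDateTime) {
        $reasons += 'NonExpiring'                      # Graph permits a null endDateTime
    }
    elseif ($Credential.EndDateTime -lt $Now) {
        $reasons += 'Expired'                          # dead weight; delete it
    }
    elseif (($Credential.EndDateTime - $Now).TotalDays -gt $MaxRemainingDays) {
        $reasons += "ValidBeyond${MaxRemainingDays}Days"
    }
    if ($reasons.Count -eq 0) { return }               # compliant: emit nothing
    [pscustomobject]@{
        OwnerType      = $OwnerType
        DisplayName    = $Owner.DisplayName
        AppId          = $Owner.AppId
        ObjectId       = $Owner.Id
        CredentialType = $CredentialType
        KeyId          = $Credential.KeyId
        EndDateTime    = $Credential.EndDateTime
        Reason         = ($reasons -join ',')
    }
}

function Add-OwnerFindings {
    param($Owner, [string] $OwnerType)
    # foreach over $null iterates zero times, so empty credential lists are safe
    foreach ($c in $Owner.PasswordCredentials) {
        $f = Get-CredentialFindings -Owner $Owner -OwnerType $OwnerType -Credential $c -CredentialType 'Secret'
        if ($f) { $Findings.Add($f) }
    }
    foreach ($c in $Owner.KeyCredentials) {
        $f = Get-CredentialFindings -Owner $Owner -OwnerType $OwnerType -Credential $c -CredentialType 'Certificate'
        if ($f) { $Findings.Add($f) }
    }
}

# 1. App registrations homed in this tenant: secrets and certificates normally live here.
Get-MgApplication -All -Property Id,AppId,DisplayName,PasswordCredentials,KeyCredentials |
    ForEach-Object { Add-OwnerFindings -Owner $_ -OwnerType 'Application' }

# 2. Service principals: a credential set directly on the service principal (including
#    one belonging to an app homed in another tenant) is exactly what the campaigns
#    above abused. Managed identities are skipped; their certificates are platform-managed.
Get-MgServicePrincipal -All -Property Id,AppId,DisplayName,ServicePrincipalType,PasswordCredentials,KeyCredentials |
    Where-Object { $_.ServicePrincipalType -eq 'Application' } |
    ForEach-Object { Add-OwnerFindings -Owner $_ -OwnerType 'ServicePrincipal' }

$Findings | Sort-Object Reason, OwnerType, DisplayName | Format-Table -AutoSize
$Findings | Export-Csv -Path .\sp-credential-findings.csv -NoTypeInformation
```

If the policy is meant as total lifetime rather than remaining validity, replace the third test with `($c.EndDateTime - $c.StartDateTime).TotalDays -gt 90`. Any finding with OwnerType ServicePrincipal deserves a closer look, since tenant-owned apps normally carry their credentials on the application object. Federated identity credentials (workload identity federation) carry no secret to rotate and are listed separately with Get-MgApplicationFederatedIdentityCredential. To prevent rather than detect long-lived secrets, the tenant's app management policy (the Graph `tenantAppManagementPolicy` / `appManagementPolicy` resources) can enforce a `passwordLifetime` restriction or block password addition outright.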

Ready to implement this control?

TrueConfig continuously monitors your Microsoft 365 tenant for compliance with this and 50+ other security controls.