APP-07MediumEnhanced Security

Identify Unused Service Principals

Workload Identity & Applications control for Microsoft 365 and Entra ID

Why This Control Matters

Dormant service principals with valid credentials are invisible persistence mechanisms. Attackers can use forgotten apps with stale credentials to maintain access long after initial compromise detection.

Expected State

When this control is compliant, your tenant should meet these criteria:

1Service principals with no sign-in activity for 90+ days are identified
2Unused service principals are disabled or removed
3Exceptions are documented for service accounts with infrequent use

Enforcement

Default Mode

Advisory

Alerts on deviations but does not make changes

Auto-Remediation

Manual Only

Requires sign-in activity data (P2 license for full visibility)

Ready to implement this control?

TrueConfig continuously monitors your Microsoft 365 tenant for compliance with this and 50+ other security controls.