Workload Identity & Applications
Application registrations and service principals
Assign Owners to All Applications
Unowned applications become orphaned and unmanaged: when a security issue arises or a credential needs rotating, nobody is accountable, and a credential that an attacker adds to an app nobody watches goes unnoticed. Every app registration and its service principal should have at least one named owner, preferably two so that ownership survives a departure.
Enforce Application Credential Expiration
Client secrets and certificates that live for years, or never expire, are a supply chain risk: if one leaks, it stays valid until someone notices. Short lifetimes with scheduled rotation bound the exposure window, and a tenant application management policy can cap the lifetime of newly created secrets so the limit does not depend on individual discipline. Existing long-lived secrets still have to be found and rotated by hand.
Service Principal Credential Hygiene
Service principal credentials are a leading vector in M365 supply chain compromises. In the SolarWinds campaign the actor added its own credentials to existing applications, and in the Midnight Blizzard intrusion that Microsoft disclosed in January 2024 a legacy test OAuth application with elevated permissions was abused. App-only authentication with a secret or certificate is not subject to user MFA, so a leaked long-lived credential gives durable access until it is removed.
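The three controls above (owners, credential expiration, credential hygiene) reduce to one audit: which app registrations and service principals have no owner, and which carry secrets or certificates that are expired or outlive the policy limit. The script below is an added example written for this page; it is not TrueConfig's or Microsoft's code. It assumes the Microsoft.Graph PowerShell SDK (v2), a caller holding Application.Read.All, and a 90-day lifetime limit; the -Offline switch runs the same checks against constructed sample objects shaped like Get-MgApplication and Get-MgServicePrincipal output.

```powershell
# Added example for this page (not TrueConfig's or Microsoft's code): audit app
# registrations and service principals for missing owners and for secrets or
# certificates that are expired or live longer than a policy limit.
# Assumptions: Microsoft.Graph PowerShell SDK v2 is installed, the caller holds
# Application.Read.All, and 90 days is the lifetime limit (adjust to your policy).
# Run with -Offline to exercise the checks on constructed sample data.
[CmdletBinding()]
param(
    [int]$MaxLifetimeDays = 90,
    [switch]$Offline
)

# One finding per credential that is expired or exceeds the lifetime limit.
function Get-CredentialFindings {
    param(
        [Parameter(Mandatory)] [object]$Record,
        [Parameter(Mandatory)] [int]$MaxLifetimeDays,
        [datetime]$Now = (Get-Date).ToUniversalTime()
    )
    $creds = @()
    foreach ($c in @($Record.PasswordCredentials) | Where-Object { $_ }) { $creds += [pscustomobject]@{ Kind = 'Secret';      Cred = $c } }
    foreach ($c in @($Record.KeyCredentials)      | Where-Object { $_ }) { $creds += [pscustomobject]@{ Kind = 'Certificate'; Cred = $c } }
    foreach ($entry in $creds) {
        $c = $entry.Cred
        if ($null -eq $c.EndDateTime) { continue }          # nothing to evaluate
        $start = if ($c.StartDateTime) { $c.StartDateTime } else { $Now }
        $lifetimeDays  = ($c.EndDateTime - $start).TotalDays
        $remainingDays = ($c.EndDateTime - $Now).TotalDays
        $issue = $null
        if ($remainingDays -lt 0) {
            $issue = 'Expired credential still attached; remove it'
        } elseif ($lifetimeDays -gt $MaxLifetimeDays) {
            $issue = "Lifetime of $([math]::Round($lifetimeDays)) days exceeds the $MaxLifetimeDays-day limit; rotate and shorten"
        }
        if ($issue) {
            [pscustomobject]@{
                ObjectType = $Record.ObjectType; DisplayName = $Record.DisplayName; AppId = $Record.AppId
                Credential = "$($entry.Kind) $($c.KeyId)"; EndDateTime = $c.EndDateTime; Issue = $issue
            }
        }
    }
}

# Registrations must always have an owner. A service principal that carries its own
# credentials is yours to manage too; first-party Microsoft SPs have neither, so they
# are not flagged here.
function Get-OwnerFindings {
    param([Parameter(Mandatory)] [object]$Record)
    $hasCreds = (@($Record.PasswordCredentials | Where-Object { $_ }).Count -gt 0) -or (@($Record.KeyCredentials | Where-Object { $_ }).Count -gt 0)
    if ($Record.OwnerCount -eq 0 -and ($Record.ObjectType -eq 'Application' -or $hasCreds)) {
        [pscustomobject]@{
            ObjectType = $Record.ObjectType; DisplayName = $Record.DisplayName; AppId = $Record.AppId
            Credential = '-'; EndDateTime = $null; Issue = 'No owners assigned'
        }
    }
}

# Normalized record so the two Graph object types share the same checks.
function New-Record($Type, $Name, $AppId, $Owners, $Secrets, $Keys) {
    [pscustomobject]@{ ObjectType = $Type; DisplayName = $Name; AppId = $AppId; OwnerCount = $Owners
                       PasswordCredentials = $Secrets; KeyCredentials = $Keys }
}

if ($Offline) {
    # Constructed sample shaped like Get-MgApplication / Get-MgServicePrincipal output; not real tenant data.
    $records = @(
        (New-Record 'Application' 'Payroll Sync (sample)' '00000000-0000-0000-0000-000000000001' 0 `
            @([pscustomobject]@{ KeyId = 'k-1'; StartDateTime = [datetime]'2023-01-01'; EndDateTime = [datetime]'2299-12-31' }) @())
        (New-Record 'ServicePrincipal' 'Backup Agent (sample)' '00000000-0000-0000-0000-000000000002' 2 `
            @([pscustomobject]@{ KeyId = 'k-2'; StartDateTime = [datetime]'2021-01-01'; EndDateTime = [datetime]'2022-01-01' }) `
            @([pscustomobject]@{ KeyId = 'k-3'; StartDateTime = (Get-Date).AddDays(-10); EndDateTime = (Get-Date).AddDays(50) }))
    )
} else {
    Connect-MgGraph -Scopes 'Application.Read.All' -NoWelcome
    $records = @()
    foreach ($app in Get-MgApplication -All) {
        $ownerCount = @(Get-MgApplicationOwner -ApplicationId $app.Id -All).Count
        $records += New-Record 'Application' $app.DisplayName $app.AppId $ownerCount $app.PasswordCredentials $app.KeyCredentials
    }
    foreach ($sp in Get-MgServicePrincipal -All -Filter "servicePrincipalType eq 'Application'") {
        $ownerCount = @(Get-MgServicePrincipalOwner -ServicePrincipalId $sp.Id -All).Count
        $records += New-Record 'ServicePrincipal' $sp.DisplayName $sp.AppId $ownerCount $sp.PasswordCredentials $sp.KeyCredentials
    }
}

$findings = foreach ($r in $records) {
    Get-OwnerFindings -Record $r
    Get-CredentialFindings -Record $r -MaxLifetimeDays $MaxLifetimeDays
}
$findings | Sort-Object ObjectType, DisplayName | Format-Table -AutoSize
```

Run offline, the sample yields three findings: the unowned Payroll Sync registration, its secret that expires in 2299, and the expired secret still attached to Backup Agent; the 60-day certificate passes. Against a real tenant the per-object owner lookups are slow in large directories, so schedule it rather than running it interactively, and treat an expired credential that is still attached as a cleanup item, not a pass: it proves nobody is looking at that app.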
Restrict User Application Consent
OAuth phishing (illicit consent grant) attacks trick users into granting a malicious app access to their mailbox, files or profile. Blocking user consent, or limiting it to low-impact permissions from verified publishers, forces every other permission request through admin review and closes that vector.
Internal App Registration Permissions
Internal app registrations are applications you created and control. Owning the code does not make the permission set safe: a registration that holds broad application permissions turns any leak of its credential into tenant-wide access. Review both the permissions the app requests and the ones actually granted, and keep them to what the code calls.
Enable Admin Consent Workflow
The admin consent workflow is the other half of restricting user consent. Once users can no longer grant apps access themselves, the workflow gives them a sanctioned way to request admin approval instead of a dead end that pushes them toward workarounds, and it puts a reviewer in front of every illicit consent grant attempt. Without it, either user consent stays open or legitimate apps are blocked with no review path.
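The user consent setting, the admin consent workflow, and the secret lifetime cap mentioned under credential expiration are all tenant-wide policies set through Microsoft Graph. The script below is an added example for this page, not TrueConfig's or Microsoft's code; it reports the current state of all three and, only with -Apply, changes them. It assumes the Microsoft.Graph SDK v2, a caller holding Policy.ReadWrite.Authorization, Policy.ReadWrite.ConsentRequest and Policy.ReadWrite.ApplicationConfiguration, a list of reviewer object IDs supplied by you, and a 90-day secret limit (P90D) as the policy value; the request bodies follow the documented Graph shapes.

```powershell
# Added example (not TrueConfig's or Microsoft's code) that reports and, with -Apply,
# sets three tenant-wide controls from this page: block user consent, enable the
# admin consent workflow, and cap new client secret lifetimes with the default app
# management policy. Assumptions: Microsoft.Graph SDK v2; the caller holds the three
# Policy.ReadWrite.* scopes below; $ReviewerObjectIds are object IDs of the admins
# who approve consent requests; 'P90D' is the lifetime limit your policy chooses.
[CmdletBinding()]
param(
    [string[]]$ReviewerObjectIds = @(),
    [string]$MaxSecretLifetime = 'P90D',   # ISO 8601 duration
    [switch]$Apply
)

$scopes = @('Policy.ReadWrite.Authorization', 'Policy.ReadWrite.ConsentRequest', 'Policy.ReadWrite.ApplicationConfiguration')
Connect-MgGraph -Scopes $scopes -NoWelcome

# 1. User consent. The ManagePermissionGrantsForSelf.* entries in PermissionGrantPoliciesAssigned
#    are what let users consent for themselves; removing them (and leaving any other entries
#    alone) blocks user consent. Replacing them with
#    'ManagePermissionGrantsForSelf.microsoft-user-default-low' would instead allow only
#    low-impact permissions from verified publishers.
$authz     = Get-MgPolicyAuthorizationPolicy
$assigned  = @($authz.DefaultUserRolePermissions.PermissionGrantPoliciesAssigned)
$selfGrant = @($assigned | Where-Object { $_ -like 'ManagePermissionGrantsForSelf.*' })
Write-Host ("User consent: " + $(if ($selfGrant) { $selfGrant -join ', ' } else { 'blocked' }))
if ($Apply -and $selfGrant.Count -gt 0) {
    $keep = @($assigned | Where-Object { $_ -notlike 'ManagePermissionGrantsForSelf.*' })
    Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions @{ PermissionGrantPoliciesAssigned = $keep }
}

# 2. Admin consent workflow: users blocked above get a request path instead of a dead end.
$acr = Get-MgPolicyAdminConsentRequestPolicy
Write-Host "Admin consent workflow enabled: $($acr.IsEnabled); reviewers: $(@($acr.Reviewers).Count)"
if ($Apply -and $ReviewerObjectIds.Count -gt 0) {
    $body = @{
        isEnabled             = $true
        notifyReviewers       = $true
        remindersEnabled      = $true
        requestDurationInDays = 30       # a request nobody acts on expires after this many days
        version               = 0
        reviewers             = @($ReviewerObjectIds | ForEach-Object { @{ query = "/users/$_"; queryType = 'MicrosoftGraph' } })
    }
    Update-MgPolicyAdminConsentRequestPolicy -BodyParameter $body
}

# 3. Default app management policy: a new secret on any app may not live longer than
#    $MaxSecretLifetime. It governs secrets added after the policy is set, so existing
#    long-lived secrets still have to be found and rotated separately.
$amp = Get-MgPolicyDefaultAppManagementPolicy
Write-Host "Default app management policy enabled: $($amp.IsEnabled)"
if ($Apply) {
    $restrictions = @{
        passwordCredentials = @(
            @{
                restrictionType                     = 'passwordLifetime'
                maxLifetime                         = $MaxSecretLifetime
                # A date before any app in the tenant, so the limit applies to all of them (assumed value).
                restrictForAppsCreatedAfterDateTime = '2000-01-01T00:00:00Z'
            }
        )
    }
    Update-MgPolicyDefaultAppManagementPolicy -IsEnabled:$true -ApplicationRestrictions $restrictions
}
```

Run it once without -Apply to see where the tenant stands, then with -Apply and at least one reviewer. The user consent change deliberately removes only the self-consent policies rather than blanking the whole list, so any other entries the tenant relies on are preserved. If a specific app legitimately needs a longer secret lifetime, give it its own app management policy rather than relaxing the default.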
Third-Party Enterprise App Permissions
Third-party enterprise apps are applications from external vendors that you consented to but do not control. They are supply chain risk: a compromised vendor, or a compromised credential on the vendor's side, can reach your tenant data with whatever permissions you granted. Check publisher verification and the vendor's security certifications, prefer delegated over application permissions where the app acts for a signed-in user, and limit grants to the minimum necessary.
Identify Unused Service Principals
Dormant service principals with valid credentials are invisible persistence mechanisms. Attackers can use a forgotten app with stale credentials to keep access long after the initial compromise has been cleaned up. Compare service principal sign-in activity against an inactivity threshold; for dormant ones remove the credentials and disable the service principal first, then delete it once nothing has broken.
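The internal app review, the third-party app review, and the unused service principal check share one data set: every service principal, the application and delegated permissions it has actually been granted, and when it last signed in. The script below is an added example for this page, not TrueConfig's or Microsoft's code. It assumes the Microsoft.Graph and Microsoft.Graph.Beta SDK modules, a caller holding Application.Read.All and AuditLog.Read.All, that the service principal sign-in activity report is available (it is a beta endpoint at the time of writing, with the property names used below), and a high-privilege watchlist that is a constructed starting point rather than a standard.

```powershell
# Added example (not TrueConfig's or Microsoft's code): list the application and
# delegated permissions granted to every enterprise app, split internal (owned by
# this tenant) from third-party, flag a watchlist of high-privilege permissions,
# and flag service principals with no sign-in inside the inactivity window.
# Assumptions: Microsoft.Graph and Microsoft.Graph.Beta SDK modules; the caller
# holds Application.Read.All and AuditLog.Read.All; the beta report
# reports/servicePrincipalSignInActivities exists and exposes AppId and
# LastSignInActivity.LastSignInDateTime; the watchlist is a constructed starting point.
[CmdletBinding()]
param([int]$InactiveDays = 90)

$HighPrivilege = @(
    'Directory.ReadWrite.All', 'RoleManagement.ReadWrite.Directory', 'Application.ReadWrite.All',
    'AppRoleAssignment.ReadWrite.All', 'Mail.ReadWrite', 'Mail.Read', 'Mail.Send',
    'Files.ReadWrite.All', 'Sites.ReadWrite.All', 'User.ReadWrite.All', 'full_access_as_app'
)

Connect-MgGraph -Scopes 'Application.Read.All', 'AuditLog.Read.All' -NoWelcome
$tenantId = (Get-MgContext).TenantId

# Cache resource service principals (Microsoft Graph, Exchange Online, ...) so that
# app role IDs on assignments can be resolved to readable values such as Mail.Read.
$resourceCache = @{}
function Resolve-AppRoleValue([string]$ResourceId, [string]$AppRoleId) {
    if (-not $resourceCache.ContainsKey($ResourceId)) {
        $resourceCache[$ResourceId] = Get-MgServicePrincipal -ServicePrincipalId $ResourceId -Property @('appRoles', 'displayName')
    }
    $role = $resourceCache[$ResourceId].AppRoles | Where-Object { $_.Id -eq $AppRoleId }
    if ($role) { $role.Value } else { $AppRoleId }
}

# Last sign-in per appId from the beta report (assumed cmdlet and property names).
$lastSignIn = @{}
foreach ($a in Get-MgBetaReportServicePrincipalSignInActivity -All) {
    $lastSignIn[$a.AppId] = $a.LastSignInActivity.LastSignInDateTime
}

$cutoff = (Get-Date).ToUniversalTime().AddDays(-$InactiveDays)
$rows = foreach ($sp in Get-MgServicePrincipal -All -Filter "servicePrincipalType eq 'Application'") {
    $origin = if ($sp.AppOwnerOrganizationId -eq $tenantId) { 'Internal' } else { 'ThirdParty' }
    $perms = @()
    # Application permissions: app role assignments where this SP is the principal.
    foreach ($ra in Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All) {
        $perms += [pscustomobject]@{ Type = 'Application'; Value = (Resolve-AppRoleValue $ra.ResourceId $ra.AppRoleId); Resource = $ra.ResourceDisplayName }
    }
    # Delegated permissions: OAuth2 grants where this SP is the client. ConsentType
    # AllPrincipals means an admin consented for everyone; Principal means one user did.
    foreach ($g in Get-MgServicePrincipalOauth2PermissionGrant -ServicePrincipalId $sp.Id -All) {
        foreach ($scope in ($g.Scope -split ' ' | Where-Object { $_ })) {
            $perms += [pscustomobject]@{ Type = "Delegated/$($g.ConsentType)"; Value = $scope; Resource = $g.ResourceId }
        }
    }
    $hits = $perms | Where-Object { $_.Value -in $HighPrivilege } | ForEach-Object { "$($_.Value) [$($_.Type)]" } | Select-Object -Unique
    $seen = $lastSignIn[$sp.AppId]
    [pscustomobject]@{
        DisplayName    = $sp.DisplayName
        Origin         = $origin
        AppPermCount   = @($perms | Where-Object { $_.Type -eq 'Application' }).Count
        DelegatedCount = @($perms | Where-Object { $_.Type -ne 'Application' }).Count
        HighPrivilege  = (@($hits) -join '; ')
        LastSignIn     = $seen
        Dormant        = ($null -eq $seen) -or ($seen -lt $cutoff)
    }
}
$rows | Sort-Object Dormant, Origin -Descending | Format-Table -AutoSize
```

Read the output in two passes. First, any row with a non-empty HighPrivilege column is a least-privilege review item regardless of origin: for internal apps, confirm the code really calls those APIs; for third-party apps, ask the vendor why a delegated scope would not do. Second, rows marked Dormant are candidates for the disable-then-delete cleanup described above, with two caveats: an app created inside the window has no sign-in yet, and the report only covers its own lookback period. Rows with zero permissions and a ThirdParty origin are mostly Microsoft first-party service principals and can be filtered out by AppOwnerOrganizationId if they add noise.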
Ready to implement workload identity & applications controls?
TrueConfig continuously monitors your Microsoft 365 tenant and helps you maintain compliance with these security controls.