PA-08 | Critical | Enhanced Security

Risky Service Principal Detection

Privileged Access control for Microsoft 365 and Entra ID

Why This Control Matters

Compromised service principals provide persistent, automated access to your tenant. Unlike user accounts, service principals operate without MFA and can perform actions at scale. Detecting risky service principals is critical for preventing supply chain attacks.

Expected State

When this control is compliant, your tenant should meet these criteria:

  • Identity Protection monitors service principal risk
  • No medium or high-risk service principals are active
  • Compromised service principals are investigated and disabled promptly
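
One way to check these criteria offline, as an added example that is not TrueConfig's own code: it evaluates riskyServicePrincipal records in the shape Microsoft Graph returns from /identityProtection/riskyServicePrincipals. The sample records, the reason labels, and the reading of "active" as "enabled with unresolved risk" are assumptions of this example.

```python
# Added example. Assumption: "active" means isEnabled is true and the risk
# has not been remediated or dismissed (riskState still open).
OPEN_STATES = {"atRisk", "confirmedCompromised"}
KNOWN_LEVELS = {"none", "low", "medium", "high"}
BLOCKING_LEVELS = {"medium", "high"}

def evaluate(records):
    """Return (compliant, findings); findings is a list of (appId, reason)."""
    findings = []
    for sp in records:
        app = sp.get("appId", "<no appId>")
        level, state = sp.get("riskLevel"), sp.get("riskState")
        if not sp.get("isEnabled", True):   # missing field: treat as enabled
            continue                        # already disabled, nothing active
        if state == "confirmedCompromised":
            # Criterion 3: a confirmed compromise must not stay enabled,
            # whatever risk level is attached to it.
            findings.append((app, "compromised-but-enabled"))
        elif level not in KNOWN_LEVELS:
            # Criterion 1: no usable risk level (e.g. "hidden"), so this
            # principal cannot be shown to be monitored.
            findings.append((app, "unevaluated"))
        elif level in BLOCKING_LEVELS and state in OPEN_STATES:
            # Criterion 2: medium/high risk on an enabled principal.
            findings.append((app, "active-risk"))
    return (not findings, findings)

# Constructed sample records (placeholder appIds, not real tenant data).
SAMPLE = [
    {"appId": "00000000-0000-0000-0000-000000000001", "isEnabled": True,
     "riskLevel": "high", "riskState": "atRisk"},
    {"appId": "00000000-0000-0000-0000-000000000002", "isEnabled": False,
     "riskLevel": "high", "riskState": "confirmedCompromised"},
    {"appId": "00000000-0000-0000-0000-000000000003", "isEnabled": True,
     "riskLevel": "medium", "riskState": "remediated"},
    {"appId": "00000000-0000-0000-0000-000000000004", "isEnabled": True,
     "riskLevel": "low", "riskState": "confirmedCompromised"},
    {"appId": "00000000-0000-0000-0000-000000000005", "isEnabled": True,
     "riskLevel": "hidden", "riskState": "atRisk"},
    {"appId": "00000000-0000-0000-0000-000000000006", "isEnabled": True,
     "riskLevel": "low", "riskState": "atRisk"},
]

if __name__ == "__main__":
    compliant, findings = evaluate(SAMPLE)
    print("compliant:", compliant)
    for app, reason in findings:
        print(app, reason)
```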

Enforcement

Default Mode: Auto-Remediate

Automatically fixes deviations when safe to do so

Auto-Remediation: Available

Can disable compromised service principals. Requires Workload Identities Premium.
