APP-01: Application Ownership for Apps with Credentials

Overview

Applications that hold credentials (client secrets or certificates) need at least one assigned owner to ensure accountability during credential rotation and lifecycle management. Without an owner, there is no clear responsible party to rotate expiring secrets, respond to security alerts, or manage the application's credentials.

TrueConfig detects app registrations and service principals that carry credentials (passwordCredentials or keyCredentials) but have no owner assigned. Remediation is manual: an admin must assign an appropriate owner for each flagged app. This control is informational in severity. Apps with no credentials at all are skipped because they do not require the same ownership accountability.

Important: Owners of an app registration can add new credentials to that app. For apps with privileged permissions, restrict ownership to administrators to prevent credential abuse.

Prerequisites

Required Roles

  • Global Administrator or Application Administrator - Can assign owners to any app registration or enterprise application
  • Cloud Application Administrator - Same application-management rights as Application Administrator, minus Application Proxy; sufficient for assigning owners to app registrations and service principals

Required Licenses

No premium Entra ID license is required for this control. Any Microsoft Entra ID tier supports owner assignment on app registrations and service principals. An appropriate admin role (see above) is still required to perform the steps.

Time Estimate

  • Initial audit: 20-40 minutes (depending on number of credentialed apps)
  • Owner assignment per app: 5-10 minutes
  • Ongoing monitoring: 15 minutes per review cycle

Step-by-Step Instructions

Step 1: Identify Credentialed Apps Without Owners

TrueConfig flags these apps automatically. You can also enumerate them directly. Methods A-C below cover app registrations; service principals (enterprise applications) hold their own passwordCredentials/keyCredentials and their own owner list, so they must be audited separately (Get-MgServicePrincipal / Get-MgServicePrincipalOwner).

Method A: Entra Admin Center (App Registrations)

  1. Navigate to Microsoft Entra admin center (https://entra.microsoft.com)
  2. Expand Identity > Applications > App registrations
  3. Click All applications
  4. Click Columns and add the Owners column
  5. For each app, open Certificates & secrets to check whether any secret or certificate exists
  6. Note apps that have credentials but show no owners

Method B: PowerShell (Recommended for Bulk Auditing)

This script finds app registrations that carry at least one credential but have no owner:

Connect-MgGraph -Scopes "Application.Read.All", "Directory.Read.All"

# Request only the properties the check needs. Credential arrays come back with
# metadata (display name, key id, expiry) but never the secret values themselves.
$apps = Get-MgApplication -All -Property Id,DisplayName,AppId,PasswordCredentials,KeyCredentials

$results = foreach ($app in $apps) {
    # @() guards against $null when an app has no credentials of one kind
    $secrets = @($app.PasswordCredentials).Count
    $certs   = @($app.KeyCredentials).Count
    if (($secrets + $certs) -eq 0) { continue }

    # -All pages through owner lists longer than a single page
    $owners = @(Get-MgApplicationOwner -ApplicationId $app.Id -All)
    if ($owners.Count -eq 0) {
        [PSCustomObject]@{
            DisplayName  = $app.DisplayName
            AppId        = $app.AppId
            ObjectId     = $app.Id
            Secrets      = $secrets
            Certificates = $certs
        }
    }
}

$results | Format-Table -AutoSize
$results | Export-Csv -Path "UnownedCredentialedApps.csv" -NoTypeInformation
Write-Host "Found $(@($results).Count) credentialed apps without owners"

Method C: Microsoft Graph API

GET https://graph.microsoft.com/v1.0/applications?$select=id,displayName,appId,passwordCredentials,keyCredentials&$expand=owners($select=id,displayName)

Filter the results client-side where passwordCredentials or keyCredentials is non-empty and owners is empty. The response is paged: follow @odata.nextLink until it is absent. Only credential metadata is returned; secret values are never readable through this endpoint.
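Methods B and C enumerate app registrations only. A service principal carries its own passwordCredentials and keyCredentials (a SAML application's signing certificate lives here, for example) and its own owner list, so it needs a separate pass. The script below is an added example, not TrueConfig's own code. It assumes the same Graph scopes as Method B, skips service principals published from the two well-known Microsoft first-party tenants (accountability for those lies with Microsoft, as the Troubleshooting section notes), and marks apps registered in another tenant, which cannot be fixed from App registrations and must be given an owner on the service principal itself.

```powershell
Connect-MgGraph -Scopes "Application.Read.All", "Directory.Read.All"

# Service principals whose backing app is published from these tenants are
# Microsoft first-party apps; no custom owner is expected on them.
$microsoftTenantIds = @(
    "f8cdef31-a31e-4b4a-93e4-5f571e91255a",   # Microsoft Services
    "72f988bf-86f1-41af-91ab-2d7cd011db47"    # Microsoft Corporation
)
$thisTenant = (Get-MgContext).TenantId

$sps = Get-MgServicePrincipal -All -Property Id,DisplayName,AppId,ServicePrincipalType,AppOwnerOrganizationId,PasswordCredentials,KeyCredentials

$spResults = foreach ($sp in $sps) {
    # Only 'Application' type objects are in scope; managed identities and
    # legacy/social IdP objects are platform-managed.
    if ($sp.ServicePrincipalType -ne 'Application') { continue }
    if ($microsoftTenantIds -contains $sp.AppOwnerOrganizationId) { continue }

    $secrets = @($sp.PasswordCredentials).Count
    $certs   = @($sp.KeyCredentials).Count      # includes SAML signing certificates
    if (($secrets + $certs) -eq 0) { continue }

    $owners = @(Get-MgServicePrincipalOwner -ServicePrincipalId $sp.Id -All)
    if ($owners.Count -eq 0) {
        [PSCustomObject]@{
            DisplayName  = $sp.DisplayName
            AppId        = $sp.AppId
            ObjectId     = $sp.Id
            Secrets      = $secrets
            Certificates = $certs
            # True for third-party multi-tenant apps: there is no app registration
            # in this tenant, so the owner has to be set on the service principal.
            ForeignApp   = ($sp.AppOwnerOrganizationId -ne $thisTenant)
        }
    }
}

$spResults | Format-Table -AutoSize
$spResults | Export-Csv -Path "UnownedCredentialedServicePrincipals.csv" -NoTypeInformation
Write-Host "Found $(@($spResults).Count) credentialed service principals without owners"
```

Rows with ForeignApp set to True are remediated with New-MgServicePrincipalOwnerByRef rather than the App registrations steps in Step 3.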

Step 2: Prioritize by Risk

Not all unowned credentialed apps carry equal risk. Prioritize:

  Priority   Criteria
  High       App has broad API permissions (e.g., *.All scopes, admin consent) and no owner
  Medium     Active app with secrets, some delegated permissions, no owner
  Low        Inactive app or app with minimal permissions, no owner

For high-priority apps, restrict ownership to administrators (see Step 3 note below).
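The table above can be applied mechanically. The function below is an added example, not TrueConfig's own logic. It classifies an unowned app by what is actually granted in the tenant (admin-consented application permissions appear as app role assignments on the service principal, and tenant-wide delegated consent appears as OAuth2 permission grants with consentType AllPrincipals) rather than by what the manifest's requiredResourceAccess merely requests, and it treats an app whose every credential has already expired as inactive. The regular expression used to decide what counts as "broad" is an assumption; adjust it to your own policy.

```powershell
Connect-MgGraph -Scopes "Application.Read.All", "Directory.Read.All"

# Assumed heuristic for "broad" permissions: *.All, any write, role or directory scope
$broadPermissionPattern = '\.All$|ReadWrite|RoleManagement|Directory\.'

function Get-AppRiskPriority {
    param([Parameter(Mandatory)][string]$AppId)

    $app = Get-MgApplication -Filter "appId eq '$AppId'" -Property Id,DisplayName,AppId,PasswordCredentials,KeyCredentials |
           Select-Object -First 1
    if (-not $app) { throw "No app registration with appId $AppId" }

    # An expired secret or certificate cannot be used; only unexpired ones count as active
    $now = Get-Date
    $activeCreds = @(@($app.PasswordCredentials) + @($app.KeyCredentials) | Where-Object { $_.EndDateTime -gt $now })

    $appPerms  = @()
    $delegated = @()
    $sp = Get-MgServicePrincipal -Filter "appId eq '$AppId'" | Select-Object -First 1
    if ($sp) {
        # Application permissions: resolve each app role assignment to "<resource>/<role value>"
        foreach ($a in @(Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All)) {
            $resource = Get-MgServicePrincipal -ServicePrincipalId $a.ResourceId -Property DisplayName,AppRoles
            $role = $resource.AppRoles | Where-Object { $_.Id -eq $a.AppRoleId }
            $appPerms += "$($resource.DisplayName)/$($role.Value)"
        }
        # Delegated scopes consented for all users (AllPrincipals), not per-user consent
        foreach ($g in @(Get-MgServicePrincipalOauth2PermissionGrant -ServicePrincipalId $sp.Id -All)) {
            if ($g.ConsentType -eq 'AllPrincipals') {
                $delegated += ($g.Scope -split ' ' | Where-Object { $_ })
            }
        }
    }

    $priority = if (($appPerms + $delegated) -match $broadPermissionPattern) { 'High' }
                elseif ($activeCreds.Count -gt 0 -and ($appPerms.Count + $delegated.Count) -gt 0) { 'Medium' }
                else { 'Low' }

    [PSCustomObject]@{
        DisplayName            = $app.DisplayName
        AppId                  = $app.AppId
        Priority               = $priority
        ActiveCredentials      = $activeCreds.Count
        ApplicationPermissions = ($appPerms -join '; ')
        DelegatedScopes        = ($delegated -join ' ')
    }
}

# Feed it the CSV produced by Step 1, Method B, highest priority first
Import-Csv -Path "UnownedCredentialedApps.csv" |
    ForEach-Object { Get-AppRiskPriority -AppId $_.AppId } |
    Sort-Object @{ Expression = { @{ High = 0; Medium = 1; Low = 2 }[$_.Priority] } } |
    Format-Table -AutoSize
```

Per-user delegated consent (consentType Principal) is deliberately ignored: it grants the app nothing beyond what the consenting user could already do, whereas tenant-wide consent and application permissions are what an attacker gains by adding a credential to an unowned app.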

Step 3: Assign Owners

Via Entra Admin Center

  1. In App registrations, click on the application
  2. In the left menu, select Owners
  3. Click + Add owners
  4. Search for and select the responsible admin or developer
  5. Click Select
  6. Repeat for a second owner if possible (two owners prevent single points of failure)

Note for privileged apps: Because an owner can add credentials to an app, do not assign non-admin users as owners of apps with high-privilege permissions. Limit ownership to members of the Application Administrator or Global Administrator role.

Via PowerShell

Connect-MgGraph -Scopes "Application.ReadWrite.All"

$appObjectId = "<app-registration-object-id>"
$ownerUserId = "<owner-user-object-id>"

$body = @{
    "@odata.id" = "https://graph.microsoft.com/v1.0/directoryObjects/$ownerUserId"
}

New-MgApplicationOwnerByRef -ApplicationId $appObjectId -BodyParameter $body
Write-Host "Owner assigned to $appObjectId"

Step 4: Verify TrueConfig No Longer Flags the App

After assigning owners, TrueConfig re-evaluates on its next scan cycle. Confirm the app no longer appears in the APP-01 findings list. If it does, verify the owner assignment saved correctly in Entra.

Step 5: Establish a Process for New Apps

Prevent future gaps by requiring owners at registration time:

  1. Add owner assignment to your application onboarding checklist
  2. Schedule a recurring review (monthly or quarterly) to catch any new credentialed apps without owners
  3. For automated app registrations (CI/CD pipelines, etc.), assign the owning service account or team lead as owner at creation time
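For pipelines that register their own apps, the order of operations is what enforces the checklist item "owner assigned before credentials are issued". The script below is an added example, not TrueConfig's own code; the owner UPN, display name and secret lifetime are assumed values. It sets the owner on both the app registration and its service principal, verifies the owner persisted, and only then issues a short-lived secret.

```powershell
Connect-MgGraph -Scopes "Application.ReadWrite.All", "User.Read.All"

$ownerUpn = "platform-lead@contoso.com"          # assumed: the team lead or service account that will own the app
$owner = Get-MgUser -UserId $ownerUpn -Property Id,AccountEnabled
if (-not $owner.AccountEnabled) { throw "Refusing to assign a disabled account as owner" }

# Single-tenant registration plus its service principal
$app = New-MgApplication -DisplayName "pipeline-deploy-prod" -SignInAudience "AzureADMyOrg"
$sp  = New-MgServicePrincipal -AppId $app.AppId

# Owner first, on both objects, because TrueConfig evaluates app registrations and service principals
$ownerRef = @{ "@odata.id" = "https://graph.microsoft.com/v1.0/directoryObjects/$($owner.Id)" }
New-MgApplicationOwnerByRef      -ApplicationId      $app.Id -BodyParameter $ownerRef
New-MgServicePrincipalOwnerByRef -ServicePrincipalId $sp.Id  -BodyParameter $ownerRef

# Gate: no credential unless the owner assignment actually persisted
if (@(Get-MgApplicationOwner -ApplicationId $app.Id).Count -eq 0) {
    throw "Owner assignment did not persist; no credential issued"
}

# Short-lived secret; rotating it is now the owner's responsibility
$secret = Add-MgApplicationPassword -ApplicationId $app.Id -PasswordCredential @{
    DisplayName = "ci-initial"
    EndDateTime = (Get-Date).AddDays(90)
}

# $secret.SecretText is returned exactly once: hand it to the pipeline's secret store, never log it
Write-Host "Registered $($app.DisplayName) ($($app.AppId)) owned by $ownerUpn; secret expires $($secret.EndDateTime)"
```

If the service principal is to be owned by a service account rather than a person, that account still needs to be an enabled user or service principal object; the AccountEnabled check above only applies to user owners.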

Verification Checklist

  • All apps flagged by TrueConfig (APP-01) have at least one owner assigned
  • Privileged apps have owners restricted to administrator-role accounts
  • Owner identities are current employees or service accounts with active access
  • A second owner is assigned where feasible (avoids single point of failure)
  • TrueConfig APP-01 findings list is clear (or new items are acknowledged with a remediation date)
  • New-app onboarding process requires owner assignment before credentials are issued

Troubleshooting

Issue: Cannot add owner to a Microsoft first-party app

Cause: Microsoft-published enterprise apps (Teams, SharePoint, etc.) do not support custom owner assignment through the standard UI.

Solution: These apps are managed by Microsoft. TrueConfig does not flag them because accountability lies with Microsoft. Focus remediation on your own app registrations and third-party apps.

Issue: App still appears in TrueConfig after assigning an owner

Cause: The scan may not have refreshed yet, or the owner assignment did not persist.

Solution:

  1. Confirm the owner appears under App registrations > Owners in Entra
  2. Wait for the next TrueConfig scan cycle
  3. If the issue persists, confirm that the account performing the assignment holds one of the roles listed under Prerequisites and, when using PowerShell, that the Graph session was consented with the Application.ReadWrite.All scope (Connect-MgGraph -Scopes); then re-assign

Issue: Cannot determine who should own the app

Cause: The app may be legacy or the creator has left the organization.

Solution:

  1. Review Sign-in logs for the app to find active users
  2. Check IT ticketing history for the app name
  3. Assign to the IT Security team as a temporary owner for investigation
  4. If no active use is found, disable the app and monitor for complaints before deleting

Issue: Owner is a former employee

Cause: Ownership was not transferred during offboarding.

Solution:

  1. Use admin credentials to add a new owner
  2. Remove the former employee's owner entry
  3. Add owner transfer to your offboarding checklist
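The disabled-owner case can be found and fixed in bulk. The script below is an added example, not TrueConfig's own code; the replacement owner object ID and the dry-run flag are assumed values. It walks every credentialed app registration, reports owners whose user account is disabled, and, when not in dry-run mode, adds the replacement owner before removing the stale entry so the app is never left with zero owners in between. A user who has been hard-deleted no longer appears in the owner list at all; that case is the one Method B in Step 1 catches.

```powershell
Connect-MgGraph -Scopes "Application.ReadWrite.All", "User.Read.All"

$replacementOwnerId = "<replacement-owner-user-object-id>"   # assumed: e.g. the IT Security team account
$dryRun = $true                                              # set to $false to apply the changes

$apps = Get-MgApplication -All -Property Id,DisplayName,PasswordCredentials,KeyCredentials
foreach ($app in $apps) {
    if ((@($app.PasswordCredentials).Count + @($app.KeyCredentials).Count) -eq 0) { continue }

    $owners = @(Get-MgApplicationOwner -ApplicationId $app.Id -All)
    foreach ($o in $owners) {
        # Owner entries are generic directoryObjects; only user owners have an account state
        if ($o.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.user') { continue }
        $user = Get-MgUser -UserId $o.Id -Property Id,UserPrincipalName,AccountEnabled
        if ($user.AccountEnabled) { continue }

        Write-Host "$($app.DisplayName): owner $($user.UserPrincipalName) is disabled"
        if ($dryRun) { continue }

        # Add the replacement first, then remove the stale owner
        if ($owners.Id -notcontains $replacementOwnerId) {
            New-MgApplicationOwnerByRef -ApplicationId $app.Id -BodyParameter @{
                "@odata.id" = "https://graph.microsoft.com/v1.0/directoryObjects/$replacementOwnerId"
            }
        }
        Remove-MgApplicationOwnerByRef -ApplicationId $app.Id -DirectoryObjectId $o.Id
    }
}
```

Run it in dry-run mode first and review the list: a disabled account is usually an offboarded employee, but it can also be a temporarily blocked user whose ownership you want to keep.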

Last updated: January 2025