APP-01: Application Ownership for Apps with Credentials
Overview
Applications that hold credentials (client secrets or certificates) need at least one assigned owner to ensure accountability during credential rotation and lifecycle management. Without an owner, there is no clear responsible party to rotate expiring secrets, respond to security alerts, or manage the application's credentials.
TrueConfig detects app registrations and service principals that carry credentials (passwordCredentials or keyCredentials) but have no owner assigned. Remediation is manual: an admin must assign an appropriate owner for each flagged app. This control is informational in severity. Apps with no credentials at all are skipped because they do not require the same ownership accountability.
Important: Owners of an app registration can add new credentials to that app. For apps with privileged permissions, restrict ownership to administrators to prevent credential abuse.
Prerequisites
Required Roles
- Global Administrator or Application Administrator - Can assign owners to any app registration or enterprise application
- Cloud Application Administrator - Can assign owners to most applications
Required Licenses
No premium Entra ID license is required for this control. Any Microsoft Entra ID tier supports owner assignment on app registrations and service principals. An appropriate admin role (see above) is still required to perform the steps.
Time Estimate
- Initial audit: 20-40 minutes (depending on number of credentialed apps)
- Owner assignment per app: 5-10 minutes
- Ongoing monitoring: 15 minutes per review cycle
Step-by-Step Instructions
Step 1: Identify Credentialed Apps Without Owners
TrueConfig flags these apps automatically. You can also enumerate them directly.
Method A: Entra Admin Center (App Registrations)
- Navigate to Microsoft Entra admin center (https://entra.microsoft.com)
- Expand Identity → Applications → App registrations
- Click All applications
- Click Columns and add the Owners column
- For each app, open Certificates & secrets to check whether any secret or certificate exists
- Note apps that have credentials but show no owners
Method B: PowerShell (Recommended for Bulk Auditing)
This script finds app registrations that carry at least one credential but have no owner. It covers app registrations only; service principals (enterprise applications) keep their own credentials and their own owner list and need a separate pass.
Connect-MgGraph -Scopes "Application.Read.All", "Directory.Read.All"
# Request only the properties the check needs
$apps = Get-MgApplication -All -Property Id,DisplayName,AppId,PasswordCredentials,KeyCredentials
$results = foreach ($app in $apps) {
    $hasCredentials = ($app.PasswordCredentials.Count -gt 0) -or ($app.KeyCredentials.Count -gt 0)
    if (-not $hasCredentials) { continue }   # no credentials: out of scope for APP-01
    # @() makes "one owner" and "no owner" both countable arrays
    $owners = @(Get-MgApplicationOwner -ApplicationId $app.Id -All)
    if ($owners.Count -eq 0) {
        [PSCustomObject]@{
            DisplayName  = $app.DisplayName
            AppId        = $app.AppId
            ObjectId     = $app.Id
            Secrets      = $app.PasswordCredentials.Count
            Certificates = $app.KeyCredentials.Count
        }
    }
}
$results | Format-Table -AutoSize
$results | Export-Csv -Path "UnownedCredentialedApps.csv" -NoTypeInformation
# @() again: with exactly one hit $results is a single object, not an array
Write-Host "Found $(@($results).Count) credentialed apps without owners"
Method C: Microsoft Graph API
GET https://graph.microsoft.com/v1.0/applications?$select=id,displayName,appId,passwordCredentials,keyCredentials&$expand=owners($select=id,displayName)
The response is paged (100 objects per page by default); follow each @odata.nextLink until none remains, then filter client-side for entries where passwordCredentials or keyCredentials is non-empty AND owners is empty.
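The scripts above look only at app registrations, while this control also evaluates service principals. The following is an added example (not code from the original page or from TrueConfig) that runs the same audit against service principals. It assumes the Microsoft Graph PowerShell SDK and the same read scopes as Method B; the output file name is a placeholder.

```powershell
# Added example: service principal counterpart of Method B.
# Service principals (enterprise applications) carry their own passwordCredentials /
# keyCredentials and their own owner list, independent of the app registration.
Connect-MgGraph -Scopes "Application.Read.All", "Directory.Read.All"

$tenantId = (Get-MgContext).TenantId

$sps = Get-MgServicePrincipal -All -Property Id,DisplayName,AppId,ServicePrincipalType,AppOwnerOrganizationId,AccountEnabled,PasswordCredentials,KeyCredentials

$spResults = foreach ($sp in $sps) {
    # Managed identities and other non-application types cannot carry user-managed secrets
    if ($sp.ServicePrincipalType -ne 'Application') { continue }

    $creds = @($sp.PasswordCredentials) + @($sp.KeyCredentials)
    if ($creds.Count -eq 0) { continue }   # no credentials: out of scope for APP-01

    $owners = @(Get-MgServicePrincipalOwner -ServicePrincipalId $sp.Id -All)
    if ($owners.Count -eq 0) {
        [PSCustomObject]@{
            DisplayName   = $sp.DisplayName
            AppId         = $sp.AppId
            ObjectId      = $sp.Id
            # Credentials on a service principal are always created in this tenant, even when
            # the app is published by another tenant, so a hit on an external app is still yours to own
            PublishedHere = ($sp.AppOwnerOrganizationId -eq $tenantId)
            Enabled       = $sp.AccountEnabled
            Secrets       = $sp.PasswordCredentials.Count
            Certificates  = $sp.KeyCredentials.Count
            # Soonest expiry across all credentials, to order the remediation queue
            NextExpiry    = ($creds | ForEach-Object { $_.EndDateTime } | Sort-Object | Select-Object -First 1)
        }
    }
}

$spResults | Sort-Object NextExpiry | Format-Table -AutoSize
# Placeholder file name (assumption); merge with the Method B CSV if you track both in one list
$spResults | Export-Csv -Path "UnownedCredentialedServicePrincipals.csv" -NoTypeInformation
Write-Host "Found $(@($spResults).Count) credentialed service principals without owners"
```

Sorting by NextExpiry puts the credentials that will need rotation first at the top, which is exactly where a missing owner hurts most.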
Step 2: Prioritize by Risk
Not all unowned credentialed apps carry equal risk. Prioritize:
| Priority | Criteria |
|---|---|
| High | App has broad API permissions (e.g., *.All scopes, admin consent) and no owner |
| Medium | Active app with secrets, some delegated permissions, no owner |
| Low | Inactive app or app with minimal permissions, no owner |
For high-priority apps, restrict ownership to administrators (see Step 3 note below).
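Applying the table by hand means opening each app's API permissions blade. The following added example (not from the original page or TrueConfig) ranks the Method B output automatically from what is actually granted to each app's service principal: application permissions (app role assignments, which are admin-consented by definition) and delegated grants. It assumes UnownedCredentialedApps.csv from Method B is in the current directory; the regex that decides "broad" is a starting point, not a standard.

```powershell
# Added example: rank unowned credentialed apps by granted permissions (Step 2 table).
# ASSUMPTION: UnownedCredentialedApps.csv (Method B output) is in the current directory.
Connect-MgGraph -Scopes "Application.Read.All", "Directory.Read.All"

$unowned = Import-Csv -Path "UnownedCredentialedApps.csv"

# Cache: resource service principal id -> @{ appRoleId = "Permission.Value" }
# so each API (Microsoft Graph, SharePoint, ...) is fetched once.
$roleCatalog = @{}
function Resolve-AppRoleName {
    param([string]$ResourceId, [string]$AppRoleId)
    if (-not $roleCatalog.ContainsKey($ResourceId)) {
        $resource = Get-MgServicePrincipal -ServicePrincipalId $ResourceId -Property AppRoles
        $map = @{}
        foreach ($role in $resource.AppRoles) { $map["$($role.Id)"] = $role.Value }
        $roleCatalog[$ResourceId] = $map
    }
    $name = $roleCatalog[$ResourceId][$AppRoleId]
    if ($name) { $name } else { $AppRoleId }   # unknown role id: keep the raw id visible
}

# Broad or write-capable application permissions -> High; anything else granted -> Medium;
# nothing granted -> Low. ASSUMPTION: tune this pattern to your tenant's risk appetite.
$broadPattern = '\.All$|ReadWrite|FullControl|RoleManagement|AppRoleAssignment'

$ranked = foreach ($row in $unowned) {
    $sp = Get-MgServicePrincipal -Filter "appId eq '$($row.AppId)'" -Property Id,DisplayName,AppId |
          Select-Object -First 1
    if (-not $sp) {
        # Registration without a service principal here: nothing can be granted in this tenant
        [PSCustomObject]@{
            DisplayName = $row.DisplayName; AppId = $row.AppId; Priority = 'Low'
            AppPermissions = '(no service principal)'; DelegatedScopes = ''
        }
        continue
    }
    # Application permissions = app role assignments held by the service principal
    $grants   = @(Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All)
    $appPerms = @($grants |
                  ForEach-Object { Resolve-AppRoleName -ResourceId $_.ResourceId -AppRoleId "$($_.AppRoleId)" } |
                  Sort-Object -Unique)
    # Delegated permissions = OAuth2 permission grants; Scope is a space-separated list
    $delegated = @(Get-MgServicePrincipalOauth2PermissionGrant -ServicePrincipalId $sp.Id -All)
    $scopes    = @($delegated | ForEach-Object { $_.Scope -split ' ' } | Where-Object { $_ } | Sort-Object -Unique)

    $priority = if ($appPerms | Where-Object { $_ -match $broadPattern }) { 'High' }
                elseif ($appPerms.Count -gt 0 -or $scopes.Count -gt 0) { 'Medium' }
                else { 'Low' }

    [PSCustomObject]@{
        DisplayName     = $sp.DisplayName
        AppId           = $sp.AppId
        Priority        = $priority
        AppPermissions  = ($appPerms -join '; ')
        DelegatedScopes = ($scopes -join '; ')
    }
}

$order = @{ High = 0; Medium = 1; Low = 2 }
$ranked | Sort-Object { $order[$_.Priority] }, DisplayName | Format-Table -AutoSize
$ranked | Export-Csv -Path "UnownedCredentialedApps-Prioritized.csv" -NoTypeInformation
```

The ranking reads granted permissions, not the requested ones in the registration's manifest, because only granted permissions are what a leaked credential can actually use. An app whose service principal is missing or has nothing granted still has the credential-rotation gap, which is why it stays on the list as Low rather than dropping out.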
Step 3: Assign Owners
Via Entra Admin Center
- In App registrations, click on the application
- In the left menu, select Owners
- Click + Add owners
- Search for and select the responsible admin or developer
- Click Select
- Repeat for a second owner if possible (two owners prevent single points of failure)
Note for privileged apps: Because an owner can add credentials to an app, do not assign non-admin users as owners of apps with high-privilege permissions. Limit ownership to members of the Application Administrator or Global Administrator role.
Via PowerShell
Connect-MgGraph -Scopes "Application.ReadWrite.All"
$appObjectId = "<app-registration-object-id>"   # Object ID of the registration, not the Application (client) ID
$ownerUserId = "<owner-user-object-id>"
$body = @{
    "@odata.id" = "https://graph.microsoft.com/v1.0/directoryObjects/$ownerUserId"
}
New-MgApplicationOwnerByRef -ApplicationId $appObjectId -BodyParameter $body
# Read the owner list back rather than trusting the write (this is the Step 4 check)
$owners = @(Get-MgApplicationOwner -ApplicationId $appObjectId -All)
if ($owners.Id -contains $ownerUserId) {
    Write-Host "Owner assigned to $appObjectId"
} else {
    Write-Warning "Owner $ownerUserId not visible on $appObjectId after assignment"
}
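Assigning owners one at a time is fine for a handful of apps; for a Step 1 list of dozens, the following added example (not code from the original page or TrueConfig) does it in bulk and idempotently. It assumes you have added an Owners column to UnownedCredentialedApps.csv holding one or more user principal names separated by semicolons, and that the User.Read.All scope is available to resolve them.

```powershell
# Added example: bulk owner assignment from the Step 1 CSV.
# ASSUMPTION: UnownedCredentialedApps.csv has ObjectId, DisplayName and an added Owners column
# (UPNs separated by ";"). Re-running is safe: existing owners are detected and skipped.
Connect-MgGraph -Scopes "Application.ReadWrite.All", "User.Read.All"

function Add-OwnerIfMissing {
    param(
        [Parameter(Mandatory)] [string]$AppObjectId,
        [Parameter(Mandatory)] [string]$OwnerUpn
    )
    $user = Get-MgUser -UserId $OwnerUpn -Property Id,UserPrincipalName,AccountEnabled
    if (-not $user.AccountEnabled) {
        # Checklist item: owners must be current accounts with active access
        throw "Refusing to assign disabled account $OwnerUpn as owner"
    }
    $current = @(Get-MgApplicationOwner -ApplicationId $AppObjectId -All)
    if ($current.Id -contains $user.Id) { return "already owner" }

    New-MgApplicationOwnerByRef -ApplicationId $AppObjectId -BodyParameter @{
        "@odata.id" = "https://graph.microsoft.com/v1.0/directoryObjects/$($user.Id)"
    }
    # Read back instead of trusting the write (Step 4)
    $after = @(Get-MgApplicationOwner -ApplicationId $AppObjectId -All)
    if ($after.Id -notcontains $user.Id) {
        throw "Owner $OwnerUpn not visible on $AppObjectId after write"
    }
    return "added"
}

$rows = Import-Csv -Path "UnownedCredentialedApps.csv"
foreach ($row in $rows) {
    if ([string]::IsNullOrWhiteSpace($row.Owners)) {
        Write-Warning "$($row.DisplayName): no owner listed, skipping (see Troubleshooting)"
        continue
    }
    $upns = $row.Owners -split ';' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
    foreach ($upn in $upns) {
        try {
            $status = Add-OwnerIfMissing -AppObjectId $row.ObjectId -OwnerUpn $upn
            Write-Host "$($row.DisplayName): $upn $status"
        } catch {
            # One bad row must not stop the run; the warning is the audit trail for follow-up
            Write-Warning "$($row.DisplayName): $upn failed: $($_.Exception.Message)"
        }
    }
}
```

Ownership of the enterprise application (service principal) is a separate list; if TrueConfig flagged the service principal rather than the registration, use Get-MgServicePrincipalOwner and New-MgServicePrincipalOwnerByRef with the service principal's object ID in place of the application cmdlets above. The disabled-account check is deliberate: an owner who cannot sign in satisfies the "has an owner" condition while providing none of the accountability this control is after.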
Step 4: Verify TrueConfig No Longer Flags the App
After assigning owners, TrueConfig re-evaluates on its next scan cycle. Confirm the app no longer appears in the APP-01 findings list. If it does, verify the owner assignment saved correctly in Entra.
Step 5: Establish a Process for New Apps
Prevent future gaps by requiring owners at registration time:
- Add owner assignment to your application onboarding checklist
- Schedule a recurring review (monthly or quarterly) to catch any new credentialed apps without owners
- For automated app registrations (CI/CD pipelines, etc.), assign the owning service account or team lead as owner at creation time
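For pipelines that register apps automatically, the ordering matters: the owner must exist and be verified before a credential is issued, otherwise the gap this control detects is created at birth. The following added example (not from the original page or TrueConfig) wraps that sequence in one function. Names, the 180-day secret lifetime and the single-tenant sign-in audience are illustrative assumptions.

```powershell
# Added example: owner-first app registration for automated onboarding.
# Sequence: resolve owners -> create registration -> assign owners -> read back -> create
# service principal with the same owners -> only then issue a time-bounded secret.
Connect-MgGraph -Scopes "Application.ReadWrite.All", "User.Read.All"

function New-OwnedAppRegistration {
    param(
        [Parameter(Mandatory)] [string]$DisplayName,
        [Parameter(Mandatory)] [string[]]$OwnerUpns,     # two owners recommended (no single point of failure)
        [int]$SecretLifetimeDays = 180                    # ASSUMPTION: pick the lifetime your policy allows
    )
    if ($OwnerUpns.Count -lt 1) { throw "At least one owner is required before a credential can be issued" }

    # Resolve owners first so an unknown or disabled account aborts before anything is created
    $owners = foreach ($upn in $OwnerUpns) {
        $u = Get-MgUser -UserId $upn -Property Id,UserPrincipalName,AccountEnabled
        if (-not $u.AccountEnabled) { throw "Owner $upn is disabled" }
        $u
    }

    $app = New-MgApplication -DisplayName $DisplayName -SignInAudience "AzureADMyOrg"
    foreach ($u in $owners) {
        New-MgApplicationOwnerByRef -ApplicationId $app.Id -BodyParameter @{
            "@odata.id" = "https://graph.microsoft.com/v1.0/directoryObjects/$($u.Id)"
        }
    }
    # Verify persistence before any secret exists (checklist: owner assignment precedes credentials)
    $assigned = @(Get-MgApplicationOwner -ApplicationId $app.Id -All).Id
    $missing  = @($owners | Where-Object { $assigned -notcontains $_.Id })
    if ($missing.Count -gt 0) {
        throw "Owner assignment did not persist for: $($missing.UserPrincipalName -join ', ')"
    }

    # The enterprise application side has its own owner list; keep it in step
    $sp = New-MgServicePrincipal -AppId $app.AppId
    foreach ($u in $owners) {
        New-MgServicePrincipalOwnerByRef -ServicePrincipalId $sp.Id -BodyParameter @{
            "@odata.id" = "https://graph.microsoft.com/v1.0/directoryObjects/$($u.Id)"
        }
    }

    # Credential is issued last, with an explicit end date rather than the default
    $secret = Add-MgApplicationPassword -ApplicationId $app.Id -PasswordCredential @{
        DisplayName = "initial-$(Get-Date -Format yyyyMMdd)"
        EndDateTime = (Get-Date).AddDays($SecretLifetimeDays)
    }

    [PSCustomObject]@{
        AppId              = $app.AppId
        ObjectId           = $app.Id
        ServicePrincipalId = $sp.Id
        Owners             = ($owners.UserPrincipalName -join '; ')
        SecretExpires      = $secret.EndDateTime
        # SecretText is returned once only; hand it straight to a vault, never to a ticket or chat
        SecretValue        = $secret.SecretText
    }
}

# Usage with constructed sample values (not real accounts):
# New-OwnedAppRegistration -DisplayName "payroll-sync" -OwnerUpns "alice@contoso.com","bob@contoso.com"
```

Because the function throws before Add-MgApplicationPassword runs whenever an owner is missing or disabled, a pipeline built on it cannot produce the state APP-01 looks for: a credential with nobody accountable for rotating it.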
Verification Checklist
- All apps flagged by TrueConfig (APP-01) have at least one owner assigned
- Privileged apps have owners restricted to administrator-role accounts
- Owner identities are current employees or service accounts with active access
- A second owner is assigned where feasible (avoids single point of failure)
- TrueConfig APP-01 findings list is clear (or new items are acknowledged with a remediation date)
- New-app onboarding process requires owner assignment before credentials are issued
Troubleshooting
Issue: Cannot add owner to a Microsoft first-party app
Cause: Microsoft-published enterprise apps (Teams, SharePoint, etc.) do not support custom owner assignment through the standard UI.
Solution: These apps are managed by Microsoft. TrueConfig does not flag them because accountability lies with Microsoft. Focus remediation on your own app registrations and third-party apps.
Issue: App still appears in TrueConfig after assigning an owner
Cause: The scan may not have refreshed yet, or the owner assignment did not persist.
Solution:
- Confirm the owner appears under App registrations → Owners in Entra
- Wait for the next TrueConfig scan cycle
- If the issue persists, confirm that the account you used holds an eligible admin role (Application Administrator, Cloud Application Administrator, or Global Administrator) and, when using PowerShell, that the session was granted the Application.ReadWrite.All scope; then re-assign the owner
Issue: Cannot determine who should own the app
Cause: The app may be legacy or the creator has left the organization.
Solution:
- Review Sign-in logs for the app to find active users
- Check IT ticketing history for the app name
- Assign to the IT Security team as a temporary owner for investigation
- If no active use is found, disable the app and monitor for complaints before deleting
Issue: Owner is a former employee
Cause: Ownership was not transferred during offboarding.
Solution:
- Use admin credentials to add a new owner
- Remove the former employee's owner entry
- Add owner transfer to your offboarding checklist
Related Resources
- Assign owners to an application in Microsoft Entra ID
- Application management best practices
- Microsoft Graph PowerShell: Get-MgApplication
- Related controls: APP-02 (Enforce Application Credential Expiration)
Last updated: January 2025