APP-03: Internal App Registration Permissions
Frequently asked questions about implementing and managing the APP-03 security control in Microsoft 365 and Entra ID.
Q: What is APP-03 (Internal App Registration Permissions)?
APP-03 is a security control covering internal app registrations, the applications you created and control. While you own the code, misconfigured permissions can expose excessive access. Regular review ensures your own apps only have necessary permissions. The control requires that internal app registrations with high-privilege Graph permissions are documented and reviewed quarterly, that permissions like Mail.ReadWrite.All, Directory.ReadWrite.All, and RoleManagement.ReadWrite.Directory are flagged, and that each internal app with elevated permissions has a documented business justification.
Q: Why is Internal App Registration Permissions important for Microsoft 365 security?
Internal app registrations are applications you created and control. While you own the code, misconfigured permissions can expose excessive access. Regular review ensures your own apps only have necessary permissions.
Q: How do I implement APP-03 in my tenant?
APP-03 requires manual implementation. Review flagged internal applications and remove unnecessary permissions.
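One way to build the flagged list for that review, as an added example that is not part of the original page or any Microsoft tooling: it reads application objects and the Microsoft Graph service principal in the JSON shape the Graph API returns, resolves requested permission IDs to names, and reports apps missing a justification or a recent review. The justification register, the 92-day reading of "quarterly", and all sample IDs are assumptions constructed for the example.

```python
from datetime import date

GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"  # Microsoft Graph's appId
# Permission names as this control lists them, matched case-insensitively.
HIGH_PRIV = {"mail.readwrite.all", "directory.readwrite.all",
             "rolemanagement.readwrite.directory"}
REVIEW_MAX_AGE_DAYS = 92  # assumption: "quarterly" read as roughly 92 days

def flag_apps(applications, graph_sp, register, today):
    """Flag apps requesting high-privilege Graph permissions and list review gaps."""
    # requiredResourceAccess is what the app requests; consent grants live on the service principal.
    names = {p["id"]: p["value"]
             for p in graph_sp["appRoles"] + graph_sp["oauth2PermissionScopes"]}
    findings = []
    for app in applications:
        hits = sorted({names[a["id"]]
                       for r in app.get("requiredResourceAccess", [])
                       if r["resourceAppId"] == GRAPH_APP_ID
                       for a in r["resourceAccess"]
                       if names.get(a["id"], "").lower() in HIGH_PRIV})
        if not hits:
            continue
        entry, issues = register.get(app["appId"], {}), []
        if not entry.get("justification", "").strip():
            issues.append("no documented business justification")
        reviewed = entry.get("last_reviewed")
        if not reviewed or (today - date.fromisoformat(reviewed)).days > REVIEW_MAX_AGE_DAYS:
            issues.append("quarterly review overdue")
        findings.append({"app": app["displayName"], "permissions": hits, "issues": issues})
    return findings

# Constructed sample data: every ID below is made up for this example.
GRAPH_SP = {"appRoles": [{"id": "aaaa0001", "value": "Directory.ReadWrite.All"},
                         {"id": "aaaa0002", "value": "RoleManagement.ReadWrite.Directory"}],
            "oauth2PermissionScopes": [{"id": "bbbb0001", "value": "User.Read"}]}
def _app(app_id, name, perm_id):  # builds a constructed application object
    return {"appId": app_id, "displayName": name, "requiredResourceAccess": [
        {"resourceAppId": GRAPH_APP_ID, "resourceAccess": [{"id": perm_id}]}]}
APPS = [_app("app-1", "HR Sync", "aaaa0001"), _app("app-2", "Intranet", "bbbb0001"),
        _app("app-3", "Role Bot", "aaaa0002")]
REGISTER = {"app-1": {"justification": "Provisions users from HR", "last_reviewed": "2024-05-01"}}

if __name__ == "__main__":
    for finding in flag_apps(APPS, GRAPH_SP, REGISTER, date(2024, 6, 1)):
        print(finding)
```

An app that appears with an empty `issues` list still holds a high-privilege permission; it is listed so the reviewer can confirm the permission is still needed.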
Q: What license do I need for APP-03?
This control can be implemented with any Microsoft 365 subscription, including free Azure AD.
Q: Which security baseline includes APP-03?
APP-03 is included in the Enhanced Security baseline (Level 2). This level adds stricter controls for security-conscious organizations.