APP-03: Internal App Registration Permissions
Frequently asked questions about implementing and managing the APP-03 security control in Microsoft 365 and Entra ID.
Q: What is APP-03 (Internal App Registration Permissions)?
APP-03 is a security control covering internal app registrations: applications you created and control in your own tenant. Even though you own the code, misconfigured permissions can grant those apps far more access than they need, so the control calls for regular review of your own apps' permissions. Specifically, it requires that every internal app registration holding high-privilege Microsoft Graph permissions is documented and reviewed quarterly, that permissions such as Mail.ReadWrite.All, Directory.ReadWrite.All and RoleManagement.ReadWrite.Directory are flagged, and that each internal app with elevated permissions has a documented business justification.
Q: Why is Internal App Registration Permissions important for Microsoft 365 security?
Internal app registrations are applications you created and control. While you own the code, misconfigured permissions can expose excessive access. Regular review ensures your own apps only have necessary permissions.
Q: How do I implement APP-03 in my tenant?
TrueConfig provides one-click remediation for APP-03: it can revoke a flagged high-risk Graph permission in one click (revoke_app_permission). The manual alternative is to review each flagged internal application's API permissions in Entra ID, record the business justification for the elevated permissions that are needed, and remove the grants that are not.
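The manual review described above can be scripted. The following is an added example written for this page, not TrueConfig's own code and not its revoke_app_permission action. It uses the Microsoft Graph PowerShell SDK to enumerate every app registration in the tenant, resolve the Microsoft Graph application permissions granted to its service principal, flag the permissions named on this page, and write a CSV with an empty Justification column for the quarterly review. The $HighRiskPermissions watch-list, the -Revoke switch and the report path are this example's own choices; the -NoWelcome switch assumes SDK v2 or later.

```powershell
# Added example (not TrueConfig's code): inventory internal app registrations that
# hold high-privilege Microsoft Graph application permissions, and optionally revoke
# a flagged grant. Requires the Microsoft.Graph PowerShell SDK (Install-Module Microsoft.Graph).
[CmdletBinding(SupportsShouldProcess)]
param(
    # Watch-list copied from this page; extend it with whatever your policy flags.
    [string[]]$HighRiskPermissions = @(
        'Mail.ReadWrite.All',
        'Directory.ReadWrite.All',
        'RoleManagement.ReadWrite.Directory'
    ),
    [switch]$Revoke,   # remove flagged grants instead of only reporting them
    [string]$ReportPath = ".\app03-review-$(Get-Date -Format yyyyMMdd).csv"
)

# Reporting only needs Application.Read.All; revoking needs AppRoleAssignment.ReadWrite.All.
$scopes = @('Application.Read.All')
if ($Revoke) { $scopes += 'AppRoleAssignment.ReadWrite.All' }
Connect-MgGraph -Scopes $scopes -NoWelcome

# The Microsoft Graph service principal (well-known appId below) carries the catalogue of
# app roles, i.e. application permissions. An assignment's AppRoleId is resolved against it.
$graphSp  = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
$roleName = @{}
foreach ($role in $graphSp.AppRoles) { $roleName[[string]$role.Id] = $role.Value }

$findings = foreach ($app in Get-MgApplication -All) {
    # App registrations (applications) are by definition owned by this tenant, i.e. internal.
    # Granted application permissions live on the matching service principal, not the registration.
    $sp = Get-MgServicePrincipal -Filter "appId eq '$($app.AppId)'"
    if (-not $sp) { continue }   # registration without a service principal: nothing granted yet

    $grants = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All |
        Where-Object { $_.ResourceId -eq $graphSp.Id }   # only grants against Microsoft Graph

    foreach ($grant in $grants) {
        # Names are matched exactly against Graph's catalogue; a watch-list entry that does
        # not exist in the catalogue simply never matches.
        $perm = $roleName[[string]$grant.AppRoleId]
        [pscustomobject]@{
            DisplayName        = $app.DisplayName
            AppId              = $app.AppId
            ServicePrincipalId = $sp.Id
            AssignmentId       = $grant.Id
            Permission         = $perm
            HighRisk           = $HighRiskPermissions -contains $perm
            Justification      = ''   # fill in during the quarterly review
        }
    }
}

$findings = @($findings)
$flagged  = @($findings | Where-Object HighRisk)
$findings | Export-Csv -Path $ReportPath -NoTypeInformation
Write-Host "$($findings.Count) Graph application permissions across internal apps; $($flagged.Count) flagged. Report: $ReportPath"
$flagged | Format-Table DisplayName, Permission, AssignmentId -AutoSize

if ($Revoke) {
    foreach ($f in $flagged) {
        # -WhatIf / -Confirm come from SupportsShouldProcess: dry-run before revoking for real.
        if ($PSCmdlet.ShouldProcess("$($f.DisplayName): $($f.Permission)", 'Revoke Graph application permission')) {
            Remove-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $f.ServicePrincipalId `
                -AppRoleAssignmentId $f.AssignmentId
        }
    }
}
```

Run it without switches to produce the review CSV, then `.\Invoke-App03Review.ps1 -Revoke -WhatIf` to see which grants would be removed before committing to it. Revoking an application permission does not invalidate tokens already issued to the app; they keep working until they expire, so treat the revocation as effective only after the token lifetime has passed.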
Q: What license do I need for APP-03?
This control can be implemented with any Microsoft 365 subscription, including the free tier of Microsoft Entra ID (formerly Azure AD).
Q: Which security baseline includes APP-03?
APP-03 is included in the Enhanced Security baseline (Level 2). This level adds stricter controls for security-conscious organizations.