APP-07: Identify Unused Service Principals
Frequently asked questions about implementing and managing the APP-07 security control in Microsoft 365 and Entra ID.
Q: What is APP-07 (Identify Unused Service Principals)?
APP-07 is a security control based on the observation that dormant service principals with valid credentials are invisible persistence mechanisms: attackers can use forgotten apps with stale credentials to maintain access long after the initial compromise has been detected. It requires that service principals with no sign-in activity for 90 or more days are identified, that unused service principals are disabled or removed, and that exceptions are documented for service accounts with infrequent use.
Q: Why is Identify Unused Service Principals important for Microsoft 365 security?
Dormant service principals with valid credentials are invisible persistence mechanisms. Attackers can use forgotten apps with stale credentials to maintain access long after initial compromise detection.
Q: How do I implement APP-07 in my tenant?
APP-07 requires manual implementation. It depends on sign-in activity data for service principals; a P2 license is needed for full visibility.
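The review logic the control describes, as an added example that is not part of the original FAQ or of any vendor tool: each service principal is classified against the 90-day threshold, a dormant principal that still holds an unexpired credential is flagged for disable-or-remove, and documented exceptions are honored only until their review date. The record fields, the app IDs and the exceptions list are constructed for the example and mimic what an administrator would export from a service principal sign-in activity report; they are not a specific API schema.

```python
"""APP-07 dormancy review over an exported service principal inventory.

Constructed example: field names below are this example's own assumptions,
not the schema of any particular report or API.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

DORMANCY_DAYS = 90  # threshold stated by APP-07


@dataclass
class ServicePrincipal:
    display_name: str
    app_id: str
    account_enabled: bool
    has_unexpired_credential: bool        # any client secret or certificate still valid
    last_sign_in: Optional[datetime]      # None: no sign-in within the report's retention


@dataclass
class DocumentedException:
    app_id: str
    justification: str
    review_by: datetime                   # exceptions are time-boxed and re-reviewed


def classify(sp: ServicePrincipal,
             exceptions: Dict[str, DocumentedException],
             now: datetime) -> str:
    """Return the APP-07 verdict for one service principal."""
    if not sp.account_enabled:
        return "already-disabled"
    dormant = (sp.last_sign_in is None
               or now - sp.last_sign_in >= timedelta(days=DORMANCY_DAYS))
    if not dormant:
        return "active"
    exc = exceptions.get(sp.app_id)
    if exc is not None:
        # A documented exception covers the principal only until its review date.
        return "exception" if exc.review_by >= now else "exception-expired"
    if sp.has_unexpired_credential:
        # Dormant and still able to authenticate: the persistence risk APP-07 targets.
        return "disable-or-remove"
    return "dormant-no-credential"


def review(sps: List[ServicePrincipal],
           exceptions: List[DocumentedException],
           now: datetime) -> Dict[str, str]:
    """Classify every service principal; keyed by app_id."""
    by_app = {e.app_id: e for e in exceptions}
    return {sp.app_id: classify(sp, by_app, now) for sp in sps}


def action_items(results: Dict[str, str]) -> List[str]:
    """App IDs that need an administrator to act now."""
    return sorted(app for app, v in results.items()
                  if v in ("disable-or-remove", "exception-expired"))


# Constructed sample inventory (placeholder GUID-style app IDs).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_SPS = [
    ServicePrincipal("hr-sync-connector", "11111111-0000-0000-0000-000000000001",
                     True, True, NOW - timedelta(days=10)),
    ServicePrincipal("legacy-report-exporter", "22222222-0000-0000-0000-000000000002",
                     True, True, NOW - timedelta(days=200)),
    ServicePrincipal("annual-audit-export", "33333333-0000-0000-0000-000000000003",
                     True, True, NOW - timedelta(days=300)),
    ServicePrincipal("old-migration-tool", "44444444-0000-0000-0000-000000000004",
                     True, True, None),
    ServicePrincipal("decommissioned-app", "55555555-0000-0000-0000-000000000005",
                     False, True, None),
    ServicePrincipal("sandbox-test-app", "66666666-0000-0000-0000-000000000006",
                     True, False, NOW - timedelta(days=120)),
]
SAMPLE_EXCEPTIONS = [
    DocumentedException("33333333-0000-0000-0000-000000000003",
                        "Runs once a year for the external audit export",
                        NOW + timedelta(days=180)),
    DocumentedException("44444444-0000-0000-0000-000000000004",
                        "Migration tooling; exception lapsed and was not renewed",
                        NOW - timedelta(days=30)),
]

if __name__ == "__main__":
    results = review(SAMPLE_SPS, SAMPLE_EXCEPTIONS, NOW)
    for app_id, verdict in results.items():
        print(f"{app_id}  {verdict}")
    print("act on:", action_items(results))
```

A principal with no credential left is reported separately from one that can still authenticate, because only the latter is a live persistence path; both are still candidates for removal under the control, but the triage order differs.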
Q: What license do I need for APP-07?
This control requires Azure AD Premium P2 (included in Microsoft 365 E5) or standalone P2.
Q: Which security baseline includes APP-07?
APP-07 is included in the Enhanced Security baseline (Level 2). This level adds stricter controls for security-conscious organizations.