APP-02 (Moderate)
How to Fix: Enforce Application Credential Expiration
Step-by-step guide to enforcing application credential expiration in your Microsoft 365 environment (Microsoft Entra ID).
Estimated time: 30-60 minutes
Steps: 4
Severity: critical
Baseline level: Recommended Secure
Why This Matters
Long-lived or non-expiring client secrets are a supply chain attack risk: a secret that leaks (into source control, a CI log, a build artifact, or a compromised vendor) stays valid until someone notices and revokes it. Enforcing expiration caps the window of exposure and forces a regular rotation, which also surfaces secrets that nobody still uses.
Prerequisites
1. Global Administrator or appropriate admin role in Microsoft Entra ID
2. Access to Microsoft Entra admin center (entra.microsoft.com)
Expected Configuration
- All application secrets (client secrets) have expiration dates
- Maximum secret lifetime is 12 months or less (the portal itself allows up to 24 months, so the limit must be enforced by policy, not assumed)
- Certificate-based authentication is preferred over secrets
- No non-expiring secrets exist
Remediation Steps
Step 1: Audit Current Applications
Inventory the app registrations in your tenant and the credentials attached to them.
- Navigate to Microsoft Entra admin center
- Go to Applications > App registrations > All applications (client secrets and certificates belong to app registrations, not to the Enterprise applications list of service principals)
- Open each app's Certificates & secrets blade, or export all credentials in bulk with Microsoft Graph
Step 2: Identify Required Changes
Determine which credentials and applications need modification.
- Flag any client secret with no expiration date or a lifetime longer than 12 months
- Flag apps that could use a certificate instead of a secret
- Prioritize apps holding high-privilege permissions and agree a rotation plan with each app owner: the replacement credential must reach the consuming service before the old one is removed
Step 3: Apply Remediation
Rotate the non-compliant credentials and enforce the limit tenant-wide.
- Rotate: add a replacement secret with an expiration of 12 months or less (or upload a certificate), update the consuming application, then delete the old secret
- Enforce: configure the tenant's default app management policy with a passwordLifetime restriction so that new secrets longer than your maximum are rejected; optionally add a passwordAddition restriction for apps that should only use certificates
- Note that the policy applies to credentials added after it is enabled; it does not shorten or revoke existing secrets, so the rotation step is still required
Step 4: Verify Compliance
Confirm applications meet security requirements.
- Run TrueConfig scan
- Re-run the credential audit and confirm no secret without an end date or with a lifetime over 12 months remains; confirm that an attempt to add an over-limit secret is rejected
- Document changes made (which secrets were rotated, where the new values were stored, and the policy settings applied)
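The following script is an added example, not code from the page or from TrueConfig, that carries out steps 1 through 4 above and checks the Expected Configuration with the Microsoft Graph PowerShell SDK. The 365-day limit, the scopes requested at sign-in, the function names Update-AppSecret and Test-SecretPolicy, and the policy start date are assumptions chosen for illustration; adjust them for your tenant.

```powershell
# Added example (not part of the original page): audit, rotate and enforce client-secret
# lifetimes for Entra ID app registrations with the Microsoft Graph PowerShell SDK.
# Assumptions (illustrative): a 365-day maximum, the Microsoft.Graph module installed,
# and an account that can consent to the two scopes below.

$MaxLifetimeDays = 365
Connect-MgGraph -Scopes "Application.ReadWrite.All", "Policy.ReadWrite.ApplicationConfiguration"

# Step 1: Audit. Secrets and certificates live on app registrations (Get-MgApplication),
# not on the enterprise applications (service principal) list.
$apps = Get-MgApplication -All -Property "id,appId,displayName,passwordCredentials,keyCredentials"

# Step 2: Identify. A secret is non-compliant when it has no end date or when its
# lifetime (start to end) exceeds the maximum.
$findings = foreach ($app in $apps) {
    foreach ($cred in $app.PasswordCredentials) {
        $lifetimeDays = if ($null -eq $cred.EndDateTime) {
            [double]::PositiveInfinity                      # non-expiring secret
        } elseif ($null -eq $cred.StartDateTime) {
            ($cred.EndDateTime - (Get-Date)).TotalDays      # no start recorded; measure from now
        } else {
            ($cred.EndDateTime - $cred.StartDateTime).TotalDays
        }
        if ($lifetimeDays -gt $MaxLifetimeDays) {
            [pscustomobject]@{
                App          = $app.DisplayName
                AppId        = $app.AppId
                ObjectId     = $app.Id
                KeyId        = $cred.KeyId
                Expires      = $cred.EndDateTime
                LifetimeDays = [math]::Round($lifetimeDays)
                HasCert      = ($app.KeyCredentials.Count -gt 0)   # candidate to drop secrets entirely
            }
        }
    }
}
$findings | Sort-Object LifetimeDays -Descending | Format-Table -AutoSize

# Step 3a: Rotate. Add a replacement secret with a compliant lifetime. SecretText is
# returned exactly once; hand it to the app owner out of band and remove the old secret
# only after the consuming service has switched over (-RemoveOld on a second run).
function Update-AppSecret {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $ObjectId,
        [Parameter(Mandatory)] [string] $OldKeyId,
        [int] $LifetimeDays = $MaxLifetimeDays,
        [switch] $RemoveOld
    )
    if (-not $RemoveOld -and $PSCmdlet.ShouldProcess($ObjectId, "add replacement secret valid $LifetimeDays days")) {
        $new = Add-MgApplicationPassword -ApplicationId $ObjectId -PasswordCredential @{
            DisplayName = "rotated $(Get-Date -Format yyyy-MM-dd)"
            EndDateTime = (Get-Date).AddDays($LifetimeDays)
        }
        Write-Host "New secret on $ObjectId (KeyId $($new.KeyId)) expires $($new.EndDateTime)"
        $new.SecretText   # only chance to read the value: store it in your vault now
    }
    if ($RemoveOld -and $PSCmdlet.ShouldProcess($ObjectId, "remove old secret $OldKeyId")) {
        Remove-MgApplicationPassword -ApplicationId $ObjectId -KeyId $OldKeyId
    }
}
# Dry run first: -WhatIf reports what would change without touching the tenant.
$findings | ForEach-Object { Update-AppSecret -ObjectId $_.ObjectId -OldKeyId $_.KeyId -WhatIf }

# Step 3b: Enforce. The default app management policy rejects new secrets whose lifetime
# exceeds maxLifetime (ISO 8601 duration). It governs credentials added from now on and
# does not revoke existing ones, which is why step 3a is still needed.
$policy = @{
    isEnabled = $true
    applicationRestrictions = @{
        passwordCredentials = @(
            @{
                restrictionType                     = "passwordLifetime"
                maxLifetime                         = "P${MaxLifetimeDays}D"
                restrictForAppsCreatedAfterDateTime = "2000-01-01T00:00:00Z"   # assumed far-past date: cover every app
            }
        )
    }
}
Invoke-MgGraphRequest -Method PATCH -Uri "https://graph.microsoft.com/v1.0/policies/defaultAppManagementPolicy" -Body $policy

# Step 4: Verify. An over-limit secret must now be rejected; if it is accepted, the probe
# secret is deleted again and the function returns $false. Re-run the audit afterwards.
function Test-SecretPolicy {
    param([Parameter(Mandatory)] [string] $ObjectId)
    try {
        $probe = Add-MgApplicationPassword -ApplicationId $ObjectId -PasswordCredential @{
            DisplayName = "policy probe (should be rejected)"
            EndDateTime = (Get-Date).AddDays($MaxLifetimeDays + 30)
        }
        Remove-MgApplicationPassword -ApplicationId $ObjectId -KeyId $probe.KeyId
        Write-Warning "Policy NOT enforced: over-limit secret was accepted on $ObjectId"
        return $false
    } catch {
        Write-Host "Policy enforced: $($_.Exception.Message)"
        return $true
    }
}
```

Run the audit and the -WhatIf rotation first and review the table with app owners before issuing any real secrets; the PATCH to the default policy is tenant-wide, so confirm the maxLifetime value matches the limit in your Expected Configuration before sending it.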