APP-03 (Moderate)
How to Fix: Internal App Registration Permissions
Step-by-step guide to implement internal app registration permissions in your Microsoft 365 environment.
Estimated Time: 20-30 minutes
Steps: 4
Severity: High
Baseline Level: Enhanced Security
Why This Matters
Internal app registrations are applications you created and control. While you own the code, misconfigured permissions can expose excessive access. Regular review ensures your own apps only have necessary permissions.
Prerequisites
1. Global Administrator or appropriate admin role in Microsoft Entra ID
2. Access to Microsoft Entra admin center (entra.microsoft.com)
Expected Configuration
- Internal app registrations with high-privilege Graph permissions are documented and reviewed quarterly
- Permissions like Mail.ReadWrite.All, Directory.ReadWrite.All, and RoleManagement.ReadWrite.Directory are flagged
- Each internal app with elevated permissions has documented business justification
Remediation Steps
1. Audit Current Applications
Review the applications in your Entra ID tenant.
- Navigate to Microsoft Entra admin center
- Go to Applications > Enterprise applications
- Review app registrations and permissions
2. Identify Required Changes
Determine which applications need modification.
- Compare against expected configuration
- Identify risky or non-compliant apps
- Plan remediation approach
3. Apply Remediation
Make the necessary changes to application configurations.
- Update consent settings as needed
- Modify application permissions
- Configure app governance policies
4. Verify Compliance
Confirm applications meet security requirements.
- Run TrueConfig scan
- Review any remaining findings
- Document changes made
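Steps 1 and 2 ask you to review each app registration's permissions and flag the risky ones. The script below, added here and not part of the TrueConfig guide, shows how that review can be automated over the JSON that Microsoft Graph returns from `GET /v1.0/applications` and from the Graph service principal (`GET /v1.0/servicePrincipals?$filter=appId eq '00000003-0000-0000-c000-000000000000'`). It resolves permission ids to names and reports apps requesting a watchlisted permission; the sample responses and every id in them are constructed, and `WATCHLIST` is taken from the expected configuration above.

```python
# Microsoft Graph's well-known resource appId (identical in every tenant).
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"
# Permissions the baseline says must be flagged and backed by a written justification.
WATCHLIST = {"Mail.ReadWrite.All", "Directory.ReadWrite.All",
             "RoleManagement.ReadWrite.Directory"}

def build_permission_map(graph_sp):
    """Map permission id -> (name, kind) from the Graph service principal:
    appRoles are application permissions, oauth2PermissionScopes are delegated."""
    names = {}
    for role in graph_sp.get("appRoles", []):
        names[role["id"]] = (role["value"], "Application")
    for scope in graph_sp.get("oauth2PermissionScopes", []):
        names[scope["id"]] = (scope["value"], "Delegated")
    return names

def flag_apps(applications, perm_names, watchlist=WATCHLIST):
    """Return [(displayName, appId, [(permission, kind), ...])] for each app
    registration that asks Graph for a watchlisted (or unresolvable) permission."""
    findings = []
    for app in applications:
        hits = set()
        for rra in app.get("requiredResourceAccess", []):
            if rra.get("resourceAppId") != GRAPH_APP_ID:
                continue  # permissions on other resource APIs are out of scope here
            for access in rra.get("resourceAccess", []):
                # An id the Graph service principal cannot name still deserves a look.
                fallback = ("UNRESOLVED:" + access["id"], access["type"])
                name, kind = perm_names.get(access["id"], fallback)
                if name in watchlist or name.startswith("UNRESOLVED:"):
                    hits.add((name, kind))
        if hits:
            findings.append((app["displayName"], app["appId"], sorted(hits)))
    return findings

# Constructed sample data standing in for the live API responses (all ids made up).
GRAPH_SP = {"appRoles": [
    {"id": "aaaaaaaa-0000-0000-0000-000000000001", "value": "Directory.ReadWrite.All"},
    {"id": "aaaaaaaa-0000-0000-0000-000000000002", "value": "Mail.ReadWrite.All"}],
  "oauth2PermissionScopes": [{"id": "bbbbbbbb-0000-0000-0000-000000000001", "value": "User.Read"}]}
APPLICATIONS = [
    {"displayName": "HR Portal", "appId": "cccccccc-0000-0000-0000-000000000001",
     "requiredResourceAccess": [{"resourceAppId": GRAPH_APP_ID, "resourceAccess": [
         {"id": "bbbbbbbb-0000-0000-0000-000000000001", "type": "Scope"}]}]},
    {"displayName": "Mailbox Sync", "appId": "cccccccc-0000-0000-0000-000000000002",
     "requiredResourceAccess": [{"resourceAppId": GRAPH_APP_ID, "resourceAccess": [
         {"id": "aaaaaaaa-0000-0000-0000-000000000001", "type": "Role"},
         {"id": "aaaaaaaa-0000-0000-0000-000000000002", "type": "Role"}]}]}]

FINDINGS = flag_apps(APPLICATIONS, build_permission_map(GRAPH_SP))  # run on the constructed data
```

Against the constructed data only Mailbox Sync is reported, with both application permissions; each line of the output is what the quarterly review then needs a documented business justification for.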
Automate Your Security Configuration
TrueConfig continuously monitors your Microsoft 365 environment and can automatically fix configuration drift. Start your free trial today.