APP-09 | Moderate

How to Fix: Enforce Certificate Credentials for Applications

Step-by-step guide to enforcing certificate credentials for applications in your Microsoft 365 environment.

Estimated Time: 15-20 minutes

Steps: 4

Severity: medium

Baseline Level: Recommended Secure

Why This Matters

Client secrets are frequently compromised through accidental commits to source code, exposure in application logs, phishing attacks targeting developers, or insecure sharing via email and chat. A certificate credential replaces the shared secret with an asymmetric key pair: Entra ID stores only the public certificate, and the application proves possession of the private key by signing a short-lived client assertion at token-request time, so the private key never has to be transmitted or shared. This removes the secret-in-transit and secret-in-chat exposures, but only if the private key itself is protected (stored in Azure Key Vault or an HSM, never in source control); a leaked private key is just as usable by an attacker as a leaked secret. Microsoft's Baseline Security Mode now blocks password-based credentials on applications.

Prerequisites

  • Global Administrator, Application Administrator, or Cloud Application Administrator role in Microsoft Entra ID (Application Administrator is sufficient to manage app registration credentials and is the least-privilege choice)
  • Access to Microsoft Entra admin center (entra.microsoft.com)

Expected Configuration

  • Applications use certificate credentials instead of client secrets
  • Client secrets are only used during certificate migration periods
  • No applications rely solely on client secrets for authentication

Remediation Steps

Step 1: Audit Current Applications

Inventory every app registration in your Entra ID tenant and record which credential types it carries.

  • Navigate to the Microsoft Entra admin center (entra.microsoft.com)
  • Go to Identity > Applications > App registrations and select All applications (client secrets and certificates live on the app registration, not on the Enterprise applications object)
  • For each app, open Certificates & secrets and note the active client secrets and certificates with their expiry dates
  • For large tenants, export the same data in bulk from Microsoft Graph: GET /applications?$select=displayName,appId,passwordCredentials,keyCredentials (requires Application.Read.All)

Step 2: Identify Required Changes

Determine which applications need modification.

  • Compare against the expected configuration: any app with an active client secret and no certificate credential is non-compliant
  • Identify the owner of each non-compliant app and every client (service, pipeline, script) that presents its secret
  • Plan the migration per app: add the certificate, cut clients over, then delete the secret; decide where the private key will live (Azure Key Vault or an HSM, never source control)

Step 3: Apply Remediation

Migrate each application from its client secret to a certificate credential.

  • Generate a key pair and X.509 certificate; Entra ID accepts a self-signed certificate, but keep its lifetime short and keep the private key in Key Vault or an HSM
  • Upload only the public certificate (.cer or .pem without the private key) under Certificates & secrets > Certificates
  • Reconfigure the application to authenticate with the certificate and confirm it still acquires tokens
  • Delete the client secret once every client has been cut over
  • To stop new secrets from being created, configure a tenant app management policy (Microsoft Graph defaultAppManagementPolicy) that restricts password credential addition

Step 4: Verify Compliance

Confirm applications meet security requirements.

  • Run TrueConfig scan
  • Re-run the audit from Step 1 and confirm no app registration still carries an active client secret
  • Review any remaining findings
  • Document changes made
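The audit and triage in Steps 1 and 2, as an added example for this guide (it is not TrueConfig's or Microsoft's code). It runs offline on a constructed sample that mirrors the shape of the Microsoft Graph response from GET /applications?$select=id,displayName,appId,passwordCredentials,keyCredentials; the app names and GUIDs are placeholders. It goes slightly beyond the steps above by also emitting the per-app action for Step 3 and flagging expired credentials that should be cleaned up. The assumption that only key credentials of type AsymmetricX509Cert count as certificate credentials is marked in the code.

```python
"""Audit Microsoft Entra app registrations for reliance on client secrets.

Example code added for this guide. To audit a real tenant, replace
SAMPLE_GRAPH_RESPONSE with the body of
  GET https://graph.microsoft.com/v1.0/applications
      ?$select=id,displayName,appId,passwordCredentials,keyCredentials
fetched with a token holding Application.Read.All, following @odata.nextLink
until every page has been read.
"""
import json
from collections import Counter
from datetime import datetime, timezone
from typing import Optional

# Fixed audit time so the constructed sample classifies the same way on every run.
AUDIT_TIME = datetime(2026, 1, 15, tzinfo=timezone.utc)

# Constructed sample (placeholder IDs) mirroring the Graph response shape.
SAMPLE_GRAPH_RESPONSE = json.dumps({"value": [
    {"id": "00000000-0000-0000-0000-000000000001",
     "appId": "11111111-0000-0000-0000-000000000001", "displayName": "payroll-sync",
     "passwordCredentials": [{"keyId": "s1", "displayName": "prod", "endDateTime": "2026-09-01T00:00:00Z"}],
     "keyCredentials": []},
    {"id": "00000000-0000-0000-0000-000000000002",
     "appId": "11111111-0000-0000-0000-000000000002", "displayName": "hr-connector",
     "passwordCredentials": [{"keyId": "s2", "displayName": "old", "endDateTime": "2025-12-31T00:00:00Z"}],
     "keyCredentials": [{"keyId": "k2", "type": "AsymmetricX509Cert", "usage": "Verify",
                         "displayName": "CN=hr-connector", "endDateTime": "2027-01-01T00:00:00Z"}]},
    {"id": "00000000-0000-0000-0000-000000000003",
     "appId": "11111111-0000-0000-0000-000000000003", "displayName": "legacy-reporting",
     "passwordCredentials": [{"keyId": "s3", "displayName": "prod", "endDateTime": "2026-06-30T00:00:00Z"}],
     "keyCredentials": [{"keyId": "k3", "type": "AsymmetricX509Cert", "usage": "Verify",
                         "displayName": "CN=legacy-reporting", "endDateTime": "2027-06-30T00:00:00Z"}]},
    {"id": "00000000-0000-0000-0000-000000000004",
     "appId": "11111111-0000-0000-0000-000000000004", "displayName": "dashboard-spa",
     "passwordCredentials": [], "keyCredentials": []},
]})


def _parse_utc(stamp: str) -> datetime:
    """Graph returns ISO 8601 timestamps with a trailing Z."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def _split_by_expiry(creds, now):
    """Return (credentials still valid at `now`, count of expired ones)."""
    live = [c for c in creds if _parse_utc(c["endDateTime"]) > now]
    return live, len(creds) - len(live)


def classify_app(app: dict, now: datetime) -> dict:
    """Classify one app registration and state the remediation it needs."""
    secrets, expired_secrets = _split_by_expiry(app.get("passwordCredentials", []), now)
    # Assumption: only X.509 key credentials are usable as certificate credentials.
    x509 = [c for c in app.get("keyCredentials", []) if c.get("type") == "AsymmetricX509Cert"]
    certs, expired_certs = _split_by_expiry(x509, now)

    if secrets and not certs:
        status, action = "secret-only", "add a certificate credential, switch the client to it, then delete the secret"
    elif secrets and certs:
        status, action = "migrating", "confirm all clients authenticate with the certificate, then delete the remaining secret(s)"
    elif certs:
        status, action = "certificate-only", None
    else:
        status, action = "no-credentials", "confirm the app uses federated identity or needs no credential"

    expired = expired_secrets + expired_certs
    if expired:  # expired credentials cannot authenticate but are clutter worth removing
        cleanup = f"remove {expired} expired credential(s)"
        action = cleanup if action is None else f"{action}; {cleanup}"

    return {"displayName": app["displayName"], "appId": app["appId"], "status": status,
            "activeSecrets": len(secrets), "activeCerts": len(certs), "action": action}


def audit(graph_json: str, now: Optional[datetime] = None):
    """Classify every app in a Graph /applications response body."""
    now = now or datetime.now(timezone.utc)
    return [classify_app(app, now) for app in json.loads(graph_json)["value"]]


def summarize(report) -> dict:
    """Count apps per status, e.g. {'secret-only': 1, ...}."""
    return dict(Counter(row["status"] for row in report))


def find(report, display_name: str) -> dict:
    """Look up one app's row in an audit report by display name."""
    return next(row for row in report if row["displayName"] == display_name)


if __name__ == "__main__":
    result = audit(SAMPLE_GRAPH_RESPONSE, AUDIT_TIME)
    for row in result:
        print(f"{row['displayName']:<18} {row['status']:<17} {row['action'] or 'compliant'}")
    print(summarize(result))
```

Apps reported as secret-only are the Step 3 work list; migrating apps are mid-cutover and should not keep their secret past the migration window; no-credentials apps are worth a second look because a service that authenticates somehow but holds no credential here is usually using federated identity or a credential on a different object.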

Automate Your Security Configuration

TrueConfig continuously monitors your Microsoft 365 environment and can automatically fix configuration drift. Start your free trial today.
