MT.1063 - All app registration owners should have MFA registered
Overview
This test checks whether every owner of an app registration has at least one Multi-Factor Authentication (MFA) method registered. App registration owners without MFA are a significant risk: a password obtained from a breach dump or a credential stuffing attack is enough to take over the account, and ownership of an application gives the attacker control over that application's credentials and permissions, which can lead to privilege escalation or data loss.
Why This Matters
App registration owners have powerful permissions that attackers actively target:
- Credential Stuffing Risk: Without MFA, compromised passwords from data breaches provide immediate access
- Privileged App Access: Owners can modify app permissions, certificates, and redirect URIs
- Privilege Escalation: Compromised owners can grant themselves or malicious apps excessive permissions
- Lateral Movement: Access to one app registration can be leveraged to compromise other resources
Attack Scenario
- Initial Compromise: Attacker uses leaked credentials to access owner account (no MFA protection)
- App Manipulation: Attacker modifies app registration to add malicious redirect URIs, certificates or secrets
- Broader Access: Compromised app is used to access sensitive data across the organization or to escalate privileges
Remediation action
Register an MFA method for every app registration owner the test lists. Then enforce MFA with a Conditional Access policy that targets application owners, so that a registered method is actually required at sign-in rather than merely present on the account.
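The following script is an added example of how the check described in the Overview can be carried out by hand and how the list of owners to remediate can be produced; it is not the Maester test's own source. It assumes the Microsoft Graph PowerShell SDK is installed and that the signed-in account has been granted Application.Read.All, UserAuthenticationMethod.Read.All and AuditLog.Read.All (the authentication method registration report also requires a directory role such as Global Reader or Reports Reader).

```powershell
# Added example (not Maester's own code): list app registration owners with no MFA method registered.
# Assumes the Microsoft Graph PowerShell SDK and the permissions named in the lead-in.
Connect-MgGraph -Scopes "Application.Read.All", "UserAuthenticationMethod.Read.All", "AuditLog.Read.All"

$ownersWithoutMfa = [System.Collections.Generic.List[object]]::new()
$registrationCache = @{}   # user object id -> registration detail, so each owner is queried once

foreach ($app in Get-MgApplication -All -Property Id, DisplayName, AppId) {
    # Owners may be users or service principals; only user objects have MFA registration state.
    $userOwners = Get-MgApplicationOwner -ApplicationId $app.Id -All |
        Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.user' }

    foreach ($owner in $userOwners) {
        if (-not $registrationCache.ContainsKey($owner.Id)) {
            # The registration details report exposes IsMfaRegistered and the registered methods.
            $registrationCache[$owner.Id] =
                Get-MgReportAuthenticationMethodUserRegistrationDetail -UserRegistrationDetailsId $owner.Id
        }
        $detail = $registrationCache[$owner.Id]

        if (-not $detail.IsMfaRegistered) {
            # One row per (application, owner) pair so an owner appears under every app they control.
            $ownersWithoutMfa.Add([pscustomobject]@{
                Application       = $app.DisplayName
                AppId             = $app.AppId
                Owner             = $detail.UserPrincipalName
                MethodsRegistered = ($detail.MethodsRegistered -join ', ')
            })
        }
    }
}

if ($ownersWithoutMfa.Count -eq 0) {
    Write-Host "All app registration owners have MFA registered."
} else {
    $ownersWithoutMfa | Sort-Object Owner, Application | Format-Table -AutoSize
}

Disconnect-MgGraph | Out-Null
```

The report is keyed on the owner's object id and cached because the same account often owns many registrations; the MethodsRegistered column shows which methods are already present (for example a password-only account versus one with only SMS), which is useful when deciding which owners to prioritise and which methods a Conditional Access policy should accept.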
Test Metadata
| Field | Value |
|---|---|
| Test ID | MT.1063 |
| Severity | High |
| Suite | Maester |
| Category | App |
| PowerShell test | Test-MtAppRegistrationOwnersWithoutMFA |
| Tags | App, Entra, LongRunning, MT.1063 |
Source
- Pester test: tests/Maester/Entra/Test-MtAppRegistrationOwnersWithoutMFA.Tests.ps1
- PowerShell source: powershell/public/maester/entra/Test-MtAppRegistrationOwnersWithoutMFA.ps1