
No Service Principal with Client Secret and permanent role assignment on Control Plane

Description

Permanent assignments of highly privileged Entra ID directory roles are checked to identify privileged service principals with client secrets. The relevant roles are identified using the classification model from the EntraOps project, which helps to identify directory roles with Control Plane (Tier0) permissions.

How to fix

It's recommended to use certificates for Service Principals. Review whether you can replace client secrets with certificates, or use managed identities instead of a Service Principal.
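To build the remediation list, the following added example (not part of the original check or of the EntraOps project) uses the Microsoft Graph PowerShell SDK to list service principals that hold a highly privileged directory role and still carry a client secret. The three role template IDs are an assumed sample of built-in roles, not the EntraOps Control Plane classification; substitute the role list from your own classification.

```powershell
# Added example: find service principals with a privileged directory role and a client secret.
# Requires the Microsoft.Graph PowerShell SDK and read access to role assignments and applications.
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'Application.Read.All'

# Assumption: sample of highly privileged built-in roles (role template IDs).
# Replace with the Control Plane (Tier0) roles from your EntraOps classification.
$controlPlaneRoles = @{
    '62e90394-69f5-4237-9190-012177145e10' = 'Global Administrator'
    'e8611ab8-c189-46e8-94e1-60213ab1f814' = 'Privileged Role Administrator'
    '7be44c8a-adaf-4e2a-84d6-ab2649e08a13' = 'Privileged Authentication Administrator'
}

$findings = foreach ($roleId in $controlPlaneRoles.Keys) {
    # Active assignments for this role. PIM-eligible assignments are not returned here,
    # and time-bound activations are not distinguished from permanent ones.
    $assignments = Get-MgRoleManagementDirectoryRoleAssignment -Filter "roleDefinitionId eq '$roleId'" -All

    foreach ($assignment in $assignments) {
        # The principal may be a user or group; those lookups fail and are skipped.
        $sp = Get-MgServicePrincipal -ServicePrincipalId $assignment.PrincipalId -ErrorAction SilentlyContinue
        if (-not $sp) { continue }
        if ($sp.ServicePrincipalType -eq 'ManagedIdentity') { continue }  # no client secrets to replace

        # Secrets can live on the service principal or on its app registration.
        # The app registration only exists in this tenant for apps registered here.
        $app = Get-MgApplication -Filter "appId eq '$($sp.AppId)'" `
            -Property 'id,appId,displayName,passwordCredentials,keyCredentials'

        $secrets = @(@($sp.PasswordCredentials) + @($app.PasswordCredentials) | Where-Object { $_ })
        $certs   = @(@($sp.KeyCredentials) + @($app.KeyCredentials) | Where-Object { $_ })
        if ($secrets.Count -eq 0) { continue }

        [pscustomobject]@{
            Role             = $controlPlaneRoles[$roleId]
            DisplayName      = $sp.DisplayName
            AppId            = $sp.AppId
            ServicePrincipal = $sp.Id
            SecretCount      = $secrets.Count
            LatestSecretEnd  = ($secrets.EndDateTime | Sort-Object -Descending | Select-Object -First 1)
            HasCertificate   = $certs.Count -gt 0   # certificate already present: the secret can be removed
        }
    }
}

$findings | Sort-Object Role, DisplayName | Format-Table -AutoSize
```

Entries with `HasCertificate` set to `True` are the quickest to fix, since the workload can switch to the existing certificate before the secret is deleted.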

Learn more