
App registrations with privileged API permissions should not have owners

Prerequisites

Assignments in Microsoft Entra are analyzed using the IdentityInfo table in Microsoft Defender XDR. As documented in Microsoft Learn, the details in PrivilegedEntraPimRoles are only available for tenants with Microsoft Defender for Identity. Therefore, this check is only available for tenants with an onboarded MDI instance.

In addition, the OAuthAppInfo table is used to get details about applications, including unused permissions and permission scope / criticality. This table is populated by app governance records from Microsoft Defender for Cloud Apps, so you need to turn on app governance to use this check. To turn on app governance, follow the steps in Turn on app governance.

Description

Ownership of app registrations with high-privileged or sensitive API permissions should not be assigned.

High-privileged app registrations are identified using data from OAuthAppInfo in Microsoft Defender XDR, enriched with the high privilege level status from MDA App Governance as well as the Control Plane and Management Plane classification by the community project EntraOps. Ownership of app registrations is identified by Microsoft Security Exposure Management. The Tier breach flag is set by comparing the classification of the owner (derived from their directory role assignments) with the classification of the service principal.

Side Note: Currently, due to limitations of XSPM data, only ownership assignments on application objects are identified.

In particular, owners with lower privilege than the application must be removed from ownership. Microsoft also mentions this risk: an owner can elevate privilege beyond what they have access to as a user. Those delegations are identified by the Tier breach flag in the test results.

But even owners with the same or higher privilege should not be delegated ownership, because ownership lacks support for just-in-time access (eligibility in PIM), enforced step-up authentication (authentication context by PIM for Entra ID roles), and assignment via group membership.
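To make the evaluation above concrete, the following is an added illustration (not the check's own implementation and not EntraOps code) of how each owner of a privileged app registration yields a finding and how the Tier breach flag is derived. The role-to-tier mapping, the dataclass shapes and the sample inventory are assumptions constructed for this example.

```python
from dataclasses import dataclass

# Tiers used on this page (EntraOps Control Plane / Management Plane, plus a catch-all); lower rank = more privileged.
TIER_RANK = {"ControlPlane": 0, "ManagementPlane": 1, "Unclassified": 2}

# Assumed directory-role-to-tier mapping for illustration, not the EntraOps classification.
ROLE_TIER = {"Global Administrator": "ControlPlane", "Application Administrator": "ManagementPlane"}

@dataclass(frozen=True)
class Owner:
    upn: str
    directory_roles: tuple  # active Entra ID directory roles held by the owner

@dataclass(frozen=True)
class AppRegistration:
    app_id: str
    name: str
    privilege_level: str  # as OAuthAppInfo.PrivilegeLevel: "High", "Medium" or "Low"
    classification: str   # EntraOps tier of the service principal
    owners: tuple         # owners assigned on the application object

def classify_owner(owner):
    """Most privileged tier among the owner's directory roles; Unclassified if none."""
    tiers = [ROLE_TIER.get(role, "Unclassified") for role in owner.directory_roles]
    return min(tiers, key=TIER_RANK.__getitem__, default="Unclassified")

def is_privileged(app):
    return app.privilege_level == "High" or app.classification in ("ControlPlane", "ManagementPlane")

def check_app_owners(apps):
    """One finding per owner of a privileged app registration; TierBreach is set
    when the owner's tier is lower than the tier of the app they own."""
    findings = []
    for app in filter(is_privileged, apps):
        for owner in app.owners:
            tier = classify_owner(owner)
            findings.append({"AppId": app.app_id, "Owner": owner.upn, "OwnerTier": tier,
                             "TierBreach": TIER_RANK[tier] > TIER_RANK[app.classification]})
    return findings

# Constructed sample inventory (placeholder IDs and names, not real tenant data).
SAMPLE_APPS = (
    AppRegistration("00000000-0000-0000-0000-000000000001", "Backup-Automation", "High", "ControlPlane",
                    (Owner("ga@contoso.example", ("Global Administrator",)),
                     Owner("appadmin@contoso.example", ("Application Administrator",)),
                     Owner("dev@contoso.example", ()))),
    AppRegistration("00000000-0000-0000-0000-000000000002", "Ticket-Bot", "Low", "Unclassified",
                    (Owner("dev@contoso.example", ()),)),
)
```

Running check_app_owners(SAMPLE_APPS) yields three findings for Backup-Automation, of which the Application Administrator and the role-less developer are flagged as tier breaches, while the unprivileged Ticket-Bot produces none.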

How to fix

Remove ownership and, if necessary, replace it with object-level role assignments. Avoid lateral movement paths created by delegating to administrators with a lower privilege classification (tier breach).