General
This check verifies whether there are Service Principals registered with an owner who is a user without administrative rights.
Rationale
Service Principals pose a potential backdoor into the Microsoft 365 environment. Because service principals can have their own permissions — which may differ from those of their owner — a service principal could theoretically have elevated privileges, enabling the owner to grant themselves access beyond what is intended.
Manual instruction
Follow these steps to review the app registration:
- Open the Entra ID Admin Center at https://entra.microsoft.com
- Select the Service Principal you want to inspect
- Review the permissions of the Service Principal
- Click on the Owners tab to see which users are listed as owners of the Service Principal
- Verify whether these users should have access to the Service Principal's permissions. If not, remove them from the list of owners
It is also possible to register a specific service principal in Attic as an ignored service principal to prevent new alerts from being triggered.
Comments
0 comments
Please sign in to leave a comment.