Application Security
Application and service principal findings
14 findings in this category.
| Severity | Finding | Description |
|---|---|---|
| Medium | Application credentials expiring soon | Identifies app registrations with credentials expiring within 30 days. |
| High | Application credentials without expiration | Identifies app registrations with client secrets or certificates that have long or no expiration dates. |
| High | Applications using implicit grant flow | Identifies app registrations using the deprecated implicit grant OAuth flow. |
| Medium | Applications using password credentials only | Flags apps that use client secrets but no certificates. |
| High | Applications with excessive permissions | Identifies apps with high-risk Graph API permissions. |
| High | Applications with high-privilege permissions | Identifies apps requesting dangerous Graph API application permissions. |
| High | Applications with insecure redirect URIs | Identifies app registrations with wildcard or HTTP (non-HTTPS) redirect URIs. |
| Medium | Applications without owners | Identifies app registrations with no assigned owners. |
| Medium | Expired application credentials | Identifies applications with expired secrets or certificates. |
| Low | Multi-tenant applications | Flags apps configured to accept sign-ins from other tenants. |
| Medium | Multi-tenant applications | Identifies app registrations configured as multi-tenant, which allow sign-in from external organizations. |
| Low | Orphaned application registrations | Identifies app registrations without owners. |
| Critical | Risky OAuth consent grants | Identifies OAuth consent grants with high permissions such as Mail.ReadWrite, Files.ReadWrite.All, or Directory.ReadWrite.All. |
| Medium | Tenant-wide consent grants | Detects OAuth2 grants with the AllPrincipals consent type. |