High

Application credentials without expiration

Identifies app registrations with client secrets or certificates that have long or no expiration dates.

Category: Application Security
Default severity: High
Rule key: CHECK_APP_NO_EXPIRY_CREDENTIALS

How to fix it

Set an expiration date on every application credential, with a maximum lifetime of 1-2 years. Use certificates instead of client secrets when possible.

Required Microsoft Graph permissions

EntraAnalyzer needs the following read-only Graph permissions to evaluate this rule:

  • Application.Read.All
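
The following Python example is added here and is not EntraAnalyzer's own code: it shows one way to evaluate this rule over the JSON that Microsoft Graph returns for `GET /applications`, using the `passwordCredentials` and `keyCredentials` properties of each application. The 730-day threshold, the function names and the sample data are assumptions constructed for illustration.

```python
import json
import re
from datetime import datetime, timezone

MAX_LIFETIME_DAYS = 730  # assumption: upper end of the page's "1-2 years"

# Constructed sample shaped like a Graph GET /applications response (not real data).
SAMPLE = json.loads("""
{"value": [
 {"appId": "00000000-0000-0000-0000-000000000001", "displayName": "build-agent",
  "passwordCredentials": [
   {"keyId": "s1", "startDateTime": "2023-01-10T00:00:00Z", "endDateTime": "2299-12-31T00:00:00Z"},
   {"keyId": "s2", "startDateTime": "2024-03-01T00:00:00Z", "endDateTime": "2024-09-01T00:00:00Z"}],
  "keyCredentials": []},
 {"appId": "00000000-0000-0000-0000-000000000002", "displayName": "hr-sync",
  "passwordCredentials": [],
  "keyCredentials": [
   {"keyId": "c1", "startDateTime": "2022-05-01T00:00:00Z", "endDateTime": null},
   {"keyId": "c2", "startDateTime": "2024-01-01T00:00:00Z", "endDateTime": "2025-01-01T00:00:00Z"}]}
]}
""")

def _parse(ts):
    """Parse a Graph ISO 8601 timestamp as UTC; None stays None."""
    if ts is None:
        return None
    ts = re.sub(r"\.\d+", "", ts)  # drop fractional seconds for older Pythons
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)

def find_long_lived(apps, max_days=MAX_LIFETIME_DAYS):
    """Return (app, kind, keyId, reason) for credentials breaking the rule."""
    findings = []
    for app in apps:
        for kind, field in (("secret", "passwordCredentials"),
                            ("certificate", "keyCredentials")):
            for cred in app.get(field) or []:
                start = _parse(cred.get("startDateTime"))
                end = _parse(cred.get("endDateTime"))
                if end is None:
                    reason = "no expiration"
                elif start is None or (end - start).days > max_days:
                    reason = "lifetime over %d days or unknown" % max_days
                else:
                    continue
                findings.append((app["displayName"], kind, cred["keyId"], reason))
    return findings

if __name__ == "__main__":
    for row in find_long_lived(SAMPLE["value"]):
        print(row)
```

The check measures each credential's total lifetime (end minus start) rather than time remaining, so a secret issued far into the future is flagged even when it was created recently.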

Further reading

Microsoft documentation →

Run this check on your tenant

EntraAnalyzer evaluates this rule automatically on every scan and emails you the results.
