top of page
Search

App Registration Ownership: A Silent Path to Persistence in Entra Id

  • Writer: Gabriel Delaney
    Gabriel Delaney
  • 12 minutes ago
  • 3 min read

I’ve been a part of a few small projects to create governance around app registrations. A common item that comes up is the “need” to assign an owner to app registrations.


The reasoning is straightforward: every application should have someone accountable for it.


That part is reasonable.


What deserves closer examination is what ownership actually grants inside Entra.


What Ownership Grants

An owner of an app registration can:

  • Add client secrets

  • Add certificates

  • Change redirect URIs


An owner can add a new client secret or upload a certificate to the application. If the application holds high-privilege application permissions, for example Directory.ReadWrite.All, User.ReadWrite.All, or AppRoleAssignment.ReadWrite.All, that new credential allows whoever possesses it to authenticate as the application and operate with whatever permissions have been assigned and admin consented.


That’s dangerous because, as most Entra ID administrators know, app registrations do not have the same defense-in-depth controls as users. There is no PIM activation. There is no MFA. There are no session controls.


Once the credential exists, it can be shared and reused.


Persistence Implications

If the app is highly privileged, ownership is control over a privileged identity that, in many environments, is not monitored with the same scrutiny as privileged user accounts. This makes app registrations practical avenues for persistence.


If a standard user owns a highly privileged app and that user account is compromised, an attacker can:

  • Add a secret

  • Store it externally

  • Use the application’s access to expand access throughout the tenant

  • Continue authenticating as the application even after the user account is investigated


During incident response, teams typically focus on the compromised user: disabling the account, resetting credentials, identifying privileged roles the user may have held. That’s expected. What is less common is reviewing whether that user owned any app registrations with application permissions.


How many incident response teams explicitly check for that?


That difference in scrutiny allows application credentials to remain active longer than a compromised user session would. That is why ownership of a highly privileged app registration carries more weight than it appears to at first glance.


How App Ownership Bypasses Admin Controls

Most organizations invest in hardening human administrative identities:

  • PIM for time-bound role activation

  • Phishing-resistant MFA

  • Separate admin accounts

  • Device and network restrictions


Those protections are built around user accounts.


Application identities operate outside that control plane. They do not activate roles. They do not reauthenticate on a session timer. They are not challenged for MFA once a credential exists.


If a standard user owns a high-privilege application, compromising that user does not require elevation through PIM to gain privileged capability. The attacker does not need to activate a directory role. Once they create a new secret or upload a new certificate they have access.


From a threat modeling perspective, standard user accounts are often more exposed than hardened admin identities. They interact with email, web content, and third-party platforms daily.


Assigning ownership of a high-privilege application to a standard user ties privileged credential authority to a more exposed identity.


Satisfying Governance Needs Without Assigning Owners

There are legitimate reasons to assign owners:

  • Secret lifecycle management

  • Operational support

  • Business accountability

  • Audit traceability


Those are governance goals.


Ownership, however, grants the ability to add authentication methods. When the application holds meaningful application permissions, that authority has security implications.


If the objective is accountability rather than credential control, there are alternatives.

Custom Security Attributes can be used to document:

  • Business owner

  • Technical owner


This separates accountability from operational authority. Governance metadata can exist without granting the ability to create new credentials.


Ownership, especially on applications with application permissions, should be treated as a privileged assignment.


Conclusion

To be clear, I’m not saying you shouldn’t give your app developer ownership of an app registration that has “harmless” OIDC-related delegated permissions assigned to it.


What I am saying is this:


You need to be mindful of the app registrations you are assigning owners to, especially when those owners are standard user accounts and the app registrations have high-impact application permissions assigned. App registrations are effective vectors for attack, and standard users being owners is one of many quiet risk multipliers.


There is a separate conversation to be had about ensuring you are not giving your Application Administrators and Cloud App Administrators a path to Global Administrator. That deserves its own write-up.


For applications with high-impact application permissions:

  • Treat ownership as a privileged capability

  • If you must assign an owner, avoid assigning ownership to standard accounts

  • Monitor audit logs for “Add credentials to application” events

  • Periodically review secret and certificate inventory for unexpected additions


If an application can act with tenant-wide authority, ownership of that application is part of your privilege model.


It should be governed accordingly.

 
 
 
Post: Blog2_Post

©2022 by thetolkienblackguy. Proudly created with Wix.com

bottom of page