
App Registrations

The App Registrations tab provides visibility into all non-human identities in your client’s Microsoft 365 tenant — including app registrations and enterprise applications. This is critical for identifying shadow IT, credential risks, and over-permissioned applications.

Health Summary

The top section displays an at-a-glance health summary with key metrics:

  • Total App Registrations — Total number of registered apps and enterprise applications
  • QUICK WIN - Unused — Applications that haven’t been used recently and may be safe to remove
  • Expired Credentials — Apps with credentials that have already expired
  • Expiring Soon — Apps with credentials expiring within a configurable window (default: 365 days)
  • High Risk (50+) — Apps with a risk score of 50 or above
  • Healthy — Apps with no significant risk factors

App Table

Each application is listed with detailed information:

  • Name — Application display name
  • Source Type — App Registration or Enterprise Application
  • Risk Score — Numeric score based on combined risk factors
  • App ID — The Microsoft application ID
  • Owners — Number of assigned owners (flagged if none)
  • Assigned Users — Number of users assigned to the app
  • Credentials — Credential status and count
  • App Permissions — Application-level (app-only) permissions granted
  • Delegated Permissions — Permissions granted on behalf of users
  • Last Used — When the app was last accessed
  • Expiration Date — When the app’s credentials expire (highlighted in red if soon)
  • Created Date — When the app was registered

You can search by name or app ID, filter results, export as CSV, and refresh data on demand.


Remediation Guide

App Registrations

App Registrations are custom applications registered in Microsoft Entra ID. They represent the application definition and can have credentials (secrets/certificates) and API permissions.

Expired or expiring credentials

  1. Navigate to the app in Microsoft Entra → App registrations
  2. Go to Certificates & secrets
  3. Remove expired credentials
  4. If the app is still in use, generate a new secret or upload a new certificate
  5. Update the consuming application with the new credential
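The credential checks behind the Expired Credentials and Expiring Soon buckets, and behind steps 1 to 3 above, as an added example that is not Optimize365's own code: it reads records shaped like Microsoft Graph `/applications` objects (`passwordCredentials` and `keyCredentials` with an `endDateTime`), and the sample apps, their placeholder appIds and the fixed clock are constructed.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like Microsoft Graph /applications objects; only the
# fields this check reads are included. The appIds are placeholders.
SAMPLE_APPS = [
    {"displayName": "Payroll Sync", "appId": "00000000-0000-0000-0000-000000000001",
     "passwordCredentials": [{"endDateTime": "2023-01-15T00:00:00Z"}], "keyCredentials": []},
    {"displayName": "HR Connector", "appId": "00000000-0000-0000-0000-000000000002",
     "passwordCredentials": [{"endDateTime": "2024-09-01T00:00:00Z"},
                             {"endDateTime": "2023-06-30T00:00:00Z"}], "keyCredentials": []},
    {"displayName": "Reporting", "appId": "00000000-0000-0000-0000-000000000003",
     "passwordCredentials": [], "keyCredentials": [{"endDateTime": "2030-01-01T00:00:00Z"}]},
]
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)  # fixed clock so the results are reproducible

def parse_graph_time(value):
    """Graph emits ISO 8601 with a trailing 'Z'; normalise it for fromisoformat."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def credential_status(app, now=NOW, window_days=365):
    """Bucket an app the way the Health Summary does: 'expired' if any secret or
    certificate has passed its end date, 'expiring_soon' if any still-valid one ends
    inside the window. Also returns the nearest end date of a valid credential
    (the Expiration Date column), or None when nothing valid remains."""
    ends = [parse_graph_time(c["endDateTime"])
            for c in app.get("passwordCredentials", []) + app.get("keyCredentials", [])]
    valid = [e for e in ends if e > now]
    flags = set()
    if len(valid) < len(ends):
        flags.add("expired")
    if any(e <= now + timedelta(days=window_days) for e in valid):
        flags.add("expiring_soon")
    return flags, (min(valid) if valid else None)

def health_summary(apps, now=NOW, window_days=365):
    """Count apps per bucket. An app holding both an expired and an expiring
    credential is counted in both, so the buckets need not sum to the total."""
    summary = {"total": len(apps), "expired": 0, "expiring_soon": 0}
    for app in apps:
        flags, _ = credential_status(app, now, window_days)
        for flag in flags:
            summary[flag] += 1
    return summary

if __name__ == "__main__":
    for app in SAMPLE_APPS:
        flags, next_end = credential_status(app)
        print(f"{app['displayName']:<14} {sorted(flags)} next expiry: {next_end}")
    print(health_summary(SAMPLE_APPS))
```

Shrinking `window_days` reproduces the configurable Expiring Soon window from the Health Summary; a credential that is expired stays flagged regardless of the window.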

No owners assigned

  1. Navigate to the app in Entra → App registrations → Owners
  2. Add at least one owner — this ensures someone is accountable for the app and receives expiry notifications

Unused applications

  1. Verify the app is no longer in use by checking the Last Used date in Optimize365
  2. Check with the app owner or team before removing
  3. As a safe first step, disable the app rather than deleting it
  4. If confirmed unused, delete the app registration to reduce your attack surface

Over-permissioned applications

  1. Review the API permissions tab in Entra
  2. Identify permissions that are not required for the app’s function
  3. Remove unnecessary application and delegated permissions
  4. Pay special attention to high-privilege permissions like Mail.ReadWrite, Directory.ReadWrite.All, or RoleManagement.ReadWrite.Directory

Enterprise Applications

Enterprise Applications (Service Principals) represent an instance of an application in your tenant. These include third-party SaaS applications, Microsoft first-party apps, and any app consented to by users or admins.

Unknown or unreviewed third-party apps

  1. Navigate to Entra → Enterprise applications
  2. Review apps with delegated permissions — these were consented to by a user or admin
  3. Verify each app is a legitimate business tool
  4. Remove apps that are no longer used or were never authorized

Excessive delegated permissions

  1. Check what permissions users consented to on behalf of the organization
  2. Revoke consent for apps with permissions that exceed their intended use
  3. Consider configuring user consent settings in Entra to restrict future consent to admin-approved apps only

Disabled but not removed

  1. Disabled enterprise apps still retain their permissions and credentials
  2. If an app is no longer needed, fully remove it rather than leaving it disabled
  3. This prevents potential reactivation and reduces clutter

Managed Identities

Managed Identities are automatically managed by Azure and used by Azure resources to authenticate to services. They don’t have traditional credentials but can still be over-permissioned.

Over-permissioned managed identities

  1. Navigate to Entra → Enterprise applications → filter by Managed Identities
  2. Review the API permissions assigned
  3. Apply the principle of least privilege — only grant permissions the resource actually needs
  4. Use Azure RBAC role assignments to scope access to specific resources rather than broad API permissions

Orphaned managed identities

  1. If the Azure resource that created the managed identity has been deleted, the identity may still exist
  2. Check if the identity is still attached to an active resource
  3. Remove orphaned identities to reduce your attack surface

User-assigned vs system-assigned

  • System-assigned identities are tied to a single resource and are deleted when the resource is deleted
  • User-assigned identities can be shared across resources and must be managed independently
  • Review user-assigned identities regularly as they persist even if the resources using them are removed