Frontrow Technology

Free tool · 5 minutes · Identity governance

WORKLOAD IDENTITY —
RISK CHECK.

Service principals are the blind spot in most Microsoft 365 tenants. Storm-0558 forged tokens with a stolen signing key; Midnight Blizzard pivoted through a legacy OAuth application. Neither was stopped by user-centric controls. Score how exposed your app registrations, consented apps and Graph permissions are in five minutes.

10 questions · 5 domains

Workload Identity Risk Check

Service principals are the blind spot in most M365 tenants. Score how exposed your app registrations, consented apps, and workload identities are — across the five areas that nation-state actors actually exploit. Pick the option closest to how your tenant is configured today.

Domain 1

App registration governance

Inventory, ownership and lifecycle of App Registrations (the publisher-side definition behind a service principal). Most tenants have apps registered years ago by people who left the company, and any owner of an App Registration can add a credential to it and sign in as the app.

  • Do you have a maintained inventory of every App Registration in your tenant, with a named owner?

    Source: Microsoft Learn: Application and Service Principal objects in Microsoft Entra ID; ASD Essential Eight Maturity Model — Restrict Administrative Privileges.

  • How are App Registrations decommissioned when no longer needed?

    Source: Microsoft Learn: Microsoft Entra app management best practices.

Domain 2

Consent and admin-consent governance

Whether users can consent to third-party apps freely, or whether admin consent is required and reviewed. Illicit consent grants are among the most exploited misconfigurations in M365.

  • Can users in your tenant consent to third-party apps without admin approval?

    Source: Microsoft Learn: Configure user consent settings; Microsoft Entra Admin consent workflow.

  • How is admin consent for new apps reviewed?

    Source: Microsoft Learn: Microsoft Entra admin consent workflow; Cloud Application Administrator role.

Domain 3

Graph permissions hygiene

Whether app permissions follow least-privilege, are reviewed, and avoid the well-known dangerous permissions (Mail.ReadWrite.All, Files.ReadWrite.All, Directory.ReadWrite.All, RoleManagement.ReadWrite.Directory).

  • How do you audit dangerous Graph application permissions (Mail.ReadWrite.All, Files.ReadWrite.All, Directory.ReadWrite.All, RoleManagement.ReadWrite.Directory)?

    Source: Microsoft Learn: Microsoft Graph permissions reference; Microsoft Entra Permissions Management.

  • When a developer requests Graph permissions for a new app, what's the default posture?

    Source: Microsoft Learn: Microsoft Graph least privileged permissions reference.

Domain 4

Service principal credentials

Whether service principals use certificates rather than long-lived secrets, whether credentials rotate, and whether secrets are inventoried.

  • How do service principal credentials (client secrets, certificates) get rotated?

    Source: Microsoft Learn: Add and manage application credentials in Microsoft Entra ID; Azure Key Vault key rotation.

  • What credential type do your service principals predominantly use?

    Source: Microsoft Learn: Workload identity federation; Federated Identity Credentials for Microsoft Entra apps.

Domain 5

Conditional Access and detection

Whether Conditional Access for Workload Identities is enforced (requires Microsoft Entra Workload ID licensing, formerly Workload Identities Premium, which is separate from Entra ID P2), and whether sign-in and admin-consent activity is monitored.

  • Is Conditional Access for Workload Identities enforced on your service principals?

    Source: Microsoft Learn: Conditional Access for Workload Identities (requires Microsoft Entra Workload ID / Workload Identities Premium licensing).

  • How is anomalous service principal behaviour detected?

    Source: Microsoft Learn: App governance in Microsoft Defender for Cloud Apps; Microsoft Entra service principal sign-in logs.

This is an indicative self-assessment. It is not a substitute for a tenant-level workload identity audit. For verified results Frontrow Technology offers an in-tenant workload identity governance review.

What the check covers

Five areas. One workload identity posture.

Area 1

App registration governance

A multi-tenant App Registration is a publisher identity that other tenants can consent to, and every App Registration is something its owners can mint credentials for, so an owner can sign in as the app and inherit whatever it has been granted. Without an inventory and a quarterly review, App Registrations accumulate. Orphaned App Registrations with overprivileged Graph permissions are a common precursor to app-impersonation attacks. ASD Essential Eight ML2 (Restrict Administrative Privileges) implies a need for ownership of every privileged identity, including workload ones.
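An added example of the inventory Area 1 asks for (and the two Domain 1 questions above). It is written for this page and is not Frontrow's tooling. It uses the Microsoft Graph PowerShell SDK and assumes an account holding Global Reader or an equivalent read role; the CSV path is illustrative. It lists every App Registration in the home tenant with its owners, flags those with no owner or only disabled owners, and separately counts the consented third-party service principals, which have no App Registration in your tenant to govern and belong to consent review instead.

```powershell
# Added example: App Registration inventory with owner status.
# Microsoft.Graph PowerShell SDK; assumes Global Reader or an equivalent read role.
Connect-MgGraph -Scopes 'Application.Read.All', 'User.Read.All' -NoWelcome
$tenantId = (Get-MgContext).TenantId

# Publisher side: app registrations that live in this tenant.
$apps = Get-MgApplication -All -Property Id, AppId, DisplayName, CreatedDateTime, SignInAudience

$inventory = foreach ($app in $apps) {
    $owners = @(Get-MgApplicationOwner -ApplicationId $app.Id -All)
    $activeOwners = @()
    foreach ($o in $owners) {
        # Owners are users or service principals; only a user account can leave the company.
        if ($o.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.user') {
            $u = Get-MgUser -UserId $o.Id -Property AccountEnabled, UserPrincipalName
            if ($u.AccountEnabled) { $activeOwners += $u.UserPrincipalName }
        } else {
            $activeOwners += "sp:$($o.Id)"
        }
    }
    [pscustomobject]@{
        DisplayName    = $app.DisplayName
        AppId          = $app.AppId
        Created        = $app.CreatedDateTime
        # AzureADMultipleOrgs (or ...AndPersonalMicrosoftAccount) = other tenants can consent to it.
        SignInAudience = $app.SignInAudience
        OwnerCount     = $owners.Count
        ActiveOwners   = ($activeOwners -join ';')
        Finding        = if ($owners.Count -eq 0) { 'NO_OWNER' }
                         elseif ($activeOwners.Count -eq 0) { 'OWNERS_ALL_DISABLED' }
                         else { 'OK' }
    }
}

# The ones a quarterly review must act on first: nobody answers for them. For the
# rest, remember that every listed owner can add a credential and sign in as the app.
$inventory | Where-Object Finding -ne 'OK' | Sort-Object Created | Format-Table -AutoSize
$inventory | Export-Csv -NoTypeInformation -Path '.\app-registration-inventory.csv'   # path is illustrative

# Tenant side: service principals published by some other tenant (consented
# third-party apps). They have no app registration here; consent review governs them.
$thirdParty = @(Get-MgServicePrincipal -All -Filter "servicePrincipalType eq 'Application'" -Property DisplayName, AppOwnerOrganizationId |
    Where-Object { $_.AppOwnerOrganizationId -and $_.AppOwnerOrganizationId -ne $tenantId })
"Home-tenant app registrations: $($apps.Count); third-party service principals: $($thirdParty.Count)"
```

Run it quarterly and diff the CSV against the previous one: new NO_OWNER rows are the drift the review exists to catch, and an App Registration whose last active owner has just been disabled is the moment to either reassign it or delete it.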

Area 2

Consent and admin-consent governance

Depending on the tenant's user consent setting, Entra ID lets users consent to third-party apps themselves: the legacy setting allows any app and any delegated permission, the recommended one only verified publishers and low-impact permissions. Application permissions always require admin consent, so user consent is a delegated-permission problem. Consent phishing (an illicit consent grant) obtains that OAuth grant from the user directly, so the attacker never needs the password and MFA does not stop it. The fix is to restrict or disable user consent and turn on the admin consent workflow, but most tenants either leave user consent open, or require admin consent without staffing the request queue, which trains users to work around it.
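An added example for Area 2 (and the Domain 2 questions above), not Frontrow's tooling: it reads the tenant's user consent setting, restricts it, lists delegated grants that a user consented to for themselves rather than an admin for the whole tenant, and pulls the last 30 days of consent events from the audit log. Microsoft Graph PowerShell SDK; the policy write assumes Global Administrator or Privileged Role Administrator. The Graph appId used to label the resource is Microsoft's well-known one.

```powershell
# Added example: consent posture, user-consented grants, recent consent events.
# Microsoft.Graph PowerShell SDK; policy write assumes Global/Privileged Role Administrator.
Connect-MgGraph -Scopes 'Policy.Read.All', 'Policy.ReadWrite.Authorization', 'Directory.Read.All', 'AuditLog.Read.All' -NoWelcome

# 1. Current user consent posture. The list tells you which app consent policy ordinary users get:
#    'ManagePermissionGrantsForSelf.microsoft-user-default-legacy' -> any app, any delegated permission
#    'ManagePermissionGrantsForSelf.microsoft-user-default-low'    -> verified publishers, low-impact permissions only
#    (empty)                                                         -> user consent disabled, admin consent for everything
$authz = Get-MgPolicyAuthorizationPolicy
$authz.DefaultUserRolePermissions.PermissionGrantPoliciesAssigned

# 2. Restrict it. Application permissions always need admin consent regardless of
#    this setting; it only governs what users may grant on their own behalf.
Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions @{
    PermissionGrantPoliciesAssigned = @('ManagePermissionGrantsForSelf.microsoft-user-default-low')
}
# To require admin consent for everything instead: PermissionGrantPoliciesAssigned = @()

# 3. Delegated grants that a user consented to for themselves (ConsentType 'Principal')
#    rather than an admin for the tenant ('AllPrincipals'). These never had admin review.
$graphSpId = (Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'").Id
$userGrants = Get-MgOauth2PermissionGrant -All | Where-Object ConsentType -eq 'Principal' | ForEach-Object {
    $sp = Get-MgServicePrincipal -ServicePrincipalId $_.ClientId -Property DisplayName, AppOwnerOrganizationId
    [pscustomobject]@{
        App       = $sp.DisplayName
        Publisher = $sp.AppOwnerOrganizationId          # the tenant that owns the app registration
        Scopes    = $_.Scope.Trim()                      # space-separated delegated permissions
        Resource  = if ($_.ResourceId -eq $graphSpId) { 'Microsoft Graph' } else { $_.ResourceId }
    }
}
$userGrants | Sort-Object App | Format-Table -AutoSize

# 4. Who consented to what recently. The audit log activity is 'Consent to application'.
$since = (Get-Date).ToUniversalTime().AddDays(-30).ToString('yyyy-MM-ddTHH:mm:ssZ')
Get-MgAuditLogDirectoryAudit -All -Filter "activityDisplayName eq 'Consent to application' and activityDateTime ge $since" |
    Select-Object ActivityDateTime,
        @{ n = 'Actor'; e = { $_.InitiatedBy.User.UserPrincipalName } },
        @{ n = 'App';   e = { $_.TargetResources[0].DisplayName } },
        Result |
    Format-Table -AutoSize
```

Step 3 is the list to triage before flipping the setting in step 2: every 'Principal' grant is an app a user let in without review, and restricting consent going forward does not revoke them. Step 4 fed into a SIEM is the cheapest consent-phishing detection available: a burst of 'Consent to application' events for the same unfamiliar app across several users is the signature of a campaign.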

Area 3

Graph permissions hygiene

Microsoft Graph application permissions are tenant-wide and unattended: the app acts as itself, with no signed-in user whose own access would scope the call. An app with Mail.ReadWrite.All can read and write every mailbox in the tenant unless an Exchange Online application access policy confines it to specific mailboxes. The standard pattern of overprivileged consent (the developer asked for everything 'just in case') compounds when the secret leaks. Microsoft's Entra Permissions Management product surfaced overpermissioned apps but has been announced for retirement; the durable control is reviewing the app role assignments actually granted to each service principal. ASD's Essential Eight expects access to be appropriately restricted.

Area 4

Service principal credentials

Service principal client secrets are routinely created with 24-month expiry and never rotated. Storm-0558 forged tokens with a stolen Microsoft signing key; Midnight Blizzard pivoted through a legacy test OAuth application. In both cases long-lived credential material, not a user password, was the foothold. The Frontrow standard is: certificates over secrets where supported, managed identities where the workload runs on Azure, Federated Identity Credentials (workload identity federation) where it runs on GitHub Actions, Kubernetes or another supported external issuer, mandatory expiry within 12 months (enforced tenant-wide with an app management policy rather than by convention), monitored expiry, and inventoried storage in Key Vault.
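An added example for Area 4 (and the Domain 4 questions above), not Frontrow's tooling: a credential lifetime audit over every App Registration, a list of apps that still rely on secrets alone, and the tenant-wide app management policy that rejects new secrets with a lifetime over 12 months. Microsoft Graph PowerShell SDK; the policy write assumes Global Administrator. The 365-day and 30-day thresholds are the page's own 12-month ceiling and an assumed warning window.

```powershell
# Added example: credential lifetime audit plus the tenant policy that caps new secret lifetimes.
# Microsoft.Graph PowerShell SDK; the policy write needs Global Administrator.
Connect-MgGraph -Scopes 'Application.Read.All', 'Policy.ReadWrite.ApplicationConfiguration' -NoWelcome

$maxSecretDays = 365   # the 12-month ceiling stated above
$warnDays      = 30    # assumed warning window before expiry
$now = (Get-Date).ToUniversalTime()

$apps = Get-MgApplication -All -Property Id, AppId, DisplayName, PasswordCredentials, KeyCredentials

$creds = foreach ($app in $apps) {
    $all = @($app.PasswordCredentials | ForEach-Object { @{ Type = 'Secret';      Cred = $_ } }) +
           @($app.KeyCredentials      | ForEach-Object { @{ Type = 'Certificate'; Cred = $_ } })
    foreach ($item in $all) {
        $c        = $item.Cred
        $lifetime = ($c.EndDateTime - $c.StartDateTime).TotalDays
        $left     = ($c.EndDateTime - $now).TotalDays
        [pscustomobject]@{
            App          = $app.DisplayName
            AppId        = $app.AppId
            Type         = $item.Type
            Name         = $c.DisplayName
            LifetimeDays = [int]$lifetime
            DaysLeft     = [int]$left
            Finding      = if ($left -lt 0) { 'EXPIRED' }                 # dead weight: delete it
                           elseif ($left -lt $warnDays) { 'EXPIRING' }      # rotate now, before the outage
                           elseif ($item.Type -eq 'Secret' -and $lifetime -gt $maxSecretDays) { 'SECRET_TOO_LONG' }
                           else { 'OK' }
        }
    }
}
$creds | Where-Object Finding -ne 'OK' | Sort-Object DaysLeft |
    Format-Table App, Type, Name, LifetimeDays, DaysLeft, Finding -AutoSize

# Apps that rely on secrets alone: candidates for a certificate or a federated credential.
$apps | Where-Object { @($_.PasswordCredentials).Count -gt 0 -and @($_.KeyCredentials).Count -eq 0 } |
    ForEach-Object {
        $fic = @(Get-MgApplicationFederatedIdentityCredential -ApplicationId $_.Id)
        [pscustomobject]@{ App = $_.DisplayName; Secrets = @($_.PasswordCredentials).Count; FederatedCredentials = $fic.Count }
    } | Format-Table -AutoSize

# Stop it recurring: the tenant default app management policy rejects new secrets with a
# lifetime over 365 days. Existing credentials are untouched; only additions are checked.
# Use restrictionType 'passwordAddition' (maxLifetime $null) to forbid new secrets entirely.
$policy = @{
    isEnabled = $true
    applicationRestrictions = @{
        passwordCredentials = @(
            @{ restrictionType = 'passwordLifetime'; maxLifetime = 'P365D'; restrictForAppsCreatedAfterDateTime = $null }
        )
    }
}
Invoke-MgGraphRequest -Method PATCH -Uri 'https://graph.microsoft.com/v1.0/policies/defaultAppManagementPolicy' -Body $policy
```

The policy only bites on new credentials, so the audit output is still the work list: SECRET_TOO_LONG rows will not shrink on their own until each secret is replaced under the new ceiling, ideally with a certificate or federated credential rather than another secret.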

Area 5

Conditional Access and detection

Conditional Access for Workload Identities (Microsoft Entra Workload ID licensing, formerly Workload Identities Premium; not included in Entra ID P2) lets you scope service principal sign-ins by location (named IP ranges or countries) and by service principal risk. It applies only to single-tenant service principals registered in your tenant; third-party and multi-tenant apps are out of scope, which is one more reason consent governance matters. Most tenants do not turn it on. Combined with App Governance (Defender for Cloud Apps) for behavioural detection, this closes the gap between 'app has the credential' and 'app is using the credential as expected'.
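An added example for the detection half of Area 5 (and the Domain 5 question on anomalous behaviour), not Frontrow's tooling and not real tenant logs: the baseline-versus-recent comparison that App Governance or a SIEM rule encodes, run over a constructed sample of service principal sign-ins. The field names are simplified from an Entra service principal sign-in log export, the IP addresses are documentation ranges, and 7000215 is the AADSTS code for an invalid client secret. It runs offline in PowerShell 7.

```powershell
# Added example: detect service principal sign-ins that break their own baseline.
# Constructed sample data; field names simplified from an Entra service principal sign-in export.
$signIns = @'
[
 {"time":"2025-03-01T02:10:00Z","sp":"hr-sync-app",    "ip":"203.0.113.10","country":"AU","resource":"Microsoft Graph","result":0},
 {"time":"2025-03-02T02:10:00Z","sp":"hr-sync-app",    "ip":"203.0.113.10","country":"AU","resource":"Microsoft Graph","result":0},
 {"time":"2025-03-03T02:10:00Z","sp":"backup-app",     "ip":"203.0.113.20","country":"AU","resource":"Microsoft Graph","result":0},
 {"time":"2025-03-04T02:10:00Z","sp":"backup-app",     "ip":"203.0.113.20","country":"AU","resource":"Microsoft Graph","result":0},
 {"time":"2025-03-05T02:10:00Z","sp":"ci-deploy-app",  "ip":"203.0.113.30","country":"AU","resource":"Microsoft Graph","result":0},
 {"time":"2025-03-11T03:44:00Z","sp":"hr-sync-app",    "ip":"198.51.100.7","country":"US","resource":"Microsoft Graph","result":0},
 {"time":"2025-03-11T04:01:00Z","sp":"backup-app",     "ip":"203.0.113.20","country":"AU","resource":"Office 365 Exchange Online","result":0},
 {"time":"2025-03-12T01:00:00Z","sp":"legacy-test-app","ip":"192.0.2.55",  "country":"NL","resource":"Microsoft Graph","result":0},
 {"time":"2025-03-12T01:01:00Z","sp":"ci-deploy-app",  "ip":"203.0.113.30","country":"AU","resource":"Microsoft Graph","result":7000215},
 {"time":"2025-03-12T01:02:00Z","sp":"ci-deploy-app",  "ip":"203.0.113.30","country":"AU","resource":"Microsoft Graph","result":7000215},
 {"time":"2025-03-12T01:03:00Z","sp":"ci-deploy-app",  "ip":"203.0.113.30","country":"AU","resource":"Microsoft Graph","result":7000215}
]
'@ | ConvertFrom-Json

function Get-SpSignInAnomalies {
    param([object[]]$Events, [datetime]$RecentFrom, [int]$FailureThreshold = 3)

    $baseline = $Events | Where-Object { ([datetime]$_.time) -lt $RecentFrom }
    $recent   = $Events | Where-Object { ([datetime]$_.time) -ge $RecentFrom }

    # Per-principal profile of what "normal" looked like in the baseline window.
    $known = @{}
    foreach ($e in $baseline) {
        if (-not $known.ContainsKey($e.sp)) { $known[$e.sp] = @{ ips = @{}; countries = @{}; resources = @{} } }
        $known[$e.sp].ips[$e.ip]             = $true
        $known[$e.sp].countries[$e.country]  = $true
        $known[$e.sp].resources[$e.resource] = $true
    }

    foreach ($e in $recent) {
        $reasons = @()
        $p = $known[$e.sp]
        if (-not $p) {
            $reasons += 'NEW_SERVICE_PRINCIPAL'                      # never signed in during the baseline
        } else {
            if (-not $p.countries.ContainsKey($e.country)) { $reasons += "NEW_COUNTRY:$($e.country)" }
            elseif (-not $p.ips.ContainsKey($e.ip))        { $reasons += "NEW_IP:$($e.ip)" }
            if (-not $p.resources.ContainsKey($e.resource)) { $reasons += "NEW_RESOURCE:$($e.resource)" }   # e.g. Graph-only app suddenly hitting Exchange
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{ Time = $e.time; SP = $e.sp; IP = $e.ip; Country = $e.country; Resource = $e.resource; Reason = ($reasons -join ',') }
        }
    }

    # Repeated failures: a leaked or guessed credential being tried, or a secret that expired unnoticed.
    $recent | Where-Object { $_.result -ne 0 } | Group-Object sp | Where-Object Count -ge $FailureThreshold | ForEach-Object {
        $last = $_.Group[-1]
        [pscustomobject]@{ Time = $last.time; SP = $_.Name; IP = $last.ip; Country = $last.country; Resource = $last.resource; Reason = "AUTH_FAILURES:$($_.Count)xAADSTS$($_.Group[0].result)" }
    }
}

Get-SpSignInAnomalies -Events $signIns -RecentFrom ([datetime]'2025-03-10T00:00:00Z') | Format-Table -AutoSize
```

On the sample this flags four things: hr-sync-app from a new country, backup-app reaching a resource it never touched (the Exchange pivot is the Midnight Blizzard shape), legacy-test-app signing in with no baseline at all, and three consecutive invalid-secret failures for ci-deploy-app. In production the same logic runs over the AADServicePrincipalSignInLogs table, with a baseline of weeks rather than days.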

Frequently asked questions

What Australian IT and security teams ask.

What is a workload identity in Microsoft 365?

A workload identity is any non-human identity in Microsoft Entra ID: service principals (the tenant-side instance of an app), app registrations (the publisher-side definition) and managed identities (Azure-hosted workloads). Federated identity credentials are not a separate identity but a credential type on an app or managed identity that lets an external workload (GitHub Actions, Kubernetes, another cloud) exchange its own token for an Entra token without a stored secret. Workload identities authenticate and call APIs the same way users do, but with no user interaction. They have no MFA. They have no human typing a password. They have credentials, usually a client secret or certificate, that, if leaked, give the attacker the same access the app has.

Why are workload identities the new front line for attackers?

Because the human attack surface (passwords, phishing) is well-defended in modern tenants: MFA, Conditional Access and phishing-resistant credentials have raised the cost. Workload identities haven't. Storm-0558 (disclosed by Microsoft in 2023) forged Exchange Online tokens with a stolen Microsoft signing key. Midnight Blizzard (disclosed in January 2024) password-sprayed a legacy test tenant and then pivoted through a legacy test OAuth application with elevated access into corporate mailboxes. Both bypassed user-centric controls. Most AU mid-market tenants have hundreds of consented apps, dozens with overprivileged Graph permissions, and zero review cadence. That is the new front line.

What's the difference between an app registration and a service principal?

An app registration is the publisher-side definition (created once, in the home tenant). A service principal is the tenant-side instance (created per tenant when the app is consented to). When you give consent to a third-party app, say a Slack integration, Entra creates a service principal in your tenant and records the consent against it: an oauth2PermissionGrant for delegated permissions, an appRoleAssignment for application permissions. The app registration lives in the third party's tenant (the service principal's appOwnerOrganizationId tells you which). The service principal lives in yours. You govern service principals (in your tenant) and your own app registrations (which you publish).

Which Graph application permissions are dangerous?

The high-risk Application (tenant-wide, unattended) permissions include: Mail.ReadWrite.All (read and write every mailbox), Files.ReadWrite.All (every file in OneDrive and SharePoint), Directory.ReadWrite.All (modify every Entra object), RoleManagement.ReadWrite.Directory (assign privileged roles), and Sites.FullControl.All (full control of every SharePoint site). Two more are escalation paths in their own right: Application.ReadWrite.All (add a credential to any app and sign in as it) and AppRoleAssignment.ReadWrite.All (grant any application permission, including to itself). Microsoft publishes least-privileged alternatives for almost every scenario. Most apps that hold Mail.ReadWrite.All only need Mail.Read, confined to the mailboxes they serve with an Exchange Online application access policy.
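An added example serving this question, Area 3 above, and the Domain 3 audit question, not Frontrow's tooling: it resolves every Microsoft Graph application permission actually granted in the tenant to its name and reports the ones on the list above, marking which holders are third-party apps. Microsoft Graph PowerShell SDK; Global Reader suffices. The Graph appId is Microsoft's well-known one; the Exchange Online cmdlets at the end belong to the separate ExchangeOnlineManagement module and the group address in them is illustrative.

```powershell
# Added example: which service principals hold dangerous Graph application permissions.
# Microsoft.Graph PowerShell SDK; Global Reader is enough.
Connect-MgGraph -Scopes 'Application.Read.All' -NoWelcome
$tenantId = (Get-MgContext).TenantId

# The page's list plus two that are escalation paths in their own right:
# Application.ReadWrite.All lets the holder add a credential to any app (and so become it);
# AppRoleAssignment.ReadWrite.All lets it grant itself any application permission.
$dangerous = @(
    'Mail.ReadWrite.All', 'Files.ReadWrite.All', 'Directory.ReadWrite.All',
    'RoleManagement.ReadWrite.Directory', 'Sites.FullControl.All',
    'Application.ReadWrite.All', 'AppRoleAssignment.ReadWrite.All'
)

# Application permissions are app roles defined on the Microsoft Graph service principal,
# whose appId is the well-known 00000003-0000-0000-c000-000000000000.
$graphSp  = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
$roleName = @{}
foreach ($r in $graphSp.AppRoles) { $roleName[[string]$r.Id] = $r.Value }

# One query returns every grant of a Graph application permission in the tenant.
$grants = Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $graphSp.Id -All

$findings = foreach ($g in $grants) {
    if ($g.PrincipalType -ne 'ServicePrincipal') { continue }   # user/group app assignments, not permissions
    $perm = $roleName[[string]$g.AppRoleId]
    if ($dangerous -notcontains $perm) { continue }
    $sp = Get-MgServicePrincipal -ServicePrincipalId $g.PrincipalId -Property DisplayName, AppOwnerOrganizationId, AccountEnabled
    [pscustomobject]@{
        App        = $g.PrincipalDisplayName
        Permission = $perm
        ThirdParty = ($sp.AppOwnerOrganizationId -ne $tenantId)   # app registration lives in another tenant
        Enabled    = $sp.AccountEnabled
        Granted    = $g.CreatedDateTime
    }
}
$findings | Sort-Object Permission, App | Format-Table -AutoSize

# For Mail.* holders that only need a few mailboxes, confine them in Exchange Online
# PowerShell (ExchangeOnlineManagement module) to a mail-enabled security group of allowed
# mailboxes, then prove the policy with Test-ApplicationAccessPolicy before relying on it:
#   New-ApplicationAccessPolicy -AppId <appId> -PolicyScopeGroupId allowed-mailboxes@contoso.example -AccessRight RestrictAccess
#   Test-ApplicationAccessPolicy -AppId <appId> -Identity someone-else@contoso.example   # expect AccessCheckResult Denied
```

The ThirdParty column is the triage key: for a home-tenant app you can reduce the permission and fix the code, whereas for a third-party app the only levers are revoking the grant, scoping it with an access policy, or accepting it in writing.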

What is Conditional Access for Workload Identities?

A Microsoft Entra feature (requires Microsoft Entra Workload ID licensing, formerly Workload Identities Premium, which is separate from Entra ID P2) that lets you scope sign-ins by service principals registered in your tenant by location (named IP ranges or countries) and by service principal risk. Without it, a credential for one of your own apps leaked in a GitHub repo can be used from anywhere in the world. With it, the credential only works from your known IP ranges or designated countries. It does not cover third-party or multi-tenant apps consented into your tenant. Microsoft released it in 2022 and most AU tenants still have it disabled.
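An added example serving this answer and the Conditional Access half of Area 5, not Frontrow's tooling: it creates a named location for the ranges your workloads run from and two report-only policies, one blocking single-tenant service principals outside those ranges and one blocking high-risk service principals. Microsoft Graph PowerShell SDK; assumes Conditional Access Administrator, the Entra Workload ID licence, and an Identity Protection licence for the risk condition. The IP ranges and policy names are illustrative.

```powershell
# Added example: Conditional Access for workload identities, deployed in report-only mode first.
# Microsoft.Graph PowerShell SDK; assumes Conditional Access Administrator and Entra Workload ID licensing.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All' -NoWelcome

# 1. A named location for the egress ranges your workloads use (illustrative documentation ranges).
$loc = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    '@odata.type' = '#microsoft.graph.ipNamedLocation'
    displayName   = 'Workload egress ranges'
    isTrusted     = $false
    ipRanges      = @(
        @{ '@odata.type' = '#microsoft.graph.iPv4CidrRange'; cidrAddress = '203.0.113.0/24' },
        @{ '@odata.type' = '#microsoft.graph.iPv4CidrRange'; cidrAddress = '198.51.100.0/24' }
    )
}

# 2. Block every single-tenant service principal signing in from anywhere else.
#    'ServicePrincipalsInMyTenant' is the whole scope this policy type can reach:
#    third-party and multi-tenant apps are not covered. Report-only first; read the
#    sign-in logs for a few weeks, then move state to 'enabled'.
$geoPolicy = @{
    displayName = 'WI-01 Block service principals outside workload egress ranges'
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        clientApplications = @{ includeServicePrincipals = @('ServicePrincipalsInMyTenant'); excludeServicePrincipals = @() }
        applications       = @{ includeApplications = @('All') }
        locations          = @{ includeLocations = @('All'); excludeLocations = @($loc.Id) }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $geoPolicy

# 3. Block service principals Identity Protection has flagged as high risk
#    (leaked credentials, anomalous sign-in patterns), regardless of location.
$riskPolicy = @{
    displayName = 'WI-02 Block high-risk service principals'
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        clientApplications         = @{ includeServicePrincipals = @('ServicePrincipalsInMyTenant') }
        applications               = @{ includeApplications = @('All') }
        servicePrincipalRiskLevels = @('high')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $riskPolicy

# Review what WI-01 would have blocked before enforcing it: filter the service principal
# sign-in logs on conditionalAccessStatus = reportOnlyFailure for the WI-01 policy id.
```

Populate excludeServicePrincipals with any workload that legitimately signs in from a dynamic range (a SaaS-hosted integration you publish yourself, for instance) rather than widening the named location, and keep the list short enough to read in the quarterly review.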

Can I assess workload identity risk without granting OAuth to a third-party tool?

Yes. This Frontrow self-assessment uses your existing knowledge of your tenant rather than reading from it directly. The verified review (Frontrow's managed engagement) does pull data via Microsoft Graph using delegated, read-only scopes that you control end-to-end. Either way, no third-party tool retains tenant data.

How is this self-assessment validated?

Every scoring threshold cites a primary source: Microsoft Learn for app registration, consent, Graph permissions and Conditional Access for Workload Identities; ASD Essential Eight Maturity Model for the Australian baseline. The methodology is authored by Daniel Brown (5x Microsoft MVP), Graeme Lodge (Managing Director), and Sam Williams (Investor & Executive Consultant).

What does Frontrow's Managed Identity & Information Protection service include?

Quarterly review of every workload identity, app registration and consent grant in your tenant. Drift detection on Graph permissions. Credential rotation tracking. Conditional Access for Workload Identities deployment and tuning. App Governance (Defender for Cloud Apps) configuration and triage. Monthly delta report for the IT lead, quarterly board-grade summary.