MT.1077 - App registrations with privileged API permissions should not have owners
Overview
In particular, owners with lower privilege than the application should be removed from ownership, because an owner can add credentials to the application and use its permissions.
Microsoft also mentions this risk of elevation of privilege over what the owner has access to as a user.
Those delegations can be identified by the Tier breach flag in the test results.
Even owners with the same or higher privilege should not be delegated ownership, because ownership lacks the controls available for Entra ID role assignments: just-in-time access (eligibility in PIM), enforced step-up authentication (authentication context through PIM), and assignment via group membership.
Side Note: Currently, due to limitations of XSPM data, only assignments on application objects are identified.
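As an added illustration (not Maester's own implementation, which relies on XSPM data), the following script approximates the check directly against Microsoft Graph: it lists app registrations that request privileged Graph application permissions and still have owners. The list of permissions treated as privileged is an assumption for this example; Maester's classification is not reproduced here.

```powershell
# Added example, not the Maester test. Assumes the Microsoft.Graph PowerShell SDK
# and an existing Connect-MgGraph session with Application.Read.All and Directory.Read.All.
Import-Module Microsoft.Graph.Applications

# Assumed set of "privileged" Graph application permissions for this example only
$privilegedPermissions = @(
    'RoleManagement.ReadWrite.Directory',
    'Application.ReadWrite.All',
    'AppRoleAssignment.ReadWrite.All',
    'Directory.ReadWrite.All'
)

# Resolve Microsoft Graph's app roles so requested role ids can be mapped to names
$graphAppId = '00000003-0000-0000-c000-000000000000'
$graphSp    = Get-MgServicePrincipal -Filter "appId eq '$graphAppId'"
$roleById   = @{}
foreach ($role in $graphSp.AppRoles) { $roleById[$role.Id] = $role.Value }

$findings = foreach ($app in Get-MgApplication -All -Property Id,AppId,DisplayName,RequiredResourceAccess) {
    $graphAccess = $app.RequiredResourceAccess | Where-Object { $_.ResourceAppId -eq $graphAppId }
    if (-not $graphAccess) { continue }

    # Type 'Role' = application permission; 'Scope' = delegated permission (out of scope here)
    $requestedRoles = $graphAccess.ResourceAccess |
        Where-Object { $_.Type -eq 'Role' } |
        ForEach-Object { $roleById[$_.Id] }
    $privileged = @($requestedRoles | Where-Object { $privilegedPermissions -contains $_ })
    if ($privileged.Count -eq 0) { continue }

    # Only owners on the application object are checked, matching the page's side note
    $owners = @(Get-MgApplicationOwner -ApplicationId $app.Id -All)
    if ($owners.Count -eq 0) { continue }   # compliant: privileged app without owners

    [pscustomobject]@{
        Application = $app.DisplayName
        AppId       = $app.AppId
        Permissions = ($privileged -join ', ')
        Owners      = ($owners | ForEach-Object {
            if ($_.AdditionalProperties['userPrincipalName']) { $_.AdditionalProperties['userPrincipalName'] } else { $_.Id }
        }) -join ', '
    }
}

$findings | Format-Table -AutoSize
```

Each row is an app registration whose ownership should be removed or replaced by an object-level role assignment; the script does not compute the tier breach flag, since that requires the owner's privilege classification.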
How to fix
Remove the ownership and, if delegation is still required, replace it with object-level role assignments. Do not delegate to administrators with a lower privilege classification than the application (tier breach), as that creates a lateral movement path.
Test Metadata
| Field | Value |
|---|---|
| Test ID | MT.1077 |
| Severity | Medium |
| Suite | Maester |
| Category | Privileged |
| PowerShell test | Test-MtXspmAppRegWithPrivilegedApiAndOwners |
| Tags | Entra, EntraOps, Graph, LongRunning, MT.1077, Privileged, XSPM |
Source
- Pester test: tests/XSPM/Test-XspmPrivilegedIdentities.Tests.ps1
- PowerShell source: powershell/public/xspm/Test-MtXspmAppRegWithPrivilegedApiAndOwners.ps1