App Registration and Secret Hygiene

SKILL.md (paste into Microsoft 365 Copilot or Claude)
---
name: App Registration and Secret Hygiene
description: Audit Microsoft Entra app registrations for expiring secrets, certificates, missing owners and over-permissioned API access.
---

# App Registration and Secret Hygiene

> **TL;DR:** This skill inspects every Microsoft Entra app registration for expiring or expired client secrets and certificates, missing owners, and over-broad API permissions, then produces a ranked risk report so you can renew, reassign or trim credentials before they cause an outage or breach.

## What is app registration and secret hygiene in Microsoft Entra?

A Microsoft Entra app registration defines how an application authenticates and what Microsoft Graph or other API permissions it holds, using client secrets or certificates as credentials. Poor hygiene, such as long-lived secrets, expired certificates, orphaned apps with no owner, or excessive delegated and application permissions, creates both availability risk and a real attack surface. This skill reads your tenant's registrations and service principals to surface those weaknesses, complementing Conditional Access and Microsoft Purview governance over identity and data.

## When should you run this skill?

- "Which app registrations have client secrets expiring in the next 30 days?"
- "Do any of our enterprise apps have expired certificates still attached?"
- "Show me app registrations that have no assigned owner."
- "Which applications hold high-privilege Microsoft Graph permissions like Directory.ReadWrite.All?"
- "We are preparing for an Essential Eight assessment and need an app credential inventory."
- "An app stopped working overnight; was it caused by an expired secret?"
- "Give me a prioritised list of over-permissioned applications to review."

## How this skill works, step by step

1. Connect read-only to Microsoft Entra and enumerate all app registrations and their associated service principals across the tenant.
2. For each registration, read every client secret and certificate credential, capturing the start and expiry dates.
3. Flag credentials that are already expired, and bucket the remainder by time-to-expiry (for example, under 7 days, under 30 days, under 90 days).
4. Retrieve assigned owners for each registration and flag any application that has no owner.
5. Read the configured API permissions (delegated and application) and identify high-privilege or write-scoped grants such as directory, mail or full-access permissions.
6. Check whether each high-privilege permission is actually active. The permissions listed on an app registration are only a request; the grant lives on the service principal (an app role assignment for application permissions, a tenant-wide admin consent grant for delegated permissions), so confirm the grant exists before treating the permission as live.
7. Derive a risk score per registration by weighting expired or imminently expiring credentials, missing ownership, and the sensitivity and breadth of granted permissions.
8. Rank all registrations by risk score, highest first.
9. Compile the findings into a structured report with remediation guidance for each flagged item.

## Output format

The skill returns a prioritised table of app registrations and their hygiene findings.

| App display name | App ID | Credential status | Owner | High-privilege permissions | Risk score |
| --- | --- | --- | --- | --- | --- |
| Contoso Reporting API | 8f3a...c21 | Secret expired 12 days ago | None assigned | Directory.ReadWrite.All | 95 (Critical) |
| Finance Connector | 1d7b...9e0 | Secret expires in 6 days | `finance-admin@contoso.com` | Mail.Read | 62 (High) |
| Marketing Dashboard | a44c...02f | Certificate valid (210 days) | `marketing-ops@contoso.com` | User.Read | 18 (Low) |

Summary of the report contents:

- Total registrations inspected, with counts of expired, expiring-soon and healthy credentials.
- Count of registrations with no assigned owner.
- Count of registrations holding high-privilege application permissions.
- The top-ranked registrations by risk score, with a suggested remediation action for each.

## Scope and safety

This skill is read-only by default and makes no changes to your tenant. It inspects configuration and credential metadata only (key IDs, display names, hints, start and expiry dates); Microsoft Graph does not expose client secret values after creation, so the skill never sees a secret or private key.

This skill does NOT:

- Create, rotate, renew or delete any client secret or certificate.
- Add, remove or reassign application owners.
- Grant, revoke or modify any API permission or admin consent.
- Disable, delete or otherwise alter any app registration or service principal.

## Licensing and permissions

### Licences and add-ons

| Capability used | Minimum licence |
| --- | --- |
| Reading app registrations, service principals, credentials and owners | Microsoft Entra ID Free |
| Reading and auditing API permissions and admin consent grants | Microsoft Entra ID Free |

### Least-privilege roles

- Global Reader (read-only across directory configuration, including app registrations and service principals)
- Security Reader (read-only access to security-related properties of applications and enterprise apps)

### Microsoft Graph permissions (read-only)

- `Application.Read.All` reads app registrations and service principals, including client secret and certificate metadata, assigned owners, requested API permissions, and the app role assignments that show which application permissions have actually been granted.
- `Directory.Read.All` reads directory objects and the OAuth2 permission grants that record admin consent for delegated permissions, so the skill can confirm which high-privilege permissions are active.

## Sources and compliance

- [Use the portal to create a Microsoft Entra application and service principal](https://learn.microsoft.com/en-us/entra/identity-platform/howto-create-service-principal-portal)
- [Review permissions granted to enterprise applications](https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/manage-application-permissions)
- Supports Essential Eight "Restrict administrative privileges" by surfacing over-permissioned applications and ensuring application credentials and ownership are governed.
- Aligns with ISM controls for privileged access management and the secure use of credentials and authentication secrets.
- [ASD Essential Eight Maturity Model](https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight/essential-eight-maturity-model)
- Output in Australian English.
How to use this skill
  1. Get the file. Download or copy the SKILL.md from the panel above.
  2. Load it into your host:
    • Microsoft 365 Copilot / Copilot Studio: add it as the instructions of a declarative agent or Copilot Studio agent.
    • Claude (Cowork / Claude Code): drop the file into your skills folder; it loads as an Agent Skill automatically.
    • Any chat host: paste the file contents as your prompt.
  3. Grant read-only access. Assign the least-privilege roles and Microsoft Graph scopes listed in the skill file's Licensing and permissions section.
  4. Provide your scope and run it (the whole tenant, or a filtered subset of app registrations).
  5. Review the report and action the risk-ranked recommendations.

This skill is read-only by default — it inspects and reports, and never changes your tenant.
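The nine audit steps and the output table above, carried through as an added Python example (this is not part of the skill file or Educ4te's code). It runs offline on constructed, Graph-shaped JSON: the sample apps, placeholder object IDs and appIds, the scoring weights and the risk bands are all assumptions. The three permission IDs are the published Microsoft Graph values for `Directory.ReadWrite.All`, `Mail.Read` (application) and `User.Read` (delegated); in a live run, resolve IDs from the Microsoft Graph service principal's `appRoles` and `oauth2PermissionScopes` rather than hardcoding them. The example also shows two cases the table does not: an expired credential left beside a valid one (rotation leftover, not an outage) and a high-privilege permission that was requested but never admin-consented.

```python
# Offline walk-through of steps 1-9.  Field names follow the Microsoft Graph application,
# servicePrincipal, appRoleAssignment and oAuth2PermissionGrant resources that a live run
# would fetch with GET /applications?$expand=owners, GET /servicePrincipals/{id}/appRoleAssignments
# and GET /oauth2PermissionGrants.  All data below is constructed for the example.
from datetime import datetime, timezone, timedelta

GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"  # Microsoft Graph's resource appId
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)        # fixed clock so results are reproducible


def _iso(days_from_now):  # Graph emits ISO-8601 UTC timestamps with a trailing Z
    return (NOW + timedelta(days=days_from_now)).strftime("%Y-%m-%dT%H:%M:%SZ")


# Trimmed stand-in for Graph's own service principal.  requiredResourceAccess on an app carries
# only permission ids; names come from appRoles (application) and oauth2PermissionScopes
# (delegated).  The permission ids are the published Graph values; "sp-graph" is a placeholder.
GRAPH_SP = {
    "id": "sp-graph",
    "appRoles": [{"id": "19dbc75e-c2e2-444c-a770-ec69d8559fc7", "value": "Directory.ReadWrite.All"},
                 {"id": "810c84a8-4a9e-49e6-bf7d-12d183f40d01", "value": "Mail.Read"}],
    "oauth2PermissionScopes": [{"id": "e1fe6dd8-ba31-4d61-89e7-88639da4683d", "value": "User.Read"}],
}

# Assumed scoring weights (step 7); tune to your tenant's risk appetite.
PERMISSION_WEIGHTS = {"Directory.ReadWrite.All": 40, "Application.ReadWrite.All": 40,
                      "RoleManagement.ReadWrite.Directory": 40, "Mail.ReadWrite": 30, "Mail.Read": 25}
EXPIRY_BUCKETS = [(7, 30), (30, 20), (90, 10)]  # (expires in fewer than N days, weight)
ALL_EXPIRED_WEIGHT, STALE_EXPIRED_WEIGHT, NO_OWNER_WEIGHT = 35, 10, 20


def credential_status(app, now=NOW):
    """Steps 2-3: worst-case state across client secrets and certificates.  Only-expired
    credentials mean an outage; an expired one beside a valid one is a rotation leftover."""
    creds = app.get("passwordCredentials", []) + app.get("keyCredentials", [])
    if not creds:
        return "no credentials", 0
    days = [int((datetime.fromisoformat(c["endDateTime"].replace("Z", "+00:00")) - now)
                .total_seconds() // 86400) for c in creds]
    live = [d for d in days if d >= 0]
    if not live:
        return f"all credentials expired (most recent {-max(days)} days ago)", ALL_EXPIRED_WEIGHT
    soonest = min(live)
    weight = next((w for limit, w in EXPIRY_BUCKETS if soonest < limit), 0)
    status = f"expires in {soonest} days" if weight else f"valid ({soonest} days)"
    if len(live) < len(days):  # stale credential still attached: flag for removal
        status += f"; {len(days) - len(live)} expired credential(s) still attached"
        weight = max(weight, STALE_EXPIRED_WEIGHT)
    return status, weight


def resolve_permissions(app, sp, grants, resource=GRAPH_SP):
    """Steps 5-6: name each requested Graph permission and check whether it is active.
    Application permissions are live only via an appRoleAssignment on the app's service
    principal; delegated ones are admin-consented only via an AllPrincipals grant."""
    roles = {r["id"]: r["value"] for r in resource["appRoles"]}
    scopes = {s["id"]: s["value"] for s in resource["oauth2PermissionScopes"]}
    granted = {a["appRoleId"] for a in sp.get("appRoleAssignments", []) if a["resourceId"] == resource["id"]}
    admin_scopes = {s for g in grants if g["clientId"] == sp["id"] and g["resourceId"] == resource["id"]
                    and g["consentType"] == "AllPrincipals" for s in g["scope"].split()}
    found = []
    for rra in app.get("requiredResourceAccess", []):
        if rra["resourceAppId"] != GRAPH_APP_ID:
            continue  # this example resolves Microsoft Graph permissions only
        for ra in rra["resourceAccess"]:
            if ra["type"] == "Role":
                found.append((roles.get(ra["id"], ra["id"]), "application", ra["id"] in granted))
            else:
                name = scopes.get(ra["id"], ra["id"])
                found.append((name, "delegated", name in admin_scopes))
    return found


def score_app(app, sp, grants, now=NOW):
    """Step 7: weight credential state, ownership and granted permissions into one score."""
    status, cred_w = credential_status(app, now)
    owners = [o["userPrincipalName"] for o in app.get("owners", [])]
    high, perm_w = [], 0
    for name, kind, consented in resolve_permissions(app, sp, grants):
        w = PERMISSION_WEIGHTS.get(name, 0)
        if w:  # an unconsented request is dormant but one admin click from live: half weight
            perm_w += w if consented else w // 2
            high.append(f"{name} ({kind}, {'consented' if consented else 'not consented'})")
    score = min(100, cred_w + (0 if owners else NO_OWNER_WEIGHT) + perm_w)
    band = "Critical" if score >= 80 else "High" if score >= 50 else "Medium" if score >= 25 else "Low"
    return {"displayName": app["displayName"], "appId": app["appId"], "credential": status,
            "owner": ", ".join(owners) or "None assigned", "highPrivilege": high,
            "score": score, "band": band}


def rank(apps, sps_by_app_id, grants, now=NOW):
    """Step 8: highest risk first."""
    return sorted((score_app(a, sps_by_app_id[a["appId"]], grants, now) for a in apps),
                  key=lambda r: r["score"], reverse=True)


# Constructed tenant snapshot; appIds and service principal ids are placeholders.
DIR_RW, MAIL_READ, USER_READ = GRAPH_SP["appRoles"][0]["id"], GRAPH_SP["appRoles"][1]["id"], \
    GRAPH_SP["oauth2PermissionScopes"][0]["id"]
SAMPLE_APPS = [
    {"displayName": "Contoso Reporting API", "appId": "app-1", "owners": [],
     "passwordCredentials": [{"displayName": "prod", "endDateTime": _iso(-12)}],
     "requiredResourceAccess": [{"resourceAppId": GRAPH_APP_ID, "resourceAccess": [{"id": DIR_RW, "type": "Role"}]}]},
    {"displayName": "Finance Connector", "appId": "app-2", "owners": [{"userPrincipalName": "finance-admin@contoso.com"}],
     "passwordCredentials": [{"displayName": "erp", "endDateTime": _iso(6)}],
     "requiredResourceAccess": [{"resourceAppId": GRAPH_APP_ID, "resourceAccess": [{"id": MAIL_READ, "type": "Role"}]}]},
    {"displayName": "Legacy Sync", "appId": "app-3", "owners": [{"userPrincipalName": "it-ops@contoso.com"}],
     "passwordCredentials": [{"displayName": "old", "endDateTime": _iso(-400)}],
     "keyCredentials": [{"displayName": "cert-2025", "endDateTime": _iso(300)}],
     "requiredResourceAccess": [{"resourceAppId": GRAPH_APP_ID, "resourceAccess": [{"id": DIR_RW, "type": "Role"}]}]},
    {"displayName": "Marketing Dashboard", "appId": "app-4", "owners": [{"userPrincipalName": "marketing-ops@contoso.com"}],
     "keyCredentials": [{"displayName": "cert", "endDateTime": _iso(210)}],
     "requiredResourceAccess": [{"resourceAppId": GRAPH_APP_ID, "resourceAccess": [{"id": USER_READ, "type": "Scope"}]}]},
]
SAMPLE_SPS = {  # each app's service principal with its granted application permissions
    "app-1": {"id": "sp-1", "appRoleAssignments": [{"appRoleId": DIR_RW, "resourceId": "sp-graph"}]},
    "app-2": {"id": "sp-2", "appRoleAssignments": [{"appRoleId": MAIL_READ, "resourceId": "sp-graph"}]},
    "app-3": {"id": "sp-3", "appRoleAssignments": []},  # Directory.ReadWrite.All requested, never consented
    "app-4": {"id": "sp-4", "appRoleAssignments": []},
}
SAMPLE_GRANTS = [{"clientId": "sp-4", "resourceId": "sp-graph", "consentType": "AllPrincipals", "scope": "User.Read"}]

if __name__ == "__main__":
    for r in rank(SAMPLE_APPS, SAMPLE_SPS, SAMPLE_GRANTS):  # step 9: the report rows
        print(f"{r['score']:>3} {r['band']:<8} {r['displayName']:<22} {r['credential']:<55} "
              f"owner={r['owner']} perms={r['highPrivilege'] or '-'}")
```

Running it ranks Contoso Reporting API first (expired secret, no owner, consented Directory.ReadWrite.All), then Finance Connector (secret expiring within a week), then Legacy Sync (valid certificate but a stale expired secret and a dormant Directory.ReadWrite.All request), then Marketing Dashboard. Two design points matter for a real run: the permission check looks at what is granted on the service principal, not what the registration requests, and the time-to-expiry is computed over every credential so a rotation leftover is reported separately from an imminent outage.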

Licensed under CC BY 4.0 by Educ4te.
