MT.1079 - Privileged API permissions on service principals should not remain unused
Overview
Unused privileged permissions should not remain assigned to a service principal because they increase the attack surface and risk of unauthorized access. If these permissions are not required for the application's functionality, they can be exploited by attackers or misused, leading to potential privilege escalation or data exposure. Removing unnecessary privileged permissions helps maintain a stronger security posture and reduces the likelihood of security incidents.
How to fix
Review the findings in the Applications inventory in App Governance, and verify that there are no activities or use cases requiring the affected service principal to have assignments to these API permissions. Use hunting of app activities to review which permissions the application actually exercises before removing the unused assignments.
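As an added example (not the Maester test itself or its documentation), the following PowerShell script lists a service principal's Microsoft Graph application permissions by name and removes only the ones a reviewer has confirmed as unused through the App Governance activity hunting described above. It assumes the Microsoft.Graph PowerShell SDK and an existing Connect-MgGraph session with sufficient privileges; the parameter names are the script's own.

```powershell
# Added example, not part of the Maester project. Assumes the Microsoft.Graph SDK and an
# existing session, e.g.:
#   Connect-MgGraph -Scopes 'AppRoleAssignment.ReadWrite.All','Application.Read.All'
[CmdletBinding(SupportsShouldProcess)]
param(
    # Object id of the service principal flagged by MT.1079
    [Parameter(Mandatory)] [string] $ServicePrincipalId,
    # Permission names (e.g. 'Directory.ReadWrite.All') that the App Governance review
    # confirmed are never exercised by this application; nothing is removed unless listed here
    [string[]] $ConfirmedUnused = @()
)

# Microsoft Graph resource service principal (well-known appId); other resource APIs
# would need the same lookup against their own service principal
$graphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"

# Map appRoleId -> permission name so assignments are readable in the review output
$roleNames = @{}
foreach ($role in $graphSp.AppRoles) { $roleNames[$role.Id] = $role.Value }

# Application permissions granted to this service principal on Microsoft Graph
$assignments = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $ServicePrincipalId -All |
    Where-Object { $_.ResourceId -eq $graphSp.Id }

foreach ($assignment in $assignments) {
    $name = $roleNames[$assignment.AppRoleId]
    if (-not $name) { $name = "<unknown appRoleId $($assignment.AppRoleId)>" }

    if ($ConfirmedUnused -contains $name) {
        # -WhatIf on the script shows what would be removed without changing anything
        if ($PSCmdlet.ShouldProcess("$name (assignment $($assignment.Id))", 'Remove app role assignment')) {
            Remove-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $ServicePrincipalId `
                -AppRoleAssignmentId $assignment.Id
            Write-Output "Removed unused permission: $name"
        }
    }
    else {
        Write-Output "Kept: $name"
    }
}
```

Run it first with `-WhatIf` to see which assignments would be removed, then re-run without it once the list matches the review outcome.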
Test Metadata
| Field | Value |
|---|---|
| Test ID | MT.1079 |
| Severity | Medium |
| Suite | Maester |
| Category | Privileged |
| PowerShell test | Test-MtXspmAppRegWithPrivilegedUnusedPermissions |
| Tags | Entra, EntraOps, Graph, LongRunning, MT.1079, Privileged, XSPM |
Source
- Pester test: tests/XSPM/Test-XspmPrivilegedIdentities.Tests.ps1
- PowerShell source: powershell/public/xspm/Test-MtXspmAppRegWithPrivilegedUnusedPermissions.ps1