
App registrations with privileged API permissions should have no owners

Why This Matters

App registrations that hold highly privileged API permissions are a critical security risk if their ownership is not tightly controlled. An owner of an app registration can add credentials to it and then sign in as the application with every permission it has been granted, so each additional owner widens the attack surface and creates another potential lateral movement path for an attacker who compromises that owner's account. Administrators should ensure that privileged app registrations have no owners and instead delegate management through object-level role assignments.

What Aether365 Checks

Aether365 verifies that app registrations with Control/Management Plane or highly critical API permissions do not have any owners assigned. This check appears in the Aether365 dashboard under the entra-id category.
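The following is an added example, not Aether365's own code, of how this check can be reproduced from Microsoft Graph data: it maps each application's `requiredResourceAccess` entries back to permission names through the resource service principal's `appRoles` and reports any registration that both holds a privileged application permission and has at least one owner. The privileged-permission list is an assumed policy to adapt, the GUIDs in the sample data are constructed (only the Microsoft Graph resource appId is real), and in a live run the two inputs would come from `GET /applications?$expand=owners` and `GET /servicePrincipals`.

```python
"""Flag app registrations that hold privileged API permissions and still have owners."""
import json

# Assumed policy: application permissions treated as Control/Management Plane.
PRIVILEGED_PERMISSIONS = {
    "RoleManagement.ReadWrite.Directory", "Directory.ReadWrite.All",
    "Application.ReadWrite.All", "AppRoleAssignment.ReadWrite.All",
}
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"  # Microsoft Graph resource appId (real)

# Constructed sample of GET /servicePrincipals: appRoles of the Graph resource (GUIDs made up).
SERVICE_PRINCIPALS = [{"appId": GRAPH_APP_ID, "appRoles": [
    {"id": "aaaaaaaa-0000-0000-0000-000000000001", "value": "RoleManagement.ReadWrite.Directory"},
    {"id": "aaaaaaaa-0000-0000-0000-000000000002", "value": "User.Read.All"},
]}]

# Constructed sample of GET /applications?$expand=owners.
APPLICATIONS = [
    {"displayName": "automation-admin", "appId": "bbbbbbbb-0000-0000-0000-000000000001",
     "owners": [{"userPrincipalName": "alice@contoso.example"}],
     "requiredResourceAccess": [{"resourceAppId": GRAPH_APP_ID, "resourceAccess": [
         {"id": "aaaaaaaa-0000-0000-0000-000000000001", "type": "Role"}]}]},
    {"displayName": "reporting", "appId": "bbbbbbbb-0000-0000-0000-000000000002",
     "owners": [{"userPrincipalName": "bob@contoso.example"}],
     "requiredResourceAccess": [{"resourceAppId": GRAPH_APP_ID, "resourceAccess": [
         {"id": "aaaaaaaa-0000-0000-0000-000000000002", "type": "Role"}]}]},
    {"displayName": "admin-no-owner", "appId": "bbbbbbbb-0000-0000-0000-000000000003",
     "owners": [],
     "requiredResourceAccess": [{"resourceAppId": GRAPH_APP_ID, "resourceAccess": [
         {"id": "aaaaaaaa-0000-0000-0000-000000000001", "type": "Role"}]}]},
]

def build_role_catalog(service_principals):
    """Map (resourceAppId, appRoleId) -> permission name, since resourceAccess only carries ids."""
    return {(sp["appId"], role["id"]): role["value"]
            for sp in service_principals for role in sp.get("appRoles", [])}

def privileged_permissions(app, catalog):
    """Return the privileged application permissions ("Role" type) an app requests."""
    found = set()
    for rra in app.get("requiredResourceAccess", []):
        for access in rra.get("resourceAccess", []):
            if access.get("type") != "Role":
                continue  # delegated "Scope" permissions are bounded by the signed-in user
            name = catalog.get((rra["resourceAppId"], access["id"]))
            if name in PRIVILEGED_PERMISSIONS:
                found.add(name)
    return found

def find_violations(applications, service_principals):
    """Apps that hold a privileged permission AND have owners: each owner can add credentials."""
    catalog = build_role_catalog(service_principals)
    return [{"displayName": app["displayName"], "appId": app["appId"],
             "permissions": sorted(privs),
             "owners": [o.get("userPrincipalName", o.get("id")) for o in app["owners"]]}
            for app in applications
            if (privs := privileged_permissions(app, catalog)) and app.get("owners")]

if __name__ == "__main__":
    print(json.dumps(find_violations(APPLICATIONS, SERVICE_PRINCIPALS), indent=2))
```

Remediation for each finding is to remove the owners and grant the responsible team a scoped role assignment on the application object instead.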

Microsoft references
