
App registrations with highly privileged directory roles should not have owners

Why This Matters

When an app registration has owners assigned, those owners can modify the application object, including its credentials, and so can authenticate as its service principal and inherit whatever privileges that service principal holds. If the service principal holds highly privileged directory roles, a lower-privileged owner has a path to escalate to those roles, which makes the ownership relationship a lateral movement and privilege escalation path. Removing owners that are not strictly required reduces the attack surface and enforces least privilege.

What Aether365 Checks

Aether365 scans your Microsoft Entra ID tenant to identify service principals that hold Control/Management Plane or other privileged directory roles and whose corresponding application object has owners assigned. This check appears in the Aether365 dashboard under the entra-id checks section.
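As an added illustration, not Aether365's own code (the page does not show how the check is implemented), the following Python models the join the check has to perform: directory role assignments are keyed by the service principal's object id, while owners hang off the application object, and the two are linked only through the shared appId. The records are constructed to mirror the shapes returned by the Microsoft Graph endpoints named in the comments; the set of roles treated as privileged, the tenant data, and the names are assumptions for the example.

```python
"""Offline model of the check: service principals that hold privileged
directory roles and whose application object has owners assigned."""
from collections import defaultdict

# Microsoft's published role template IDs for a few highly privileged roles.
# Which roles Aether365 classifies as Control/Management Plane is not stated
# on the page, so this set is an assumption for the example.
PRIVILEGED_ROLE_TEMPLATES = {
    "62e90394-69f5-4237-9190-012177145e10": "Global Administrator",
    "e8611ab8-c189-46e8-94e1-60213ab1f814": "Privileged Role Administrator",
    "9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3": "Application Administrator",
    "158c047a-c907-4556-b7ef-446551a6b5f7": "Cloud Application Administrator",
}


def find_owned_privileged_apps(role_definitions, role_assignments,
                               service_principals, applications,
                               privileged_templates=PRIVILEGED_ROLE_TEMPLATES):
    """Return one finding per service principal that holds a privileged
    directory role and whose application object has at least one owner.

    Input shapes mirror Microsoft Graph:
      role_definitions   GET /roleManagement/directory/roleDefinitions
      role_assignments   GET /roleManagement/directory/roleAssignments
      service_principals GET /servicePrincipals
      applications       GET /applications?$expand=owners
    """
    # Built-in roles use the templateId as their id, custom roles do not,
    # so always resolve the assignment through the definitions list.
    template_of = {rd["id"]: rd.get("templateId") for rd in role_definitions}
    sp_by_id = {sp["id"]: sp for sp in service_principals}
    app_by_appid = {app["appId"]: app for app in applications}

    # Privileged role names held by each service principal (object id).
    roles_of_sp = defaultdict(set)
    for ra in role_assignments:
        template = template_of.get(ra["roleDefinitionId"])
        if template not in privileged_templates:
            continue
        sp = sp_by_id.get(ra["principalId"])
        if sp is None:
            continue  # assigned to a user, group or unknown object: out of scope
        roles_of_sp[sp["id"]].add(privileged_templates[template])

    findings = []
    for sp_id, roles in roles_of_sp.items():
        sp = sp_by_id[sp_id]
        app = app_by_appid.get(sp["appId"])
        if app is None:
            # No application object in this tenant (e.g. a multi-tenant app
            # registered elsewhere): its owners live in the home tenant.
            continue
        owners = app.get("owners") or []
        if not owners:
            continue
        findings.append({
            "servicePrincipal": sp["displayName"],
            "appId": sp["appId"],
            "roles": sorted(roles),
            "owners": sorted(o.get("userPrincipalName", o["id"]) for o in owners),
        })
    return sorted(findings, key=lambda f: f["servicePrincipal"])


# Constructed sample tenant (all ids and names are made up for the example).
GA = "62e90394-69f5-4237-9190-012177145e10"
PRA = "e8611ab8-c189-46e8-94e1-60213ab1f814"
APP_ADMIN = "9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3"
CUSTOM = "custom-role-0001"  # a custom, non-privileged role

SAMPLE_ROLE_DEFINITIONS = [
    {"id": GA, "templateId": GA, "displayName": "Global Administrator"},
    {"id": PRA, "templateId": PRA, "displayName": "Privileged Role Administrator"},
    {"id": APP_ADMIN, "templateId": APP_ADMIN, "displayName": "Application Administrator"},
    {"id": CUSTOM, "templateId": CUSTOM, "displayName": "Helpdesk Reporting (custom)"},
]
SAMPLE_ROLE_ASSIGNMENTS = [
    {"principalId": "sp-0001", "roleDefinitionId": GA},         # owned app -> finding
    {"principalId": "sp-0002", "roleDefinitionId": APP_ADMIN},  # no owners -> ok
    {"principalId": "sp-0003", "roleDefinitionId": CUSTOM},     # not privileged -> ok
    {"principalId": "sp-0004", "roleDefinitionId": PRA},        # foreign app -> skipped
    {"principalId": "user-alice", "roleDefinitionId": GA},      # a user, not an SP
]
SAMPLE_SERVICE_PRINCIPALS = [
    {"id": "sp-0001", "appId": "app-aaaa", "displayName": "backup-automation"},
    {"id": "sp-0002", "appId": "app-bbbb", "displayName": "ticket-sync"},
    {"id": "sp-0003", "appId": "app-cccc", "displayName": "reporting"},
    {"id": "sp-0004", "appId": "app-dddd", "displayName": "legacy-gateway"},
]
SAMPLE_APPLICATIONS = [
    {"id": "obj-1", "appId": "app-aaaa", "displayName": "backup-automation",
     "owners": [{"id": "user-alice", "userPrincipalName": "alice@contoso.example"}]},
    {"id": "obj-2", "appId": "app-bbbb", "displayName": "ticket-sync", "owners": []},
    {"id": "obj-3", "appId": "app-cccc", "displayName": "reporting",
     "owners": [{"id": "user-bob", "userPrincipalName": "bob@contoso.example"}]},
]


def run_sample():
    return find_owned_privileged_apps(SAMPLE_ROLE_DEFINITIONS, SAMPLE_ROLE_ASSIGNMENTS,
                                      SAMPLE_SERVICE_PRINCIPALS, SAMPLE_APPLICATIONS)


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

Of the four service principals in the sample only backup-automation is reported: ticket-sync has a privileged role but no owners, reporting has owners but only a custom non-privileged role, and legacy-gateway has no application object in this tenant, so its owners are out of reach here. Remediation for a real finding is to remove the owners from the application object (or move the workload to a credential model that does not rely on owner-managed secrets) rather than to remove the role, unless the role itself turns out to be unnecessary.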

Microsoft references
