แก้ไข

แชร์ผ่าน


Microsoft Entra recommendation: Remove unused credentials from apps (preview)

Microsoft Entra recommendations is a feature that provides you with personalized insights and actionable guidance to align your tenant with recommended best practices.

This article covers the recommendation to remove unused credentials from apps. This recommendation is called StaleAppCreds in the recommendations API in Microsoft Graph.

Prerequisites

There are different role requirements for viewing or updating a recommendation. Use the least-privileged role for the type of access needed. For a full list of roles, see Least privileged roles by task.

Microsoft Entra role Access type
Reports Reader Read-only
Security Reader Read-only
Global Reader Read-only
Authentication Policy Administrator Update and read
Exchange Administrator Update and read
Security Administrator Update and read
DirectoryRecommendations.Read.All Read-only in Microsoft Graph
DirectoryRecommendations.ReadWrite.All Update and read in Microsoft Graph

Some recommendations might require a P2 or other license. For more information, see Recommendation availability and license requirements.

Description

Application credentials can include certificates and other types of secrets that need to be registered with that application. These credentials are used to prove the identity of the application. Only credentials actively in use by an application should remain registered with the application.

A credential is considered unused if:

  • It has not been used in the past 30 days.
  • It's a credential that was added to an application to be used for OAuth/OIDC flows or to the service principal for SAML flow.

The following credentials are exempted from the recommendation:

  • Expired credentials do not show in the Impacted resources list.
  • Credentials that were identified as unused but have expired since being flagged show as Completed in the Impacted resources list.

Value

Removing unused application credentials helps reduce the attack surface area and helps declutter the app portfolio of a tenant.

Action plan

This recommendation is available in the Microsoft Entra admin center and using the Microsoft Graph API.

Applications that the recommendation identified appear in the list of Impacted resources at the bottom of the recommendation.

  1. Sign in to the Microsoft Entra admin center as at least a Security Administrator.

  2. Browse to Identity > Overview.

  3. Select the Recommendations tab and select the Remove unused credentials from applications recommendation.

  4. Take note of the following details from the Impacted resources table.

    • The Resource column displays the application name
    • The ID column displays the application ID
  5. Select More Details from the Actions column to view more details.

    Screenshot of the recommendation with the More details options highlighted.

    Note

    If the origin of the credential is Service Principal, follow the guidance in the Service principals section.

  6. From the panel that opens, select Update Credential to navigate directly to the Certificates & secrets area of the app registration to remove the unused credential.

    1. Alternatively, browse to Identity > Applications > App registrations and select the application that was surfaced as part of this recommendation.

      Screenshot of the Microsoft Entra app registration page.

    2. Then navigate to the Certificates & Secrets section of the app registration.

      Screenshot of the Certificates and secrets section of Microsoft Entra ID.

  7. Locate the unused credential and remove it.

Service principals

If the origin of the credential is service principal, there are a few considerations and extra steps to follow.

Because there's often multiple service principals for a single application, it may be easier to navigate to Enterprise apps to view everything in one place.

  1. In the Microsoft Entra admin center, browse to Identity > Applications > Enterprise applications.

  2. Search for and open the application that was surfaced as part of this recommendation.

  3. Select Single sign-on from the side menu.

    If the credential is a service principal but there are SAML certificates in use, you can identify the details of the credential using the Microsoft Graph API. To use the Microsoft Graph API, you need the DirectoryRecommendations.Read.All and DirectoryRecommendations.ReadWrite.All permissions. For more information, see How to use Identity Recommendations.

  4. Sign in to Graph Explorer.

  5. Select GET as the HTTP method from the dropdown.

  6. Set the API version to beta.

  7. Query the keyCredential and passwordCredential endpoints.

  8. Use the removePassword or removeKey endpoints to remove the credential from the service principal.