Microsoft Entra application owner added
Description
AlphaSOC detected a new owner being added to a Microsoft Entra ID application
registration via the `Add owner to application` audit action. Application owners
can modify the application's credentials, including client secrets and
certificates, and can alter consent grants. An attacker who adds themselves or a
compromised account as an application owner gains persistent, privileged access
to the application and can generate new credentials to authenticate as the
application.
Impact
An unauthorized application owner can add new credentials to an application and use them to authenticate silently, even after the originally compromised account is disabled. Depending on the application's permissions, the attacker may access sensitive APIs, read organizational data, or maintain persistent access to cloud resources without detection.
Severity
| Severity | Condition |
|---|---|
| Low | New owner added to an application |
Investigation and Remediation
Review the Entra audit logs for the `Add owner to application` event. Identify
the user who performed the action, the target application, and the account that
was added as owner. Verify whether the change was authorized. Check whether new
credentials were added to the application after the ownership change. If
unauthorized, remove the added owner, rotate or remove any newly added
credentials, and investigate the acting account for further compromise.
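
The review steps above can be run over exported audit records. The following is an added example, not AlphaSOC or Microsoft code. It assumes records shaped like Microsoft Graph `directoryAudit` entries and that credential changes contain "Certificates and secrets management" in the activity name; the helper names, the 7-day window and all sample data are constructed.

```python
from datetime import datetime, timedelta

OWNER_ADDED = "Add owner to application"
# Assumption: credential changes carry this text in activityDisplayName.
CRED_MARKER = "Certificates and secrets management"

def _rec(activity, when, actor, *targets):
    return {"activityDisplayName": activity, "activityDateTime": when,
            "initiatedBy": {"user": {"userPrincipalName": actor}},
            "targetResources": list(targets)}

APP_A = {"type": "Application", "id": "app-a", "displayName": "Payroll Sync"}
APP_B = {"type": "Application", "id": "app-b", "displayName": "Wiki Bot"}
NEW_OWNER = {"type": "User", "id": "user-9", "userPrincipalName": "j.doe@example.com"}

# Constructed sample events in the assumed record shape; every value is made up.
SAMPLE_AUDIT = [
    _rec("Update application – " + CRED_MARKER, "2024-05-01T08:00:00Z", "admin@example.com", APP_A),
    _rec(OWNER_ADDED, "2024-05-02T10:00:00Z", "helpdesk@example.com", NEW_OWNER, APP_A),
    _rec("Update application – " + CRED_MARKER, "2024-05-02T10:12:00Z", "j.doe@example.com", APP_A),
    _rec("Update application – " + CRED_MARKER, "2024-05-02T11:00:00Z", "admin@example.com", APP_B),
]

def _ts(rec):
    return datetime.fromisoformat(rec["activityDateTime"].replace("Z", "+00:00"))

def _target(rec, kind):
    return next((t for t in rec.get("targetResources", []) if t.get("type") == kind), {})

def _actor(rec):
    return ((rec.get("initiatedBy") or {}).get("user") or {}).get("userPrincipalName")

def review_owner_additions(records, window=timedelta(days=7)):
    """Pair each owner addition with later credential changes on the same application."""
    findings = []
    for rec in sorted(records, key=_ts):
        if rec.get("activityDisplayName") != OWNER_ADDED:
            continue
        app, start = _target(rec, "Application"), _ts(rec)
        followups = [
            {"time": r["activityDateTime"], "actor": _actor(r)}
            for r in sorted(records, key=_ts)
            if CRED_MARKER in r.get("activityDisplayName", "")
            and app.get("id") and _target(r, "Application").get("id") == app["id"]
            and start <= _ts(r) <= start + window
        ]
        findings.append({"app": app.get("displayName"), "acting_user": _actor(rec),
                         "added_owner": _target(rec, "User").get("userPrincipalName"),
                         "credential_changes": followups})
    return findings
```

A finding whose `credential_changes` list is non-empty, especially where the actor is the newly added owner, is the case to prioritize for credential rotation.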