Open Enterprise Applications in any mature Microsoft 365 tenant. You will find hundreds, sometimes thousands, of service principals. Most have not signed in for a year. Some hold Mail.ReadWrite or Directory.ReadWrite.All. Almost none have an owner.
This is the identity class nobody audits. It is also one of the likeliest places the next breach will come from.
Why tenants drown in them
The first time a user consents to a third-party "Sign in with Microsoft" app, a service principal for it lands in your tenant. Every Logic App, CI/CD pipeline and forgotten PowerShell script needs one. Users consent without thinking. Test apps never get deleted. When the engineer who created them leaves, the credentials stay behind.
The result: a parallel directory bigger than your user directory, with no offboarding and no access reviews.
The four risks that bite
Excessive Graph permissions. A service principal holding the application permission Mail.ReadWrite can read and write every mailbox in the tenant unless an Exchange application access policy scopes it down. That is a mailbox breach waiting to happen, and most tenants have at least one.
Long-lived secrets. Client secrets get issued for two years, the portal maximum. Nobody rotates them. When a CI runner leaks one, the attacker gets up to two years of access.
Owner-less apps. Ownership does not transfer when people leave. The app keeps running. No human is responsible.
End-user OAuth consent. In many tenants the consent settings still let any user grant Mail.Read to a malicious app pretending to be a productivity tool. No prompt beyond the user's own sign-in. No admin in the loop.
What to do this week
Pull every service principal. Anything with application-level Graph permissions like Mail.ReadWrite, Files.ReadWrite.All or Directory.ReadWrite.All needs a written justification. No justification, no permission.
Sort by last sign-in. 90 days idle: disable. 180 days: delete. Check the 180-day list against jobs that only run quarterly before you delete anything.
Pull credentials. Anything older than 12 months gets rotated. Anything expiring in 60 days gets owned by someone or removed.
Lock down tenant consent. Restrict end-user consent to low-risk permissions from verified publishers only. Turn on the admin consent workflow.
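The four steps above as one script, added here as an example and not code from the original post: a read-only inventory over the Microsoft Graph PowerShell SDK, followed by the two consent-policy changes. Assumed rather than taken from the page: the Microsoft.Graph and Microsoft.Graph.Beta.Reports modules are installed, the sign-in-activity cmdlet and its property names (Get-MgBetaReportServicePrincipalSignInActivity, LastSignInActivity.LastSignInDateTime), the high-risk permission list, the reviewer address secops@contoso.example and the output path.

```powershell
# Added example, not code from the original post. Inventory of service principals against the
# rules in the text, then the consent lock-down. Assumptions: Microsoft.Graph (and
# Microsoft.Graph.Beta.Reports for sign-in data) is installed and the admin holds these scopes.
$scopes = @(
    'Application.Read.All', 'Directory.Read.All', 'AuditLog.Read.All', 'User.Read.All',
    'Policy.ReadWrite.Authorization', 'Policy.ReadWrite.ConsentRequest'
)
Connect-MgGraph -Scopes $scopes -NoWelcome

$now = Get-Date
$highRisk = @('Mail.ReadWrite', 'Mail.Read', 'Files.ReadWrite.All', 'Directory.ReadWrite.All')

# Microsoft Graph's own service principal (well-known appId) carries the app-role catalogue,
# which maps permission GUIDs to names such as Mail.ReadWrite.
$graphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
$roleName = @{}
foreach ($r in $graphSp.AppRoles) { $roleName[$r.Id] = $r.Value }

# Client secrets and certificates live on the app registration, not on the service principal;
# index them by appId so each principal can be matched to its credentials.
$appCreds = @{}
foreach ($app in Get-MgApplication -All -Property AppId, PasswordCredentials, KeyCredentials) {
    $appCreds[$app.AppId] = @($app.PasswordCredentials) + @($app.KeyCredentials)
}

# Last sign-in per appId (assumption: beta report cmdlet and property names). If the beta
# module is missing the rest of the audit still runs and idle status reads 'no sign-in data'.
$lastSignIn = @{}
try {
    foreach ($a in Get-MgBetaReportServicePrincipalSignInActivity -All) {
        $lastSignIn[$a.AppId] = $a.LastSignInActivity.LastSignInDateTime
    }
} catch { Write-Warning "Sign-in activity unavailable: $($_.Exception.Message)" }

$rows = foreach ($sp in Get-MgServicePrincipal -All) {
    # Application permissions are app-role assignments on the principal; delegated scopes
    # (oauth2PermissionGrants) are a separate object and are not counted here.
    $granted = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All |
        Where-Object { $_.ResourceId -eq $graphSp.Id } |
        ForEach-Object { $roleName[$_.AppRoleId] }
    $risky = @($granted | Where-Object { $highRisk -contains $_ })

    $owners = @(Get-MgServicePrincipalOwner -ServicePrincipalId $sp.Id -All)

    # Idle rule from the text: 90 days -> disable, 180 days -> delete.
    $seen = $lastSignIn[$sp.AppId]
    $idleDays = if ($seen) { [int]($now - $seen).TotalDays } else { $null }
    $idleAction = 'keep'
    if ($null -eq $idleDays) { $idleAction = 'review: no sign-in data' }
    elseif ($idleDays -ge 180) { $idleAction = 'delete' }
    elseif ($idleDays -ge 90) { $idleAction = 'disable' }

    # Credential rule from the text: older than 12 months -> rotate; expiring within 60 days ->
    # assign an owner or remove. Apps registered in other tenants have no local credentials.
    $credActions = foreach ($c in $appCreds[$sp.AppId]) {
        if (($now - $c.StartDateTime).TotalDays -gt 365) { "rotate $($c.KeyId)" }
        elseif (($c.EndDateTime - $now).TotalDays -le 60) { "expiring $($c.KeyId)" }
    }

    [pscustomobject]@{
        DisplayName      = $sp.DisplayName
        AppId            = $sp.AppId
        Enabled          = $sp.AccountEnabled
        RiskyAppPerms    = $risky -join ';'
        OwnerCount       = $owners.Count
        IdleDays         = $idleDays
        IdleAction       = $idleAction
        CredentialAction = @($credActions) -join ';'
    }
}

# Everything that needs a human decision this week, in one CSV (output path is an assumption).
$rows |
    Where-Object { $_.RiskyAppPerms -or $_.OwnerCount -eq 0 -or $_.IdleAction -ne 'keep' -or $_.CredentialAction } |
    Sort-Object IdleDays -Descending |
    Export-Csv -Path .\sp-audit.csv -NoTypeInformation

# Tenant consent: end users may self-consent only to low-risk permissions from verified
# publishers (the built-in microsoft-user-default-low grant policy) ...
Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions @{
    PermissionGrantPoliciesAssigned = @('ManagePermissionGrantsForSelf.microsoft-user-default-low')
}

# ... and everything else goes through the admin consent workflow to a named reviewer
# (reviewer address is an assumption).
$reviewer = Get-MgUser -UserId 'secops@contoso.example'
Update-MgPolicyAdminConsentRequestPolicy -BodyParameter @{
    isEnabled             = $true
    notifyReviewers       = $true
    remindersEnabled      = $true
    requestDurationInDays = 30
    reviewers             = @(@{ query = "/users/$($reviewer.Id)"; queryType = 'MicrosoftGraph' })
}
```

The inventory part only reads; the two Update- calls at the end change tenant policy, so run them once you have agreed who the reviewer is. Rows whose IdleAction reads 'review: no sign-in data' are principals the sign-in report did not cover, not principals that are safe to delete.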
Why this never stays clean
New apps register every week. Permissions get added in normal work. Secrets never get rotated. The directory drifts the moment you stop watching.
SecValley CSPM flags excessive permissions, stale credentials, owner-less apps and risky consent grants as part of 500+ controls across Microsoft 365, Entra ID and Azure. Drift gets caught the day it happens, not the day after the breach.
The user directory is the front door. Service principals are the side door nobody locked.