In Microsoft Entra, a single misconfigured application setting can allow an adversary to escalate privileges and potentially compromise the entire tenant. As a refresher, these attacks are not just theoretical; they have happened and are happening today:
It took one setting in an unmonitored test tenant that allowed an adversary to add credentials and permissions, ultimately enabling them to own Microsoft’s production tenant and access employee email accounts, including those belonging to senior executives, cybersecurity personnel, and legal staff.
Adversaries exploited an OAuth permission vulnerability in Metallic to gain unauthorized access to Commvault’s internal infrastructure and downstream customer tenants.
An adversary gloated about gaining access to internal Microsoft apps because the required User Assignment option had not been set on them.
Recently, new options appeared in the Entra admin center that help prevent adversaries from gaining unauthorized access to enterprise applications (called service principals when managed through the Graph API) and application registrations (called applications in the Graph API) within your Entra tenant.
Note:
Application policies have been available through Microsoft Graph for some time, but they are now also exposed in the Entra admin center. This addition makes these policies far more convenient to configure, communicate, and check.
These settings are under the Security header in the navigation menu. Previously, you would only see Conditional Access, and Consent and permissions there as an Entra admin, but now it features Application policies (as seen in Figure 1).
Application policies primarily address the first type of attack listed above, in which an adversary adds credentials to an application or takes advantage of inappropriate credential settings. By default, no restrictions apply to applications in Entra, except that identifier URIs without unique tenant identifiers have been blocked since August 12, 2025. Application policies let you define both a tenant-wide default policy and policies that apply to specific applications.
Application policies allow Entra admins to enforce best practices for configuring apps in their Entra tenant. Currently, application policies allow Entra admins to set password restrictions, certificate restrictions, and identifier URI restrictions:
Figure 1: Application policies in the Entra admin center
Password restrictions allow admins to limit the addition of new password credentials, block the addition of custom passwords, and/or set maximum lifetimes for password credentials added to application registrations and enterprise applications in an Entra tenant.
Certificate restrictions restrict the maximum lifetime of new certificates (asymmetric keys) added to application registrations and enterprise applications in an Entra tenant.
Identifier URI restrictions block the addition of non-default identifier URIs, forcing the use of the autogenerated ones (api:// scheme), and/or block identifier URIs that do not contain a unique tenant identifier (such as the tenant ID, the app ID, or a verified domain).
Each of these restrictions can be applied to all applications with exclusions (blocklist), select applications (allowlist), or to applications that are created after a specific date.
While password restrictions and certificate restrictions can be applied to both enterprise applications and application registrations, identifier URI restrictions can only be applied to application registrations. The following table provides an overview:

| Application Management Policy | Enterprise Applications | Application Registrations (Applications) |
|---|---|---|
| Password restrictions | Applicable | Applicable |
| Certificate restrictions | Applicable | Applicable |
| Identifier URI restrictions | Not applicable | Applicable |

Table 1: Applicability of application management policies
Thus far, we’ve only discussed the theoretical side of application management policies. Now, let’s explore some practical, real-life scenarios where these policies can directly strengthen your governance and security posture, and, quite literally, save your bacon as an Entra admin.
Microsoft strongly recommends avoiding password authentication for Entra applications. In practice, however, password authentication often sneaks into development, test, and acceptance environments while workload identity federation and certificate-based authentication are still under review or in development. For the development, test, and acceptance line of in-house developed apps (and, when done right, for your non-production tenant) you could allow it, while blocking it for the production line (read: your production tenant). Because only the production app accesses production data, blocking adversaries from adding a password to that app removes one route to leaking production data.
To achieve this, navigate to the Password addition restriction settings and set its Status to On. For a separate production tenant, press Save and close at the bottom of the page. For an Entra tenant that serves both production and non-production applications, select the Select applications or All applications with exclusions option, specify the non-production applications to blocklist or the production applications to allowlist, and press Save and close at the bottom of the page.
Application policies are enforced at the moment a credential is added or an identifier URI is changed; they do not evaluate what is already configured. Existing applications may therefore keep insecure authentication configurations, such as certificates with excessively long lifetimes (for example, 20 years), and the policy is only applied when that credential is replaced or renewed.
If such a certificate is never renewed, a certificate restriction never takes effect for it unless you find and remediate the credential explicitly. This creates blind spots where insecure authentication persists indefinitely.
One practical approach is to use the “Only apply to apps created after” option in password and certificate restrictions. This allows you to phase in stronger controls for new applications while gradually bringing older ones into compliance. Backing this up with a written, approved policy document that outlines direction, cut-off dates, and enforcement expectations ensures developers know what’s required—and by when.
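Finding those blind spots is the prerequisite for the phased approach above. The script below is an added example (it is not from the original post, and it is not an ENow tool): a PowerShell function that walks the password and certificate credentials of applications or service principals, flags any credential whose lifetime exceeds a threshold, and marks whether it was issued before a policy cut-off date, since a created-after policy leaves such credentials untouched until they are renewed. The thresholds, the cut-off date and the sample objects are constructed placeholders; the live run at the end assumes the Microsoft Graph PowerShell SDK and the Application.Read.All permission.

```powershell
# Added example, not from the original post. Thresholds and cut-off are placeholders.
function Find-LongLivedCredential {
    param(
        [Parameter(Mandatory)] [object[]] $Objects,   # applications or service principals
        [int] $MaxPasswordDays = 90,                  # placeholder policy value
        [int] $MaxCertificateDays = 180,              # placeholder policy value
        [datetime] $PolicyCutoff = (Get-Date "2025-10-01")  # placeholder "apps created after" date
    )
    foreach ($obj in $Objects) {
        $creds = @()
        foreach ($p in $obj.PasswordCredentials) { $creds += @{ Kind = "Password";    Cred = $p; Max = $MaxPasswordDays } }
        foreach ($k in $obj.KeyCredentials)      { $creds += @{ Kind = "Certificate"; Cred = $k; Max = $MaxCertificateDays } }
        foreach ($c in $creds) {
            # Graph returns nullable dates; a credential without both dates cannot be measured here
            if (-not $c.Cred.StartDateTime -or -not $c.Cred.EndDateTime) { continue }
            $lifetimeDays = [math]::Round(($c.Cred.EndDateTime - $c.Cred.StartDateTime).TotalDays)
            if ($lifetimeDays -le $c.Max) { continue }
            [pscustomobject]@{
                DisplayName    = $obj.DisplayName
                AppId          = $obj.AppId
                Kind           = $c.Kind
                KeyId          = $c.Cred.KeyId
                LifetimeDays   = $lifetimeDays
                ExpiresOn      = $c.Cred.EndDateTime
                # True means a created-after restriction never applies to this credential until it is renewed
                PredatesPolicy = ($c.Cred.StartDateTime -lt $PolicyCutoff)
            }
        }
    }
}

# Constructed sample objects shaped like Get-MgApplication output (not real apps or credentials)
$sample = @(
    [pscustomobject]@{
        DisplayName = "legacy-backup-app"; AppId = "00000000-0000-0000-0000-000000000001"
        PasswordCredentials = @()
        KeyCredentials = @([pscustomobject]@{ KeyId = "k1"; StartDateTime = [datetime]"2020-01-01"; EndDateTime = [datetime]"2040-01-01" })
    },
    [pscustomobject]@{
        DisplayName = "new-api"; AppId = "00000000-0000-0000-0000-000000000002"
        PasswordCredentials = @(
            [pscustomobject]@{ KeyId = "p1"; StartDateTime = [datetime]"2025-11-01"; EndDateTime = [datetime]"2026-01-15" },  # 75 days: fine
            [pscustomobject]@{ KeyId = "p2"; StartDateTime = [datetime]"2025-11-01"; EndDateTime = [datetime]"2027-11-01" }   # 730 days: flagged
        )
        KeyCredentials = @()
    }
)
Find-LongLivedCredential -Objects $sample | Format-Table

# Live run against the tenant (uncomment once the SDK is installed):
# Connect-MgGraph -Scopes "Application.Read.All" -NoWelcome
# $apps = Get-MgApplication -All -Property Id,AppId,DisplayName,PasswordCredentials,KeyCredentials
# $sps  = Get-MgServicePrincipal -All -Property Id,AppId,DisplayName,PasswordCredentials,KeyCredentials
# Find-LongLivedCredential -Objects ($apps + $sps) | Export-Csv .\long-lived-credentials.csv -NoTypeInformation
```

On the sample data the 20-year certificate on legacy-backup-app and the two-year password p2 on new-api are reported; only the certificate carries PredatesPolicy set to true, which is exactly the set of credentials a written policy with cut-off dates has to call out for manual rotation.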
Even though certificates for Entra application authentication have their flaws, they should still be preferred over passwords. The Entra admin center enforces a maximum certificate lifetime of 6 months. But what if your corporate certificate policies dictate a shorter lifetime for (specific) apps?
What if you want to pre-emptively comply with the CA/Browser Forum TLS Baseline Requirements, which cap TLS certificate lifetimes at 47 days from March 15, 2029? Those requirements govern publicly trusted TLS server certificates rather than Entra application certificates, so this is about aligning with the same lifetime rather than a strict obligation. To do so, set the Restrict certificate lifetime Status to On and enter 47 in the Maximum lifetime (in days) field. You can use the same targeting options shown in the previous scenario for password restrictions; the 'Only apply to apps created after' option is a helpful way to phase the policy in between now and March 15, 2029.
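Both scenarios above (blocking password addition, and capping certificate lifetime at 47 days) can also be set on the tenant-wide default policy through Microsoft Graph, which is useful for scripting the change across tenants or recording it in version control. The following is an added example, not code from the original post or from Microsoft. It assumes the Microsoft Graph PowerShell SDK, an admin who can consent to Policy.ReadWrite.ApplicationConfiguration, and a placeholder cut-off date; the request body follows the Graph tenantAppManagementPolicy resource (passwordCredentialConfiguration and keyCredentialConfiguration entries), so check the field names against the current Graph reference before running it against a production tenant.

```powershell
# Added example, not from the original post. Cut-off date is a placeholder.
Connect-MgGraph -Scopes "Policy.ReadWrite.ApplicationConfiguration" -NoWelcome

$cutoff = "2025-10-01T00:00:00Z"   # placeholder: mirrors "Only apply to apps created after"

# The same two restrictions are applied to application registrations (applicationRestrictions)
# and to enterprise applications (servicePrincipalRestrictions), matching Table 1.
$restrictions = @{
    passwordCredentials = @(
        @{  # Scenario 1: no new password credentials may be added
            restrictionType                     = "passwordAddition"
            state                               = "enabled"
            maxLifetime                         = $null
            restrictForAppsCreatedAfterDateTime = $cutoff
        }
    )
    keyCredentials = @(
        @{  # Scenario 2: certificates (asymmetric keys) may live at most 47 days
            restrictionType                     = "asymmetricKeyLifetime"
            state                               = "enabled"
            maxLifetime                         = "P47D"   # ISO 8601 duration
            restrictForAppsCreatedAfterDateTime = $cutoff
        }
    )
}

$policy = @{
    isEnabled                   = $true
    applicationRestrictions     = $restrictions
    servicePrincipalRestrictions = $restrictions
}

$uri = "https://graph.microsoft.com/v1.0/policies/defaultAppManagementPolicy"

# PATCH replaces the restriction collections you send, so read the current policy
# first and merge anything you want to keep (for example, an identifierUris rule).
$current = Invoke-MgGraphRequest -Method GET -Uri $uri
if ($current.applicationRestrictions.identifierUris) {
    $policy.applicationRestrictions.identifierUris = $current.applicationRestrictions.identifierUris
}

Invoke-MgGraphRequest -Method PATCH -Uri $uri -Body $policy

# Read back and keep the JSON with the written policy document
Invoke-MgGraphRequest -Method GET -Uri $uri | ConvertTo-Json -Depth 10
```

The Select applications and All applications with exclusions options in the admin center correspond to custom appManagementPolicy objects assigned to individual applications (the appManagementPolicies relationship on an application); they are not covered by this default-policy example.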
App management policies in the Entra admin center are a welcome addition to the security toolbox, and I strongly encourage Entra admins to adopt them. I foresee a Microsoft managed value for the Status field of many of these policies, so that when Entra application authentication methods come under attack, Microsoft can configure application management policies for all tenants. Microsoft has used this approach before to enable number matching throughout all tenants, and that Microsoft managed setting might apply here, too.
That said, there are still notable gaps at scale. Today, policies cannot be applied based on application type (for example, including Entra application proxy apps), filtered queries, tags, or even keywords in the Notes or Internal notes fields. These kinds of targeting capabilities would make policies far more powerful, especially in large, complex environments.
Until then, admins must rely on careful planning, consistent documentation, and manual processes to close these gaps. Application management policies are a solid step forward, but there’s still significant room for growth before they deliver the flexibility enterprises truly need.
The basis for applying application management policies in any Entra tenant is to determine which applications use passwords, which use certificates, and what the lifetimes are for these authentication mechanisms. ENow’s free AppGov Score provides the number of apps that have long-lived passwords and certificates. ENow’s App Governance Accelerator reports specify this information further, allowing you to identify specific apps with long-lived passwords and certificates, call them out, and apply Entra application management policies with confidence.