
Service principal ownership misuse: how does global admin takeover happen?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 8151
Topic starter  

TL;DR: A compromised low-privilege user can pivot through owned service principal access, add a client secret, and use app-only authentication to reset a Global Administrator account, bypassing user-centric controls like MFA and Conditional Access, according to Semperis. The lesson is that application ownership is itself a privileged control surface, and unmanaged service principals can collapse the boundary between delegated and app-only access.

NHIMG editorial — based on content published by Semperis: Misowned and dangerous: An Owner’s Manual to Global Admin

By the numbers:

Questions worth separating out

Q: What breaks when a user can own a privileged service principal?

A: A user who owns a privileged service principal can often change credentials, pivot into app-only authentication, and exercise the application’s assigned role without using the user account directly.

Q: Why do service principals complicate IAM governance in cloud tenants?

A: Service principals complicate IAM because they are active identities, not passive configuration objects.

Q: How do security teams know if app-only access is becoming risky?

A: Risk rises when service principals have elevated roles, credential changes are common, ownership is unclear, or app-only sessions are not monitored separately from user activity.

Practitioner guidance

  • Inventory privileged service principals and their owners: build a complete list of enterprise applications, the users or groups that own them, and any directory roles assigned to each service principal.
  • Separate workload credential administration from general user ownership: require stronger governance for who can add secrets or certificates to applications that hold privileged roles.
  • Review app-only paths as distinct from delegated user paths: monitor app-only sign-ins, credential changes, and role usage separately from user logons so that workload behavior is not hidden inside normal user telemetry.
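The correlation those three points describe, as an added Python example that is not from this post or the Semperis article: it separates app-only sign-ins from user sign-ins and flags a privileged service principal that received a new credential, then signed in app-only, then performed a sensitive directory action. All event records, field names and identifiers are constructed and only loosely resemble Entra audit and sign-in log shapes; they are assumptions, not the real schema.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real log data): a low-privilege owner adds a secret
# to a service principal that holds a privileged role, the SP then signs in app-only
# and resets a Global Administrator's password. A normal user sign-in is mixed in.
EVENTS = [
    {"ts": "2024-05-01T10:00:00Z", "type": "audit", "activity": "Add service principal credentials",
     "actor": "user:lowpriv@contoso.example", "target": "sp:11111111-0000-0000-0000-000000000001"},
    {"ts": "2024-05-01T10:02:00Z", "type": "signin", "principal_type": "servicePrincipal",
     "actor": "sp:11111111-0000-0000-0000-000000000001", "grant": "client_credentials"},
    {"ts": "2024-05-01T10:03:00Z", "type": "audit", "activity": "Reset user password",
     "actor": "sp:11111111-0000-0000-0000-000000000001", "target": "user:ga@contoso.example"},
    {"ts": "2024-05-01T11:00:00Z", "type": "signin", "principal_type": "user",
     "actor": "user:alice@contoso.example", "grant": "authorization_code"},
]

# Output of the ownership/role inventory step: SPs that hold a privileged directory role.
PRIVILEGED_SPS = {"sp:11111111-0000-0000-0000-000000000001"}
# Directory actions a workload identity should rarely perform (constructed names).
SENSITIVE_ACTIVITIES = {"Reset user password", "Create temporary access pass", "Add member to role"}
WINDOW = timedelta(hours=1)


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def split_app_only(events):
    """Return (app_only_signins, user_signins) so workload activity is reviewed on its own."""
    signins = [e for e in events if e["type"] == "signin"]
    app_only = [e for e in signins if e["principal_type"] == "servicePrincipal"]
    users = [e for e in signins if e["principal_type"] != "servicePrincipal"]
    return app_only, users


def detect_credential_pivot(events, privileged_sps=PRIVILEGED_SPS, window=WINDOW):
    """Flag a credential added to a privileged SP that is followed, within `window`,
    by an app-only sign-in of that SP and a sensitive directory action performed by it."""
    findings = []
    ordered = sorted(events, key=lambda e: parse_ts(e["ts"]))
    for cred in (e for e in ordered if e.get("activity") == "Add service principal credentials"):
        sp = cred["target"]
        if sp not in privileged_sps:
            continue  # ownership of an unprivileged app is lower risk; not flagged here
        t0 = parse_ts(cred["ts"])
        later = [e for e in ordered if e["actor"] == sp and t0 <= parse_ts(e["ts"]) <= t0 + window]
        signed_in = any(e["type"] == "signin" for e in later)
        actions = [(e["activity"], e["target"]) for e in later if e.get("activity") in SENSITIVE_ACTIVITIES]
        if signed_in and actions:
            findings.append({"sp": sp, "credential_added_by": cred["actor"], "actions": actions})
    return findings
```

The finding names the user who added the credential, which is the ownership relationship the post calls a privileged control surface; in a real deployment the same correlation would run over exported sign-in and audit logs rather than the constructed list.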

What's in the full article

Semperis's full article covers the operational detail this post intentionally leaves for the source:

  • Native PowerShell and Microsoft Graph commands used to enumerate ownership, roles, and service principal context
  • Step-by-step walkthrough of how a client secret changes the authentication model from delegated to app-only
  • Detailed explanation of why Privileged Authentication Administrator enables password reset and TAP issuance
  • Cleanup and reset steps for the EntraGoat scenario environment

👉 Read Semperis's analysis of service principal ownership misuse in Entra ID →
