New Locks, Old Keys: Testing Microsoft’s Latest Controls Against Service Principal Abuse
Abuse of service principals in Microsoft Entra ID has long been a favorite technique of APT groups. In recent years that tradecraft has trickled down to eCrime actors, who now use it for ransomware and extortion. In 2025 Microsoft introduced two new security controls aimed at this risk. Each has its pros and cons, but, as with any security control, understanding the specific risk it mitigates is essential to weighing its benefit against the potential for business disruption.
In this talk, we'll walk through three scenarios in which service principals are abused and identify which of the new controls is relevant to each. We'll also show how to test the controls you configure yourself, so you can verify that they actually behave as expected rather than assuming they do.