Principals with the Application Admin role can control tenant-resident apps.
Abuse Info
Create a new credential for the app, then authenticate to the tenant as the app's service principal, then
abuse whatever privilege it is that the service principal has.
Opsec Considerations
The Azure portal will create a log even whenever a new credential is created for a service principal.
Updated