As we head into 2026, we wanted to take a moment to reflect on some of the greatest AppGov moments of 2025. From our CEO being a guest on Merill Fernando's Entra.Chat podcast, to incredibly practical blogs written by Microsoft MVPs, we have so much to celebrate from the year.
Our very own CEO & Technical Founder, Jay Gundotra, and MVP friend Sander Berkouwer, joined Microsoft’s Merill Fernando on his Entra.Chat Podcast to unpack why bringing non-human identities under control in Entra ID is more critical than ever.
In this episode they uncovered:
✅ Why service principals and app identities pose real risks
✅ Lessons from Midnight Blizzard and other real-world breaches
✅ Practical steps to strengthen app governance
In March, we visited Bellevue, Washington, alongside the MVP Summit. The Summit is an event that brings together the Most Valuable Professionals (MVPs), Regional Directors (RDs), and Gold Microsoft Learn Student Ambassadors to learn, connect, and share.
Read more about our time spent in Washington!
We'd like to extend a huge THANK YOU to everyone who has contributed to the AppGov Score community in 2025! Our strength in supporting IT, Security, Identity teams, and learners lies in the collective knowledge and willingness to educate and share experiences as we all navigate the new and exciting changes Microsoft has made.
This blog was written by Matthew Levy, a Microsoft Security MVP. Matthew is a Solutions Architect at Threatscape, an IT security company that protects businesses from cyber threats.
In this blog, Matthew explains that Microsoft is retiring the Azure AD Graph API, a legacy interface for programmatically interacting with Azure Active Directory (now Entra ID). The Azure AD Graph API has been deprecated in favor of the Microsoft Graph API, which provides a unified, more secure, and broader set of capabilities across Microsoft cloud services.
What was affected by this retirement?
Starting February 1, 2025, applications that still used Azure AD Graph were blocked from making requests unless they were explicitly configured for extended access.
Extended access could be enabled by modifying the app’s authenticationBehaviors settings (specifically setting blockAzureADGraphAccess to false), allowing usage until June 30, 2025.
After June 30, 2025, Azure AD Graph API access ended entirely.
You can read the blog in its entirety here: Act Now: Tackling and Surviving Microsoft’s Azure AD Graph API Retirement
Louis Mastelinck, a Security Consultant at Proximus NXT and a Microsoft Security MVP, wrote the second most popular blog of 2025. Louis explains how Conditional Access (CA) can strengthen security for workload identities. Workload identities are non-human identities, such as service principals, used by apps and automation in Microsoft Entra ID. These identities often hold persistent permissions and are frequently overlooked, which makes them attractive targets for attackers.
With the Workload Identities Premium license, organizations can apply Conditional Access policies to workload identities, similar to user accounts. The blog outlines how to enable service principal sign-in logs, analyze access patterns, and determine whether restrictions, such as IP-based access using named locations, can be safely enforced.
The key takeaway is that by gaining visibility into workload identity activity and applying Conditional Access where feasible, organizations can reduce risk, limit unauthorized access, and significantly improve their overall security posture without disrupting critical services.
Read the full blog here: Enhancing Security with Conditional Access for Workload Identities.
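The post describes enabling service principal sign-in logs, analysing where each workload identity actually signs in from, and only then deciding whether an IP-based Conditional Access restriction using named locations can be enforced without breaking anything. The script below is an added example of that analysis step; it is not code from the original post or from ENow. It works on a constructed sample of sign-in events (a simplified subset of the fields the Entra ID service principal sign-in log exposes: servicePrincipalId, servicePrincipalName, ipAddress, createdDateTime) and on constructed named-location CIDR ranges, and reports per principal whether a location-restricted policy would have blocked any observed sign-in.

```python
"""Added example (not from the original post or ENow's tooling): check
observed service principal sign-ins against candidate named locations before
enforcing an IP-based Conditional Access policy on workload identities.

Assumptions: sign-in records are a constructed, simplified subset of the
Entra ID service principal sign-in log fields; the named locations are
constructed CIDR ranges standing in for a tenant's real named locations.
"""
import ipaddress
from collections import defaultdict

# Constructed sample of service principal sign-in events (not real tenant data).
SAMPLE_SIGNINS = [
    {"servicePrincipalId": "sp-backup", "servicePrincipalName": "backup-job",
     "ipAddress": "203.0.113.10", "createdDateTime": "2025-11-01T02:00:00Z"},
    {"servicePrincipalId": "sp-backup", "servicePrincipalName": "backup-job",
     "ipAddress": "203.0.113.11", "createdDateTime": "2025-11-02T02:00:00Z"},
    {"servicePrincipalId": "sp-ci", "servicePrincipalName": "ci-runner",
     "ipAddress": "198.51.100.5", "createdDateTime": "2025-11-01T09:30:00Z"},
    {"servicePrincipalId": "sp-ci", "servicePrincipalName": "ci-runner",
     "ipAddress": "192.0.2.77", "createdDateTime": "2025-11-03T09:30:00Z"},
]

# Constructed named locations (hypothetical corporate egress ranges).
NAMED_LOCATIONS = {
    "Datacenter egress": ["203.0.113.0/24"],
    "CI runners": ["198.51.100.0/24"],
}


def source_ips_by_principal(signins):
    """Group the distinct source IPs seen for each service principal."""
    ips = defaultdict(set)
    for event in signins:
        ips[event["servicePrincipalId"]].add(event["ipAddress"])
    return ips


def matching_locations(ip, named_locations):
    """Return the names of every named location whose ranges contain `ip`."""
    addr = ipaddress.ip_address(ip)
    return [name for name, cidrs in named_locations.items()
            if any(addr in ipaddress.ip_network(cidr) for cidr in cidrs)]


def assess_policy_impact(signins, named_locations):
    """For each principal, decide whether a policy that only allows sign-ins
    from the named locations could be enforced without blocking activity that
    has already been observed. Any uncovered IP means: investigate first."""
    report = {}
    for sp_id, ips in source_ips_by_principal(signins).items():
        covered = sorted(ip for ip in ips if matching_locations(ip, named_locations))
        uncovered = sorted(ip for ip in ips if ip not in covered)
        report[sp_id] = {
            "safe_to_enforce": not uncovered,
            "covered_ips": covered,
            "uncovered_ips": uncovered,
        }
    return report


if __name__ == "__main__":
    for sp_id, result in assess_policy_impact(SAMPLE_SIGNINS, NAMED_LOCATIONS).items():
        verdict = "ENFORCE" if result["safe_to_enforce"] else "REVIEW FIRST"
        print(f"{sp_id}: {verdict} covered={result['covered_ips']} "
              f"uncovered={result['uncovered_ips']}")
```

In the constructed data the backup job only ever signs in from the datacenter range, so restricting it to that named location is safe, while the CI runner has one sign-in from an address outside every candidate location; that is exactly the case to investigate (a legitimate new runner, or something that should not be using the credential) before the policy moves from report-only to enforced.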
In this article, Louis Mastelinck explains how unused or stale app registrations and enterprise applications can accumulate in a Microsoft Entra ID tenant over time, increasing security risk and complexity. Before removing any apps, it’s important to review key characteristics such as ownership, redirect URIs, credentials (like secrets or certificates), and sign-in activity to avoid accidentally breaking business processes.
The post also highlights that tools like ENow’s App Governance Accelerator can help automate the discovery of ownerless, risky, or unused applications, making cleanup safer and more efficient.
Get the checklist outlining each step and the confidence level you can have when deciding to delete an app by reading the full blog: Removing Stale App Registrations and Enterprise Applications from Your Tenant
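The review characteristics the post lists (ownership, redirect URIs, credentials, sign-in activity) lend themselves to a repeatable triage. The script below is an added example, not code from the original post or from ENow's App Governance Accelerator, that scores constructed app registration records against those characteristics and assigns a deletion confidence level. The record shape is a simplified, hypothetical subset of a Microsoft Graph application object (owners, web.redirectUris, passwordCredentials and keyCredentials with endDateTime) plus a lastSignIn field that in practice would be joined in from the sign-in logs; the 90-day inactivity threshold is a hypothetical policy value.

```python
"""Added example (not from the original post or ENow's tooling): triage app
registrations on ownership, redirect URIs, credentials and sign-in activity,
and assign a confidence level for deleting each one.

Assumptions: records are a constructed, simplified shape loosely modelled on
Microsoft Graph application objects plus a lastSignIn field; INACTIVITY_DAYS
is a hypothetical policy threshold.
"""
from datetime import datetime, timedelta, timezone

INACTIVITY_DAYS = 90  # hypothetical policy threshold

# Constructed sample app registrations (not real tenant data).
SAMPLE_APPS = [
    {"displayName": "legacy-reporting", "owners": [],
     "web": {"redirectUris": ["http://localhost:3000/callback"]},
     "passwordCredentials": [{"endDateTime": "2024-01-15T00:00:00Z"}],
     "keyCredentials": [], "lastSignIn": None},
    {"displayName": "payroll-sync", "owners": ["alice@example.test"],
     "web": {"redirectUris": ["https://payroll.example.test/auth"]},
     "passwordCredentials": [{"endDateTime": "2026-06-01T00:00:00Z"}],
     "keyCredentials": [], "lastSignIn": "2025-12-20T08:00:00Z"},
    {"displayName": "old-poc", "owners": ["bob@example.test"],
     "web": {"redirectUris": []},
     "passwordCredentials": [], "keyCredentials": [],
     "lastSignIn": "2025-03-01T08:00:00Z"},
]


def _parse(ts):
    """Parse an ISO-8601 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def review_app(app, now):
    """Return the findings for one app and a deletion confidence level."""
    findings = []
    if not app.get("owners"):
        findings.append("no owner")
    for uri in app.get("web", {}).get("redirectUris", []):
        if uri.startswith("http://") or "localhost" in uri:
            findings.append(f"insecure redirect URI: {uri}")
    creds = app.get("passwordCredentials", []) + app.get("keyCredentials", [])
    valid = [c for c in creds if _parse(c["endDateTime"]) > now]
    if creds and not valid:
        findings.append("all credentials expired")
    elif not creds:
        findings.append("no credentials")
    last = app.get("lastSignIn")
    if last is None:
        findings.append("no sign-in activity on record")
    elif now - _parse(last) > timedelta(days=INACTIVITY_DAYS):
        findings.append(f"no sign-in in {INACTIVITY_DAYS}+ days")

    # Confidence to delete: high when nothing can still authenticate and nothing
    # has signed in recently; medium when inactive but a credential is still
    # valid (someone may still be holding it); low when the app is in use.
    inactive = any(f.startswith("no sign-in") for f in findings)
    if inactive and not valid:
        confidence = "high"
    elif inactive:
        confidence = "medium"
    else:
        confidence = "low"
    return {"displayName": app["displayName"], "findings": findings,
            "confidence": confidence}


def triage(apps, now_iso=None):
    """Review every app as of `now_iso` (defaults to the current UTC time)."""
    now = _parse(now_iso) if now_iso else datetime.now(timezone.utc)
    return [review_app(app, now) for app in apps]


if __name__ == "__main__":
    for result in triage(SAMPLE_APPS):
        print(f"{result['displayName']}: delete confidence={result['confidence']} "
              f"findings={result['findings']}")
```

The point of the confidence level is the one the post makes: an ownerless app with expired credentials and no recorded sign-ins is a safe delete, whereas an inactive app that still has a valid secret deserves a conversation (and a credential revocation) before it is removed, and an app that signed in last month stays until someone can explain why it should go.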
The next top blog was written by Sander Berkouwer, an Active Directory aficionado and Microsoft MVP in the Netherlands. On June 17, 2025, Microsoft announced a major security change (Message ID MC1097272) that updated default app consent settings in Microsoft Entra ID as part of its Secure Future Initiative.
Starting mid-July 2025 through August 2025, the default switched so that non-privileged users could no longer grant consent to third-party applications accessing their files and sites. Instead, by default, users must request that administrators approve consent on their behalf, and Microsoft-managed app consent policies are enabled.
Read the full blog here: Microsoft Disables User Consent By Default, Are You Ready For MC1097272?
The fifth most popular AppGov blog was also written by Matthew Levy, a Security MVP and Solutions Architect at Threatscape. The blog explains how to safely clean up applications in Microsoft Entra ID without disrupting business operations. It warns against the risky “scream test”: deleting or disabling apps indiscriminately and waiting to see whether anyone notices. With limited logs and incomplete data, that approach can cause accidental outages or the loss of critical services.
Instead, the article emphasizes using reliable data and tooling rather than guesswork to guide cleanup, so that admins reduce risk while keeping services operational.
Check out the full blog here: Microsoft Entra ID App Governance: How to Clean Up Apps Without the Chaos
In this webinar, Nicolas Blank and Alistair Pugin shared how to identify and mitigate threats with real-world examples, and practical strategies such as enforcing least privilege, hardening service principals, and strengthening Conditional Access.
Watch the full recording here: Privilege Escalation in Microsoft Entra ID: Risks, Exploits, and Solutions.
This session focused on the unique risks associated with workload identities, including their susceptibility to credential misuse and excessive permissions. Alistair Pugin and Nicolas Blank explored the parallels between securing workload identities and interactive user accounts, emphasizing the importance of applying consistent security measures across both.
Through practical demonstrations and actionable guidance, viewers will discover how to:
Watch On-Demand here: Protecting Workload Identities: Mitigating Risks in Microsoft Entra ID.
This session dug into the vulnerabilities associated with misconfigurations, such as assigning non-administrative accounts as application owners and granting unconstrained permissions like Mail.ReadWrite or Mail.Send.
Participants explored real-world examples, including the Midnight Blizzard attack, which exploited a compromised OAuth application to infiltrate Microsoft’s tenant. Viewers learned about actionable strategies to mitigate these threats and vulnerabilities.
Watch the full webinar here: Securing Microsoft Entra ID Applications: Addressing the Threat of Misconfigured Permissions.
We’ve enjoyed sharing this content with you, and we look forward to sharing more in 2026! To receive more content like this and hear about our latest updates, be sure to sign up at https://www.appgovscore.com/blog.
If you have a question about Entra ID application governance and security, join our community of tech leaders, experts, and peers on our AppGov Community Forum.
Join the hundreds of organizations that got a head start on App Governance in 2025 by using AppGov Score!
Measure what matters in Entra ID app governance.
Get a clear risk score, uncover your highest-impact gaps, and take action using real-world Microsoft governance standards.
Here's to better app governance for all and a wonderful 2026!