AppGov Score Blog

App Governance Accelerator 3.3 Detects Unused Microsoft Graph Permissions and Simplifies Governance Workflows

May 19, 2026 ENow Software

Managing application governance in Microsoft Entra ID has become increasingly difficult for organizations operating large Microsoft 365 environments. Administrators are expected to maintain visibility into thousands of enterprise applications, service principals, OAuth permissions, and Microsoft Graph access relationships, often without clear operational insight into how permissions are actually being used.

App Governance Accelerator 3.3 focuses on two key priorities:

    • Increased visibility into Microsoft Graph permissions and activity

    • Easier day-to-day governance administration

This release introduces expanded Microsoft Graph activity reporting, more flexible consent management controls, streamlined reporting experiences, and usability improvements designed to help administrators investigate and manage application risk more efficiently.

Detect Unused Microsoft Graph Permissions – Professional, Enterprise Tiers

One of the most common challenges in Microsoft Entra ID application governance is determining whether applications actually use the Microsoft Graph permissions they request.

Over time, enterprise applications often accumulate additional permissions as new features are enabled, integrations expand, or vendors request broader access “just in case.” In many environments, administrators approve these requests to avoid disrupting business operations but rarely have visibility into whether those permissions are ever exercised.

App Governance Accelerator 3.3 introduces Graph Activity Least-Privilege Insights, providing visibility into Microsoft Graph API activity to help administrators identify the permissions granted to applications that are not being used.

This gives security and identity teams stronger operational insight into:

    • permissions that exist but are never exercised

    • applications with broader Graph access than operationally necessary

    • opportunities to reduce unnecessary Microsoft 365 data exposure

    • whether application permission sets align with actual usage patterns

For organizations working to enforce least-privilege access across Microsoft 365 environments, this helps move permission reviews beyond static consent inventories and into actual usage validation.

Instead of asking only, “What permissions has this app been granted?”, administrators can now evaluate, “Which permissions does this app truly require to operate?”
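To make the granted-versus-exercised comparison concrete, here is an added sketch (not ENow's code; the page does not describe how the product computes its insights). It assumes log rows shaped like Microsoft Graph activity log records (AppId, RequestMethod, RequestUri, ResponseStatusCode); the app names, the rule table and the sample rows are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumed, hand-written subset: request pattern -> application permissions that can
# authorize it, least privileged first. A real review needs the full Graph permissions reference.
RULES = [
    ("GET", re.compile(r"^/users(/[^/]+)?$"), ["User.Read.All", "Directory.Read.All"]),
    ("GET", re.compile(r"^/groups(/[^/]+)?(/members)?$"), ["Group.Read.All", "Directory.Read.All"]),
    ("GET", re.compile(r"^/users/[^/]+/messages(/[^/]+)?$"), ["Mail.Read", "Mail.ReadWrite"]),
    ("POST", re.compile(r"^/users/[^/]+/sendMail$"), ["Mail.Send"]),
]

# Constructed sample data: hypothetical app ids and their granted application permissions.
GRANTED = {
    "app-hr-sync": {"User.Read.All", "Directory.Read.All", "Mail.Send"},
    "app-reporting": {"Group.Read.All", "Mail.Read"},
}
G = "https://graph.microsoft.com"
LOG = [  # constructed rows: (AppId, RequestMethod, RequestUri, ResponseStatusCode)
    ("app-hr-sync", "GET", G + "/v1.0/users?$top=999", 200),
    ("app-hr-sync", "GET", G + "/v1.0/users/u1/", 200),
    ("app-reporting", "GET", G + "/v1.0/groups/g1/members", 200),
    ("app-reporting", "GET", G + "/beta/reports/getOffice365ActiveUserDetail(period='D7')", 200),
    ("app-reporting", "GET", G + "/v1.0/users/u1/messages", 403),
]

def normalize(uri):
    """Drop host, API version, query string and trailing slash."""
    return re.sub(r"^/(v1\.0|beta)", "", urlsplit(uri).path).rstrip("/") or "/"

def review(granted, log_rows):
    """Return {app: {"used": set, "unused": set, "unmapped": list}}."""
    report = {app: {"used": set(), "unused": set(), "unmapped": []} for app in granted}
    for app, method, uri, status in log_rows:
        if app not in report or not 200 <= status < 300:
            continue  # unknown app, or a call that did not succeed
        path = normalize(uri)
        candidates = next((perms for m, pattern, perms in RULES
                           if m == method and pattern.match(path)), [])
        # Attribute the call to the least-privileged permission the app actually holds.
        hit = next((p for p in candidates if p in granted[app]), None)
        if hit:
            report[app]["used"].add(hit)
        else:  # no rule explains this call: the "unused" set cannot be trusted yet
            report[app]["unmapped"].append(f"{method} {path}")
    for app, entry in report.items():
        entry["unused"] = granted[app] - entry["used"]
    return report
```

A permission in `unused` is a removal candidate only when `unmapped` is empty for that app and the log window covers the app's full operating cycle, including infrequent jobs.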

Improved Visibility into Provisioning-Based Application Activity – Professional, Enterprise Tiers

Enterprise applications and service principals used for automated user or group provisioning are often difficult to identify during governance reviews.

In many Microsoft Entra ID environments, administrators rely heavily on sign-in activity when evaluating whether applications are still active. However, provisioning-focused applications may continue performing operational tasks without generating traditional user sign-in patterns.

App Governance Accelerator 3.3 adds visibility into service principals with configured provisioning jobs, helping administrators more accurately identify applications that remain operationally active.

To support this capability, Professional and Enterprise Editions now require the Microsoft Graph permission: Synchronization.Read.All

ENow uses this permission to identify enterprise applications and service principals with provisioning jobs configured. The platform reads provisioning job metadata only, supporting governance reporting and operational visibility.

This helps administrators:

    • avoid incorrectly classifying provisioning applications as stale

    • improve accuracy during application lifecycle reviews

    • better understand operational dependencies tied to automated provisioning workflows

The new provisioning activity field will appear within sign-in activity reporting views.

More Flexible Microsoft Graph Consent Governance – Professional, Enterprise Tiers

App Governance Accelerator 3.3 introduces more flexibility around organization-wide consent requirements for Microsoft Graph permissions.

In previous releases, organizations were required to consent to all permissions associated with their licensed App Governance Accelerator edition. This included permissions tied to optional functionality, even when those capabilities were not actively used within the environment.

With App Governance Accelerator 3.3, administrators can now exempt selected Microsoft Graph permissions from organization-wide consent evaluation on a per-tenant basis. The first supported permission is Mail.Send, which is used by the App Governance Accelerator ServiceNow integration to allow the platform to send email notifications.

This change gives organizations more flexibility when deploying App Governance Accelerator by allowing administrators to:

  • exclude optional permissions from consent evaluations

  • align consent decisions to actual feature usage

  • reduce unnecessary consent requirements for unused integrations

Importantly, the Mail.Send permission does not impact reporting functionality within App Governance Accelerator.

Exempted permissions are:

  • stored at the tenant level

  • incorporated into Organization Consented calculations

  • visible as read-only within the Admin Console for auditability and operational transparency

For administrators managing strict governance or least-privilege requirements within Microsoft Entra ID, this helps simplify deployment decisions while maintaining visibility into approved permission exceptions.

Streamlined Reporting and Investigation Workflows – All Tiers

Application governance investigations often involve navigating large datasets across multiple reporting views.

App Governance Accelerator 3.3 standardizes default report column sets across major reporting categories, including:

  • Unified App View

  • Activity

  • Application Registrations

  • Enterprise Applications

  • Global Tenant Settings

  • Hunting

  • Users and Privileges

Each report category now uses purpose-built default columns designed to surface the most operationally relevant information immediately.

The release also simplifies workflow query results by:

  • removing unnecessary expand/collapse controls

  • streamlining Client Secrets reporting views

  • reducing interface clutter during investigations

These changes help administrators spend less time adjusting reports and more time reviewing application governance data.

Updated Administrative Experience – All Tiers

App Governance Accelerator 3.3 also introduces a modernized portal experience focused on improving readability and navigation consistency.

Updates include:

    • refreshed visual styling

    • improved workflow consistency

    • cleaner navigation experiences

    • simplified interface presentation

These usability improvements are designed to support faster investigations and reduce operational friction during routine governance tasks.

Governance Visibility and Operational Simplicity for Microsoft Environments

App Governance Accelerator 3.3 supports ENow’s focus on helping organizations improve operational visibility and governance across Microsoft environments.

This release delivers:

    • expanded visibility into Microsoft Graph permission usage

    • more flexible consent governance controls

    • simplified reporting and investigation workflows

    • improved administrative usability

For Microsoft 365 and Entra ID administrators responsible for application governance, App Governance Accelerator 3.3 helps improve oversight while making day-to-day governance operations easier to manage.

Written by ENow Software

ENow protects and optimizes Microsoft 365, Copilot, and Entra ID, giving modern IT leaders clarity and simplicity to manage complex environments. From proactive monitoring to license optimization, adoption, and identity governance, ENow enables IT teams to manage, scale, and secure their Microsoft environment with confidence; all in one place, without the chaos.