Managing application governance in Microsoft Entra ID has become increasingly difficult for organizations operating large Microsoft 365 environments. Administrators are expected to maintain visibility into thousands of enterprise applications, service principals, OAuth permissions, and Microsoft Graph access relationships, often without clear operational insight into how permissions are actually being used.
App Governance Accelerator 3.3 focuses on two key priorities:
Increased visibility into Microsoft Graph permissions and activity
Easier day-to-day governance administration
This release introduces expanded Microsoft Graph activity reporting, more flexible consent management controls, streamlined reporting experiences, and usability improvements designed to help administrators investigate and manage application risk more efficiently.
One of the most common challenges in Microsoft Entra ID application governance is determining whether applications actually use the Microsoft Graph permissions they request.
Over time, enterprise applications often accumulate additional permissions as new features are enabled, integrations expand, or vendors request broader access “just in case.” In many environments, administrators approve these requests to avoid disrupting business operations but rarely have visibility into whether those permissions are ever exercised.
App Governance Accelerator 3.3 introduces Graph Activity Least-Privilege Insights, providing visibility into Microsoft Graph API activity to help administrators identify the permissions granted to applications that are not being used.
This gives security and identity teams stronger operational insight into:
permissions that exist but are never exercised
applications with broader Graph access than operationally necessary
opportunities to reduce unnecessary Microsoft 365 data exposure
whether application permission sets align with actual usage patterns
For organizations working to enforce least-privilege access across Microsoft 365 environments, this helps move permission reviews beyond static consent inventories and into actual usage validation.
Instead of asking only, “What permissions has this app been granted?”, administrators can now evaluate, “Which permissions does this app truly require to operate?”
Enterprise applications and service principals used for automated user or group provisioning are often difficult to identify during governance reviews.
In many Microsoft Entra ID environments, administrators rely heavily on sign-in activity when evaluating whether applications are still active. However, provisioning-focused applications may continue performing operational tasks without generating traditional user sign-in patterns.
App Governance Accelerator 3.3 adds visibility into service principals with configured provisioning jobs, helping administrators more accurately identify applications that remain operationally active.
To support this capability, Professional and Enterprise Editions now require the Microsoft Graph permission: Synchronization.Read.All
ENow uses this permission to identify enterprise applications and service principals with provisioning jobs configured. The platform reads provisioning job metadata only, supporting governance reporting and operational visibility.
This helps administrators:
avoid incorrectly classifying provisioning applications as stale
improve accuracy during application lifecycle reviews
better understand operational dependencies tied to automated provisioning workflows
The new provisioning activity field will appear within sign-in activity reporting views.
App Governance Accelerator 3.3 introduces more flexibility around organization-wide consent requirements for Microsoft Graph permissions.
In previous releases, organizations were required to consent to all permissions associated with their licensed App Governance Accelerator edition. This included permissions tied to optional functionality, even when those capabilities were not actively used within the environment.
With App Governance Accelerator 3.3, administrators can now exempt selected Microsoft Graph permissions from organization-wide consent evaluation on a per-tenant basis. The first supported permission is Mail.Send, which is used by the App Governance Accelerator ServiceNow integration to allow the platform to send email notifications.
This change gives organizations more flexibility when deploying App Governance Accelerator by allowing administrators to:
exclude optional permissions from consent evaluations
align consent decisions to actual feature usage
reduce unnecessary consent requirements for unused integrations
stored at the tenant level
incorporated into Organization Consented calculations
visible as read-only within the Admin Console for auditability and operational transparency
Importantly, the Mail.Send permission does not impact reporting functionality within App Governance Accelerator.
Exempted permissions are:
For administrators managing strict governance or least-privilege requirements within Microsoft Entra ID, this helps simplify deployment decisions while maintaining visibility into approved permission exceptions.
Application governance investigations often involve navigating large datasets across multiple reporting views.
App Governance Accelerator 3.3 standardizes default report column sets across major reporting categories, including:
Unified App View
Activity
Application Registrations
Enterprise Applications
Global Tenant Settings
Hunting
Users and Privileges
removing unnecessary expand/collapse controls
streamlining Client Secrets reporting views
reducing interface clutter during investigations
Each report category now uses purpose-built default columns designed to surface the most operationally relevant information immediately.
The release also simplifies workflow query results by:
These changes help administrators spend less time adjusting reports and more time reviewing application governance data.
App Governance Accelerator 3.3 also introduces a modernized portal experience focused on improving readability and navigation consistency.
Updates include:
refreshed visual styling
improved workflow consistency
cleaner navigation experiences
simplified interface presentation
These usability improvements are designed to support faster investigations and reduce operational friction during routine governance tasks.
App Governance Accelerator 3.3 supports ENow’s focus on helping organizations improve operational visibility and governance across Microsoft environments.
This release delivers:
expanded visibility into Microsoft Graph permission usage
more flexible consent governance controls
simplified reporting and investigation workflows
improved administrative usability
For Microsoft 365 and Entra ID administrators responsible for application governance, App Governance Accelerator 3.3 helps improve oversight while making day-to-day governance operations easier to manage.
See how organizations are using App Governance Accelerator to reduce governance risks and operational disruptions that inhibit growth and AI adoption. Request a demo >>