AppGov Score Blog


Entra ID Application Governance: Non-Human Identity Lessons from EntraChat

October 17, 2025 ENow Software

Entra ID application governance lessons from Entra.Chat

Understanding Entra ID Application Governance 

Entra ID application governance is no longer optional. As ENow CEO Jay Gundotra shared on Microsoft’s Entra.Chat podcast with Merill Fernando and Sander Berkouwer, today’s admins face an expanding landscape of non-human identities, applications, and service principals that demand structured governance. Want to watch the podcast episode? Scroll down to the bottom of this post, or head over to Merill's Entra.Chat page: The Hidden Risks of Non-Human Identities in Your Tenant

At its core, application governance means visibility, control, and lifecycle management for every application integrated with Entra ID in your Entra tenant: Microsoft-native, third-party SaaS, or custom internal apps. Without visibility and clear consent policies, even well-intentioned Entra ID applications can open the door to privilege escalation and OAuth-based compromise. 

As Sander and Jay often say, “If you’re trying to mop the floor, you must turn off the faucet first.” That’s what Entra ID application governance does; it helps you turn off the faucet. 

Why App Governance in Entra ID Matters More Than Ever 

The shift from on-premises to cloud apps has expanded the attack surface for every Microsoft 365 customer. Gundotra and Berkouwer highlighted a wave of OAuth app abuse in Microsoft 365, including incidents like threat actor Midnight Blizzard’s attack on Microsoft and the Commvault breach, where attackers exploited over-permissioned or test-tenant applications to gain access. 

Even seemingly harmless permissions can expose sensitive data if not appropriately scoped. That’s why least privilege and consent scoping must be baked into every Entra ID application onboarding process. 

Key takeaway: If your admins or vendors use Directory.ReadWrite.All, Mail.ReadWrite, or other broad application permissions without justification, your Entra tenant is vulnerable. 

Service Principal Security Best Practices 

When asked how admins should manage service principals, Sander Berkouwer drew a parallel to Active Directory’s “service accounts gone wild” era. 

Best practices for Entra ID service principal security: 

  1. Replace passwords with certificates or workload identities. 
    Never reuse legacy “service accounts” with static passwords. 
  2. Apply least privilege to Entra ID application permissions. 
    Limit API access to the specific mailbox, SharePoint site, or Teams group the application actually needs. 
  3. Use PowerShell to scope precisely. 
    Some security boundaries cannot be enforced in the Entra admin center; you might have to script them. 
  4. Audit usage regularly. 
    Look for inactive Entra ID applications or stale service principals that still hold global permissions. 
  5. Offboard safely. 
    Implement a notification period before removal to prevent business disruption. 
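The audit and scoping steps above, as an added PowerShell example (not code from the Entra.Chat episode or from ENow's tooling). It inventories service principals that still carry password secrets or hold the broad Graph app roles called out earlier, then scopes one mail app to a single mailbox group with an Exchange Online application access policy, which is one of the boundaries the admin center cannot set. It assumes the Microsoft.Graph and ExchangeOnlineManagement modules; $MailAppId, $MailboxGroupId and the test mailbox are placeholders.

```powershell
# Added example: service principal credential/permission audit plus mailbox scoping.
# Requires Microsoft.Graph and ExchangeOnlineManagement; ids below are placeholders.
Connect-MgGraph -Scopes 'Application.Read.All','Directory.Read.All' -NoWelcome

# Broad application permissions that need a written justification (practice 2).
$BroadRoles = @('Directory.ReadWrite.All','Mail.ReadWrite','Mail.Read','Sites.ReadWrite.All')

# Resolve Graph app-role GUIDs to permission names once, not per principal.
$graphSp  = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
$roleName = @{}
foreach ($r in $graphSp.AppRoles) { $roleName[$r.Id] = $r.Value }

$findings = foreach ($sp in Get-MgServicePrincipal -All) {
  if ($sp.ServicePrincipalType -ne 'Application') { continue }   # skip managed identities, legacy
  # App roles granted to this principal on Microsoft Graph, translated to scope names.
  $granted = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All |
    Where-Object ResourceId -eq $graphSp.Id | ForEach-Object { $roleName[$_.AppRoleId] }
  $broad = $granted | Where-Object { $BroadRoles -contains $_ }
  [pscustomobject]@{
    App          = $sp.DisplayName
    AppId        = $sp.AppId
    Secrets      = $sp.PasswordCredentials.Count   # static secrets: practice 1 says replace these
    Certificates = $sp.KeyCredentials.Count
    BroadRoles   = ($broad -join ',')
  }
}
# Anything with a secret or a broad role is the review queue; the rest is quiet.
$findings | Where-Object { $_.Secrets -gt 0 -or $_.BroadRoles } |
  Sort-Object App | Format-Table -AutoSize

# Practice 3: a Mail.Read app should only reach the mailboxes it serves. Entra has no
# per-mailbox control for application permissions; Exchange application access policies do.
Connect-ExchangeOnline -ShowBanner:$false
$MailAppId      = '00000000-0000-0000-0000-000000000000'   # placeholder: the mail app's AppId
$MailboxGroupId = 'svc-mail-scope@example.com'             # placeholder: mail-enabled security group
New-ApplicationAccessPolicy -AppId $MailAppId -PolicyScopeGroupId $MailboxGroupId `
  -AccessRight RestrictAccess -Description 'Limit mail app to its service mailboxes'
# Verify: a mailbox outside the group must come back with AccessCheckResult = Denied.
Test-ApplicationAccessPolicy -Identity 'someone@example.com' -AppId $MailAppId
```

Run the audit on a read-only account first; the policy block changes tenant behaviour and should go through the same review the post recommends for any new permission.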

Lifecycle Management: Turning Off the Faucet 

Jay and Sander agreed that governance fails when ownership of the Entra ID application governance discipline is unclear. Identity teams, security, and collaboration admins often pass the “hot potato” because no single group owns the process. 

To build a sustainable Entra ID application governance lifecycle: 

  • Baseline the environment. Use a free AppGov Score assessment to identify Entra ID application and permission challenges. 
  • Set consent policies. Adopt Entra ID consent policy best practices by optimizing default user consent and routing new application requests through review. 
  • Establish a safe cleanup process. Use a systematic process or automation to contact owners, confirm inactivity, and remove unused Entra ID applications without risking outages. 
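The consent-policy and safe-cleanup steps above (and the same advice in the FAQ below), as an added PowerShell example that is not ENow's or Microsoft's reference code. It turns off unreviewed user consent, routes new app requests to named reviewers through the admin consent workflow, and offboards one inactive service principal in two stages, disabling sign-in first and deleting only after a notice period. It assumes the Microsoft.Graph module; the reviewer id, service principal id and notice period are placeholders.

```powershell
# Added example: consent policy hardening plus staged offboarding. Ids are placeholders.
Connect-MgGraph -Scopes 'Policy.ReadWrite.Authorization','Policy.ReadWrite.ConsentRequest','Application.ReadWrite.All' -NoWelcome

# Consent: an empty permission-grant-policy list means users cannot self-consent at all.
# Assign 'ManagePermissionGrantsForSelf.microsoft-user-default-low' instead if you want to
# keep verified-publisher, low-risk consent open and review everything else.
Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions @{ PermissionGrantPoliciesAssigned = @() }

# Review: blocked users can still request an app, and the reviewers get notified.
$ReviewerId = '00000000-0000-0000-0000-000000000000'   # placeholder: reviewer user object id
Update-MgPolicyAdminConsentRequestPolicy -IsEnabled -NotifyReviewers -RemindersEnabled `
  -RequestDurationInDays 30 `
  -Reviewers @(@{ Query = "/users/$ReviewerId"; QueryType = 'MicrosoftGraph' })

# Staged cleanup: stage 1 disables sign-in so an unknown consumer fails loudly but
# recoverably; stage 2 deletes once the notice period recorded in Notes has passed.
$StaleSpId  = '11111111-1111-1111-1111-111111111111'   # placeholder: service principal object id
$NoticeDays = 14
$sp = Get-MgServicePrincipal -ServicePrincipalId $StaleSpId
if ($sp.AccountEnabled) {
  $stamp = Get-Date -Format 'yyyy-MM-dd'
  Update-MgServicePrincipal -ServicePrincipalId $sp.Id -AccountEnabled:$false `
    -Notes "Disabled $stamp for inactivity; delete after $NoticeDays days unless an owner objects"
} elseif ($sp.Notes -match 'Disabled (\d{4}-\d{2}-\d{2})' -and
          ([datetime]$Matches[1]).AddDays($NoticeDays) -lt (Get-Date)) {
  # Soft delete: the object sits in deleted items and can be restored for 30 days.
  Remove-MgServicePrincipal -ServicePrincipalId $sp.Id
}
```

Confirm inactivity from sign-in logs and notify the owner before stage 1; the script only enforces the waiting period, it does not decide what is stale.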

ENow’s AppGov Score provides a lightweight application governance tool to get started; five low-privilege permissions deliver a full tenant-level score and actionable report. 

Education and Automation Go Hand-in-Hand 

Jay emphasized that policy and tooling must evolve together. 

ENow’s App Governance Accelerator builds on the free AppGov Score by adding detailed usage analytics reporting, actionable recommendations, alerting, and workflow automation. 

Still, Jay and Sander cautioned that no tool can replace policy. Without governance rules, the application sprawl problem simply returns. 

The Growing Urgency for Entra ID Application Governance 

With Microsoft introducing agents, Copilot extensions, and Power Platform connectors, organizations are creating more low-code apps than ever. Citizen developers now contribute to the Entra ID application landscape, often without security training. 

This surge amplifies the need for clear Entra ID consent policy best practices, least-privilege design, and continuous service principal monitoring. 

App governance is not about slowing innovation. It is about enabling innovation safely by managing identity sprawl before it becomes the next breach headline. 

Frequently Asked Questions about Entra ID Application Governance 

What is Entra ID application governance? 
Entra ID application governance is the process of controlling, monitoring, and securing all Entra ID applications and service principals integrated with your Microsoft Entra tenant. It ensures Entra ID applications follow least-privilege principles, proper consent, and defined lifecycle management. 

Why should I care about OAuth app abuse in Microsoft 365? 
Attackers increasingly exploit poorly governed OAuth apps to gain access without triggering MFA or password protections. These attacks can expose email, SharePoint, and Teams data. 

How can AppGov Score help? 
AppGov Score analyzes your Entra ID environment for risky apps, excessive permissions, and missing owners, producing a governance score and free assessment report. 

What are some Entra ID consent policy best practices? 
Disable default user consent (Microsoft recently helped by changing the default tenant setting), define a formal Entra ID application approval workflow, review permissions at a regular cadence, and use least-privilege scopes. 

How do I remove inactive enterprise applications safely? 
Use audit logs to confirm usage, notify owners, and deactivate in stages before deletion. ENow’s automation engine helps prevent accidental outages and deletion during cleanup. We recently shared a couple of blogs about the downsides of using the ‘scream test’ and better ways to identify and clean up stale apps.

You can watch the full interview here:
