Entra ID application governance is no longer optional. As ENow CEO Jay Gundotra shared on the Entra.Chat podcast with Merill Fernando and Sander Berkouwer, today's admins face an expanding landscape of non-human identities, applications, and service principals that demands structured governance. Want to watch the podcast episode? Scroll down to the bottom of this post, or head over to Merill's Entra.Chat page: The Hidden Risks of Non-Human Identities in Your Tenant
At its core, application governance means visibility, control, and lifecycle management for every application integrated with your Entra tenant, whether Microsoft-native, third-party SaaS, or custom internal. Without visibility and clear consent policies, even well-intentioned Entra ID applications can open the door to privilege escalation and OAuth-based compromise.
As Sander and Jay often say, “If you’re trying to mop the floor, you must turn off the faucet first.” That’s what Entra ID application governance does; it helps you turn off the faucet.
The shift from on-premises to cloud apps has expanded the attack surface for every Microsoft 365 customer. Gundotra and Berkouwer highlighted a wave of OAuth app abuse in Microsoft 365, including incidents such as Midnight Blizzard's attack on Microsoft and the Commvault breach, where attackers exploited over-permissioned applications, or applications left behind in forgotten test tenants, to gain access.
Even seemingly harmless permissions can expose sensitive data if they are not scoped to what the app actually needs. That is why least privilege and consent scoping must be baked into every Entra ID application onboarding process.
Key takeaway: if your admins or vendors hold Directory.ReadWrite.All, Mail.ReadWrite, or other broad permissions without a documented justification, a single leaked client secret or certificate for that app gives an attacker the whole directory or every mailbox, and your Entra tenant is vulnerable.
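As an added example (not code from the post, the podcast, or ENow), the Microsoft Graph PowerShell script below inventories the application permissions (app roles) every service principal holds on the Microsoft Graph resource, flags the broad ones named above, and reports whether each flagged app has any owner at all. It assumes the Microsoft.Graph SDK modules are installed and that you can consent to the read-only Application.Read.All and Directory.Read.All scopes; the list of permissions treated as "broad" is a starting point of my own, not a list from the post.

```powershell
# Added example, not from the ENow post. Inventory app-only (application)
# permissions granted on Microsoft Graph and flag the broad ones.
# Assumes: Microsoft.Graph SDK installed; consent to the two read scopes below.
Connect-MgGraph -Scopes "Application.Read.All", "Directory.Read.All" -NoWelcome

# Assumed starting list of permissions that deserve a written justification.
# Directory.ReadWrite.All and Mail.ReadWrite are the two the post calls out.
$broad = @(
    "Directory.ReadWrite.All", "Mail.ReadWrite", "Mail.Read", "Mail.Send",
    "RoleManagement.ReadWrite.Directory", "AppRoleAssignment.ReadWrite.All",
    "Application.ReadWrite.All", "Sites.ReadWrite.All", "Files.ReadWrite.All"
)

# The Microsoft Graph service principal (well-known appId) defines the app roles;
# appRoleAssignments only carry the role GUID, so build a GUID -> name map first.
$graphSp  = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
$roleName = @{}
foreach ($r in $graphSp.AppRoles) { $roleName[$r.Id] = $r.Value }

$findings = foreach ($sp in Get-MgServicePrincipal -All -Property Id,DisplayName,AppId,AccountEnabled,ServicePrincipalType) {
    # appRoleAssignments = application permissions this SP has been granted.
    # These are used with the app's own credential, with no user and no MFA in the loop.
    $grants = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All |
        Where-Object { $_.ResourceId -eq $graphSp.Id }
    $perms  = foreach ($g in $grants) { $roleName[$g.AppRoleId] }
    $risky  = $perms | Where-Object { $broad -contains $_ }
    if (-not $risky) { continue }

    # No owner means nobody can answer "why does this app need this?"
    $owners = Get-MgServicePrincipalOwner -ServicePrincipalId $sp.Id -All
    [pscustomobject]@{
        DisplayName = $sp.DisplayName
        AppId       = $sp.AppId
        Type        = $sp.ServicePrincipalType
        Enabled     = $sp.AccountEnabled
        BroadPerms  = ($risky -join ", ")
        OwnerCount  = @($owners).Count
    }
}

# Ownerless apps with broad rights go to the top of the review queue.
$findings | Sort-Object OwnerCount, DisplayName | Format-Table -AutoSize
$findings | Export-Csv -Path .\broad-app-permissions.csv -NoTypeInformation
```

The script makes one appRoleAssignment call and, for flagged apps, one owner call per service principal, so it is fine for a few thousand objects but slow for a very large tenant. It covers application permissions only; delegated grants that users consented to live in oauth2PermissionGrants and are reviewed separately under the consent policy discussion below.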
When asked how admins should manage service principals, Sander Berkouwer drew a parallel to Active Directory’s “service accounts gone wild” era.
Best practices for Entra ID service principal security:
Jay and Sander agreed that governance fails when ownership of the Entra ID application governance discipline is unclear. Identity teams, security, and collaboration admins often pass the “hot potato” because no single group owns the process.
To build a sustainable Entra ID application governance lifecycle:
ENow’s AppGov Score provides a lightweight application governance tool to get started; five low-privilege permissions deliver a full tenant-level score and actionable report.
Jay emphasized that policy and tooling must evolve together.
ENow’s App Governance Accelerator builds on the free AppGov Score by adding detailed usage analytics reporting, actionable recommendations, alerting, and workflow automation.
Still, Jay and Sander cautioned that no tool can replace policy. Without governance rules, the application sprawl problem simply returns.
With Microsoft introducing agents, Copilot extensions, and Power Platform connectors, organizations are creating more low-code apps than ever. Citizen developers now contribute to the Entra ID application landscape, often without security training.
This surge amplifies the need for clear Entra ID consent policy best practices, least-privilege design, and continuous service principal monitoring.
App governance is not about slowing innovation. It is about enabling innovation safely by managing identity sprawl before it becomes the next breach headline.
What is Entra ID application governance?
Entra ID application governance is the process of controlling, monitoring, and securing all Entra ID applications and service principals integrated with your Microsoft Entra tenant. It ensures Entra ID applications follow least-privilege principles, proper consent, and defined lifecycle management.
Why should I care about OAuth app abuse in Microsoft 365?
Attackers increasingly abuse poorly governed OAuth apps because an app that already holds consent, or that authenticates with its own client secret or certificate, obtains tokens without ever facing the user's password or an MFA prompt. These attacks can expose email, SharePoint, and Teams data.
How can AppGov Score help?
AppGov Score analyzes your Entra ID environment for risky apps, excessive permissions, and missing owners, producing a governance score and free assessment report.
What are some Entra ID consent policy best practices?
Disable default user consent, or restrict it to verified publishers and low-risk permissions (Microsoft has recently tightened the default tenant setting), define a formal Entra ID application approval workflow so users have a sanctioned path to request apps, review granted permissions at a regular cadence, and use least-privilege scopes.
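As an added example (not from the post or ENow), here is how those four practices look in the Microsoft Graph PowerShell SDK: read the current user consent setting, tighten it, enable the admin consent request workflow, and list the delegated grants users have already consented to on their own. It assumes you can consent to the policy scopes in the script and that $reviewerGroupId is replaced with the object id of a group of admins who will approve requests (the placeholder GUID is mine).

```powershell
# Added example, not from the ENow post. Harden user consent and stand up an
# admin consent request workflow. Assumes the Microsoft.Graph SDK is installed
# and the three scopes below can be consented to.
Connect-MgGraph -Scopes "Policy.ReadWrite.Authorization", "Policy.ReadWrite.ConsentRequest", "Directory.Read.All" -NoWelcome

# 1. Inspect the current default. The assigned permission grant policies decide what ordinary users may consent to:
#    ManagePermissionGrantsForSelf.microsoft-user-default-legacy : users may consent to any app (weak setting)
#    ManagePermissionGrantsForSelf.microsoft-user-default-low    : verified publishers, low-impact scopes only
#    (empty list)                                                 : user consent disabled, admins approve everything
$authz = Get-MgPolicyAuthorizationPolicy
"Current user consent policies: $($authz.DefaultUserRolePermissions.PermissionGrantPoliciesAssigned -join ', ')"

# 2. Tighten it. Keep exactly one of the two assignments below.
$newPolicies = @("ManagePermissionGrantsForSelf.microsoft-user-default-low")   # verified publisher, low risk
# $newPolicies = @()                                                           # disable user consent entirely
Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions @{
    PermissionGrantPoliciesAssigned = $newPolicies
}

# 3. Give users an approval path so the restriction does not push them to shadow IT.
#    Placeholder GUID: replace with the object id of your consent reviewers group.
$reviewerGroupId = "00000000-0000-0000-0000-000000000000"
Update-MgPolicyAdminConsentRequestPolicy -IsEnabled -NotifyReviewers -RemindersEnabled `
    -RequestDurationInDays 30 `
    -Reviewers @(@{ Query = "/groups/$reviewerGroupId/transitiveMembers"; QueryType = "MicrosoftGraph" })

# 4. Review what users consented to before the change. consentType 'Principal' means a single
#    user granted the app delegated access to their own data; 'AllPrincipals' is admin-wide consent.
$spName = @{}
Get-MgServicePrincipal -All -Property Id,DisplayName | ForEach-Object { $spName[$_.Id] = $_.DisplayName }
Get-MgOauth2PermissionGrant -All -Filter "consentType eq 'Principal'" |
    Select-Object @{ n = 'App';      e = { $spName[$_.ClientId] } },
                  @{ n = 'Resource'; e = { $spName[$_.ResourceId] } },
                  @{ n = 'UserId';   e = { $_.PrincipalId } },
                  Scope |
    Sort-Object App | Format-Table -AutoSize
```

Changing the authorization policy only affects future consent; grants already in place (step 4) stay valid until you remove them with Remove-MgOauth2PermissionGrant, which is why the review step belongs in the same change.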
How do I remove inactive enterprise applications safely?
Use sign-in and audit logs to confirm that an app really is unused, notify its owners, then disable the service principal first and only delete it after a quarantine period has passed with no complaints. ENow's automation engine helps prevent accidental outages and deletions during cleanup. We recently shared a couple of blogs about the downsides of the 'scream test' and better ways to identify and clean up stale apps.
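As an added example of that staged procedure (not ENow's automation and not code from the post), the script below finds enterprise apps with no sign-in activity in the last 90 days, exports them so owners can be notified, disables them with -WhatIf so you can review before executing, and leaves deletion as a separately gated step. It assumes both the Microsoft.Graph and Microsoft.Graph.Beta modules are installed, because the per-app service principal sign-in activity report is only exposed by the beta endpoint; the 90-day window and the 30-day quarantine are my own choices, and first-party Microsoft apps are skipped by their well-known owner tenant id.

```powershell
# Added example, not from the ENow post. Stale enterprise app cleanup in stages:
# report -> disable -> (later) delete. Assumes Microsoft.Graph and Microsoft.Graph.Beta
# are installed and the scopes below can be consented to.
Connect-MgGraph -Scopes "AuditLog.Read.All", "Application.ReadWrite.All", "Directory.Read.All" -NoWelcome

$lookbackDays   = 90                                   # assumed: "unused" threshold
$cutoff         = (Get-Date).AddDays(-$lookbackDays)
$microsoftTenant = "f8cdef31-a31e-4b4a-93e4-5f571e91255a"   # owner tenant of first-party Microsoft apps

# Last sign-in per appId from the beta report. This outlives the 30-day sign-in log retention,
# but an app that has NEVER signed in has no row here at all (it stays $null below).
$lastSeen = @{}
Get-MgBetaReportServicePrincipalSignInActivity -All | ForEach-Object {
    $lastSeen[$_.AppId] = $_.LastSignInActivity.LastSignInDateTime
}

$candidates = foreach ($sp in Get-MgServicePrincipal -All -Property Id,AppId,DisplayName,AccountEnabled,ServicePrincipalType,AppOwnerOrganizationId) {
    if ($sp.ServicePrincipalType -ne 'Application') { continue }          # skip managed identities and legacy objects
    if ($sp.AppOwnerOrganizationId -eq $microsoftTenant) { continue }      # never touch Microsoft first-party apps
    $seen = $lastSeen[$sp.AppId]
    if ($seen -and $seen -gt $cutoff) { continue }                         # used recently: keep
    $owners = Get-MgServicePrincipalOwner -ServicePrincipalId $sp.Id -All
    [pscustomobject]@{
        DisplayName = $sp.DisplayName
        Id          = $sp.Id
        AppId       = $sp.AppId
        Enabled     = $sp.AccountEnabled
        LastSignIn  = $seen
        OwnerCount  = @($owners).Count
    }
}

# Stage 1: report and notify. Nothing changes yet; owners get the list first.
$candidates | Export-Csv -Path .\stale-apps.csv -NoTypeInformation
$candidates | Format-Table DisplayName, LastSignIn, OwnerCount, Enabled -AutoSize

# Stage 2: disable, do not delete. A disabled service principal is revertible in seconds;
# tokens already issued keep working until they expire, so expect complaints to lag.
foreach ($c in $candidates | Where-Object Enabled) {
    Update-MgServicePrincipal -ServicePrincipalId $c.Id -AccountEnabled:$false -WhatIf   # drop -WhatIf to execute
}

# Stage 3: run only after the quarantine period (assumed 30 days) with no complaints.
# Re-read the CSV rather than trusting the variable from an earlier session.
# foreach ($c in Import-Csv .\stale-apps.csv) { Remove-MgServicePrincipal -ServicePrincipalId $c.Id }
```

Disabling rather than deleting is the whole point of the staged approach: deleting a service principal also drops its app role assignments and consent grants, which is painful to rebuild if the "unused" app turns out to run a quarterly job that the 90-day window never saw.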
You can watch the full interview here: