AppGov Score Blog

Get Ahead of App Risk in Microsoft Entra ID: Lessons from the Frontlines

September 23, 2025 Alistair Pugin

Identity has become the battleground of choice for attackers. As organizations expand their use of cloud services and embrace SaaS applications, the risks associated with identity providers like Microsoft Entra ID (formerly Azure Active Directory) have escalated. In our supplemental webinar, part of the Preventive Maintenance webinar series, Jay and Al focused on proactive maintenance for Entra ID, covering application governance challenges, threats, best practices, and real-world lessons learned from securing enterprise environments.

This post distills the core themes and practical guidance outlined in our session, 'Get Ahead of App Risk in Microsoft Entra ID,' giving IT, identity, and security professionals an actionable blueprint for getting and staying ahead of app risk in Microsoft Entra ID.

Why App Governance in Entra ID Is Urgent

While digital transformation has supercharged productivity and connectivity, it has also created fertile ground for attackers seeking to exploit weak identity and application governance. Over the past five years, the IC3 (Internet Crime Complaint Center) has received an average of 836,000 complaints annually, with losses totaling billions of dollars. Many of these incidents originate in compromised identities, insecure application configurations, or abuse of OAuth app registrations, and these risks often go undetected until significant damage is done.

Figure 1: IC3 complaint statistics

OAuth Abuse and Modern Attack Chains

Recent breaches, including the high-profile Midnight Blizzard attack on Microsoft and, more recently, the Commvault incident, show how attackers exploit app governance gaps. Threat actors increasingly target Microsoft Entra ID using techniques such as:

  • Gaining initial access via VPN and compromised credentials.
  • Creating malicious OAuth applications or modifying existing ones.
  • Elevating privileges, deploying malware via privileged apps, and using non-expiring or over-permissioned secrets to persist in environments.
  • Leveraging app registrations to access sensitive mailboxes and data, with little or no oversight from defenders.
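The chain in the list above leaves a trail in the Entra ID audit log: an application or service principal is created, a credential is attached, and an app role or consent grant follows, usually by the same actor within minutes. The script below is an added example, not code from the original post or from ENow, showing how that sequence can be correlated. The records are constructed to follow the shape of Microsoft Graph `GET /auditLogs/directoryAudits` objects (activityDisplayName, initiatedBy, targetResources, result) with invented names and timestamps; the activity display names in the three sets and the 10-minute correlation window are assumptions, so confirm the names against your own tenant's audit log before depending on them.

```python
"""Correlate the create -> add credential -> grant privilege chain in
Entra ID audit log records. Added example; the events are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed activity display names for each stage of the chain.
CREATION_ACTIVITIES = {"Add application", "Add service principal"}
CREDENTIAL_ACTIVITIES = {
    "Update application – Certificates and secrets management",
    "Add service principal credentials",
}
PRIVILEGE_ACTIVITIES = {
    "Add app role assignment to service principal",
    "Consent to application",
}
STAGE_OF = {}
for _stage, _names in (("create", CREATION_ACTIVITIES),
                       ("credential", CREDENTIAL_ACTIVITIES),
                       ("privilege", PRIVILEGE_ACTIVITIES)):
    STAGE_OF.update({n: _stage for n in _names})


def _event(ts, activity, actor, target, kind):
    """Build one constructed directoryAudits-shaped record."""
    return {
        "activityDateTime": ts,
        "activityDisplayName": activity,
        "initiatedBy": {"user": {"userPrincipalName": actor}},
        "targetResources": [{"displayName": target, "type": kind}],
        "result": "success",
    }


# Constructed sample: a routine secret rotation by an admin, then one actor
# who registers an app, attaches a credential and grants it an app role
# within four minutes.
SAMPLE_EVENTS = [
    _event("2025-09-01T08:00:00Z", "Update application – Certificates and secrets management",
           "ops.admin@contoso.example", "Payroll Sync", "Application"),
    _event("2025-09-01T13:02:00Z", "Add application",
           "j.doe@contoso.example", "Mail Helper", "Application"),
    _event("2025-09-01T13:03:30Z", "Add service principal credentials",
           "j.doe@contoso.example", "Mail Helper", "ServicePrincipal"),
    _event("2025-09-01T13:05:10Z", "Add app role assignment to service principal",
           "j.doe@contoso.example", "Mail Helper", "ServicePrincipal"),
]


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def _actor(event):
    # initiatedBy carries either a user or an app (service principal).
    by = event.get("initiatedBy") or {}
    user, app = by.get("user") or {}, by.get("app") or {}
    return user.get("userPrincipalName") or app.get("displayName") or "unknown"


def _target(event):
    targets = event.get("targetResources") or [{}]
    return targets[0].get("displayName", "unknown")


def find_app_abuse_chains(events, window_minutes=10):
    """Return one alert per (actor, app) pair in which at least two distinct
    stages of the chain occur within the window. A lone credential
    rotation, which is normal admin work, does not fire."""
    window = timedelta(minutes=window_minutes)
    by_key = defaultdict(list)
    for event in events:
        stage = STAGE_OF.get(event.get("activityDisplayName"))
        if stage is None or event.get("result") != "success":
            continue
        by_key[(_actor(event), _target(event))].append(
            (_parse(event["activityDateTime"]), stage))
    alerts = []
    for (actor, app), items in by_key.items():
        items.sort()
        for i, (start, _) in enumerate(items):
            burst = [it for it in items[i:] if it[0] - start <= window]
            stages = sorted({s for _, s in burst})
            if len(stages) >= 2:
                alerts.append({"actor": actor, "app": app, "stages": stages,
                               "first": burst[0][0].isoformat(),
                               "last": burst[-1][0].isoformat()})
                break
    return alerts


if __name__ == "__main__":
    for alert in find_app_abuse_chains(SAMPLE_EVENTS):
        print(alert)
```

Run against the sample, the admin's single rotation on Payroll Sync produces nothing, while j.doe's three-stage burst on Mail Helper produces one alert. The same logic applies to records pulled from Graph or exported to a SIEM; keying on the target display name is a simplification, and a production rule should key on the application or service principal object ID instead, since display names are not unique.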

Figure 2: OAuth abuse example

Common App Governance Challenges
Entra ID Is Not “Secure by Default”

Many organizations assume Microsoft's default settings provide strong security. In practice, Entra ID requires deliberate configuration and ongoing governance to mitigate risk: by default, for example, any member user can register applications in the tenant. Default policies often leave doors open for excessive permissions, weak credentials, and unchecked app sprawl.

SaaS and Citizen Development are Expanding the Attack Surface

The popularity of SaaS applications and the rise of “citizen developers” within business units mean apps can proliferate with little central oversight. This leads to:

  • Rapid growth in app registrations.
  • Orphaned or ownerless applications that are left unmonitored.
  • Apps with long-lived, high-privilege secrets.
  • Data outflows that may not be visible to security teams.

Lack of Formal Off-Boarding and Lifecycle Management

Vendors often do not remove their app registrations after their product is uninstalled, and deleting a web app or App Service plan does not delete the application registration associated with it. Many organizations lack strong off-boarding processes, resulting in abandoned apps that can be hijacked by attackers. Orphaned apps, expired secrets, and misconfigured permissions compound the exposure.

Manual and Reactive Processes

Without centralized, automated tools, security and identity teams are stuck in reactive mode. App risk identification, remediation, and compliance remain manual and error-prone, often relying on spreadsheets instead of actionable dashboards.

The Real-World Impact: What Keeps Engineers Up at Night

The day-to-day pain points for identity, security, and IT operations teams include:

  • Lack of central visibility into app permissions, usage, and risk levels.
  • Undefined app ownership leading to unclear stewardship and gaps in accountability.
  • No ongoing risk scoring to flag high-risk or misconfigured apps.
  • Inefficient manual processes and difficult root cause analyses during incidents.
  • Frequent productivity and security impacts from expired secrets, non-expiring permissions, and shadow IT.

Figure 3: Application sprawl

The result is a minefield in which attackers can exploit the smallest misconfiguration for outsized gains.

Case Study: Lessons from the Field

A tangible example comes from Liberty Group Ltd, part of Standard Bank Group. Before implementing formal app governance using ENow’s AppGov Score and Accelerator tools, Liberty faced:

  • Over 774 enterprise apps, with more than 70% ownerless.
  • Frequent service outages triggered by expired app secrets.
  • An app governance maturity score of just 47%.
  • 1-2 years of projected manual work to remediate.

After deploying App Governance Accelerator, Liberty:

  • Reduced orphaned/ownerless apps to 14%, with the number still shrinking.
  • Proactively managed secrets and expired credentials via alerting.
  • Increased their app governance score to 70% and rising.
  • Cut manual effort down to six months, with minimal business disruption since implementation.

Figure 4: AppGov statistics

This transformation did not happen by accident. It required top-down commitment, focused cleanup, and a shift in workload from identity teams to distributed app owners.

The Path Forward: Closing Gaps and Empowering Teams

ENow AppGov Score: Proactive App Risk Evaluation

AppGov Score provides a free, actionable tool to give organizations an at-a-glance risk score of their Entra ID environment. It spotlights the scope of apps with:

  • High-risk application registrations and excessive permissions.
  • Vulnerable tenant settings.
  • Ownerless or orphaned apps in need of remediation.
  • Expired or non-expiring secrets that require urgent attention.

Organizations leveraging this approach can prioritize “quick wins” to shore up security before investing in more advanced features.

App Governance Accelerator 3.0 in Action

For organizations needing ongoing, automated governance, App Governance Accelerator 3.0 introduces a suite of capabilities:

  • Continuous app monitoring with automated risk scoring.
  • Automated remediation workflows for common findings.
  • Automated feedback campaigns and notifications for app owners.
  • Shifting the governance workload from central identity teams to distributed app owners, enabling scalability.

The result is a sustainable, continuous approach to minimizing app risk and ensuring compliance.

Best Practices for Strong App Governance

Proactive app governance in Microsoft Entra ID is a journey, not a one-and-done project. Based on lessons from over 1,000 assessed environments, here are proven best practices:

  1. Establish and Enforce Policies & Standards
    • Create clear app registration, permission, and ownership policies.
    • Require periodic access reviews and prompt removal of unnecessary or unused apps.
  2. Automate Remediation and Monitoring
    • Leverage tools that offer risk scoring, automated notifications, and actions.
    • Reduce manual, reactive processes wherever possible.
  3. Harden Application Security
    • Require least privilege by default for all application permissions.
    • Deploy conditional access policies and multi-factor authentication for app owners.
    • Regularly audit expiring and non-expiring secrets.
  4. Review and Manage Application Lifecycles
    • Set formal onboarding and off-boarding procedures, including app decommissioning protocols.
    • Track app ownership, ensuring every application has a responsible business or technical owner.
    • Periodically audit for orphaned or legacy apps and remove or reassign as needed.
  5. Continuous Assessment and Evaluation
    • Schedule recurring reviews of app governance maturity and tenant health.
    • Use standardized scoring (like AppGov Score) to track improvement over time.
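The findings that AppGov Score surfaces (ownerless apps, expired or non-expiring secrets, excessive permissions) and the audits called for in practices 3 and 4 above are all derivable from the application objects Entra ID already exposes. The script below is an added example, not code from the original post or from ENow's AppGov Score or Accelerator, that runs those checks over registrations shaped like the output of Microsoft Graph `GET /applications?$select=displayName,passwordCredentials,keyCredentials,requiredResourceAccess&$expand=owners`. Every record in it is constructed. The 730-day lifetime ceiling, the fixed "now" timestamp, and the two app-role IDs are assumptions; the IDs are quoted from memory, so populate the table from the `appRoles` of the Microsoft Graph service principal in your own tenant rather than trusting them as written.

```python
"""Audit Entra ID app registrations for ownerless apps, expired or
long-lived secrets and high-privilege application permissions.
Added example; all records are constructed."""
from datetime import datetime, timedelta, timezone

GRAPH_RESOURCE_APP_ID = "00000003-0000-0000-c000-000000000000"  # Microsoft Graph
# Application permissions (type "Role") treated as high-privilege.
# Assumed IDs: verify against the Graph service principal's appRoles.
HIGH_RISK_APP_ROLES = {
    "810c84a8-4a9e-49e6-bf7d-12d183f40d01": "Mail.Read",
    "19dbc75e-c2e2-444c-a770-ec69d8559fc7": "Directory.ReadWrite.All",
}
MAX_SECRET_LIFETIME = timedelta(days=730)          # assumed policy ceiling
NOW = datetime(2025, 9, 23, tzinfo=timezone.utc)   # fixed for reproducibility
CRED_KIND = {"passwordCredentials": "secret", "keyCredentials": "certificate"}


def _app(name, owners, secrets=(), roles=()):
    """Construct one Graph-shaped application record (owners expanded)."""
    return {
        "displayName": name,
        "owners": [{"id": f"u-{o}", "userPrincipalName": o} for o in owners],
        "passwordCredentials": [
            {"keyId": f"k-{i}", "startDateTime": s, "endDateTime": e}
            for i, (s, e) in enumerate(secrets)],
        "keyCredentials": [],
        "requiredResourceAccess": [{
            "resourceAppId": GRAPH_RESOURCE_APP_ID,
            "resourceAccess": [{"id": r, "type": "Role"} for r in roles]}],
    }


# Constructed sample: a well-kept app, an abandoned one with a dead secret,
# and an owned app carrying a 99-year secret plus an application permission
# to read every mailbox.
SAMPLE_APPS = [
    _app("Payroll Sync", ["finance.lead@contoso.example"],
         secrets=[("2025-03-01T00:00:00Z", "2026-03-01T00:00:00Z")]),
    _app("Legacy Reporting", [],
         secrets=[("2022-06-30T00:00:00Z", "2024-06-30T00:00:00Z")]),
    _app("Mail Helper", ["j.doe@contoso.example"],
         secrets=[("2020-01-01T00:00:00Z", "2119-01-01T00:00:00Z")],
         roles=["810c84a8-4a9e-49e6-bf7d-12d183f40d01"]),
]


def _parse(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def audit_application(app, now=NOW):
    """Return the list of governance findings for one app registration."""
    findings = []
    if not app.get("owners"):
        findings.append("ownerless")
    for field, kind in CRED_KIND.items():
        for cred in app.get(field, []):
            start, end = _parse(cred["startDateTime"]), _parse(cred["endDateTime"])
            if end < now:
                findings.append(f"expired {kind} {cred['keyId']}")
            elif end - start > MAX_SECRET_LIFETIME:
                findings.append(
                    f"long-lived {kind} {cred['keyId']} ({(end - start).days} days)")
    for rra in app.get("requiredResourceAccess", []):
        if rra.get("resourceAppId") != GRAPH_RESOURCE_APP_ID:
            continue
        for access in rra.get("resourceAccess", []):
            # Only application permissions; delegated ones are type "Scope".
            if access.get("type") == "Role" and access.get("id") in HIGH_RISK_APP_ROLES:
                findings.append(
                    f"high-privilege app permission {HIGH_RISK_APP_ROLES[access['id']]}")
    return findings


def audit_tenant(apps, now=NOW):
    """Per-app findings plus the headline numbers a governance score reports."""
    report = {a["displayName"]: audit_application(a, now) for a in apps}
    total = len(report)
    ownerless = sum("ownerless" in f for f in report.values())
    return {
        "apps": total,
        "ownerless_pct": round(100 * ownerless / total) if total else 0,
        "apps_with_findings": sum(1 for f in report.values() if f),
        "findings": report,
    }


if __name__ == "__main__":
    result = audit_tenant(SAMPLE_APPS)
    print(f"{result['apps']} apps, {result['ownerless_pct']}% ownerless, "
          f"{result['apps_with_findings']} with findings")
    for name, findings in result["findings"].items():
        print(f"  {name}: {findings or ['clean']}")
```

The headline figures are the same ones the case study reports (apps in scope, share ownerless), so running this on a weekly schedule gives a trend line without a commercial tool. Expired secrets and missing owners are the quick wins; the long-lived secret and the application-level Mail.Read permission are the findings that need an owner conversation before anything is removed.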

Building Community and Resources for Ongoing Success

No organization is alone in this battle. ENow and the broader Microsoft community offer resources:

  • Community forums moderated by experts for peer troubleshooting and best practices.
  • Free tools like AppGov Score to baseline risk and drive conversation with leadership.
  • Ongoing webinars, blog series, and support channels to keep teams educated on evolving threats and governance techniques.

Final Thoughts: Making App Governance a Strategic Priority

Application risk in Microsoft Entra ID is a moving target. Attacker sophistication is rising, and regulatory scrutiny is increasing. The organizations that succeed will be those that embrace continuous governance, automation, and distributed ownership.

By using the right tools, like AppGov Score and App Governance Accelerator, and prioritizing strong policies, automated monitoring, and ongoing education, IT and security teams can drastically reduce the risk of costly breaches, streamline compliance, and protect their organizations’ most valuable assets.

As the success story illustrates, the payoff is real: reduced manual effort, fewer business disruptions, higher security maturity, and an identity environment that enables, rather than hinders, digital transformation.

Take your first step today: establish a baseline, automate where you can, and make app governance a central pillar of your Microsoft Entra ID security strategy.

Written by Alistair Pugin

M365 + Security MVP | Blogger | Podcaster | Speaker | Founder, CEO - YModernize

Alistair has worked in various capacities in multiple verticals from retail-manufacturing to government, spanning 50 to 50000 users utilizing all aspects of pure Enterprise Information Management.

Specialties: 20+ years pure IT, 16 years ECM, Livelink, Zylab, SharePoint, FileNet, etc. IT Pro dabbling in Dev, ECM Consultant, Suffering from Technophilia. Technology Architect specializing in Business Productivity Enrichment.