Why Enterprise Application Owners Matter in Entra ID Governance
June 11, 2025 • ENow Software

In Microsoft Entra ID, enterprise applications (service principals) and app registrations are the objects through which access to SaaS applications, internal tools, and APIs is granted and controlled. A key aspect of application governance is the designation of application owners: the people responsible for managing these applications (owners must be users or service principals; Entra ID does not support assigning a group as an owner). However, the role of an enterprise application owner is often misunderstood, particularly when non-IT personnel, such as business unit leaders, are assigned ownership.
This blog post explores why enterprise application owners matter, what their actions can change, and the business and security considerations for choosing IT versus non-IT owners. We also outline challenges and provide recommendations for secure application governance, focusing on three risks: permission scope changes, pop-up fatigue, and compromised owner accounts of the kind abused by threat actors like Midnight Blizzard. If you'd like an overview of application ownership and app registrations, take a minute to read this blog first: The Incredible Power of App Registration & Application Ownership.
The Role and Importance of Enterprise Application Owners
Enterprise application owners in Entra ID are responsible for managing the configuration, permissions, and access policies of the applications they own. They play a pivotal role in ensuring that applications function correctly while adhering to organizational security policies. For apps they own, owners can:
- Manage application settings: Configure single sign-on (SSO), user provisioning, and properties such as whether user assignment is required. Conditional Access policies are not an ownership capability; creating or editing them requires a separate directory role such as Conditional Access Administrator.
- Assign access to users and groups: Grant or revoke application access for users and groups.
- Change requested API permissions: An owner of the app registration can add, remove, or update the permissions the application requests, both delegated permissions and app-only (application) permissions, for example to Microsoft Graph. Requesting a permission does not grant it: delegated permissions take effect only when a user (or an administrator, tenant-wide) consents, and app-only permissions take effect only when an administrator with a privileged role grants admin consent.
- Add credentials: An owner can add a client secret or certificate to the app registration or the service principal and then sign in as the application. Those credentials carry whatever permissions have already been granted to the application, including app-only permissions an administrator consented to earlier.
- Consent on their own behalf: Like any user, an owner can grant delegated permissions for their own account where the tenant's user consent settings allow it. Ownership confers no additional consent rights, and tenant-wide (admin) consent still requires an administrator role.
While these responsibilities are essential for application functionality, they also grant owners significant control, which can lead to unintended consequences if mismanaged. Let’s explore three key risks associated with enterprise application owners:
Owners Modifying Application Permissions
One of the most significant risks in application management is an owner changing an application's permissions without fully understanding the implications. For example, an owner might add delegated Microsoft Graph permissions to the app registration; once a user consents, the application can act on that user's behalf across services the original design never needed. Delegated permissions are bounded by the signed-in user's own access, so the exposure scales with who uses the application: a delegated Mail.Read grant exercised by an executive exposes far more than the same grant exercised by a contractor. Owners can also add app-only (application) permissions to the registration, but those do nothing until an administrator grants admin consent; for Microsoft Graph application permissions that means a Global Administrator or Privileged Role Administrator. An application with excessive delegated permissions is a ready-made tool for an attacker who compromises any user that has consented to it: the attacker signs in as that user through the application and inherits both the user's access and the application's broad scopes.
Non-IT owners, such as business app owners, may lack the technical expertise to evaluate the risks of changing permissions. For instance, adding a delegated permission such as User.Read.All or Directory.Read.All lets the application, when used by a sufficiently privileged user, enumerate users and directory data across the organization, potentially leading to unintended data exposure if the change is not reviewed or monitored. Some delegated permissions (those two among them) always require admin consent, so users who try the application see an approval-request prompt rather than gaining access; others are consentable by ordinary users unless the tenant's user consent settings restrict them.
Pop-up Fatigue for Users and Owners
Pop-up fatigue, where users or owners become desensitized to frequent consent prompts, poses a real risk in Entra ID. Owners and users alike see consent prompts when an application requests delegated permissions; what such a prompt can grant is bounded by the consenting user's own access and by the tenant's consent settings. Non-IT owners, unfamiliar with the technical implications, may approve these prompts without scrutiny to avoid disruption, much as users worn down by repeated multi-factor authentication (MFA) prompts eventually approve one they did not initiate.
This fatigue increases the risk of approving malicious or overly permissive applications, especially for non-IT owners who lack the expertise to distinguish legitimate from suspicious requests. For example, a malicious or compromised application, such as an AI assistant or agent, might request broad delegated permissions like access to a user's mailbox and files. An untrained owner might approve this, assuming it is routine, and from that point the application can read that data whenever the owner signs in, enabling data exfiltration within the scope of the owner's own access.
Lessons from Midnight Blizzard: Pop-up Fatigue and Compromised Accounts
A campaign attributed to the Russian state-sponsored actor Midnight Blizzard (also tracked as APT29, NOBELIUM, Cozy Bear, and UNC2452) highlighted the dangers of OAuth application abuse and compromised accounts. In January 2024, Microsoft disclosed that, beginning in late November 2023, the actor used a password spray attack to compromise a legacy, non-production test tenant account that did not have MFA enabled. From that foothold, the actor used the account's access to a legacy test OAuth application that had elevated access into Microsoft's corporate environment, created additional OAuth applications, and granted them the Office 365 Exchange Online full_access_as_app role, which it then used to read corporate mailboxes. The intrusion did not hinge on a consent pop-up that somebody clicked through; it hinged on an accessible account, an over-privileged legacy application, and app-only permissions that nobody was reviewing.
The attack shows what compromised access to an application can yield, and the same mechanics apply to a compromised enterprise application owner. If an owner's account is compromised through phishing, password spray, or MFA fatigue, the attacker can do whatever the owner could: modify application settings such as SSO configuration or user assignments, add another owner, and, most importantly, add a client secret or certificate and sign in as the application. Credentials added that way are not limited to the owner's own permissions; they carry every permission already granted to the application, including app-only permissions an administrator consented to in the past. What the attacker cannot do from ownership alone is grant new admin consent, since that requires a privileged role such as Global Administrator or Privileged Role Administrator. Non-IT owners who do not prioritize security hygiene are particularly exposed to such attacks, and the impact grows if the apps they own have accumulated broad permissions or if they approve overly permissive requests without recognizing them as suspicious.
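The changes described above (credentials added, owners added, consent granted, app-only permissions assigned) all land in the Entra ID directory audit log under the ApplicationManagement category. The following PowerShell is an added example, not ENow's code or Microsoft's: it defines the watch-list and the matching logic, runs them over three constructed audit records so the logic can be checked without a tenant, and shows the equivalent live query against the Microsoft Graph PowerShell SDK. The activity names are written as wildcard patterns around wording as it appears in the audit log; confirm them against your own tenant's entries, and treat the user names and app name in the sample records as invented.

```powershell
# Added example (not ENow's code): flag the audit-log events a compromised
# owner account would generate. The live query needs the Microsoft.Graph.Reports
# module and the AuditLog.Read.All scope; the sample records below are
# constructed so the matching logic can be run without a tenant.

# Activity names as written in the Entra audit log, matched as wildcard
# patterns so small wording differences do not break the match.
$WatchedActivities = @(
    '*service principal credentials*',            # secret or certificate added to an enterprise app
    '*Certificates and secrets management*',      # secret or certificate added to an app registration
    '*owner to application*',                     # new app registration owner
    '*owner to service principal*',               # new enterprise app owner
    '*Consent to application*',                   # user or admin consent granted
    '*delegated permission grant*',               # delegated grant created or updated
    '*app role assignment to service principal*'  # app-only permission granted
)

function Test-WatchedAppChange {
    param([Parameter(Mandatory)] $AuditEvent)
    foreach ($pattern in $WatchedActivities) {
        if ($AuditEvent.ActivityDisplayName -like $pattern) { return $true }
    }
    return $false
}

function Format-AppChange {
    param([Parameter(Mandatory)] $AuditEvent)
    # A change made with application credentials carries an app actor instead of a user.
    $actor = $AuditEvent.InitiatedBy.User.UserPrincipalName
    if (-not $actor) { $actor = $AuditEvent.InitiatedBy.App.DisplayName }
    $target = ($AuditEvent.TargetResources | Select-Object -First 1).DisplayName
    [pscustomobject]@{
        Time     = $AuditEvent.ActivityDateTime
        Activity = $AuditEvent.ActivityDisplayName
        Actor    = $actor
        Target   = $target
        Result   = $AuditEvent.Result
    }
}

# Constructed sample records shaped like the Graph directoryAudit resource.
# The first two are the kind of change this post warns about; the third is routine noise.
$SampleEvents = @(
    [pscustomobject]@{
        ActivityDateTime    = [datetime]'2025-06-10T02:14:00Z'
        ActivityDisplayName = 'Add service principal credentials'
        Result              = 'success'
        InitiatedBy         = @{ User = @{ UserPrincipalName = 'bizowner@contoso.example' }; App = $null }
        TargetResources     = @(@{ DisplayName = 'HR Reporting App'; Type = 'ServicePrincipal' })
    },
    [pscustomobject]@{
        ActivityDateTime    = [datetime]'2025-06-10T02:16:00Z'
        ActivityDisplayName = 'Add owner to service principal'
        Result              = 'success'
        InitiatedBy         = @{ User = @{ UserPrincipalName = 'bizowner@contoso.example' }; App = $null }
        TargetResources     = @(@{ DisplayName = 'HR Reporting App'; Type = 'ServicePrincipal' })
    },
    [pscustomobject]@{
        ActivityDateTime    = [datetime]'2025-06-10T09:30:00Z'
        ActivityDisplayName = 'Update service principal'
        Result              = 'success'
        InitiatedBy         = @{ User = @{ UserPrincipalName = 'itadmin@contoso.example' }; App = $null }
        TargetResources     = @(@{ DisplayName = 'HR Reporting App'; Type = 'ServicePrincipal' })
    }
)

# Offline run over the constructed records: only the credential and owner changes are listed.
$SampleEvents | Where-Object { Test-WatchedAppChange $_ } | ForEach-Object { Format-AppChange $_ } | Format-Table -AutoSize

# Live run over the last 7 days of the tenant's audit log (uncomment after connecting).
# Connect-MgGraph -Scopes 'AuditLog.Read.All'
# $since = (Get-Date).ToUniversalTime().AddDays(-7).ToString('yyyy-MM-ddTHH:mm:ssZ')
# Get-MgAuditLogDirectoryAudit -All -Filter "category eq 'ApplicationManagement' and activityDateTime ge $since" |
#     Where-Object { Test-WatchedAppChange $_ } | ForEach-Object { Format-AppChange $_ } | Format-Table -AutoSize
```

Two credential or owner changes within minutes of each other at 02:14 local night-time, both made by a business owner's account, is exactly the pattern worth routing to an alert; the same logic can be lifted into a scheduled job or expressed as a Sentinel analytics rule over the AuditLogs table.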
Challenges in Application Ownership
Organizations face several challenges when assigning enterprise application owners:
- Lack of Technical Expertise: Non-IT owners often lack the experience to assess API permissions, understand OAuth flows, or recognize suspicious consent prompts.
- Decentralized Ownership: Many organizations assign ownership to users in different business units to decentralize management, but this can lead to inconsistent governance and oversight.
- Pop-up Fatigue: Both owners and end users may approve prompts without review, increasing the risk of unauthorized access.
- Insufficient Monitoring: Without centralized monitoring, changes made by owners, such as adding credentials to an application (which then carry every permission the application already holds) or adding new owners, may go unnoticed until a breach occurs.
- Balancing Usability and Security: Organizations must ensure applications are accessible while enforcing strict security controls, which can be challenging for non-IT owners to navigate.
Business and Security Case: IT vs. Non-IT Owners
Non-IT Owners: The Business Perspective
Assigning non-IT personnel as application owners is often driven by business needs. Business unit leaders or application stakeholders understand the functional requirements of SaaS applications and can make informed decisions about user access and workflows. Decentralizing ownership reduces the burden on IT teams, allowing faster deployment and management of applications. However, this approach assumes that non-IT owners can handle security responsibilities, which is often not the case.
IT Owners: The Security Perspective
IT personnel, particularly those with security and identity expertise, are better equipped to manage enterprise applications. They understand API permissions, OAuth consent flows, and risks. IT owners are more likely to recognize suspicious prompts, enforce least-privilege principles, and align application settings with organizational security policies. However, centralizing ownership with IT can strain resources and slow down business processes, as IT teams may lack context for application-specific requirements.
Finding the Balance
The ideal approach lies in balancing business agility with security. IT teams should oversee governance and provide training to non-IT owners, ensuring they understand their responsibilities. Alternatively, organizations can adopt a hybrid model where IT retains ultimate control (e.g., approving API permissions) while non-IT owners handle day-to-day tasks like user access management.
Recommendations for Secure Application Governance
To mitigate risks and ensure robust application governance in Entra ID, organizations should adopt the following practices:
- Centralize Oversight with IT Involvement:
- Designate IT or security teams as co-owners of critical applications to review changes and approve permissions.
- Use Microsoft Entra ID's user consent settings to restrict which permissions end users (owners included) can consent to, and enable the admin consent request workflow so anything beyond that is routed to IT reviewers instead of being left for the user to work around.
- Educate Non-IT Owners:
- Provide training on OAuth, API permissions, and the risks of pop-up fatigue.
- Teach owners to recognize suspicious consent prompts and verify application legitimacy.
- Use Microsoft Privileged Identity Management (PIM):
- Make application-management roles such as Application Administrator and Cloud Application Administrator eligible in PIM rather than permanently assigned, require justification or approval for activation, and audit activations; these roles can grant admin consent and should never be standing access.
- Pair PIM with consent governance: use permission classifications so ordinary users can consent only to low-impact permissions from verified publishers, and route everything else through the admin consent workflow.
- Enforce Least-Privilege Principles:
- Regularly review and minimize API permissions for each application.
- Use Entra ID's application roles to assign granular permissions instead of broad access, and enable the "Assignment required" setting on enterprise applications so only explicitly assigned users and groups can sign in.
- Strengthen Account Security:
- Enforce MFA for all owners and enable Conditional Access policies to block risky sign-ins.
- Monitor anomalous owner activities, such as unusual permission grants or login locations.
- Leverage Automation and Monitoring:
- Use Microsoft Sentinel or similar tools to detect and alert on suspicious application changes.
- Automate permission reviews with scripts built on the Microsoft Graph PowerShell SDK.
- Use tools like Microsoft Graph or third-party solutions like ENow App Governance Accelerator to easily search for ownerless applications, app-only permissions, and high-risk permissions.
- Conduct Regular Audits:
- Perform quarterly audits of enterprise applications, owners, and permissions.
- Remove inactive owners and revoke unnecessary access.
- Limit Non-IT Owner Permissions:
- Ownership in Entra ID is not granular: an owner of an app registration can change its requested permissions and add credentials. A workable split is to make business owners owners of the enterprise application (service principal) only, where they can assign users and groups and manage SSO, while IT keeps ownership of the app registration and therefore of requested API permissions and consent settings. Enterprise application owners can still add credentials to the service principal, so credential changes still need monitoring.
- Require IT approval for any scope changes.
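The inventory the recommendations above call for (ownerless apps, app-only permissions already granted, high-risk delegated grants) can be produced with the Microsoft Graph PowerShell SDK. The script below is an added example written for this post, not ENow's tooling or Microsoft's sample code. The high-risk permission list is a starting point to extend for your environment, and the Microsoft first-party tenant ID is used only to skip built-in Microsoft service principals so the report focuses on apps your organization registered or integrated.

```powershell
# Added example (not ENow's code): inventory enterprise applications for the
# findings the recommendations call for: ownerless apps, high-risk app-only
# permissions already granted, and high-risk delegated grants. Requires the
# Microsoft.Graph.Applications and Microsoft.Graph.Identity.SignIns modules
# with the Application.Read.All and Directory.Read.All scopes.

# Starting list of permissions worth an IT review; extend it for your environment.
$HighRiskPermissions = @(
    'Directory.ReadWrite.All', 'RoleManagement.ReadWrite.Directory',
    'AppRoleAssignment.ReadWrite.All', 'Application.ReadWrite.All',
    'User.ReadWrite.All', 'Group.ReadWrite.All',
    'Mail.Read', 'Mail.ReadWrite', 'Mail.Send', 'full_access_as_app',
    'Files.ReadWrite.All', 'Sites.ReadWrite.All'
)

# Tenant that owns Microsoft first-party service principals; skipped so the
# report lists only apps your organization registered or integrated.
$MicrosoftTenantId = 'f8cdef31-a31e-4b4a-93e4-5f571e91255a'

function Get-AppGovernanceFindings {
    param([string[]] $RiskyPermissions = $HighRiskPermissions)

    $findings      = [System.Collections.Generic.List[object]]::new()
    $resourceCache = @{}   # resource SP id -> SP object, to translate appRoleId into a permission name

    $apps = Get-MgServicePrincipal -All -Property Id,AppId,DisplayName,ServicePrincipalType,AppOwnerOrganizationId
    foreach ($sp in $apps) {
        if ($sp.ServicePrincipalType -ne 'Application') { continue }          # skip managed identities, legacy types
        if ($sp.AppOwnerOrganizationId -eq $MicrosoftTenantId) { continue }   # skip Microsoft first-party apps

        # 1. Ownerless enterprise application: nobody is accountable for it.
        $owners = Get-MgServicePrincipalOwner -ServicePrincipalId $sp.Id -All
        if (-not $owners) {
            $findings.Add([pscustomobject]@{ App = $sp.DisplayName; Finding = 'No owner'; Detail = '' })
        }

        # 2. App-only permissions already granted: anyone who can add a credential
        #    to this app can use these without any further consent.
        foreach ($a in Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All) {
            if (-not $resourceCache.ContainsKey($a.ResourceId)) {
                $resourceCache[$a.ResourceId] = Get-MgServicePrincipal -ServicePrincipalId $a.ResourceId -Property AppRoles
            }
            $role = $resourceCache[$a.ResourceId].AppRoles | Where-Object { $_.Id -eq $a.AppRoleId }
            if ($role -and ($RiskyPermissions -contains $role.Value)) {
                $findings.Add([pscustomobject]@{
                    App = $sp.DisplayName; Finding = 'High-risk app-only permission'
                    Detail = "$($a.ResourceDisplayName): $($role.Value)"
                })
            }
        }

        # 3. Delegated grants: tenant-wide admin consent or individual user consent
        #    that includes a high-risk scope.
        foreach ($g in Get-MgOauth2PermissionGrant -All -Filter "clientId eq '$($sp.Id)'") {
            $risky = ($g.Scope -split ' ') | Where-Object { $RiskyPermissions -contains $_ }
            if ($risky) {
                $kind = if ($g.ConsentType -eq 'AllPrincipals') { 'admin consent, all users' } else { 'user consent' }
                $findings.Add([pscustomobject]@{
                    App = $sp.DisplayName; Finding = 'High-risk delegated grant'
                    Detail = "$kind; scopes: $($risky -join ' ')"
                })
            }
        }
    }
    return $findings
}

# Connect-MgGraph -Scopes 'Application.Read.All','Directory.Read.All'
# Get-AppGovernanceFindings | Sort-Object Finding, App | Format-Table -AutoSize
```

Run on a schedule and diffed against the previous run, this turns the quarterly audit into a continuous one: a new "No owner" row means an owner left, and a new "High-risk app-only permission" row means someone granted admin consent since the last run and should be able to say why.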
Conclusion
Enterprise application owners in Entra ID wield significant power, making their role both critical and risky. The ability to change requested permissions and add credentials, combined with human weaknesses like pop-up fatigue and real-world threat actors like Midnight Blizzard, underscores the need for careful owner selection and governance. While non-IT owners bring business context, IT owners offer the security expertise needed to mitigate risks. By centralizing oversight, educating owners, enforcing least-privilege principles, and leveraging monitoring tools, organizations can strike a balance between usability and security.
Robust application governance is not just a technical requirement—it’s a business imperative to protect sensitive data and maintain trust in an increasingly connected world.
You can take control of your application governance by using tools like Microsoft Graph PowerShell SDK or third-party solutions like ENow App Governance Accelerator to quickly identify ownerless apps and assign the right owners, ensuring secure and compliant management. Take meaningful action to strengthen your organization’s security posture!
