As we start 2025, we wanted to take a moment to highlight some of the greatest AppGov moments of 2024. From blog posts written by Microsoft MVPs to webinars orchestrated by ENow, we have much to celebrate from the year.
This blog was written by MVP Louis Mastelinck, a security consultant at The Collective. Louis specializes in incident response and the Microsoft Security stack (MDE, MDO, MDI, MDCA, Sentinel, ...), and he excels at neutralizing threats and protecting organizations.
The blog focuses on the Microsoft Graph API, a powerful tool that allows developers and IT professionals to interact with various Microsoft 365 services, including OneDrive, Outlook, Teams, and more, through a unified endpoint. Louis demonstrates the importance of securing API access, specifically when applications hold broad permissions such as the ability to send email on behalf of any user in the tenant: if the credentials of such an application are compromised, the attacker inherits that tenant-wide reach.
He explains the two types of permissions for interacting with the Microsoft Graph API: delegated and application permissions. He stresses the risks of granting excessive permissions and provides methods for managing permissions. He suggests using the ENow App Governance Accelerator for reporting on API permissions and PowerShell scripts to audit app registrations. You can read the blog in its entirety here: How to Restrict Microsoft Graph API Access to Mailboxes.
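As an added illustration of the kind of audit the post recommends (this is example code written for this recap, not Louis's script), the snippet below uses the Microsoft Graph PowerShell SDK to list every service principal that has been granted tenant-wide mail application permissions on Microsoft Graph. The watch list of permission names and the commented Exchange Online remediation lines are assumptions chosen for the example.

```powershell
# Added example (not from the original blog): find every app that holds high-impact
# Microsoft Graph *application* permissions on mail, regardless of which app registration
# (or multi-tenant app) the grant came from. Requires the Microsoft.Graph SDK.
Connect-MgGraph -Scopes 'Application.Read.All' -NoWelcome

# Microsoft Graph's own service principal (well-known appId, identical in every tenant)
$graphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"

# Map appRole GUID -> permission name (e.g. Mail.Send, Mail.ReadWrite)
$roleNames = @{}
foreach ($role in $graphSp.AppRoles) { $roleNames[$role.Id] = $role.Value }

# Application permissions that reach every mailbox in the tenant (assumed watch list; extend as needed)
$watchList = @('Mail.Send', 'Mail.Read', 'Mail.ReadWrite', 'Mail.ReadBasic.All', 'MailboxSettings.ReadWrite')

# Every app role assignment made *on* the Graph resource is an application permission grant.
# Unlike walking each app's RequiredResourceAccess, this shows what was actually consented.
$findings = Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $graphSp.Id -All |
    Where-Object { $_.PrincipalType -eq 'ServicePrincipal' } |
    ForEach-Object {
        $perm = $roleNames[$_.AppRoleId]
        if ($watchList -contains $perm) {
            [pscustomobject]@{
                App         = $_.PrincipalDisplayName
                PrincipalId = $_.PrincipalId
                Permission  = $perm
                Granted     = $_.CreatedDateTime
            }
        }
    }

$findings | Sort-Object App, Permission | Format-Table -AutoSize

# Optional follow-up in Exchange Online PowerShell (assumed app ID and group): scope a flagged
# app to one mail-enabled security group instead of every mailbox, then verify the policy.
# New-ApplicationAccessPolicy -AppId '<appId>' -PolicyScopeGroupId 'notifications-senders@contoso.com' `
#     -AccessRight RestrictAccess -Description 'Limit Mail.Send to the notification mailboxes'
# Test-ApplicationAccessPolicy -AppId '<appId>' -Identity 'ceo@contoso.com'   # expect AccessCheckResult: Denied
```

The script only covers application permissions. Delegated grants are stored separately as OAuth2 permission grants (Get-MgOauth2PermissionGrant) and are worth a second pass, since an admin-consented delegated Mail.ReadWrite grant on a multi-tenant app is just as interesting to an attacker who can phish a user.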
The second top blog from 2024 was also written by MVP Louis Mastelinck. Louis talks about the challenges and best practices for authenticating automation scripts and applications with Microsoft services, particularly through Azure and the Graph API.
He mentions Microsoft’s plan to enforce MFA on user sign-ins in 2025, which effectively ends the practice of running automation under a user-based service account with a password. The blog provides a detailed guide on how to authenticate to the Graph API via PowerShell, covering both client secret and certificate-based authentication, and along the way emphasizes securely storing secrets and certificates and following best practices for managing authentication credentials. Read the full blog here: Authenticating to the Microsoft Graph API with PowerShell.
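To make the two options concrete, here is an added example written for this recap (not Louis's own script) showing app-only authentication to Microsoft Graph from PowerShell with either a certificate or a client secret. The tenant name, client ID, certificate subject and SecretManagement vault entry are placeholders, and the script assumes the Microsoft.Graph and Microsoft.PowerShell.SecretManagement modules are installed.

```powershell
# Added example (not the blog's own script): app-only authentication to Microsoft Graph.
# Tenant, client ID, certificate subject and vault secret name are placeholders.
$tenantId       = 'contoso.onmicrosoft.com'
$clientId       = '11111111-2222-3333-4444-555555555555'
$useCertificate = $true   # set to $false to exercise the client-secret path

if ($useCertificate) {
    # Option A (preferred): certificate credential. The private key stays in the
    # certificate store and the script never handles key material directly.
    $cert = Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.Subject -eq 'CN=graph-automation' -and $_.HasPrivateKey } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { throw 'No automation certificate with a private key was found.' }
    if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
        Write-Warning "Certificate $($cert.Thumbprint) expires on $($cert.NotAfter); rotate it."
    }
    Connect-MgGraph -TenantId $tenantId -ClientId $clientId -Certificate $cert -NoWelcome
}
else {
    # Option B: client secret. Fetch it from a SecretManagement vault at run time;
    # a secret pasted into the script is a credential committed to source control.
    $secret = Get-Secret -Name 'graph-automation-secret' -AsPlainText
    $cred   = [pscredential]::new($clientId, (ConvertTo-SecureString $secret -AsPlainText -Force))
    Connect-MgGraph -TenantId $tenantId -ClientSecretCredential $cred -NoWelcome
    Remove-Variable secret   # do not leave the plaintext secret lying around in the session
}

# Verify the session is app-only and log exactly which application permissions the token
# carries, so an unexpected new grant on the app shows up in the run output.
$ctx = Get-MgContext
if ($ctx.AuthType -ne 'AppOnly') { throw "Expected app-only authentication, got '$($ctx.AuthType)'." }
Write-Output ("Connected as app {0}; permissions: {1}" -f $ctx.ClientId, ($ctx.Scopes -join ', '))

# A call that needs only the Application.Read.All application permission
Get-MgApplication -Top 5 -Property DisplayName, AppId | Select-Object DisplayName, AppId
```

The certificate path is preferred because the secret never exists as a string: a leaked script or transcript exposes nothing reusable, and expiry is enforced by the certificate itself. With the client-secret path, whoever can read the vault (or the process memory) can mint tokens for the app until the secret is rotated.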
In this blog, Thijs Lecomte, an M365 Senior Consultant at The Collective and Security MVP, reviewed Microsoft’s article about the January 2024 Midnight Blizzard attack. Based on the article he concludes that:
Thijs walks step by step through what happened and then lists the missed opportunities that could have prevented the attack. Those same missed opportunities double as proactive steps organizations can take to prevent future attacks.
He concludes with a list of recommendations to strengthen your security posture, including using ENow’s free AppGov Score tool. Check out the recommendations list in the full blog here: Insecure App Registrations Breached Microsoft.
The next top blog was written by Alistair Pugin, a Microsoft M365 and Security MVP in South Africa and Owner of YMD. He starts by recognizing how clearly IT teams’ responsibilities were divided before the cloud. Today it usually falls to identity administrators to keep track of the applications registered and deployed in their cloud directory, in this case Microsoft Entra ID, the identity service behind Azure; registrations that are not managed properly become an avenue for attack.
Alistair describes the public client flow setting as something used with a public client application: an application that runs on a device or desktop, a mobile app, or a single-page web application, none of which can keep a client secret confidential. That is what makes the device code flow attractive to attackers: the attacker starts the device code flow against such an application, tricks a user into entering the resulting user code on the Microsoft sign-in page, and is then issued that user’s access and refresh tokens, gaining whatever resources the application is permitted to reach on the user’s behalf.
He suggests admins secure these applications by following Microsoft’s best practices, which include managing redirect URIs, access tokens, and client secrets. ENow’s AppGov Score tool can also help admins identify and address applications with insecure public client flows. To learn more about public client flows, read the full blog here: Public Client Flows: What You Need to Know.
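As an added example written for this recap (not code from Alistair's post), the script below uses the Microsoft Graph PowerShell SDK to find app registrations that allow public client flows or carry public (mobile/desktop or SPA) redirect URIs, and flags the mixed case where such an app also holds client secrets. The classification rules and the commented remediation line are assumptions made for the example.

```powershell
# Added example (not from the original blog): inventory app registrations that can act as
# public clients, i.e. obtain tokens (device code, ROPC, native redirect) without any secret.
Connect-MgGraph -Scopes 'Application.Read.All' -NoWelcome   # add Application.ReadWrite.All to remediate

$apps = Get-MgApplication -All -Property Id, AppId, DisplayName, IsFallbackPublicClient, PublicClient, Spa, Web, PasswordCredentials

$findings = foreach ($app in $apps) {
    $reasons    = @()
    $publicUris = @($app.PublicClient.RedirectUris)

    # "Allow public client flows = Yes" in the portal; enables device code and ROPC for this app
    if ($app.IsFallbackPublicClient) { $reasons += 'Allow public client flows = Yes' }

    # Mobile/desktop redirect URIs mark the registration as a native public client
    if ($publicUris.Count -gt 0) { $reasons += "Mobile/desktop redirect URIs: $($publicUris -join ', ')" }

    # SPA redirect URIs use auth code + PKCE in the browser; legitimate, but still a public client
    if (@($app.Spa.RedirectUris).Count -gt 0) { $reasons += 'SPA redirect URIs present' }

    # A public client that also carries secrets is usually a copy-paste registration worth a second look:
    # the secret adds no protection to the public flows and is one more credential to leak.
    if ($reasons.Count -gt 0 -and @($app.PasswordCredentials).Count -gt 0) {
        $reasons += "Also has $(@($app.PasswordCredentials).Count) client secret(s)"
    }

    if ($reasons.Count -gt 0) {
        [pscustomobject]@{
            DisplayName = $app.DisplayName
            AppId       = $app.AppId
            ObjectId    = $app.Id
            Reasons     = ($reasons -join '; ')
        }
    }
}

$findings | Sort-Object DisplayName | Format-Table -AutoSize

# Remediation for an app that was never meant to be a public client (assumed object ID from the output above):
# Update-MgApplication -ApplicationId $findings[0].ObjectId -IsFallbackPublicClient:$false -PublicClient @{ RedirectUris = @() }
```

Turning the setting off does not by itself revoke tokens already issued through the device code flow; pair the change with a review of recent sign-ins for the app and, where needed, revoking the affected users' refresh tokens.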
This blog was part of a series written by Matthew Levy, a Security MVP and Principal Architect at NBConsult. In the first blog he explains the principles that apply to Microsoft Entra ID Application Consent. In part two he provides some best practices, tips and recommendations to govern and secure your Microsoft Entra ID application landscape.
Best practices include:
He concludes that managing app consent is a balance between security and productivity, and requires administrators to carefully evaluate consent policies, monitor usage, and educate users on security best practices. Check out the full blog here: Entra ID Application Consent: What Identity Admins Need to Know – Part Two.
Application Lifecycle Management (ALM) is a crucial framework for ensuring your organization's applications remain efficient, secure, and compliant throughout their entire lifecycle. From initial development to retirement, ALM provides a structured approach that aligns IT objectives with business goals.
In this blog post from Microsoft MVP John O'Neill, Sr., he explored the key phases of ALM—governance, development, and operations—and why organizations must invest in tools and strategies to optimize this process. Proper ALM can lead to improved resource allocation, enhanced application security, and better collaboration across teams, ensuring applications meet evolving business needs.
Discover how leveraging ALM can help your organization streamline processes, maintain compliance, and boost overall productivity. Read the full article here: The Importance of Application Lifecycle Management (ALM).
In this session, Microsoft MVPs Alistair Pugin and Nicolas Blank explored the top 5 risks associated with application security and more, including:
Watch the full recording here: Identify and Fix Application Security Vulnerabilities in Microsoft Entra ID.
In this session Microsoft MVPs and experts Alistair Pugin and Nicolas Blank cover:
Watch On-Demand here: Entra ID Governance – Best Practices for Real-World Success.
In this webinar, Alistair Pugin and Nicolas Blank discussed the key benefits of Zero Trust, including:
Watch the full webinar here: Zero Trust for Application Security in Entra ID.
Sander Berkouwer, Eric Woodruff, and Raymond Comvalius discuss Eric’s ‘UnOAuthorized’ session from Black Hat. They also talk about the need for community education and support around Entra ID security and identities, and about the backup solutions that play a role in Entra application management. They each share their recommendations for IT pros charged with securing Entra ID and outline resources that will help guide identity and security pros toward securing their Microsoft Entra tenant(s).
Watch the full interview here: UnOAuthorized: Microsoft App Vulnerabilities, Entra ID App Misconfigurations & Community Solutions
Stephen Rose sits down with Sean Hurley and ENow CEO and Technical Founder, Jay Gundotra in this UnplugIT episode. Stephen talks to Sean, who oversees Application Security for the world’s largest iconic media and entertainment company and destination (think products, parks, attractions, superhero and sci-fi movies, wink wink) and we learn all about how he protects and secures Entra ID Applications for over 200k employees, across hundreds of thousands of devices every year.
Jay Gundotra shares his story about the inception of the product; how ENow collaborated with Sean and his team to co-innovate, making product improvements and advancing the App Governance tool forward to its latest v2.0 iteration with new features that were inspired by Midnight Blizzard.
We’ve enjoyed sharing this content with you and hope these resources have helped simplify your work! We look forward to sharing more in 2025 and are always open to suggestions! To receive more content like this and hear about our latest updates, subscribe at https://www.appgovscore.com/blog.
If you have questions about Entra ID, application governance, and security, join our community of MVPs and other tech leaders on our AppGov Community Forum!
If you want to kickstart your Entra ID Enterprise Application Governance in 2025, request your AppGov Score!