AppGov Score Blog


The AppGov Origin Story: Confronting Application Governance Gaps in Entra ID

February 1, 2025 ENow Software

In 2023, Samsung experienced a data breach caused by a vulnerability in a third-party app. This breach affected people who purchased from Samsung’s UK store between 2019 and 2020. According to TechCrunch, Samsung did not discover the attack for three years. Attackers accessed customers' personal information, such as phone numbers, emails, and addresses. We all heard about last year's Midnight Blizzard attack on Microsoft as well. Breaches of this caliber can happen if organizations don't take action to improve poor security and governance of their applications.  

How can your organization improve its security posture in a world of data breaches?  

That’s where App Governance Accelerator stands out. ENow’s solution helps organizations gain and maintain control over their Entra ID application landscape, reducing the attack surface and strengthening security. It provides deep visibility into applications, identifies potential risks, and equips IT teams with the insights needed to:

  • Make informed decisions about app security
  • Balance productivity and security without compromising either
  • Accelerate necessary changes to achieve and maintain a secure Entra ID environment

With App Governance Accelerator, organizations can proactively manage application security and stay ahead of evolving threats.

The AppGov 'Origin Story'

In the video above, Alistair Pugin sits down with ENow’s CEO, Jay Gundotra, to understand where the idea for AppGov came from. Jay credits the tool as being born out of a problem that needed a solution. One of Jay’s friends in the media/entertainment industry contacted him because their company was experiencing exponential growth in the number of SaaS applications in its environment. There was no visibility into enterprise applications, there was a great deal of citizen development, and the team could see the situation quickly getting away from them from a visibility and governance perspective... Voilà, the idea for AppGov was born!

In the interview, Jay highlights Microsoft's constant innovation and frequent changes, emphasizing the need for IT Pros to stay informed to prevent these shifts from becoming a “blind spot” for their organizations. As awareness of this growing application risk increases, the next crucial step is ensuring organizations have the right support and frameworks in place to secure executive buy-in and effectively address the challenge.

Alistair Pugin, a Microsoft Security and Microsoft 365 Apps and Services MVP, highlighted a common blind spot: the lack of awareness about how identity connects to applications. Many organizations, users, and admins sign up for enterprise applications without fully considering the identity aspect or the permissions granted. There's often an assumption that apps from reputable vendors are inherently secure, but that’s not always the case. In our conversations, most companies are surprised to discover the extent of API permissions already present within their application landscape.

Jay and Al also discussed a key challenge: Who is responsible for app governance within an organization? Should it fall under collaboration, cybersecurity, or identity, or should there be a dedicated role bridging the involved teams? Of course, the appropriate choice will naturally depend on an organization's size and the maturity of its security strategy.

They pointed to last year’s attack on Microsoft systems—traced back to Midnight Blizzard—as a wake-up call. Following the attack, many organizations conducted audits of their environments. Jay stressed that if companies haven’t yet done so, they should use Microsoft’s tools or ENow’s free AppGov Score resource.

Looking ahead, Jay emphasized the need to 'assign' app governance to a dedicated collaborator—someone who can balance security, governance, and business productivity.

Key considerations for establishing clear ownership and best practices for application governance:

  • What happens when you deploy Microsoft 365, and which apps are installed?
  • What features should be enabled or disabled?
  • What’s the policy for onboarding third-party apps?
  • What’s the policy for offboarding third-party apps?
  • What’s the remediation plan for security risks?
  • Which teams or individuals are involved with the above workflows already?

By clearly defining ownership and addressing these questions, organizations can start to take a proactive and structured approach to application security and governance.


AppGov Community Resources  

In a world of innovation and rapid technological advancements, the community plays a huge role in keeping up with changes, navigating new systems, or, in this case, managing the security aspect of applications.  Jay emphasizes the community component of AppGov. It was built because someone in his community needed help solving a problem. We've continued to build out these community resources because we recognized a knowledge gap in application governance in Entra and how it relates to identity security. Looking for additional help in these areas? Aside from this AppGov blog, we have a few additional resources: 

AppGov Score  

One of the resources provided by ENow is the AppGov Score tool. AppGov Score is a free security assessment tool that quantifies an organization’s Microsoft Entra ID application governance state.  It gives an organization a starting point to understand potential risks associated with enterprise applications, app registrations, permissions, and default tenant settings within their Entra environment.   

AppGov Community Forum  

In addition to the AppGov Score tool, we’ve created the AppGov Community Forum, a dedicated space for discussing Application Governance & Security. Moderated by Microsoft Security & Identity MVPs and subject-matter experts, the forum provides answers to key questions about Entra ID, Enterprise Applications, Application Registrations, and the impact of Tenant Settings on an application’s lifecycle. It also allows IT professionals and experts to share how they’re addressing governance challenges, like in the discussion about Veeam’s free backup app.

Why this matters:

  • AppGov Score equips organizations with insights to protect against data breaches caused by application-related risks.
  • ENow’s App Governance Accelerator helps organizations strengthen security with continuous monitoring, alerting, and automated remediation.
  • The AppGov Community Forum connects IT pros, experts, and professionals to share real-world experiences and get expert guidance as new security risks emerge.

By combining these resources, organizations can take a proactive approach to securing their Entra ID applications.

We appreciate your involvement in the AppGov Score Community—whether you're reading a blog, asking a question, sharing insights, or exploring the AppGov Score tool. Every perspective contributes to a deeper understanding of application governance risks, helping us all navigate this evolving challenge together.


Written by ENow Software