Application Sprawl in Entra ID
December 12, 2024 • Matthew Levy
Application sprawl refers to the proliferation of unmanaged or redundant applications within an organization's identity system. As organizations adopt more cloud services and integrate various third-party applications with Microsoft Entra ID, they often encounter challenges in controlling the growth of these applications. This uncontrolled expansion can lead to several risks and operational inefficiencies.
Introduction
When I was a systems administrator about 20 years ago (yes, I am an IT Dinosaur), I first heard a term that was then applied to objects in Active Directory: “Group Sprawl”. I discovered the negative side effect of adding a user to a security group for every resource they ever needed access to. That side effect was, and still is, called “Token Bloat”. I won’t go into the technical definition of token bloat, but essentially it makes logging into a system problematic for the user, who may be denied access to one or many resources. Furthermore, the nesting of groups within groups could potentially create a Denial of Service (DoS) for many users.
Move on a few years, into the era of cloud environments, and a similar term appears: Teams sprawl. Because of the way Microsoft Teams relates to Microsoft 365 Groups, it is a kind of group sprawl too. Teams sprawl happens when organizations lack control over who can create new Teams. It can have various consequences for an organization, such as abandoned, unused, or redundant Teams, ineffective organization or usage of Teams, and large numbers of unnecessary or underused Teams, which can increase Microsoft Teams storage costs.
Improper governance or management of Teams can also raise security risks.
So, the concept of application sprawl, or app sprawl, is not new by any means. The implications of app sprawl may be different, however, and I would argue more severe, but the remediation steps are quite similar to those for other types of sprawl. Let’s dig into application sprawl in Entra ID a little deeper to understand the risks and implications before discussing how to address it.
Entra ID Application Proliferation
Just like Teams sprawl or group sprawl, the default settings in Entra ID allow for virtually anyone to register an application to the organization’s Entra ID tenant:
Figure 1: Default user consent setting in an Entra ID tenant
“By default, all users are allowed to consent to applications for permissions that don't require administrator consent. For example, by default, a user can consent to allow an app to access their mailbox but can't consent to allow an app unfettered access to read and write to all files in your organization.” - Microsoft Entra ID documentation | Microsoft Learn
Consider what happens when you install a new application on your mobile phone: the phone requires you to consent to the permissions requested by the application, for example a media app asking for access to your photo gallery.
Figure 2: Mobile phone application requesting access to photos
With the adoption of new tools, services, or technologies such as “AI”, users add applications to Microsoft Teams, for example, that require consent to grant permissions requested by the application. This consent requires an application representation in the organization’s Entra ID. By default, users can consent to low-risk permissions without requiring administrator approval, but higher-risk permissions may need admin consent.
When a Teams app is added, it is represented in the organization's Entra ID tenant as an enterprise application.
Employees may independently adopt applications without IT approval, leading to unmanaged and unsecured applications in the organization. This is commonly referred to as “Shadow IT”. This represents a significant challenge in maintaining control over access management and protecting against data breaches.
Just like with Active Directory groups and Microsoft Teams sprawl, where numerous teams and channels are created without oversight, Entra ID application sprawl involves the unchecked addition of applications. Without proper governance policies, you as an Entra ID administrator may struggle to control the number of applications being added. If you are not “closing the tap”, you are chasing your own tail.
Configure User Consent settings
An oversight that often leads to application sprawl is an excessive number of users holding the Application Administrator role and the Application Developer role in your tenant. As I mentioned in my previous blog post about Microsoft Entra Roles, the Application Administrator role is a privileged role that can consent to delegated permissions and application permissions, and the Application Developer role can register web APIs, mobile apps, single-page applications (SPAs), and other apps. So, while you may delegate application development tasks to developers, they too can register shadow IT applications or unmanaged apps.
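The two "taps" described above can be read and closed with the Microsoft Graph PowerShell SDK. This is an added example, not code from the original post: it prints the tenant's current default user permissions, shows the hardened values next to them, and counts active holders of the two roles just mentioned (cmdlet names and policy identifiers are from the Graph SDK and the Entra permission grant policies; the Connect-MgGraph scopes are the ones these calls need).

```powershell
# Added example: inspect and harden the settings that let any user register or consent to apps.
Connect-MgGraph -Scopes 'Policy.Read.All', 'RoleManagement.Read.Directory' -NoWelcome

$perm = (Get-MgPolicyAuthorizationPolicy).DefaultUserRolePermissions
"Users may register applications : $($perm.AllowedToCreateApps)"
"User consent policies assigned  : $($perm.PermissionGrantPoliciesAssigned -join ', ')"

# Out-of-the-box values (the default user consent setting shown in Figure 1):
#   AllowedToCreateApps             = True
#   PermissionGrantPoliciesAssigned = ManagePermissionGrantsForSelf.microsoft-user-default-legacy
#     (any user may consent to any permission that does not require admin consent)
$legacyConsent = 'ManagePermissionGrantsForSelf.microsoft-user-default-legacy'

# Hardened values: no self-service app registration, and user consent only for low-impact
# permissions from verified publishers. An empty array instead would require admin consent
# for every permission request.
$hardened = @{
    AllowedToCreateApps             = $false
    PermissionGrantPoliciesAssigned = @('ManagePermissionGrantsForSelf.microsoft-user-default-low')
}

if ($perm.AllowedToCreateApps -or ($perm.PermissionGrantPoliciesAssigned -contains $legacyConsent)) {
    Write-Warning 'Tenant still uses the default "open tap" settings.'
    # Apply once approved (requires the Policy.ReadWrite.Authorization scope instead of Policy.Read.All):
    # Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions $hardened
}

# Role holders who can also add or consent to applications. Active assignments only;
# PIM-eligible assignments are not returned by this cmdlet.
foreach ($roleName in 'Application Administrator', 'Application Developer') {
    $def      = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$roleName'"
    $assigned = @(Get-MgRoleManagementDirectoryRoleAssignment -All -Filter "roleDefinitionId eq '$($def.Id)'")
    '{0,-26} {1} active assignment(s)' -f $roleName, $assigned.Count
}
```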
The Risks of App Sprawl
More applications mean an increase in the attack surface. Sure, many applications will only have low-risk permissions such as “openid” or “User.ReadBasic.All”, but some applications, like third-party backup solutions for example, require extensive permissions. Apps with permissions that are considered high risk should be managed and monitored carefully. Not knowing how many apps have those high-risk permissions is a severe blind spot in your security purview.
- Managing multiple applications can lead to inconsistent application of security policies, such as user assignment, creating vulnerabilities.
- Unmanaged applications may not adhere to data protection standards, risking exposure of sensitive information.
- Applications may have certificates or secrets that expire. Without prior notice of expiry, the application may stop working altogether, so there is a risk to business operations.
- Many apps store information elsewhere, in third-party systems, as a condition of the application provider being able to provide the service. The third party may even use that data to train their machine learning or large language models on your company data. Some of that data may include personally identifiable information (PII), so meeting regulatory requirements becomes more difficult with a large number of unmanaged applications.
- IT admins may become overwhelmed, leading to inadequate monitoring and maintenance of applications.
How do you know if you have App Sprawl?
How do you know if you have a problem? Well, if you can’t answer these five simple questions, you might have an App Sprawl problem:
- HOW many applications do you have in your tenant?
- WHO is responsible for each application?
- WHAT permissions do these applications have?
- WHERE does each application have access?
- WHEN was each application added to my tenant? Or WHEN was it last used?
If you have a large number of applications integrated with Entra ID, it might be a sign of sprawl, especially if many of these applications are rarely used or redundant.
You might have multiple applications that serve similar purposes and overlapping functionality. How many backup applications do you have?
To answer these questions manually in the Microsoft Entra ID portal, you first have to export the list of Enterprise Applications, which is the list of all applications integrated with your Entra ID. This list might run to a few hundred or even thousands of entries.
To understand usage, you have to view the usage and insights for each application individually; you have access to 30 days’ worth of usage logs.
Figure 3: Enterprise application | Usage & insights
Then for each application, review the permissions and roles assigned. Ensure that they are necessary and not overly permissive, which can indicate potential security risks.
Figure 4: Enterprise application | Permissions
Finally, review the audit logs for detailed activity related to applications; this can help you identify unusual app creation activities or modifications. But you need to know what you are looking for.
Figure 5: Enterprise application | Audit logs
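The manual export-then-click-through-each-app process above can be scripted. The following is an added example, not from the original post or from ENow's product, that builds one inventory row per enterprise application answering HOW many, WHO owns it and WHAT it can do, plus the soonest credential expiry (WHEN it was added comes from the audit log rather than the service principal object). It assumes the Microsoft Graph PowerShell SDK; the "high risk" regex is a simple illustrative heuristic, not an Entra classification.

```powershell
# Added example: enterprise application inventory via Microsoft Graph PowerShell.
Connect-MgGraph -Scopes 'Application.Read.All', 'Directory.Read.All' -NoWelcome

$resourceCache = @{}   # resource SP id -> AppRoles, so app role GUIDs resolve to names like Mail.Read
function Resolve-AppRole([string]$resourceId, [string]$appRoleId) {
    if (-not $resourceCache.ContainsKey($resourceId)) {
        $resourceCache[$resourceId] = (Get-MgServicePrincipal -ServicePrincipalId $resourceId -Property AppRoles).AppRoles
    }
    $role = $resourceCache[$resourceId] | Where-Object Id -eq $appRoleId
    if ($role) { $role.Value } else { $appRoleId }
}

$inventory = foreach ($sp in Get-MgServicePrincipal -All -Property Id,AppId,DisplayName,ServicePrincipalType,PasswordCredentials,KeyCredentials) {
    # WHO: owners; an empty list is itself a finding (nobody to ask about the app)
    $owners = Get-MgServicePrincipalOwner -ServicePrincipalId $sp.Id -All | ForEach-Object {
        if ($_.AdditionalProperties['userPrincipalName']) { $_.AdditionalProperties['userPrincipalName'] } else { $_.Id }
    }
    # WHAT (delegated): OAuth2 scopes consented for this app, tenant-wide (AllPrincipals) or per user (Principal)
    $delegated = Get-MgServicePrincipalOauth2PermissionGrant -ServicePrincipalId $sp.Id -All |
        ForEach-Object { "$($_.ConsentType):$($_.Scope.Trim())" }
    # WHAT (application): app roles this service principal holds on resource APIs such as Microsoft Graph
    $appPerms = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All |
        ForEach-Object { "$($_.ResourceDisplayName)/$(Resolve-AppRole $_.ResourceId $_.AppRoleId)" }
    # Earliest expiry across secrets and certificates (the "risk to business operations" above)
    $nextExpiry = @($sp.PasswordCredentials) + @($sp.KeyCredentials) | Where-Object EndDateTime |
        Sort-Object EndDateTime | Select-Object -First 1 -ExpandProperty EndDateTime
    [pscustomobject]@{
        DisplayName    = $sp.DisplayName
        AppId          = $sp.AppId
        Type           = $sp.ServicePrincipalType
        Owners         = $owners -join ';'
        Delegated      = $delegated -join ';'
        AppPermissions = $appPerms -join ';'
        NextCredExpiry = $nextExpiry
        # Illustrative heuristic only: application permissions with tenant-wide write or directory reach
        HighRisk       = [bool]($appPerms -match '\.ReadWrite\.All$|Directory\.|RoleManagement\.')
    }
}

$inventory | Export-Csv -Path .\entra-app-inventory.csv -NoTypeInformation
"HOW many enterprise applications : $($inventory.Count)"
"Without an owner                 : $(@($inventory | Where-Object { -not $_.Owners }).Count)"
"Flagged high risk                : $(@($inventory | Where-Object HighRisk).Count)"
"Credentials expiring in 30 days  : $(@($inventory | Where-Object { $_.NextCredExpiry -and $_.NextCredExpiry -lt (Get-Date).AddDays(30) }).Count)"
```

On a tenant with thousands of enterprise applications this makes several Graph calls per application, so expect it to run for a while and consider scheduling it rather than running it interactively.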
How to track it with AppGov Score & App Governance Accelerator
ENow’s App Governance Accelerator provides two useful reports to help you track app sprawl.
The first, “Applications Created in the Last 30 Days,” shows Enterprise Applications that were created in the last 30 days.
Figure 6: Applications Created in the Last 30 Days
The number of enterprise applications created in the last 30 days indicates how often the organization is integrating applications and services with Microsoft Entra ID for single sign-on. The more enterprise applications an organization has, the more applications and/or services a user can sign in to using their Entra ID sign-in credentials.
Secondly, “App Registrations Created in the Last 30 Days” highlights the number of application registrations created in the last 30 days.
Figure 7: App Registrations Created in the Last 30 Days
To see what permissions they have been provided, check out the App Registrations API Permissions report.
Remediation
Going back in time once again to the Group Sprawl issue, the process of dealing with group sprawl began with analyzing the group creation process within an organization. We asked the following questions:
- Who can create a group?
- Should all those that have the ability to create groups really have it?
- Is there a process in place to regularly review group membership and remove members that no longer require membership?
- Is there a process in place to delete old groups that are no longer used?
The process for addressing App Sprawl starts with asking the same questions pertaining to the creation of Entra ID enterprise applications:
- Who can add or register applications in Entra ID?
- Should all those that have the ability to add or register an application in Entra ID really have that ability?
- Is there a process in place to regularly review applications?
- Is there a process in place to delete old applications that are no longer used?
By understanding and addressing application proliferation, you can enhance the security and efficiency of your Entra ID tenant.
Identity Governance is Application Governance
Just as you may have an Identity Governance policy and mechanisms to ensure that policy is being adhered to, application governance needs a similar approach. The process of dealing with applications and preventing app sprawl requires structure for the following aspects of all applications in Entra ID:
- Lifecycle
  - Onboarding
  - Changes
  - Offboarding
- Least Privilege
  - Application permissions
  - Users who have access
- Access attestation
  - Frequently certify that the application is still required
  - Frequently certify that the permissions are still required
  - Frequently certify that the users granted access still require it
- Just-in-time (JIT) access
  - Make sure that users have access to do only what they need to do, when they need it, and that it is not left as standing access.
  - The same applies to application permissions on resources.
- Auditing and Reporting
  - Make sure you have an inventory of applications.
  - Frequently check the number of newly added applications.
  - Get alerts for new applications with permissions.
  - Application credentials that are about to expire should generate alerts.
  - Assume breach, and use data from audits and reports to improve incident response plans, understand past incidents and refine strategies to prevent future breaches.
  - Audit access controls and permissions.
  - Conduct regular audits to identify and remove unnecessary applications.
- User Training
  - Educate employees on the risks of shadow IT and the importance of using approved applications.
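The "frequently check the number of newly added applications" and "get alerts for new applications with permissions" items can be driven from the directory audit log that the earlier section says you need to know how to search. This added example (not from the original post or ENow's reports) pulls the last 30 days of application-management events, lists who added or consented to which app with the scopes granted, and warns when additions exceed a baseline; the baseline of 10 per month is an assumed placeholder, and it uses the Microsoft Graph PowerShell SDK.

```powershell
# Added example: summarise application additions and consents from the Entra ID audit log.
Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All' -NoWelcome

$since = (Get-Date).AddDays(-30).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
# activityDisplayName values Entra ID records for the events that grow or empower the app estate
$watched = @('Add service principal', 'Add application', 'Consent to application',
             'Add app role assignment to service principal', 'Add delegated permission grant',
             'Add service principal credentials')

$events = Get-MgAuditLogDirectoryAudit -All `
    -Filter "category eq 'ApplicationManagement' and activityDateTime ge $since" |
    Where-Object { $_.ActivityDisplayName -in $watched }

$rows = foreach ($e in $events) {
    $target = $e.TargetResources | Select-Object -First 1
    # For consent events the granted scopes are recorded as a modified property on the target
    $scopes = ($target.ModifiedProperties | Where-Object DisplayName -eq 'ConsentAction.Permissions').NewValue
    [pscustomobject]@{
        When     = $e.ActivityDateTime                 # answers WHEN the app was added
        Activity = $e.ActivityDisplayName
        Actor    = if ($e.InitiatedBy.User.UserPrincipalName) { $e.InitiatedBy.User.UserPrincipalName }
                   else { $e.InitiatedBy.App.DisplayName }   # automation or the service itself
        App      = $target.DisplayName
        Scopes   = $scopes
        Result   = $e.Result
    }
}

# Volume check against the tenant's normal rate (assumed placeholder value; set it from your own history)
$baselinePerMonth = 10
$added = @($rows | Where-Object Activity -eq 'Add service principal').Count
if ($added -gt $baselinePerMonth) {
    Write-Warning "$added service principals added in the last 30 days (baseline $baselinePerMonth)"
}

$rows | Sort-Object When -Descending | Format-Table When, Activity, Actor, App, Result -AutoSize
# Consents with the permissions that were granted: the "new applications with permissions" alert feed
$rows | Where-Object Scopes | Format-Table When, Actor, App, Scopes -Wrap
```

The same query, scheduled daily with a shorter window and its output sent to your alerting channel, gives the "new application with permissions" alert without waiting for a monthly review.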
Your organization should establish and enforce governance policies to control application adoption. This starts with a proper usable inventory of the applications you currently have. To get a quantifiable risk score for your Entra ID application landscape, request your free AppGov Score!
Written by Matthew Levy
Microsoft Security MVP | Principal Architect @NBConsult | Speaker | Blogger. I am an Identity and Access Solutions Architect for NBConsult, a leading IT service provider in South Africa. I have 20+ years of experience in Microsoft enterprise technologies. I am passionate about Identity Governance and how it can help organizations achieve better security, compliance and productivity. I write blogs where I share my insights and tips on Application Governance.