
Hot Potato – Who Should Own Application Governance in Entra ID? (Part 1)

March 6, 2025 John O’Neill Sr


Applications are the lifeblood of productivity in today's Cloud-first world. From collaboration tools to CRM systems, specialized software powers every aspect of modern business. With the explosion of Cloud applications comes a critical question many organizations struggle to answer: Who exactly should own application governance in Microsoft Entra ID? 

What exactly is application governance?

At its core, application governance in Entra ID encompasses the policies, procedures, and controls that manage the entire lifecycle of applications connected to your Entra ID identity environment. This includes: 

        • Application registration and approval processes 

        • Permissions management and scope controls 

        • Regular access reviews and attestation 

        • Security monitoring and threat detection 

        • Compliance oversight and documentation 

        • Deprovisioning and eventual decommissioning

Effective governance ensures that applications access only the data they need, adhere to organizational security policies, comply with regulatory requirements, and align with overall business objectives. Simply put, it's the structured approach that prevents the application environment from becoming the wild west of your IT landscape. 

If you've worked in IT for a while, you've likely witnessed the app governance 'hot potato': that moment when a new app needs to be integrated and teams look at each other wide-eyed, wondering who's going to catch it. Like an actual hot potato, nobody wants to hold onto it for too long, yet someone must ultimately take responsibility. 

The hot potato problem occurs because application governance: 

        • Crosses multiple traditional IT boundaries 

        • Requires diverse expertise in identity, security, and business operations 

        • Involves ongoing maintenance rather than one-time setup 

        • Often lacks clear budget allocation and resource assignment 

        • Can be perceived as a roadblock to business agility 

This four-part in-depth blog series explores the challenges and solutions surrounding application governance ownership in Entra ID: 

        • Part 1 gives an introduction and then presents details on the current state of application governance 

        • Part 2 investigates key stakeholders and why ownership is challenging 

        • Part 3 dives into the real-world risks of unclear governance 

        • Part 4 provides tactical and strategic solutions along with practical governance models 

Microsoft Entra ID has become the de facto identity backbone for most organizations using Azure and Microsoft 365. It serves as the core authentication and authorization service connecting an organization's users to applications, both from Microsoft and from third parties. According to Okta's 2022 Businesses at Work report, large organizations use an average of 187 apps, while BetterCloud's 2024 State of SaaSOps report indicated that companies use an average of 112 SaaS applications, a number that, while down from 130 in 2022, has still increased significantly over the past five years. These averages scale up with the size of an organization and its number of users.  

The SaaS Explosion 

The rapid adoption of SaaS applications has fundamentally changed how organizations manage their application ecosystem: 

        • Decentralized purchasing: Business units can acquire applications without IT involvement 

        • Simplified integration: Standard protocols (SAML, OpenID Connect, OAuth 2.0) make connecting an application to Entra ID a matter of minutes, often with nothing more than a user consent prompt 

        • API-driven ecosystems: Applications increasingly connect to multiple data sources via APIs, for instance, the Microsoft Graph API 

        • Self-service management: Many applications allow business owners to manage their own integrations 

        • Frequent updates: SaaS applications update continuously, often changing security requirements on-the-fly 

This explosion of app diversity creates significant governance challenges as each application: 

        • Requires proper configuration in Entra ID 

        • Needs appropriate access controls and permissions 

        • Requires active monitoring for security and compliance 

        • Demands ongoing patching and updates 

        • Requires lifecycle management from onboarding to retirement 

The Governance Reality 

Despite these critical requirements, clear ownership of application governance is surprisingly rare. Instead, organizations often have: 

        • Disjointed processes: Different procedures for different application types 

        • Inconsistent standards: Varying levels of security review based on who handles the request 

        • Reactive management: Focus on fixing problems rather than preventing them 

        • Blurred/unclear responsibilities: Ambiguity about who handles which aspects of governance 

        • Inadequate documentation: Poor records of approval decisions and security reviews 

This creates fertile ground for operational inefficiencies, compliance gaps, and security vulnerabilities.

The Root Causes

The fundamental issue is that application governance in Entra ID sits at the intersection of multiple disciplines: 

        • Identity management: Authentication protocols, credential management, and directory integration 

        • Security: Threat monitoring, vulnerability management, and data protection 

        • Compliance: Regulatory requirements, audit evidence, and risk management 

        • Business enablement: Supporting productivity and innovation 

        • User experience: Ensuring seamless access and usability 

No single team traditionally covers all these aspects, creating an ownership vacuum that leads to the hot potato scenario we see so often. Organizations typically respond in one of two ways: 

        1. They allow fragmented, ad-hoc ownership to continue (risk acceptance) 

          • Applications are managed by whoever set them up

          • No consistent governance framework exists

          • Teams focus only on their specific responsibilities 

        2. They develop an intentional governance model with clear ownership designations (risk mitigation)  

          • Formal governance structure with defined roles 

          • Documented processes for the entire application lifecycle 

          • Cross-functional collaboration model 

The first approach seems easier, and in the short term it is, but it creates significant long-term liabilities. The second approach requires investment and organizational change, but delivers substantial risk reduction and long-term operational benefits. With applications and their permissions now a common attack vector, as reported in Microsoft's Digital Defense Report, a proactive approach is critical. 

Warning Signs of Entra ID Application Governance Issues 

If your organization experiences any of the following warning signs, an application governance ownership issue likely lurks in the shadows: 

          • No one can provide a complete inventory of applications connected to your Entra ID 

          • Application owners can't articulate what permissions their applications have 

          • No formal process exists for reviewing and approving new application integrations 

          • Multiple teams give different answers about who's responsible for application security 

          • Application monitoring is reactive rather than proactive 

          • Decommissioning unused applications rarely happens 

          • Security incidents involve excessive application permissions 

          • Business units implement shadow IT solutions because formal processes are unclear or burdensome 

          • Application owners change frequently without proper knowledge transfer 
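Two of the warning signs above, no complete inventory and owners who can't say what their apps are permitted to do, can be checked directly against the tenant rather than argued about. The script below is an added example for this post, not code from the original article or from ENow's tooling. It assumes the Microsoft Graph PowerShell SDK is installed, an account that can consent to the read-only scopes it requests, and a short, hypothetical list of application permissions worth reviewing first; adjust that list to your own risk appetite.

```powershell
# Added example (not part of the original post): inventory every service
# principal in the tenant together with the application (app-role) and
# delegated (OAuth 2.0 scope) permissions granted to it, then surface the
# ones holding high-privilege application permissions.
# Assumes the Microsoft.Graph SDK and read-only consent for the scopes below.
Connect-MgGraph -Scopes "Application.Read.All","DelegatedPermissionGrant.Read.All" -NoWelcome
$tenantId = (Get-MgContext).TenantId

# Application permissions a reviewer should look at first. This list is an
# assumption for the example, not an official or exhaustive "dangerous" list.
$HighPrivilege = @(
    "Directory.ReadWrite.All", "RoleManagement.ReadWrite.Directory",
    "Application.ReadWrite.All", "AppRoleAssignment.ReadWrite.All",
    "User.ReadWrite.All", "Mail.ReadWrite", "Files.ReadWrite.All"
)

# Cache resource service principals (Microsoft Graph, SharePoint, ...) so
# each AppRoleId is translated to its permission name with one lookup.
$resourceCache = @{}
function Resolve-AppRoleName {
    param([string]$ResourceId, [string]$AppRoleId)
    if (-not $resourceCache.ContainsKey($ResourceId)) {
        $resourceCache[$ResourceId] = Get-MgServicePrincipal -ServicePrincipalId $ResourceId
    }
    $role = $resourceCache[$ResourceId].AppRoles | Where-Object { $_.Id -eq $AppRoleId }
    if ($role) { return $role.Value } else { return $AppRoleId }
}

# Pull every delegated grant once and index by client service principal,
# so the loop below does not issue one query per application.
$delegatedByClient = Get-MgOauth2PermissionGrant -All |
    Group-Object -Property ClientId -AsHashTable -AsString

$inventory = foreach ($sp in Get-MgServicePrincipal -All) {
    # Application permissions: app-role assignments held by this principal
    $appRoles = @(Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All |
        ForEach-Object { Resolve-AppRoleName -ResourceId $_.ResourceId -AppRoleId $_.AppRoleId })

    # Delegated permissions: scopes granted either tenant-wide (ConsentType
    # 'AllPrincipals', i.e. admin consent) or by individual users ('Principal')
    $delegated = @()
    if ($delegatedByClient -and $delegatedByClient.ContainsKey($sp.Id)) {
        $delegated = @($delegatedByClient[$sp.Id] | ForEach-Object { $_.Scope -split ' ' } |
            Where-Object { $_ } | Sort-Object -Unique)
    }

    [pscustomobject]@{
        DisplayName      = $sp.DisplayName
        AppId            = $sp.AppId
        Type             = $sp.ServicePrincipalType        # Application, ManagedIdentity, Legacy
        OwnerTenant      = $sp.AppOwnerOrganizationId       # tenant that registered the app
        IsHomeTenantApp  = ($sp.AppOwnerOrganizationId -eq $tenantId)
        AppPermissions   = ($appRoles -join ' ')
        DelegatedScopes  = ($delegated -join ' ')
        HighPrivilege    = (($appRoles | Where-Object { $HighPrivilege -contains $_ }) -join ' ')
        CreatedDateTime  = $sp.CreatedDateTime
    }
}

# Evidence for the ownership conversation: the full inventory as a CSV, and
# the short list that needs a named owner and a written justification first.
$inventory | Export-Csv -Path .\entra-app-inventory.csv -NoTypeInformation
$inventory | Where-Object { $_.HighPrivilege } |
    Sort-Object DisplayName | Format-Table DisplayName, AppId, Type, HighPrivilege -AutoSize
```

Third-party and multi-tenant apps show up with an OwnerTenant that is not your own tenant ID, which is usually the first place to start asking "who approved this, and why does it need that permission?". Rows whose AppPermissions column is non-empty are the ones that can act without any user signed in, so they deserve an owner even if nobody remembers onboarding them.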

Starting the Application Governance Ownership Conversation 

The first step toward solving any problem is recognizing it exists. Begin by asking some simple questions in your organization: 

          • "Who is responsible for reviewing application permissions in our environment?" 

          • "What's our process when a business unit requests a new application integration?" 

          • "How do we monitor application behavior after it's been approved?" 

          • "Who decides when an application should be decommissioned?" 

If these questions yield inconsistent answers or blank stares, it's time to address your application governance model. 

In the next part of this series, we'll explore the different teams typically involved in application governance and examine why clear ownership has become such a challenge in modern organizations. 

If you're looking for an immediate next step to streamline and simplify your application governance journey, request your ENow AppGov Score. ENow's AppGov Score is a free security assessment tool that quantifies your organization’s Microsoft Entra ID application governance state. It gives an organization a starting point to understand potential risks associated with enterprise applications, app registrations, permissions, and default tenant settings within your Entra environment. Strengthen your application governance and security posture - start now!  


Written by John O’Neill Sr

John’s professional IT career began as a teenager, taking him on many wonderful adventures over the past 30 years. John’s IT path started with programming, but branched out quickly. Opportunities from the Help Desk to the Corner Office shape his IT journey. Specializing in Security, Systems, and Infrastructure technologies, John’s broad skillset includes Desktop and Server OS, Identity Management, Networking Services, Network Architecture, IP Telephony, and CyberSecurity. Passionate about giving back to the IT community, John develops relevant, timely content which IT Pros take advantage of immediately. Part of the MVPDays team, he develops both online and in-print content. In addition, John authored material as a contributing editor for the Petri.co.il online community as well as senior contributor to Tom’s IT Pro, Redmond Magazine, Netwrix, and both Thomson-Reuters' Aspatore Books and Exec Blueprints publications. Helping others succeed and advance in IT drives John to share knowledge. Speaking at conferences worldwide, developing technology training courses for Pluralsight’s online training library, and leading webinars are all regular investments by John in the current and next generation of IT professionals. Blending high-tech education with a bit of entertainment, attendees at John’s sessions regularly rate him one of their favorite speakers. Attendees rated John top speaker/best session at TechMentor Redmond 2019 and again at Techmentor Orlando 2021. John is proud to be honored by industry organizations, leaders, and especially his peers. A five-time recipient of Microsoft’s MVP Award, John received NEOSA’s CIO of the Year Award in 2012.