Applications are the lifeblood of productivity in today's Cloud-first world. From collaboration tools to CRM systems, specialized software powers every aspect of modern business. With the explosion of Cloud applications comes a critical question many organizations struggle to answer: Who exactly should own application governance in Microsoft Entra ID?
At its core, application governance in Entra ID encompasses the policies, procedures, and controls that manage the entire lifecycle of applications connected to your Entra ID identity environment. This includes:
Application registration and approval processes
Permissions management and scope controls
Regular access reviews and attestation
Security monitoring and threat detection
Compliance oversight and documentation
Deprovisioning and eventual decommissioning
Effective governance ensures that applications access only the data they need, adhere to organizational security policies, comply with regulatory requirements, and align with overall business objectives. Simply put, it's the structured approach that prevents the application environment from becoming the wild west of your IT landscape.
If you've worked in IT for a while, you've likely witnessed the app governance 'hot potato': that moment when a new app needs to be integrated and teams look at each other with wide eyes, wondering who's going to catch it. Like an actual hot potato, nobody wants to hold onto it for too long, yet someone must ultimately take responsibility.
The hot potato problem occurs because application governance:
Crosses multiple traditional IT boundaries
Requires diverse expertise in identity, security, and business operations
Involves ongoing maintenance rather than one-time setup
Often lacks clear budget allocation and resource assignment
Can be perceived as a roadblock to business agility
This four-part in-depth blog series explores the challenges and solutions surrounding application governance ownership in Entra ID:
Part 1 gives an introduction and then presents details on the current state of application governance
Part 2 investigates key stakeholders and why ownership is challenging
Part 3 dives into the real-world risks of unclear governance
Part 4 provides tactical and strategic solutions along with practical governance models
Microsoft's Entra ID has become the de facto identity backbone for most organizations using Azure and Microsoft 365. It serves as the core authentication and authorization service connecting an organization's users to applications, both from Microsoft and third parties. According to Okta's 2022 Businesses at Work report, large organizations use an average of 187 apps, while BetterCloud's 2024 State of SaaSOps report indicated that companies use an average of 112 SaaS applications, a number that, while down from 130 in 2022, has still increased significantly over the past five years. These averages scale up with the size of an organization and its number of users.
The rapid adoption of SaaS applications has fundamentally changed how organizations manage their application ecosystem:
Decentralized purchasing: Business units can acquire applications without IT involvement
Simplified integration: Modern authentication standards make connecting to Entra ID easier than ever
API-driven ecosystems: Applications increasingly connect to multiple data sources via APIs, for instance, the Microsoft Graph API
Self-service management: Many applications allow business owners to manage their own integrations
Frequent updates: SaaS applications update continuously, often changing security requirements on the fly
This explosion of app diversity creates significant governance challenges as each application:
Requires proper configuration in Entra ID
Needs appropriate access controls and permissions
Requires active monitoring for security and compliance
Demands ongoing patching and updates
Requires lifecycle management from onboarding to retirement
Despite these critical requirements, clear ownership of application governance is surprisingly rare. Instead, organizations often have:
Disjointed processes: Different procedures for different application types
Inconsistent standards: Varying levels of security review based on who handles the request
Reactive management: Focus on fixing problems rather than preventing them
Unclear responsibilities: Ambiguity about who handles which aspects of governance
Inadequate documentation: Poor records of approval decisions and security reviews
This creates fertile ground for operational inefficiencies, compliance gaps, and security vulnerabilities.
The fundamental issue is that application governance in Entra ID sits at the intersection of multiple disciplines:
Identity management: Authentication protocols, credential management, and directory integration
Security: Threat monitoring, vulnerability management, and data protection
Compliance: Regulatory requirements, audit evidence, and risk management
Business enablement: Supporting productivity and innovation
User experience: Ensuring seamless access and usability
No single team traditionally covers all these aspects, creating an ownership vacuum that leads to the hot potato scenario we see so often. Organizations typically respond in one of two ways:
They allow fragmented, ad-hoc ownership to continue (risk acceptance):
    Applications are managed by whoever set them up
    No consistent governance framework exists
    Teams focus only on their specific responsibilities
Or they establish deliberate ownership:
    Formal governance structure with defined roles
    Documented processes for the entire application lifecycle
    Cross-functional collaboration model
If your organization experiences any of the following warning signs, an application governance ownership issue likely lurks in the shadows:
No one can provide a complete inventory of applications connected to your Entra ID
Application owners can't articulate what permissions their applications have
No formal process exists for reviewing and approving new application integrations
Multiple teams give different answers about who's responsible for application security
Application monitoring is reactive rather than proactive
Decommissioning unused applications rarely happens
Security incidents involve excessive application permissions
Business units implement shadow IT solutions because formal processes are unclear or burdensome
Application owners change frequently without proper knowledge transfer
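As a concrete check on the first two warning signs above (no complete inventory, and owners who can't state their apps' permissions), here is an added example that is not part of the original post or of any ENow tool: a script using the Microsoft Graph PowerShell SDK to list every service principal's delegated and application permissions. It assumes the Microsoft.Graph module is installed and the signed-in account has read access to applications and the directory; the HighPrivilege pattern is a constructed heuristic, not a Microsoft definition.

```powershell
# Added example (not from the original post): inventory Entra ID service principals
# and the permissions they hold, using the Microsoft Graph PowerShell SDK.
# Assumption: Microsoft.Graph module installed; read-only scopes are sufficient.
Connect-MgGraph -Scopes 'Application.Read.All','Directory.Read.All' -NoWelcome

# Index resource service principals (e.g. Microsoft Graph) so permission IDs resolve to names
$resources = @{}
foreach ($sp in Get-MgServicePrincipal -All -Property Id,DisplayName,AppRoles) {
    $resources[$sp.Id] = $sp
}

$rows = foreach ($sp in Get-MgServicePrincipal -All -Property Id,AppId,DisplayName,ServicePrincipalType) {
    # Delegated permissions: OAuth2 grants where this service principal is the client
    $delegated = Get-MgOauth2PermissionGrant -Filter "clientId eq '$($sp.Id)'" -All |
        ForEach-Object {
            $res = $resources[$_.ResourceId].DisplayName
            "$res`: $("$($_.Scope)".Trim()) [$($_.ConsentType)]"
        }

    # Application (app-only) permissions: app role assignments held by this service principal
    $application = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All |
        ForEach-Object {
            $a = $_
            $role = $resources[$a.ResourceId].AppRoles | Where-Object { $_.Id -eq $a.AppRoleId }
            "$($a.ResourceDisplayName): $($role.Value)"
        }

    [pscustomobject]@{
        DisplayName   = $sp.DisplayName
        AppId         = $sp.AppId
        Type          = $sp.ServicePrincipalType
        Delegated     = ($delegated -join '; ')
        Application   = ($application -join '; ')
        # Constructed heuristic: tenant-wide write, directory or role-management app permissions
        # are the ones an owner should be able to justify in an access review
        HighPrivilege = [bool]($application | Where-Object { $_ -match '\.ReadWrite\.All|Directory\.|RoleManagement\.' })
    }
}

# Export the full inventory for the access review, and show the high-privilege apps on screen
$rows | Sort-Object HighPrivilege -Descending | Export-Csv -Path .\entra-app-permissions.csv -NoTypeInformation
$rows | Where-Object HighPrivilege | Format-Table DisplayName, AppId, Application -AutoSize
```

Rows with an empty Delegated and Application column and no recent sign-ins are the first candidates for the decommissioning question later in this post.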
The first step toward solving any problem is recognizing it exists. Begin by asking some simple questions in your organization:
"Who is responsible for reviewing application permissions in our environment?"
"What's our process when a business unit requests a new application integration?"
"How do we monitor application behavior after it's been approved?"
"Who decides when an application should be decommissioned?"
If these questions yield inconsistent answers or blank stares, it's time to address your application governance model.
In the next part of this series, we'll explore the different teams typically involved in application governance and examine why clear ownership has become such a challenge in modern organizations.
If you're looking for an immediate next step to streamline and simplify your application governance journey, request your ENow AppGov Score. ENow's AppGov Score is a free security assessment tool that quantifies your organization’s Microsoft Entra ID application governance state. It gives an organization a starting point to understand potential risks associated with enterprise applications, app registrations, permissions, and default tenant settings within your Entra environment. Strengthen your application governance and security posture - start now!