
Every Microsoft 365 tenant has hundreds of registered applications. Most have no documented owner, no review date, and broader permissions than anyone intended to grant.
June 2026 | 7 min read
1. The Entra ID App Governance Problem in 2026
Every time a user clicks “Accept” on an OAuth consent screen, they grant a third-party application access to their Microsoft 365 data. Email. Calendar. Files. In some cases, the ability to send on their behalf. The permission is recorded in Entra ID. The application appears in the enterprise application list. And in the vast majority of organisations, that is where the governance trail ends.
Research from 2025 found that 51% of organisations have 250 or more Entra ID applications with read-write access to Microsoft 365 data. Most of those applications have no documented owner, no access review schedule, and no expiry. Some were granted access during a project that has since concluded. Others were consented to by users who no longer work at the organisation. A few are connected to vendor accounts that have been inactive for years.
This is not a failure of security policy. It is a failure of Microsoft 365 governance tooling. The access was granted in good faith. The problem is that nobody built a system to review it.
2. How OAuth Consent Grants Create Invisible Access Risks
OAuth consent in Microsoft 365 works in two modes. Delegated permissions act on behalf of the signed-in user, with the user’s level of access. Application permissions act independently of any user, often with tenant-wide scope. Both are legitimate. Both create risk when they are not reviewed.
The risk is not theoretical. An application granted read access to Exchange Online mailboxes can access every email in every mailbox it has permission to reach, including sensitive HR correspondence, legal communications, and executive email, without any authentication event that would trigger a conditional access alert.
Application permissions with write access are higher risk still. An application that can create or modify calendar events, send emails, or update SharePoint content can cause significant damage if its credentials are compromised, or if it is operated by a vendor whose own security posture has weakened since the original consent was granted.
Microsoft’s consent framework includes controls for restricting user consent and requiring admin approval. But controls on new consents do not address the permissions that are already in place. The historical estate is where the exposure sits.
“An application granted read access to Exchange Online mailboxes can access every email in scope without triggering a conditional access alert.”
3. Entra ID App Governance and the Lifecycle Problem: Apps That Nobody Owns
The immediate risk from misconfigured OAuth consents is significant. But the structural problem is lifecycle. Applications accumulate faster than they are decommissioned. And without a formal ownership and review process, the accumulation is one-directional.
A project team integrates a third-party project management tool with Microsoft 365. The OAuth consent is granted by the IT admin on request. The project completes eighteen months later. The team moves on. The tool subscription lapses. The Entra ID application registration and the OAuth consent remain, along with whatever access permissions were configured during the integration.
Multiply this pattern across three years of projects, vendor integrations, and user-initiated tool adoptions, and the result is an application estate where a significant proportion of the access grants are serving no active business purpose. They represent pure risk: access that nobody needs, owned by nobody, reviewed by nobody.
Microsoft provides Entra ID access reviews as a mechanism for periodic recertification. These are effective when configured and used. The gap is that most organisations have not extended their access review programmes to cover application permissions, only user and group memberships.
4. What Over-Permissioned Apps and Privileged Credentials Have in Common
The connection between Entra ID app governance and breach risk is direct. Forrester research found that 80% of security breaches involve privileged or over-permissioned credentials. IBM’s Cost of a Data Breach report puts the average cost of a credential-based breach at $4.67 million, with an average detection time of 246 days.
An Entra ID application with tenant-wide read-write access to Exchange Online is, in effect, a privileged credential. If the application’s client secret is compromised, leaked through a vendor’s own breach, or left in a code repository, the attacker inherits all of the permissions that were granted to the application. The access is persistent, has no multi-factor authentication requirement, and may not trigger conditional access policies that would flag a human login from an unusual location.
RISK: Application credentials with read-write access to Exchange Online or SharePoint do not require MFA and may not be subject to conditional access policies. A compromised app secret provides persistent, undetected access for an average of 246 days. (IBM, 2025)
5. Building an Entra ID Application Governance Programme
An effective Entra ID app governance programme addresses four areas.
Inventory and classification. A complete list of every registered application and enterprise application in the tenant, with its permission scope, consent type, last activity date, and assigned owner. Without this baseline, nothing else is possible.
Ownership assignment. Every application needs a named owner who is responsible for reviewing its access annually, confirming whether it is still in use, and initiating decommissioning when it is not. Applications without an active owner should be flagged immediately.
Periodic access reviews. Extending Entra ID access reviews to cover application permissions, not just user and group memberships. High-risk applications (those with write access, tenant-wide scope, or access to sensitive data) should be reviewed more frequently.
Consent policy controls. Restricting user-initiated consent to low-risk, verified publisher applications. Requiring admin approval for any application requesting write permissions or access to sensitive data categories. These controls prevent new accumulation while the existing estate is reviewed.
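One way to build the inventory described in the four areas above, as an added example that is not the article's or TeamsFox's code: a Microsoft Graph PowerShell script that lists each enterprise application's delegated scopes, application roles and owners, then flags orphaned and high-risk entries. The write-permission regex and the Microsoft first-party tenant filter are assumptions of the example; last-activity dates come from service principal sign-in logs and are not covered here.

```powershell
# Added example (not from the original article): build the section 5 inventory with the
# Microsoft Graph PowerShell SDK and flag orphaned and high-risk applications.
# Assumptions: the Microsoft.Graph module is installed; the scopes requested are read-only;
# the write-permission regex is an illustrative heuristic, not a Microsoft classification.
Connect-MgGraph -Scopes 'Application.Read.All', 'Directory.Read.All' -NoWelcome

$writePattern    = 'ReadWrite|Write|Send|FullControl|full_access_as_app'  # constructed heuristic
$microsoftTenant = 'f8cdef31-a31e-4b4a-92ab-33d5ad75f3e3'                 # well-known tenant id of Microsoft first-party apps
$resourceCache   = @{}                                                    # resource SP id -> its appRoles, to avoid repeated lookups

$report = foreach ($sp in Get-MgServicePrincipal -All -Filter "servicePrincipalType eq 'Application'") {
    if ($sp.AppOwnerOrganizationId -eq $microsoftTenant) { continue }    # skip Microsoft's own service principals

    # Delegated permissions: OAuth2 grants consented by a user ('Principal') or by an admin for everyone ('AllPrincipals')
    $grants         = @(Get-MgServicePrincipalOauth2PermissionGrant -ServicePrincipalId $sp.Id -All)
    $delegated      = @(($grants.Scope -join ' ') -split '\s+' | Where-Object { $_ } | Sort-Object -Unique)
    $adminConsented = @($grants | Where-Object ConsentType -eq 'AllPrincipals').Count -gt 0

    # Application permissions: app role assignments where this service principal is the principal.
    # The assignment only carries the role id, so resolve it against the resource's appRoles.
    $appRoles = @(foreach ($a in Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All) {
        if (-not $resourceCache.ContainsKey($a.ResourceId)) {
            $resourceCache[$a.ResourceId] = (Get-MgServicePrincipal -ServicePrincipalId $a.ResourceId -Property AppRoles).AppRoles
        }
        $role = $resourceCache[$a.ResourceId] | Where-Object Id -eq $a.AppRoleId
        if ($role) { $role.Value }
    })

    $owners   = @(Get-MgServicePrincipalOwner -ServicePrincipalId $sp.Id -All)
    $allPerms = $delegated + $appRoles
    $hasWrite = @($allPerms -match $writePattern).Count -gt 0

    [pscustomobject]@{
        DisplayName      = $sp.DisplayName
        AppId            = $sp.AppId
        Owners           = $owners.Count
        DelegatedScopes  = $delegated -join ' '
        ApplicationRoles = ($appRoles | Sort-Object -Unique) -join ' '
        # Orphaned: no named owner. High risk: write access that reaches beyond a single user's own consent
        Orphaned         = $owners.Count -eq 0
        HighRisk         = $hasWrite -and ($appRoles.Count -gt 0 -or $adminConsented)
    }
}

$report | Export-Csv -Path .\entra-app-inventory.csv -NoTypeInformation
$report | Where-Object { $_.Orphaned -or $_.HighRisk } |
    Sort-Object HighRisk, Orphaned -Descending |
    Format-Table DisplayName, Owners, Orphaned, HighRisk, ApplicationRoles, DelegatedScopes -AutoSize
```

The CSV is the baseline for ownership assignment and review scheduling; rows with Orphaned set are the immediate flags, and rows with HighRisk set are the candidates for the more frequent review cadence.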
6. How TeamsFox Surfaces Entra ID Governance Gaps Across Your Tenant
TeamsFox provides tenant-wide visibility into Entra ID application registrations, OAuth consent grants, and permission scopes alongside the rest of the Microsoft 365 estate. Orphaned applications (those with no recent activity and no active owner) are surfaced automatically. Applications with high-risk permission combinations (write access combined with broad scope) are flagged for review.
The connection to licence management is also visible: applications that are no longer in use often correspond to lapsed vendor subscriptions or completed projects, creating an opportunity to reclaim both the access and any associated licence costs.
For IT security teams and CISOs assessing their exposure, a free Microsoft 365 tenant analysis from TeamsFox shows the current Entra ID application estate, including permission scope, activity status, and ownership gaps, without requiring any configuration changes or agent installation.
About TeamsFox
TeamsFox is the Microsoft 365 governance and optimisation platform that gives IT and security teams real-time visibility into licence usage, Entra ID access risk, storage waste, and agent sprawl. Headquartered in Düsseldorf and trusted in 20+ countries, TeamsFox helps organisations reduce Microsoft 365 licence spend by up to 30%, cut storage costs by 40%, and close governance gaps before they become breaches.