App Governance

How IdentityOps monitors, scores, and surfaces risk across every app registration and service principal in your Microsoft Entra tenant.

Applies to: All plans
Module: App Governance

What the Apps page shows

The Apps page lists every app registration and service principal in your tenant. Each app is assigned a composite risk score from 0 to 100, and apps are categorized by lifecycle stage so you can focus on what needs attention first.

Scores update with each scan. When something changes — a credential expires, an owner is removed, a new permission is granted — the score adjusts automatically and the change is logged.

Understanding risk scores

Every app receives a composite score from 0 to 100 based on weighted signals. The score is fully deterministic — not AI or LLM generated. Every point in the score traces directly to a computed field, so you can always understand exactly why an app scored the way it did.

Scoring signals

Credential health: Expired secrets or certificates, credentials approaching expiry within 30 days.
Ownership: No owners assigned increases risk significantly. A single owner is a moderate risk (bus-factor of one).
Permission scope: High-privilege API permissions like Directory.ReadWrite.All, Mail.ReadWrite, or RoleManagement.ReadWrite.Directory increase the score.
Activity: Unused apps with high permissions represent dormant risk — elevated privilege with no justification.

Risk levels

Scores are grouped into four risk levels, each with a distinct color throughout the interface.

Level      Score range   Meaning
CRITICAL   75–100        Immediate attention required. Multiple high-severity findings.
WARNING    40–74         Moderate risk. One or more findings that should be addressed.
INFO       1–39          Low-severity findings. Informational, no urgent action needed.
HEALTHY    0             No findings detected. App is well-maintained.

Lifecycle stages

Every app is assigned a lifecycle stage. Apps move between stages automatically as scans detect changes, and every transition is logged in the activity trail.

1. Active: App is in active use with recent credential activity or sign-ins.
2. At Risk: App has risk findings that need attention (expired credentials, missing owners, etc.).
3. Ownerless: No owners assigned. Nobody is accountable for this app registration.
4. Cleanup: Marked for cleanup by an admin. Pending removal or archival.
5. Archived: Soft-archived. Retained for the audit trail but no longer actively monitored.

Risk findings

Each app receives specific findings based on what IdentityOps detects during a scan. Findings are the individual issues that contribute to the composite risk score.

Expired credentials: Secrets or certificates that have passed their expiry date. These may cause app failures and indicate neglected lifecycle management.
No owners assigned: The app has no designated owners in Entra ID. If something breaks or needs rotating, there is nobody accountable.
High-privilege API permissions: Write scopes, admin-level access, or permissions that exceed what the app likely needs (e.g., Directory.ReadWrite.All on a reporting app).
Permission drift: New permissions added since the last scan that were not present before. May indicate unauthorized scope expansion.

IdentityOps Recommendation

If more than 10% of your app registrations are ownerless, remediation should be prioritized before Conditional Access tuning. Ownership gaps create blind spots that CA policies cannot compensate for.

Risk explanations

Every app gets a plain-English risk explanation describing why it scored the way it did and what to do about it. These are generated from deterministic templates — no LLM, no external API calls. Each sentence in the explanation traces to a specific computed field, so you can always verify the reasoning.

Example explanation: “This app has 2 expired client secrets and no assigned owners. It holds Directory.ReadWrite.All permission but has had no sign-in activity in 90 days. Consider rotating credentials and assigning an owner, or archiving the app if it is no longer needed.”
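To make the scoring model above concrete, here is an added illustration (not IdentityOps' own code) of a deterministic scorer in the shape the page describes: the four signals, the four level thresholds, and an explanation built from templates rather than an LLM. The point weights, the App record, the sample app and the fixed scan date are assumptions; the 30-day expiry window, the 90-day dormancy threshold and the named scopes come from the page.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Set, Tuple

# Stated on the page: 30-day expiry window, 90 days without sign-ins, these high-privilege scopes.
EXPIRY_WINDOW_DAYS = 30
DORMANT_DAYS = 90
HIGH_PRIVILEGE = {"Directory.ReadWrite.All", "Mail.ReadWrite", "RoleManagement.ReadWrite.Directory"}

@dataclass
class App:  # assumed shape of one app registration / service principal record
    name: str
    credential_expiries: List[date]  # expiry date of each client secret or certificate
    owners: List[str]
    permissions: Set[str]
    last_sign_in: Optional[date]     # None = no sign-in ever recorded

def score_app(app: App, today: date) -> Tuple[int, List[str]]:
    """Return (composite score 0-100, findings). Point weights are assumed, not IdentityOps' own."""
    score, findings = 0, []
    expired = [d for d in app.credential_expiries if d < today]
    expiring = [d for d in app.credential_expiries if today <= d <= today + timedelta(days=EXPIRY_WINDOW_DAYS)]
    if expired:
        score += 25; findings.append(f"{len(expired)} expired credential(s)")
    if expiring:
        score += 10; findings.append(f"{len(expiring)} credential(s) expiring within {EXPIRY_WINDOW_DAYS} days")
    if not app.owners:
        score += 25; findings.append("no owners assigned")
    elif len(app.owners) == 1:
        score += 10; findings.append("single owner (bus-factor of one)")
    high = sorted(app.permissions & HIGH_PRIVILEGE)
    if high:
        score += 25; findings.append("high-privilege permissions: " + ", ".join(high))
        if app.last_sign_in is None or (today - app.last_sign_in).days >= DORMANT_DAYS:
            score += 15; findings.append(f"no sign-in activity in {DORMANT_DAYS} days (dormant privilege)")
    return min(score, 100), findings

def risk_level(score: int) -> str:
    return "CRITICAL" if score >= 75 else "WARNING" if score >= 40 else "INFO" if score >= 1 else "HEALTHY"

def explain(app: App, today: date) -> str:
    # Deterministic template: every clause maps to a computed finding, no LLM involved.
    score, findings = score_app(app, today)
    summary = "; ".join(findings) if findings else "no findings detected"
    return f"{app.name}: {risk_level(score)} ({score}). {summary[0].upper() + summary[1:]}."

# Constructed sample: two expired secrets, no owners, a directory-write scope, no sign-in for months.
TODAY = date(2024, 6, 1)
SAMPLE = App("reporting-app", [date(2024, 1, 15), date(2024, 3, 1)], [],
             {"Directory.ReadWrite.All", "User.Read"}, date(2024, 2, 1))
```

Calling `explain(SAMPLE, TODAY)` yields a CRITICAL verdict whose every clause can be traced back to one computed field, which is the property the page claims for its own explanations.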

Actions you can take

IdentityOps is read-only — it never writes to your tenant. Actions either link you to the right place in Entra or record decisions within IdentityOps for your team's audit trail.

Assign owner: Opens a direct link to the app registration in the Entra Admin Center so you can assign an owner.
Acknowledge a finding: Mark a finding as reviewed. Tracks who acknowledged it and when, so your team has an audit trail.
Export findings: Download a CSV of all findings for the app or across all apps for compliance reporting.
Move lifecycle stage: Manually move an app to Cleanup or Archive to signal intent to your team.

Where teams usually go next

Review License Governance findings
Set up daily scans for drift detection
Enable Pro remediation guidance