Khurram, a key member of the internal App Governance assessment team at Microsoft, joins the show to pull back the curtain on how Microsoft manages application security at a massive corporate scale and the rigorous internal security measures Microsoft employs to protect its corporate Entra ID tenant from risky applications.
In this deep dive, Khurram reveals Microsoft’s custom-built App Governance blueprint. He details the process for reviewing and consenting to the hundreds of new application requests the organization receives monthly.
Key Takeaways
Permission Risk Rating: Learn how Microsoft’s team assesses and assigns a severity rating—Low, Moderate, Important, or Critical—to permissions. This rating is based on the permission’s capability, whether it’s delegated or application, and its potential for PII exposure (e.g., Application permission or a
.allscope will score higher).The Weighting Model: Discover how the Microsoft app assessment team has proactively risk-rated between 3,000 and 3,500 permissions. This approach dictates when an app is automatically approved (for low-risk requests like
User.Read) versus when it is flagged for manual, scenario-based review.Holistic Risk Review: Khurram explains how the app’s overall risk is calculated beyond just permissions. This includes mandatory security controls like banning high-risk reply URLs (e.g.,
azurewebsites.netandaka.ms) , enforcing the use of certificates over secrets , and requiring multiple owners.Multi-Team Veto Power: Understand the critical approval workflow where requests for higher-risk permissions are routed to specific organizational data owners (like the DLP, Identity, or Exchange teams). All teams must approve the request as a whole, giving each team a critical veto power over access to their services.
Subscribe with your favorite podcast player or watch on YouTube 👇
About Khurram Chaudhary
Khurram is a Principal Security Assurance Eng on the internal assessment team at Microsoft. He specializes in App Governance and was instrumental in developing the systems and risk-rating methodologies used to manage thousands of application requests within Microsoft’s corporate tenant.
🔗 Related Links
Entra Application Management - https://learn.microsoft.com/en-us/entra/identity/enterprise-apps
Sponsored by:
Shadow IT and SaaS sprawl are outpacing IT teams
It can feel impossible to tackle these app governance challenges:
📦 Entra ID isn’t secure by default
💥 SaaS adoption & sprawl isn’t slowing down
⌨️ Citizen Development keeps rising (hello, Copilot Studio!)
🗑️ Vendors often don’t remove apps after uninstall
🔃 Offboarding is inconsistent or doesn’t happen at all
🥔 App governance is passed around like a hot potatoENow AppGov Score shines a light on lurking risks, providing a free App Governance Benchmark Report for your Entra tenant. Reclaim control and protect against breach & disruptions. Free upgrade to Standard Tier for 7 days once you get your score.
📗 Chapters
01:21 The Shift to Admin Consent
03:38 Factors for Reviewing App Risk
06:35 How We Rate Permission Severity
09:25 Automating Low-Risk Approvals
14:17 The Internal Review Workflow
21:40 The App Governance Scoring System
29:01 The Localhost Redirect Debate
39:35 Handling Stale Apps and Permissions
49:34 Advice for Identity Admins
Podcast Apps
🎙️ Entra.Chat → https://entra.chat
🎧 Apple Podcast → https://entra.chat/apple
📺 YouTube → https://entra.chat/youtube
📺 Spotify → https://entra.chat/spotify
🎧 Overcast → https://entra.chat/overcast
🎧 Pocketcast → https://entra.chat/pocketcast
🎧 Others → https://entra.chat/rss
Merill’s socials
📺 YouTube → youtube.com/@merillx
👔 LinkedIn → linkedin.com/in/merill
🐤 Twitter → twitter.com/merill
🕺 TikTok → tiktok.com/@merillf
🦋 Bluesky → bsky.app/profile/merill.net
🐘 Mastodon → infosec.exchange/@merill
🧵 Threads → threads.net/@merillf
🤖 GitHub → github.com/merill
