Entra ID Enterprise Applications Governance — SaaS Consent Controls and Inventory Cleanup
Document Type: Reference Report
Date: 2026-02-22
Author: Lucas Shin — Security Director
Related Context: [Domain Context] Security Architecture §2.6 (SaaS Category), §3.1 (M365 License-Security Control Architecture)
1. Purpose
This report documents two changes to Entra ID Enterprise Applications governance:
- User Consent → Admin Consent — Disable user-initiated OAuth consent; enable Admin Consent Workflow so that all new SaaS registrations require admin approval.
- Existing App Cleanup — Triage the 78 third-party apps currently registered (mostly via uncontrolled User Consent) and remove unused or legacy entries.
2. Consent Configuration
| Item | Current State | Target State |
|---|---|---|
| User Consent Setting | Allow user consent for all apps (presumed) | Do not allow user consent |
| Admin Consent Workflow | Disabled (presumed) | Enabled |
| Registered third-party apps | 78 | Approved business apps only |
| SaaS Inventory | Unmanaged | Category mapping complete |
3. App Triage
Reference: The full application inventory (78 apps), triage decisions (Active / Pending / Disable / Delete), owner, and user assignments are tracked in the Enterprise App Triage Worksheet below.
- Confirmed business SaaS assets are managed in the Information Asset Register with licence details in the License Inventory.
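As an added illustration (not part of this report or of any Microsoft tooling), the following Python applies the Active / Pending / Disable / Delete triage of section 3 to records shaped like the Microsoft Graph servicePrincipal and oauth2PermissionGrant resources, separating tenant-wide admin consent ("AllPrincipals") from per-user consent ("Principal") as in section 2. The sample apps, the grant records and the decision rules are constructed assumptions; fetching the real records from Graph is outside this snippet.

```python
from collections import defaultdict

# Constructed sample: four registered apps, shaped like Graph /servicePrincipals.
SERVICE_PRINCIPALS = [
    {"id": "sp-1", "displayName": "Approved CRM"},
    {"id": "sp-2", "displayName": "Mailbox Helper (user-added)"},
    {"id": "sp-3", "displayName": "Legacy Survey Tool"},
    {"id": "sp-4", "displayName": "Orphaned Registration"},
]

# Constructed sample shaped like Graph /oauth2PermissionGrants. consentType
# "AllPrincipals" is a tenant-wide admin grant; "Principal" is one user's consent.
GRANTS = [
    {"clientId": "sp-1", "consentType": "AllPrincipals", "principalId": None,
     "scope": "User.Read offline_access"},
    {"clientId": "sp-2", "consentType": "Principal", "principalId": "u-1",
     "scope": "User.Read Mail.ReadWrite"},
    {"clientId": "sp-2", "consentType": "Principal", "principalId": "u-2",
     "scope": "User.Read Mail.ReadWrite"},
    {"clientId": "sp-3", "consentType": "Principal", "principalId": "u-3",
     "scope": "User.Read"},
]
BROAD = ("Write", ".All")  # assumed markers for scopes too broad for user consent

def triage(service_principals, grants):
    """Return {displayName: (decision, user_count, scopes)} with assumed rules:
    admin-consented -> Active; user-consented with a broad scope -> Disable;
    other user-consented -> Pending; no grant at all -> Delete."""
    by_client = defaultdict(list)
    for g in grants:
        by_client[g["clientId"]].append(g)
    rows = {}
    for sp in service_principals:
        app_grants = by_client.get(sp["id"], [])
        scopes = sorted({s for g in app_grants for s in g["scope"].split()})
        users = {g["principalId"] for g in app_grants if g["consentType"] == "Principal"}
        if not app_grants:
            decision = "Delete"      # orphaned registration, nothing consented
        elif any(g["consentType"] == "AllPrincipals" for g in app_grants):
            decision = "Active"      # already admin-approved tenant-wide
        elif any(m in s for s in scopes for m in BROAD):
            decision = "Disable"     # user consent to broad scopes: block until reviewed
        else:
            decision = "Pending"     # low-privilege user consent: route to admin review
        rows[sp["displayName"]] = (decision, len(users), scopes)
    return rows

if __name__ == "__main__":
    for name, (decision, n, scopes) in triage(SERVICE_PRINCIPALS, GRANTS).items():
        print(f"{name:28} {decision:8} users={n} scopes={' '.join(scopes)}")
```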
4. Policy References
The analysis and recommendations in this report have been formally incorporated into ISMS policy documents:
- User Consent Controls / Asset Discovery: Asset Management & Information Classification Policy (SEC-POL-ASM-008) §4.3, §4.3.1
- SaaS Category Classification: SEC-POL-ASM-008 §3.5
- ISO 27001 Annex A Mapping: SEC-POL-ASM-008 §10 — A.5.9, A.5.10, A.5.12, A.5.13, A.5.14, A.8.26
[End of Report]