Version: Angophra

App Role Permissions

Menu path: Observe → Application Governance → App Role Permissions
URL: /en/insights/dashboard/appGov/api-permissions

Purpose

The App Role API Permissions page analyses the application-level (daemon) permissions granted to applications in your Entra ID tenants. Application permissions - also called "app roles" - are granted by an administrator to allow an application to access APIs (primarily Microsoft Graph) directly, without a user present. This is also known as app-only or daemon access.

Application permissions are among the most powerful permissions in an Entra ID tenant. An application with User.ReadWrite.All can read and modify every user in your directory. An application with AppRoleAssignment.ReadWrite.All can assign permissions to any application. These are not permissions to be granted casually - each one represents a significant amount of trust placed in that application and its credentials.

This page shows the good (low-risk permissions necessary for business operations), the bad (high-risk permissions that need justification and review), and the ugly (critical-risk permissions that represent the most powerful access in your tenant and must be carefully governed).


Filters

The page shows Microsoft Graph permissions by default; 12 further resource APIs are also available. Filters include: In Scope, Inactive, Unused, App Role, Data Source, Resource, and Risk Level.


Observation Cards

Removal Candidates by Risk

Chart type: Donut chart
What it shows: 6 inactive or unused applications grouped by their highest app-role risk level (High and Critical in the example).

Why it matters: An inactive application with High or Critical permissions is particularly dangerous. The application has powerful access but, because it is dormant, is not being actively monitored. If an attacker obtains the application's credentials, they can use those permissions with little chance of being noticed: nobody is watching an application that normally shows no activity, so the malicious activity may not stand out.

Permission Risk Distribution

Chart type: Donut chart
What it shows: 79 total app role permissions, distributed across Medium, High, and Critical risk levels.

Why it matters: This gives you a portfolio view of your permission risk. A predominance of Critical permissions means your applications have been granted extremely powerful access, increasing your blast radius if any application is compromised.


Charts

Permission Sprawl Over Time

Chart type: Area chart
What it shows: How the total count of application permissions has grown over time, broken down by risk level (Medium, High, Critical).

Why it matters: Permission sprawl means permissions accumulate over time without a corresponding removal process. If the critical and high-risk permission lines are consistently growing, it means your environment is accumulating more and more powerful application access without a corresponding review or reduction process. A well-governed environment would show permissions being removed as applications are decommissioned.

Monthly Permission Grant Activity

Chart type: Stacked bar chart
What it shows: The number of new permissions granted each month, by risk level.

Why it matters: Spikes in monthly grant activity correspond to application onboarding events. Large monthly grants of High or Critical permissions should be reviewed to ensure they were properly authorised (typically via admin consent in Entra ID).

Risk by Application

Chart type: Bar chart (top 50)
What it shows: Which applications hold the most critical permissions, ranked by their overall permission risk profile.

Why it matters: This chart identifies your highest-risk applications from a permission perspective. These are the applications where a credential compromise would cause the most damage. They should have the most rigorous security controls: frequent credential rotation, strong monitoring, access to secrets via Key Vault, and regular permission reviews.

Applications Granted App Roles

Chart type: Bar chart
What it shows: How widely used each specific app role (permission) is across the application estate.

Why it matters: Permissions that are widely granted across many applications indicate that permission is considered "normal" in your environment. Permissions that are very rarely granted but held by inactive applications may be candidates for removal - perhaps the permission was granted for a specific project and never removed.


The Permissions Table

Each row represents a single permission granted to an application:

  • Principal - The application holding the permission
  • Risk Level - Medium, High, or Critical
  • Value - The specific permission (e.g., User.ReadWrite.All, AppRoleAssignment.ReadWrite.All)
  • Resource - The API the permission is for (e.g., Microsoft Graph)
  • Granted Date - When the permission was administratively consented
  • Security ID - Your organisation's security review tracking reference (blank = no security review recorded)
  • Last Client Sign-In - When the application last authenticated

Understanding permission risk levels

Each risk level, with example app roles and why it matters:

  • Critical - Examples: AppRoleAssignment.ReadWrite.All, Directory.ReadWrite.All, UserAuthenticationMethod.ReadWrite.All. Why it matters: Can modify security controls, permissions, or authentication methods across the entire tenant. Compromise = full tenant takeover potential.
  • High - Examples: User.ReadWrite.All, Group.ReadWrite.All, Mail.Send, User.Invite.All, User.EnableDisableAccount.All. Why it matters: Can read or modify all user accounts, groups, send email as any user, or disable accounts. Significant blast radius.
  • Medium - Examples: User.Read.All, Directory.Read.All, AuditLog.Read.All, Application.Read.All. Why it matters: Read-only access to directory data or audit logs. Less destructive but still sensitive - can be used for reconnaissance or data exfiltration.
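As an added illustration (not code from the product itself), the following Python reproduces the risk classification from the table above and the two checks this page surfaces: the Removal Candidates by Risk grouping (inactive applications holding High or Critical roles) and the "Security ID: -" finding (Critical grants with no security review on record), run over constructed sample rows. The 90-day inactivity threshold and the rule that any unlisted app role counts as Medium are assumptions of this example.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional
# Risk tiers copied from the table above; an app role not listed here is
# treated as Medium (an assumption of this example, not a product rule).
CRITICAL = {"AppRoleAssignment.ReadWrite.All", "Directory.ReadWrite.All",
            "UserAuthenticationMethod.ReadWrite.All"}
HIGH = {"User.ReadWrite.All", "Group.ReadWrite.All", "Mail.Send",
        "User.Invite.All", "User.EnableDisableAccount.All"}
RANK = {"Medium": 0, "High": 1, "Critical": 2}

@dataclass
class Grant:  # one row of the permissions table
    principal: str                    # application holding the permission
    value: str                        # the app role, e.g. User.ReadWrite.All
    security_id: Optional[str]        # None, "" or "-": no security review recorded
    last_sign_in: Optional[datetime]  # None: the application has never signed in

def risk_level(value: str) -> str:
    return "Critical" if value in CRITICAL else "High" if value in HIGH else "Medium"

def risk_distribution(grants):
    """Grant counts per risk level, as on the Permission Risk Distribution card."""
    return dict(Counter(risk_level(g.value) for g in grants))

def removal_candidates(grants, now, inactive_days=90):
    """Apps idle for more than inactive_days (90 is an assumed threshold) that still
    hold High/Critical roles, keyed by their highest risk level (Removal Candidates card)."""
    highest = {}
    for g in grants:
        idle = g.last_sign_in is None or (now - g.last_sign_in).days > inactive_days
        lvl = risk_level(g.value)
        if idle and lvl != "Medium" and RANK[lvl] > RANK.get(highest.get(g.principal), -1):
            highest[g.principal] = lvl
    return highest

def unreviewed_critical(grants):
    """Critical grants with no Security ID on record (the 'Security ID: -' finding)."""
    return sorted((g.principal, g.value) for g in grants
                  if risk_level(g.value) == "Critical" and g.security_id in (None, "", "-"))
NOW = datetime(2025, 6, 1)  # constructed reference date
SAMPLE = [  # constructed sample grants, not data from any real tenant
    Grant("hr-sync-prod", "User.ReadWrite.All", "SEC-101", NOW - timedelta(days=2)),
    Grant("hr-sync-prod", "Directory.Read.All", "SEC-101", NOW - timedelta(days=2)),
    Grant("legacy-provisioner", "AppRoleAssignment.ReadWrite.All", "-", NOW - timedelta(days=400)),
    Grant("legacy-provisioner", "Mail.Send", "-", NOW - timedelta(days=400)),
    Grant("pilot-mfa-tool", "UserAuthenticationMethod.ReadWrite.All", None, None),
    Grant("reporting-bot", "AuditLog.Read.All", "SEC-207", NOW - timedelta(days=10)),
]
```

Running the checks over a real export of the permissions table only requires building Grant rows from the Principal, Value, Security ID and Last Client Sign-In columns.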

Key findings from the example data

Several critical findings are visible in the example:

  • Multiple production applications (Apporetum Integration, apporetum-prod-iwcum4x, Apporetum-prod-nmdakbh) hold AppRoleAssignment.ReadWrite.All - the most dangerous permission in a tenant, as it allows modifying any application's permissions
  • BeyondTrust - BeyondInsight holds UserAuthenticationMethod.ReadWrite.All - giving it the ability to reset MFA factors for any user
  • Test Directory Read Write All holds Directory.ReadWrite.All - the broadest possible directory access, equivalent to a super-admin
  • Applications with "Security ID: -" have no security review on record - these grants were made without a formal review process

For each Critical-risk permission grant:

  1. Verify it was approved through your formal admin consent process
  2. Confirm the business justification is still valid
  3. Check whether a lower-privileged permission could fulfil the same need
  4. Ensure the application's credentials are securely managed
  5. Set up monitoring/alerting for sign-in activity on these applications