Version: Angophra

Tagging Compliance

Menu path: Observe → Application Governance → Tagging Compliance
URL: /en/insights/dashboard/appGov/compliance

Purpose

The Tagging Compliance page assesses how well your application registrations meet the governance metadata requirements configured in Apporetum. "Tagging" in this context refers to the application properties and metadata that your organisation has decided are mandatory for a well-governed application - such as an Asset ID (linking the app to your CMDB or asset register), a Security ID (linking to a security review), a Ticket ID (linking to a change management record), and an SSO mode configuration.

An application that is missing this metadata cannot be properly governed, audited, or owned - it is effectively "dark matter" in your application estate. This page shows the good (audit-ready applications passing all checks), the bad (recently created apps that haven't been brought into compliance yet), and the ugly (the majority of the estate that has never been tagged and has unresolved compliance gaps).

Key finding in the example environment: Zero out of 657 applications pass all compliance checks. Every single application in this environment is non-compliant. This is the "ugly" - it represents a governance programme that has not yet been able to bring its application estate into compliance.


Observation Cards

Total Managed Applications

What it means: The total count of service principals (applications) in your Entra ID tenants that Apporetum is tracking. This is your universe for compliance reporting.

New Apps (Last 12 Months)

What it means: Applications created in the last 12 months that may need compliance review. New applications are often the ones that should be easiest to get into compliance - they are recent enough that the owners and creation context are known. If newly created applications are immediately non-compliant, it suggests your onboarding process does not enforce tagging before an application goes into service.

SSO-Enabled New Apps

What it means: Of the recently created applications, 4 have a delegated SSO sign-in configured. These are applications where users authenticate through Entra ID - they represent user-facing applications and should have the most rigorous governance review.

Audit-Ready Applications

What it means: The number of applications passing all compliance checks. Zero means no application in the estate meets the full set of governance requirements. This is a critical baseline measure for your application governance programme - the goal is to drive this number towards 100% of in-scope applications.


Charts

Compliance Posture Overview

Chart type: Donut chart
What it shows: 657 total applications, with the non-compliant segment shown in red (100% in this example).

Why it matters: This is the stark visualisation of your compliance posture. A fully red donut means every application is non-compliant. As your governance programme matures, you would expect to see a growing green (compliant) segment.

Compliance Gaps by Onboarding Year

Chart type: Bar chart
What it shows: Non-compliant applications grouped by the year they were onboarded (created in Entra ID).

Why it matters: This chart identifies the age of the compliance backlog. If the tallest bars are for older years, you have a significant legacy remediation challenge - applications that have been running for years without governance metadata. If recent years dominate, your onboarding process is the problem. Typically, older years have the largest backlogs because they predate governance programmes.

What to do: Use this chart to prioritise your compliance remediation programme. Start with the most recent years (where owners are easiest to identify) and work backwards, or start with the highest-risk applications regardless of age.


The Compliance Table

The table lists all applications with their compliance status and key metadata:

  • Display Name - Application name
  • Created - When the application was created in Entra ID
  • Asset ID - Your organisation's asset/CMDB identifier (blank = not set)
  • Ticket ID - The change management ticket for this application (blank = not set)
  • SSO Mode - The configured sign-in mode (oAuth, saml, or blank = not configured)
  • Last Activity - Most recent sign-in date
  • SP Compliance - "Non-Compliant" or "Compliant"

Using the table

Sort by "Created" descending to see the newest applications first - these should be your easiest wins for compliance. Use the "Asset ID", "Is Compliant", "Security ID", and "Ticket ID" filters to focus on specific gaps. Applications with an SSO Mode configured but no Asset ID or Ticket ID are in use but ungoverned - these should be prioritised for tagging.

The "Is Compliant" filter is particularly useful: filtering to Non-Compliant will show you all the work to be done, while filtering to Compliant (when some exist) shows you the pattern to replicate.
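
The triage described above can be reproduced offline against a copy of the table. The following is an added example, not Apporetum's own code: the CSV column names, the sample rows, the `assess` and `missing_tags` helpers, and the assumption that the mandatory set is exactly Asset ID, Security ID, Ticket ID and SSO Mode are all illustrative.

```python
import csv
import io
from collections import Counter

# Constructed sample rows; column names mirror the table on this page and are
# an assumption about any export, not Apporetum's documented format.
SAMPLE_CSV = """Display Name,Created,Asset ID,Security ID,Ticket ID,SSO Mode,Last Activity
HR Portal,2025-03-14,,,,saml,2025-06-01
Payroll API,2019-07-02,,,,,
Expenses,2024-11-20,A-1001,S-77,CHG-4410,oAuth,2025-05-28
Legacy Sync,2019-01-15,A-0042,,,,2021-02-10
Field Service,2025-01-09,A-1188,,,oAuth,2025-06-03
"""

# Assumed mandatory set: the four properties the page gives as examples.
REQUIRED = ("Asset ID", "Security ID", "Ticket ID", "SSO Mode")


def missing_tags(row):
    """Return the mandatory properties that are blank for one application."""
    return [f for f in REQUIRED if not (row.get(f) or "").strip()]


def assess(csv_text):
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    for row in rows:
        row["gaps"] = missing_tags(row)
    non_compliant = [r for r in rows if r["gaps"]]
    # Backlog age: non-compliant apps grouped by creation (onboarding) year.
    by_year = Counter(r["Created"][:4] for r in non_compliant)
    # In use but ungoverned: SSO mode set, Asset ID or Ticket ID blank.
    priority = [r for r in non_compliant
                if "SSO Mode" not in r["gaps"]
                and ({"Asset ID", "Ticket ID"} & set(r["gaps"]))]
    priority.sort(key=lambda r: r["Created"], reverse=True)  # newest first
    return {
        "total": len(rows),
        "audit_ready": len(rows) - len(non_compliant),
        "gaps_by_year": dict(sorted(by_year.items())),
        "priority": [(r["Display Name"], r["gaps"]) for r in priority],
    }


if __name__ == "__main__":
    report = assess(SAMPLE_CSV)
    for key, value in report.items():
        print(key, value)
```
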