What happens when users can consent to almost anything across more than 3,000 Entra ID enterprise applications? Over the course of this session, we’ll share how we turned a “permissions wilderness” into a governed, secure, and manageable application ecosystem. You’ll see how we built an application governance framework with executive sponsorship, clear ownership, and tools and processes that reduced risk and Global Admin workload while improving response times to access requests.  We’ll go through building an application governance charter, using App Risk Scores to evaluate apps and consent requests, and triaging existing apps to eliminate the “Unholy Trio”: the unused, the overly permissioned, and the unevaluated. We’ll also show how Custom Security Attributes help apply Conditional Access at scale and clarify the difference between application and delegated permissions—and between user-level and tenant-wide consent—so you can bring order to your own app landscape.