
August 21, 2025

Application Permission Defaults – preventing Shadow-IT

 

Microsoft recently introduced Application Permission Defaults, a change under which only administrators can grant permissions to apps in Microsoft 365. Users are no longer allowed to do this themselves.

📅 The rollout started July 15, 2025 and affects all new tenants as well as existing high-risk environments.

This change is no small thing. In our poll on LinkedIn, we asked IT professionals what causes them the most headaches when users are allowed to approve apps themselves. The results:

  • ❗ Insecure apps active – 45%

  • 🔐 Data outside policy – 28%

  • 🌫️ Shadow-IT everywhere – 17%

  • 🚫 No view of access – 10%

The concerns are clear: uncontrolled access leads to risks to data, security and compliance.

💡 What are Application Permission Defaults?

Application Permission Defaults are default settings in Microsoft 365 that determine who can grant access to third-party apps within the tenant.

Previously: Users could grant apps access to corporate data (such as email, files, Teams) themselves.
As of now: Only administrators may do this, unless configured otherwise.

For Dutch organizations, this means:

  • No proliferation of unverified apps

  • Reduced risk of data breaches and Shadow-IT

  • A better grip on compliance (AVG, NEN7510)

This change is not optional. Every organization with a Microsoft 365 tenant faces it.

 

🛠️ How do you successfully implement this change?

✅ Step 1: Inventory current permissions

  • Use Microsoft Cloud App Security to discover which apps have access.

  • Prioritize apps with access to mailboxes, files and user profiles as the highest risk.

✅ Step 2: Shadow-IT mapping

  • Monitor apps used outside of IT (via firewall logs or CASB).

  • Link user feedback to actual usage.

✅ Step 3: Centralize approval via admin workflows

  • Activate the “admin consent workflow” in Azure AD.

  • Establish unified policies for different app categories (CRM, marketing, AI, etc).

✅ Step 4: Communication and training

  • Inform users why app permissions are changing.

  • Provide a list of approved alternatives.

  • Train IT support on the new request process.

✅ Step 5: Continuous monitoring and optimization

  • Use audit logs in Microsoft 365.

  • Schedule quarterly reviews on all third-party apps.
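The inventory in Step 1 and the consent setting described in Steps 3 and 5 can be checked from one script. The example below is added here and is not ALTA-ICT's or Microsoft's own code; it assumes the Microsoft Graph PowerShell SDK is installed and the signed-in account holds the listed scopes, and it only changes the tenant when the hypothetical `$ApplyRestriction` flag is set to `$true`.

```powershell
# Added example (not from the original article): list delegated permission
# grants, flag user-consented grants that touch mail, files or profiles,
# and show/set the tenant's user-consent default.
$ApplyRestriction = $false   # assumption: set to $true to disable user consent

Connect-MgGraph -Scopes "Directory.Read.All", "Policy.Read.All" -NoWelcome

# Scope prefixes treated as highest risk, per Step 1 (mailboxes, files, user profiles).
$HighRisk = '^(Mail|MailboxSettings|Files|Sites|User\.Read\.All|User\.ReadWrite|Directory)'

# Cache service principal names so we do not call Graph once per grant.
$spName = @{}
Get-MgServicePrincipal -All -Property Id,DisplayName,AppId |
    ForEach-Object { $spName[$_.Id] = $_.DisplayName }

# Each oauth2PermissionGrant is one consent record. ConsentType 'Principal'
# means a single user consented; 'AllPrincipals' means an admin consented
# on behalf of the whole tenant.
$report = Get-MgOauth2PermissionGrant -All | ForEach-Object {
    $scopes = ($_.Scope -split '\s+') | Where-Object { $_ }
    [pscustomobject]@{
        App         = $spName[$_.ClientId]
        Resource    = $spName[$_.ResourceId]
        ConsentedBy = if ($_.ConsentType -eq 'Principal') { 'user' } else { 'admin' }
        HighRisk    = @($scopes | Where-Object { $_ -match $HighRisk }) -join ' '
        Scopes      = $scopes -join ' '
    }
}

"== User-consented grants with high-risk scopes (review these first) =="
$report | Where-Object { $_.ConsentedBy -eq 'user' -and $_.HighRisk } |
    Sort-Object App | Format-Table App, Resource, HighRisk -AutoSize

# Full inventory for the quarterly review in Step 5.
$report | Export-Csv -Path .\app-consent-inventory.csv -NoTypeInformation

# Which permission-grant policies may ordinary users still use?
$policy   = Get-MgPolicyAuthorizationPolicy
$assigned = $policy.DefaultUserRolePermissions.PermissionGrantPoliciesAssigned
if (-not $assigned) { "User consent is already disabled (admin consent only)." }
else { "User consent policies in effect: $($assigned -join ', ')" }

if ($ApplyRestriction -and $assigned) {
    # Remove all self-service consent policies: only admins can grant app permissions.
    Update-MgPolicyAuthorizationPolicy -AuthorizationPolicyId $policy.Id `
        -DefaultUserRolePermissions @{ PermissionGrantPoliciesAssigned = @() }
    "User consent disabled; enable the admin consent workflow so requests reach IT."
}
```

Run it read-only first and review the CSV before setting the flag, since disabling user consent without the admin consent workflow in place leaves users with no way to request an app.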

 

⚠️ Dutch challenges in app permissions management

  1. AVG compliance risks
    Consent by users undermines “Privacy by Design” principles.

  2. Shadow-IT culture
    Many SMB organizations use tools like Slack, Notion or Dropbox without IT insight.

  3. No centralized app governance
    In many organizations, there is no clear list of approved tools or criteria.

  4. IT departments overloaded
    Managing dozens of approval requests requires capacity and standardization.

  5. Lack of user awareness
    Users often think “I’m just doing my job” – but underestimate the risks.

 

📈 ROI of central app management

✔️ Fewer data breaches and compliance fines
✔️ Fewer support tickets due to faulty apps
✔️ Less vendor lock-in and license waste
✔️ More control over data and workflows
✔️ Better audit score for ISO27001/NEN7510

An average organization with >100 users saves thousands of dollars annually by centrally managing app approval.

 

🟪 ALTA-ICT: Our approach to controlled app use

At ALTA-ICT we ensure that your organization meets the latest Microsoft standards and Dutch compliance requirements:

✅ Only secure, authenticated apps via admin approval
✅ Shadow-IT detection and prevention
✅ Permission by group and role management
✅ Logging and auditing at NEN7510 level
✅ Full guidance from implementation to adoption

Our approach is ISO27001, ISO9001 and NEN7510 certified.

 

❓ Frequently asked questions (FAQ)

What is the difference between user and admin consent?
User consent lets end users approve apps themselves; admin consent shifts this decision to the IT administrator.

Can I make exceptions by group?
Yes, through Azure AD Conditional Access and group-based policies.

What if I already have hundreds of approved apps?
In that case, a cleanup audit is highly recommended. We offer a free audit.

Is this mandatory?
New tenants already have this active by default. Existing tenants with risk are migrated.

Does ALTA-ICT also support the technical implementation?
Yes indeed – including configuration, training and documentation.

 

🔚 Conclusion: More control, less risk

Microsoft’s new Application Permission Defaults are not a restriction – but an opportunity. An opportunity to regain control, reduce risk and professionalize IT security.

ALTA-ICT helps you with a manageable transition: from Shadow-IT to a secure, controlled digital work environment.

 

📞 Schedule your free app audit today

🔍 Receive an audit report of all allowed apps
📞 Free 30-minute consultation with an ALTA security specialist
🌐 Visit: alta-ict.co.uk/ModernWorkplace

 

Reference

¹https://www.linkedin.com/posts/altaict_mkb-msp-microsoft365-activity-7354374855716208641-8YjH
