Policies
As application portfolios grow, manual governance becomes impossible. Without enforced standards, applications lose their owners, integrations sit unused consuming licenses, and your Entra ID tenant fills with unaccountable, potentially risky applications that nobody maintains.
The business problem:
- Hundreds or thousands of applications without consistent governance
- No enforcement mechanism for ownership requirements
- Unused applications waste licenses and increase attack surface
- Manual compliance checks don't scale
- Inconsistent standards across different application types
- No automated escalation when applications fall out of compliance
Benefits
Policy-based governance delivers automated compliance at scale:
✅ Enforce ownership standards - Ensure every application has required owners
✅ Identify unused applications - Automatically detect dormant integrations
✅ Reduce manual oversight - Automated daily compliance checks replace manual audits
✅ Support risk management - Enforce stricter rules for critical applications
✅ Optimize license costs - Find and remove unused SaaS integrations
✅ Enable scalable governance - Manage thousands of applications with consistent rules
✅ Provide audit evidence - Demonstrate automated compliance enforcement
✅ Integrate with ITSM - Trigger tickets and workflows for non-compliant apps
How policies work
As environments grow, application management can quickly become inconsistent without clear standards. Policies allow administrators to define and enforce those standards, ensuring that applications remain owned, accountable, and actively used.
In EasyLife 365 Identity, a policy is a set of rules that applications must comply with. Policies help prevent neglected applications and support governance at scale.
This section explains:
- What policies are and why they matter
- Which rules are available
- How compliance is evaluated
- What happens when applications are not compliant
What is a policy
A policy is a collection of compliance rules evaluated against applications.
Policies answer questions such as:
- Does every application have enough owners?
- Is someone accountable from a technical and business perspective?
- Is an application still actively used?
Policies are defined and managed by administrators and can be applied selectively or globally.
Policy rules
Each policy consists of one or more rules. An application is considered compliant only if it satisfies all rules defined in the policy.
Available rules
| Rule | Plan | Description |
|---|---|---|
| Minimum application owner | Basic, Professional | Requires an application to have at least X application owners sourced from Microsoft Entra ID. Ensures that full administrative responsibility is never concentrated in a single account or missing entirely. |
| Minimum technical owner | Basic, Professional | Requires an application to have at least X technical owners. Provides delegated operational coverage and ensures credentials and technical issues can be handled without granting full Entra ID ownership. |
| Minimum business owner | Basic, Professional | Requires an application to have at least X business owners. Establishes non-technical accountability and ensures every application has a clear business sponsor. |
| Activity rule (enterprise applications only) | Professional | Requires an enterprise application to have been signed in to within the last X days. Applies only to enterprise applications. Helps identify unused or obsolete integrations and supports cleanup and rationalization initiatives. |
Compliance evaluation
EasyLife 365 Identity performs daily compliance checks for all applications covered by a policy.
- Each rule is evaluated independently
- An application is marked as non-compliant if any rule fails
- Compliance status is continuously re-evaluated as application data changes
Notifications and escalation
When an application is found to be non-compliant, EasyLife 365 Identity initiates a controlled escalation process.
Owner notifications
- Initial warnings are sent to the application's owners
- Notifications are repeated based on administrator-defined intervals
- Notifications stop once the application becomes compliant again
Escalation actions
If an application remains non-compliant after a configurable number of notifications, escalation actions are triggered.
Administrators can configure one or more escalation actions:
- Email notifications sent to a specified email address
- Webhook calls to external systems
Escalation allows organizations to integrate policy enforcement with ticketing systems, automation workflows, or governance processes.
Policy configuration
Administrators can configure policy behavior in detail, including:
- Minimum number of required owners per role
- Activity time windows
- Number of notifications sent before escalation
- Time between successive notifications
This flexibility allows policies to be tailored to different application categories and risk profiles.
Policy assignment
Once created, policies can be applied in two ways:
- Explicit assignment: Administrators assign a policy to specific applications
- Default policy: A policy can be marked as the default and will apply to all applications without an explicitly assigned policy
This ensures that no application is left unmanaged, even as new apps are introduced.
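The evaluation, escalation and assignment behaviour described above, modelled in Python as an added example (not EasyLife 365 Identity's own code). The class, field and rule names are hypothetical, the sample data is constructed, and the model assumes one owner notification per daily check and that an enterprise application with no recorded sign-in fails the activity rule.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

@dataclass
class Policy:
    min_owners: dict                      # role -> required owner count
    activity_days: Optional[int] = None   # None: activity rule not configured
    notify_limit: int = 3                 # notifications before escalation

@dataclass
class App:
    enterprise: bool
    owners: dict                          # role -> current owner count
    last_sign_in: Optional[date] = None   # None: never signed in (assumed inactive)
    policy: Optional[str] = None          # explicit assignment, if any
    notified: int = 0

def failed_rules(app, pol, today):
    """Evaluate each rule independently; return the names of those that fail."""
    failed = [f"min_{role}_owner" for role, need in pol.min_owners.items()
              if app.owners.get(role, 0) < need]
    # Activity rule: enterprise applications only.
    if pol.activity_days is not None and app.enterprise:
        cutoff = today - timedelta(days=pol.activity_days)
        if app.last_sign_in is None or app.last_sign_in < cutoff:
            failed.append("activity")
    return failed

def daily_check(app, policies, default, today):
    """One daily run: returns (action, failed_rules) and updates the counter."""
    pol = policies[app.policy or default]   # explicit assignment wins, else default
    failed = failed_rules(app, pol, today)
    if not failed:
        app.notified = 0                     # notifications stop once compliant
        return "compliant", failed
    if app.notified >= pol.notify_limit:
        return "escalate", failed            # e.g. email or webhook action
    app.notified += 1
    return "notify_owners", failed

# Constructed sample data (not real tenant output).
POLICIES = {
    "default": Policy({"application": 1}),
    "critical": Policy({"application": 2, "technical": 1, "business": 1}, 90, 2),
}
TODAY = date(2025, 1, 31)
crm = App(True, {"application": 2, "technical": 1}, date(2024, 9, 1), "critical")
script = App(False, {"application": 1})
```

Listing every failed rule, rather than stopping at the first, gives owners a complete remediation list in a single notification.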
Policies provide the governance layer that complements expiration tracking, ownership, notifications, and tasks. Together, they help keep large Entra ID environments structured, accountable, and secure.