# Policy Best Practices
Follow these best practices to implement effective policy-based governance in your organization.
## Start with a lenient default policy
When first implementing policies, start with minimal requirements and gradually increase strictness:
Phase 1 (Initial deployment):
- Minimum 1 application owner
- 3 notifications, 7 days apart
- Email escalation to IT team
Phase 2 (After 30 days):
- Add technical owner requirement
- Maintain same notification schedule
- Monitor compliance rates
Phase 3 (After 60 days):
- Add business owner requirement for production apps
- Tighten notification intervals if needed
- Enable webhook escalation to ITSM
This gives teams time to adapt without disrupting operations.
## Configure notification intervals wisely
Configure notification intervals that give owners time to respond:
| Strategy | Configuration | Total time | Best for |
|---|---|---|---|
| Recommended | 3 notifications, 7 days apart | 21 days | Most organizations |
| Aggressive | 5 notifications, 3 days apart | 15 days | High-security environments |
| Lenient | 2 notifications, 14 days apart | 28 days | Transitioning to governance |
Consider your organization's responsiveness and change management culture when choosing intervals.
## Combine ownership and activity rules
For enterprise applications, use both rule types together for comprehensive governance:
Ownership rules ensure accountability:
- Someone is always responsible
- Contact information is current
- Administrative access is maintained
Activity rules identify optimization opportunities:
- Find unused integrations
- Reclaim licenses
- Reduce security risks
Example combined policy:
- Minimum application owner: 1
- Minimum technical owner: 1
- Activity rule: 90 days
- Notifications: 3, every 7 days
- Escalation: Create ServiceNow ticket
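To show how the combined policy above and the notification schedule from the intervals table fit together, here is an added Python example (not code from this product or its documentation). It encodes the example policy as data, checks an application record against both rule types, and derives the notification and escalation dates. The owner roles, the record fields and the rule that escalation fires once the last notification window closes (so 3 notifications 7 days apart give the table's 21 days) are assumptions made for this illustration; the sample applications are constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass
class Policy:
    name: str
    min_owners: Dict[str, int]            # owner role -> minimum count (roles assumed)
    activity_window_days: Optional[int]   # None = no activity rule
    notification_count: int
    notification_interval_days: int
    escalation: str


@dataclass
class AppRecord:
    app_id: str
    owners: Dict[str, List[str]]          # owner role -> people assigned
    last_activity: Optional[date]         # None = never seen active


# The combined policy from this section, expressed as data.
COMBINED_POLICY = Policy(
    name="Enterprise combined policy",
    min_owners={"application": 1, "technical": 1},
    activity_window_days=90,
    notification_count=3,
    notification_interval_days=7,
    escalation="Create ServiceNow ticket",
)


def ownership_findings(policy: Policy, app: AppRecord) -> List[str]:
    """One finding per owner role whose minimum is not met."""
    findings = []
    for role, minimum in policy.min_owners.items():
        have = len(app.owners.get(role, []))
        if have < minimum:
            findings.append(f"{role} owner: have {have}, need {minimum}")
    return findings


def activity_finding(policy: Policy, app: AppRecord, today: date) -> Optional[str]:
    """A finding when the app has been idle longer than the activity window."""
    if policy.activity_window_days is None:
        return None
    if app.last_activity is None:
        return "no recorded activity"
    idle = (today - app.last_activity).days
    if idle > policy.activity_window_days:
        return f"inactive for {idle} days (window {policy.activity_window_days})"
    return None


def notification_schedule(policy: Policy, detected_on: date):
    """Notification dates plus the escalation date. Assumption: each notification
    opens a window of `interval` days and escalation fires when the last window
    closes, so the total is count * interval (3 x 7 = 21 days, as in the table)."""
    step = timedelta(days=policy.notification_interval_days)
    notices = [detected_on + i * step for i in range(policy.notification_count)]
    escalation_on = detected_on + policy.notification_count * step
    return notices, escalation_on


def evaluate(policy: Policy, app: AppRecord, today: date) -> dict:
    """Apply both rule types; schedule notifications only when something fails."""
    findings = ownership_findings(policy, app)
    act = activity_finding(policy, app, today)
    if act:
        findings.append(act)
    result = {"app_id": app.app_id, "policy": policy.name, "compliant": not findings,
              "findings": findings, "notifications": [], "escalation_on": None,
              "escalation": None}
    if findings:
        notices, esc = notification_schedule(policy, today)
        result.update(notifications=[d.isoformat() for d in notices],
                      escalation_on=esc.isoformat(), escalation=policy.escalation)
    return result


def demo(today: date = date(2025, 3, 1)) -> Dict[str, dict]:
    """Constructed sample apps: one failing both rule types, one compliant."""
    stale = AppRecord("app-payroll-sync", {"application": ["alice"]},
                      today - timedelta(days=100))
    healthy = AppRecord("app-intranet", {"application": ["alice"], "technical": ["bob"]},
                        today - timedelta(days=10))
    return {a.app_id: evaluate(COMBINED_POLICY, a, today) for a in (stale, healthy)}


if __name__ == "__main__":
    for app_id, report in demo().items():
        print(app_id, report)
```

Keeping the ownership check and the activity check as separate functions lets a development/test policy reuse the same code with `activity_window_days=None`, which matches the exemption approach described later on this page.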
## Set realistic activity windows
Consider the application's actual usage pattern when setting activity rules:
| Usage pattern | Recommended window | Examples |
|---|---|---|
| Daily usage | 30-60 days | Email clients, productivity tools, dashboards |
| Weekly usage | 90 days | Reporting tools, internal portals |
| Monthly usage | 120-180 days | Batch jobs, scheduled tasks, periodic reports |
| Quarterly usage | 180-270 days | Compliance tools, audit applications |
False positives from overly aggressive thresholds reduce trust in the system.
## Communicate policy changes
Before activating a new policy or changing an existing one:
- Communicate the change to affected teams via email, Teams, or town halls
- Provide guidance on how to become compliant (documentation, training, office hours)
- Set a grace period for compliance (e.g., 30 days before enforcement begins)
- Monitor compliance rates and address common blockers
- Gather feedback and adjust policies based on real-world experience
Surprises create resistance. Transparency builds buy-in.
## Use different policies for different application types
Don't apply one-size-fits-all governance. Tailor policies to application characteristics:
### By sensitivity level
High-sensitivity applications (customer data, financial systems, HR):
- Minimum 2 application owners (redundancy)
- Business owner required
- Activity monitoring: 60 days
- Aggressive notification schedule
Standard applications (internal tools, reporting):
- Minimum 1 application owner
- Technical owner required
- Activity monitoring: 90 days
- Standard notification schedule
Development/test applications:
- Minimum 1 application owner
- No activity monitoring (frequently dormant)
- Lenient notification schedule
### By integration type
Third-party SaaS (Salesforce, ServiceNow):
- Business owner required (license accountability)
- Activity monitoring: 90 days
Service principals (automation, CI/CD):
- Technical owner required
- Activity monitoring: 180 days (batch jobs run infrequently)
Identity providers (SAML, OIDC):
- Multiple owners required
- Activity monitoring: 30 days (critical for authentication)
### By department
IT department:
- Technical owners emphasized
- Flexible activity windows
Business units:
- Business owner approval required
- Standard activity monitoring
DevOps teams:
- Technical owners required
- Longer activity windows for automation
## Integrate with ticketing systems
Use webhook escalation to create tickets in your IT service management system when applications remain non-compliant:
Benefits:
- Governance issues tracked systematically
- SLA accountability
- Audit trails
- Integration with existing workflows
Example integrations:
- ServiceNow: Create incident or change request
- Jira: Create issue in governance project
- Azure Logic Apps: Trigger automated remediation
- Power BI: Send data to compliance dashboard
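As an added illustration of the receiving side of a webhook escalation (example code, not part of this product or any ITSM vendor's client), the following Python handler verifies that the call really came from the governance tool, validates the payload, and maps it to ServiceNow-style ticket fields while keeping one open ticket per application and policy so that repeated escalations update the existing ticket instead of creating duplicates. The event field names, the HMAC signature header and the in-memory ticket sink are assumptions for this example; the page does not define the webhook schema, and the sample event is constructed.

```python
import hashlib
import hmac
import json
from typing import Dict, List, Tuple

# Shared secret agreed with the governance tool (constructed value; keep a real
# one in a secret store, never in source).
WEBHOOK_SECRET = b"constructed-example-secret"


def sign(body: bytes, secret: bytes = WEBHOOK_SECRET) -> str:
    """HMAC-SHA256 over the raw request body, hex encoded (assumed scheme)."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_signature(body: bytes, signature: str, secret: bytes = WEBHOOK_SECRET) -> bool:
    # Constant-time comparison so the check itself leaks nothing about the expected value.
    return hmac.compare_digest(sign(body, secret), signature or "")


class TicketSink:
    """Stand-in for an ITSM client (ServiceNow, Jira...). Keeps one open ticket per
    (app, policy) so a second escalation for the same finding updates it instead
    of opening a duplicate."""

    def __init__(self) -> None:
        self.tickets: List[dict] = []
        self._open: Dict[Tuple[str, str], int] = {}

    def create_or_update(self, key: Tuple[str, str], fields: dict) -> Tuple[int, bool]:
        if key in self._open:
            idx = self._open[key]
            self.tickets[idx]["updates"] += 1
            return idx, False
        self.tickets.append(dict(fields, updates=0))
        self._open[key] = len(self.tickets) - 1
        return self._open[key], True


# Assumed payload fields; the real product schema may differ.
REQUIRED_FIELDS = ("appId", "displayName", "policyName", "findings")


def handle_escalation(body: bytes, signature: str, sink: TicketSink) -> dict:
    """Authenticate, validate and file the escalation; never act on an unsigned call."""
    if not verify_signature(body, signature):
        return {"status": "rejected", "reason": "bad signature"}
    try:
        event = json.loads(body)
    except ValueError:
        return {"status": "rejected", "reason": "body is not JSON"}
    missing = [k for k in REQUIRED_FIELDS if k not in event]
    if missing:
        return {"status": "rejected", "reason": "missing fields: " + ", ".join(missing)}
    key = (event["appId"], event["policyName"])
    fields = {  # ServiceNow-style incident fields
        "short_description": f"App governance: {event['displayName']} "
                             f"non-compliant with {event['policyName']}",
        "description": "\n".join(f"- {f}" for f in event["findings"]),
        "category": "Governance",
        "cmdb_ci": event["appId"],
    }
    ticket, created = sink.create_or_update(key, fields)
    return {"status": "created" if created else "updated", "ticket": ticket}


# Constructed sample event (not a captured message from the product).
SAMPLE_EVENT_BODY = json.dumps({
    "appId": "00000000-0000-0000-0000-000000000001",
    "displayName": "Payroll Sync",
    "policyName": "Production App Registrations - High Security",
    "findings": ["technical owner: have 0, need 1", "inactive for 100 days (window 90)"],
}).encode()


if __name__ == "__main__":
    sink = TicketSink()
    print(handle_escalation(SAMPLE_EVENT_BODY, sign(SAMPLE_EVENT_BODY), sink))  # created
    print(handle_escalation(SAMPLE_EVENT_BODY, sign(SAMPLE_EVENT_BODY), sink))  # updated
    print(handle_escalation(SAMPLE_EVENT_BODY, "not-a-signature", sink))        # rejected
```

Deduplicating on the application and policy pair is what keeps the notification schedule (for example, three notifications seven days apart) from producing three tickets for one problem; the update count on the ticket still preserves the audit trail of each escalation.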
## Review non-compliant applications regularly
Schedule regular reviews of non-compliant applications:
Weekly: Check applications approaching escalation
- Identify blockers
- Offer assistance
- Escalate to management if needed
Monthly: Review all non-compliant applications
- Analyze trends
- Identify systemic issues
- Adjust policies if patterns emerge
Quarterly: Audit policy effectiveness
- Review compliance rates
- Assess notification response times
- Adjust rules based on organizational changes
## Handle false positives
Some applications may appear inactive even when they're needed:
Background services: May not generate sign-in events
- Solution: Create exemption policy with no activity rule
Emergency tools: Used rarely but must remain available
- Solution: Manual activity extension or longer activity window
Seasonal applications: Only used during specific periods
- Solution: Activity window longer than seasonal gap
Batch jobs: Run on schedules longer than activity threshold
- Solution: 180-270 day activity windows
Document exemptions and review them periodically to ensure they remain valid.
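The activity-window table earlier on this page and the false-positive cases in this section both come down to the same question: is the window longer than the longest gap between genuine uses? The added Python example below (not code from this product) answers it from an application's observed activity history: it measures the longest gap, counts how many days a given window would have wrongly flagged the app, and picks the smallest window from the page's recommended values that clears the gap with a safety margin, returning no window at all for exempt background services. The 25% margin, the 90-day fallback for apps with too little history, and the sample histories are constructed assumptions for this illustration.

```python
from datetime import date
from typing import Iterable, Optional

# Windows recommended by the usage-pattern table on this page, in days.
CANDIDATE_WINDOWS = (30, 60, 90, 120, 180, 270)


def longest_gap_days(activity_dates: Iterable[date]) -> Optional[int]:
    """Longest interval between consecutive observed activity dates, or None
    when fewer than two distinct dates are known."""
    ds = sorted(set(activity_dates))
    if len(ds) < 2:
        return None
    return max((later - earlier).days for earlier, later in zip(ds, ds[1:]))


def false_positive_days(activity_dates: Iterable[date], window_days: int) -> int:
    """Total days in the observed history on which the app would have been flagged
    inactive under `window_days` even though it was used again afterwards."""
    ds = sorted(set(activity_dates))
    return sum(max(0, (later - earlier).days - window_days)
               for earlier, later in zip(ds, ds[1:]))


def suggest_window(activity_dates: Iterable[date], exempt: bool = False,
                   margin: float = 0.25) -> Optional[int]:
    """Smallest candidate window that clears the longest observed gap plus a safety
    margin (assumed 25%). None means 'no activity rule', i.e. an exemption policy."""
    if exempt:
        return None
    gap = longest_gap_days(activity_dates)
    if gap is None:
        return 90  # too little history: fall back to the page's standard 90-day window
    needed = int(gap * (1 + margin)) + 1
    for window in CANDIDATE_WINDOWS:
        if window >= needed:
            return window
    return needed  # longer than any table value; use the computed minimum


# Constructed sample histories (not real telemetry).
SAMPLE_HISTORY = {
    # quarterly report: gaps of 91, 91 and 92 days, a classic 90-day false positive
    "seasonal_reporting": [date(2024, 1, 15), date(2024, 4, 15),
                           date(2024, 7, 15), date(2024, 10, 15)],
    "monthly_batch": [date(2024, m, 1) for m in range(1, 13)],
    "daily_dashboard": [date(2024, 6, d) for d in range(1, 31)],
    "emergency_tool": [date(2024, 2, 1)],      # used once; history is not enough to size a window
}


if __name__ == "__main__":
    for name, history in SAMPLE_HISTORY.items():
        print(f"{name}: longest gap {longest_gap_days(history)} days, "
              f"90-day window would misfire for {false_positive_days(history, 90)} days, "
              f"suggested window {suggest_window(history)}")
    print("background service:", suggest_window([], exempt=True))
```

Running the suggestion over a year of sign-in history before a policy goes live is a cheap way to find the seasonal and batch applications that a default 90-day window would flag, so they can be assigned a longer window or an exemption up front rather than after the first wave of false positives.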
## Maintain policy hygiene
Keep your policy configuration manageable:
Limit the number of policies:
- Too many policies are hard to maintain
- Aim for 3-7 policies per application type
- Use policy assignment strategies instead of creating many similar policies
Use descriptive names and documentation:
- Clear titles: "Production App Registrations - High Security"
- Detailed descriptions explaining purpose and scope
- Document assignment criteria
Review policies quarterly:
- Remove unused policies
- Consolidate similar policies
- Update rules based on organizational changes
## Related concepts
- Policies - Understand how policies work conceptually
- Ownership Rules - Detailed configuration for ownership rules
- Activity Rule - Detailed configuration for activity monitoring