Skip to main content

You Cannot Secure Software You Never Listed: Building the Approved Inventory Layer

Nick Ross4 min read

TL;DR

  • An approved software inventory is the baseline that lets you distinguish authorized from unauthorized software, which is a prerequisite for both zero-trust and incident investigation.
  • A vendor management policy splits vendors into low-risk, reviewed annually, and high-risk, vetted for SOC 2, encryption, and access controls and reviewed quarterly or biannually.
  • Microsoft 365 already maintains three application inventories: Entra enterprise apps, Defender vulnerability management, and Defender for Cloud Apps discovery.
  • Manually documenting governance is feasible for critical applications but not for the 100+ apps a typical organization runs, so the manual layer needs automated discovery behind it.
  • Poor software governance costs twice: redundant tool spend from sprawl, and exposure from applications with public exploits.

Ask a new client for their list of approved applications and watch the room go quiet. Between SaaS sprawl, missing governance, and users signing themselves up for tools nobody vetted, most organizations cannot say what software touches their data, let alone whether it should. That silence is where data leaks, unauthorized access, and exploitable software live.

This guide builds the foundational governance layer for software security using Microsoft 365 tools, a vendor management policy, and a sample software inventory template. It applies whether you are an IT leader, an MSP, or a business owner, and it is the first installment in a series on secure software inventory management, covering Layer 1 protections.

Layered model for secure software inventory management

Four questions that expose the governance gap

When onboarding a new customer or assessing your own posture, software inventory and governance basics come first. The diagnostic:

  • Is there a vendor management policy defining evaluation criteria for new software vendors?
  • Are periodic reviews happening to confirm applications remain secure and compliant?
  • Does a central inventory of approved software applications exist?
  • Can you distinguish authorized from unauthorized software on the network?

A maintained software inventory supports security investigations and reinforces zero-trust principles: only trusted applications run on the network, and even those stay monitored for risk.

The cost of skipping this is paid twice. On the business side, poor governance produces tool sprawl, redundant or unused applications quietly billing every month. On the security side, applications with public exploits or vulnerabilities hand attackers a path to compromise systems and run attacks like ransomware. A structured approach to software governance helps:

  • Reduce unnecessary software expenses
  • Minimize security vulnerabilities and attack surfaces
  • Prevent unauthorized applications from accessing sensitive business data

Sort vendors by risk, then review on a schedule

A vendor management policy defines how new software vendors get evaluated and how often they get re-reviewed. A workable classification:

  • Low-risk vendors: reviewed annually. Typically applications without access to critical business or customer data.
  • High-risk vendors: stricter vetting up front, including security certifications such as SOC 2, encryption standards, and strong access controls. Reviewed more frequently, quarterly or biannually.

Three screening questions place a vendor in a tier:

  • Will the vendor have direct access to company systems or software?
  • Will the vendor have access to customer or employee Personally Identifiable Information (PII) or Protected Health Information (PHI)?
  • Is the vendor critical to business operations?

Classifying by risk lets you spend security effort where it pays, instead of giving every tool the same once-over.

Vendor management policy template excerpt

Get the full vendor management policy template (opens in new tab)

The inventory record that anchors everything

The approved inventory itself can start as a simple spreadsheet or an automated system, as long as it captures the key details consistently:

Software inventory template columns

Get the full software inventory template (opens in new tab)

Document the governance layer manually for critical applications, but be honest about scale: running this process by hand for the 100+ applications a typical organization uses is not feasible. You still need to know what is on the network, which is where the inventories Microsoft 365 already maintains come in.

Three inventories Microsoft 365 already keeps for you

1. Enterprise (OAuth) apps

Enterprise applications list in the Entra admin center

Where: Entra Admin Center > Applications > Enterprise Applications

These apps typically hold API permissions into Microsoft 365. At the harmless end they enable SSO with Microsoft credentials; at the other end they carry excessive permissions into the environment. Attackers have used these apps, along with app registrations, to maintain persistence and extend attacks, so lock down who can register them and review the list over time. We cover the attack patterns and a hunting runbook in finding risky apps in Microsoft 365.

2. Defender vulnerability management

Software inventory in Defender vulnerability management

Where: Security Admin Center > Endpoints > Vulnerability Management > Inventories

Threat and vulnerability management with Defender for Business comes included in Business Premium. Whether or not Defender is your EDR, activating it on workstations provides an agentless software inventory with active vulnerability scanning across all of them.

3. Defender for Cloud Apps

Cloud Discovery dashboard in Defender for Cloud Apps

Where: Security Admin Center > Cloud Apps > Cloud Discovery

Cloud Discovery, also part of Business Premium, detects every application accessed over the network. It works when Defender is active on devices and can integrate with common networking appliances. This inventory is the most overwhelming of the three, which is why it sits last in priority. Its distinguishing feature is the ability to sanction or unsanction applications, marking them approved or unapproved, which improves tracking. A practical narrow focus: unapprove categories you never want in play, like third-party storage or webmail applications.

When the manual layer stops scaling

For automated software security assessments across customers, CloudCapsule scans Microsoft 365 tenants for security insights, software inventory tracking, and compliance mapping. The average tenant completes in around 90 seconds and returns a complete asset inventory of the environment.

CloudCapsule asset inventory results

Where this series goes next

The follow-up post covers the automation layer of software inventory management: autofilling inventory records from vendor requests, approval workflows in Microsoft Power Automate, and integrating security assessments into software governance. You can read it here: automating vendor onboarding requests.

The structured approach pays in three currencies at once: lower security risk, less wasted spend, and a software ecosystem you can actually answer questions about.

Frequently asked questions

Which questions decide whether a vendor is high risk?

Three screening questions do most of the work: will the vendor have direct access to company systems or software, will it touch customer or employee PII or PHI, and is it critical to business operations. A yes on any of these pushes the vendor into the high-risk tier with stricter vetting and more frequent reviews.

Where do you start when an organization has no inventory at all?

Document the governance layer for critical applications first, using a vendor policy and inventory template. Then lean on the native Microsoft 365 inventories, Entra enterprise apps, Defender vulnerability management, and Defender for Cloud Apps, to discover what is actually in use before deciding what to approve.

What does sanctioning an app in Defender for Cloud Apps do?

Cloud Discovery lets you mark applications as sanctioned or unsanctioned, which gives you approval tracking inside the tool. A practical starting point is targeting specific categories you want unapproved, like third-party storage or webmail applications.

Get the full asset inventory without the spreadsheet archaeology

CloudCapsule scans a Microsoft 365 tenant in around 90 seconds and returns a complete asset inventory with security insights and compliance mapping, across every customer you manage.

Run a free scan
Nick Ross

Written by

Nick Ross

CEO · Microsoft MVP · Founder, T-Minus 365

Nick is not just a CEO, he's a respected thought leader and influencer in the MSP space. Tens of thousands of MSPs learn through his YouTube channel, T-Minus365. Nick has been honored as a three-time Microsoft MVP for his educational content; his expertise and influence are the backbone of our mission, ensuring that you are in the best hands when it comes to security.

Nick joined Pax8 in 2017, where he would ultimately oversee product management for PSA and Microsoft integrations. Following his tenure at Pax8, Nick has continued to demonstrate his leadership prowess as an executive at various MSPs, culminating in his most recent role at Sourcepass.

Nick holds a Bachelor's Degree in Business Management from Florida State University, as well as a Minor Degree in Entrepreneurship. In his free time, Nick is an avid hiker, reader, and fitness-junkie.

Keep reading