Parts 1 and 2 of this series (Microsoft Entra extensibility is a gift. It is also Control Plane. and Securing the code that decides who Entra trusts) made two static decisions. Where the code lives: a dedicated Control Plane subscription, directly under the root management group or under a dedicated Control Plane management group, never in the platform identity subscription or an application landing zone. What credential it uses to call out: a managed identity by default, federated identity credentials when the call must leave Azure, certificates as a tolerated middle step, and static symmetric keys never.
Both decisions are one-time. You make them, you walk away, you do not touch them for months.
The third decision is not like that. It is continuous, and it is the one most teams quietly skip: how do you know the deployed code on that Function App is still the code your reviewers approved? How do you know the Logic App workflow definition has not been rewritten since last Tuesday? How do you know nobody added a federated identity credential to the managed identity at 3 a.m. on a Saturday?
The answer is monitoring. Not "we have Log Analytics turned on." Monitoring with a specific operating contract attached.






