Hi @Bob Pants
Thank you for reaching out!
I understand your concern about the default role on Enterprise app registrations and its security risk.
When you create a new Enterprise app registration in Azure, the "Cloud Application Administrator" role is assigned to the app registration by default. This role is a built-in role in Azure AD that allows managing the application registration itself, but it does not grant any permissions to the users or groups assigned to the application.
Users in the "Cloud Application Administrator" role are allowed to manage and configure the app registration, for example configuring SSO, assigning users and groups, changing its display name or updating its authentication settings.
The role assignment is not a security risk in itself, as it does not provide any elevated permissions to the users or groups assigned to the application.
References:
https://learn.microsoft.com/en-us/azure/active-directory/roles/delegate-app-roles
https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/hallelujah-azure-ad-delegated-application-management-roles-are/ba-p/245420
Thanks,
Akhilesh
Please Accept the answer if the information helped you. This will help us and others in the community as well.
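As an added check that is not part of the original answer: this PowerShell script (assuming the Microsoft.Graph PowerShell SDK is installed and the signed-in account can read directory roles and applications) lists the current holders of the Cloud Application Administrator role and the app registrations they own, so the reach of the role can be reviewed.

```powershell
# Added example (not from the original answer). Assumes the Microsoft.Graph
# PowerShell SDK is installed and the signed-in account can read directory roles
# and applications. Lists who holds Cloud Application Administrator and which
# app registrations each holder owns, so the role's reach can be reviewed.
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory','Application.Read.All','Directory.Read.All' -NoWelcome

# directoryRoles only lists roles that have been activated in the tenant, so an
# empty result means nobody has ever been assigned the role.
$role = Get-MgDirectoryRole -All |
    Where-Object { $_.DisplayName -eq 'Cloud Application Administrator' }

if (-not $role) {
    Write-Host 'Cloud Application Administrator has not been activated; no holders.'
    return
}

# Members can be users, groups or service principals; show type, id and a name.
$holders = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All
foreach ($m in $holders) {
    $type = $m.AdditionalProperties['@odata.type']
    $name = $m.AdditionalProperties['userPrincipalName']
    if (-not $name) { $name = $m.AdditionalProperties['displayName'] }
    Write-Host ("{0}`t{1}`t{2}" -f $type, $m.Id, $name)
}

# Cross-reference: which app registrations are owned by a role holder.
# Owners can change credentials and redirect URIs on their own apps regardless
# of the directory role, so both lists belong in the same review.
$holderIds = @($holders.Id)
Get-MgApplication -All | ForEach-Object {
    $app = $_
    $owners = Get-MgApplicationOwner -ApplicationId $app.Id -All
    $hits = $owners | Where-Object { $holderIds -contains $_.Id }
    if ($hits) {
        [pscustomobject]@{
            AppDisplayName = $app.DisplayName
            AppId          = $app.AppId
            OwnerIds       = (@($hits.Id) -join ', ')
        }
    }
} | Format-Table -AutoSize
```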