The entity access check in Mendix is a bit misleading in this sense. It’s guiding but it’s not entirely correct and trying to resolve all yellow marked modules doesn’t necessarily IMPROVE your security.

Some entities are used by the application only, and in this case that entity requires no user roles to have access.
However this type or kind of entity doesn’t get excluded out of this entity security overview and the check that marks the module yellow.
In this case the entities: AuthenticateEnvironmentRequest, MendixSSOSettings, UserProfile, TokenRefreshResponse, AppRole and AuthRequest are examples of that.

MendixSSO is a module provided by Mendix with platform support and it’s maintained by one of the Mendix teams.
The module should not be altered in any way. As stated in the comment above the entity model
”Internal Implementation (do not change)” 

This is generally the best practice by the way, to not alter any marketplace content modules, but instead extend them in your own modules, either through specializations or references.

I just found the answer. When adding the moduleSSO, there are entities that have no user role being able to, at least, read. What you have to do is, for example, give read access to the administrator role.

Steps:

1. Go to MendixSSO security/entity access. You see the list of entities and which module roles have access to them. Some entities must be missing
2. Click on new and check which of the entities you can select are not listed, select them and then choose administrator and give it a read access
3. Now all your entities of the MendixSSO have at least one role who can at least read

Done, security complete. I hope it helps

Check if there are other entities for which the access rules have not been setup for that module. That’s when Mendix will tell you that the module has incomplete entity access.

Hope this helps!