Why does Microsoft Defender for Cloud Apps mark some OAuth apps as ‘High Risk’ even when they come from trusted vendors?

Paulino Rod 20 Reputation points
2025-11-20T19:36:11.6566667+00:00

I’m noticing that in Microsoft Defender for Cloud Apps, several OAuth applications are being flagged as ‘High Risk’ even though they come from well-known vendors and have been in our tenant for a long time. The permissions don’t look unusual, and nothing was recently changed. Does anyone know what specific conditions trigger the ‘High Risk’ rating and how accurate this classification is? I’m trying to understand whether this is something we should treat as a real threat or simply a false positive.


Answer accepted by question author

Adam Zachary 2,265 Reputation points
2025-11-20T19:42:05.43+00:00

I’ve seen this happen before, and it’s usually not about the vendor being untrusted!

Defender for Cloud Apps rates OAuth apps mainly based on the permissions they request and how much access they could potentially have if misused. Even well-known apps can show up as ‘High Risk’ if they ask for broad scopes like reading mail, accessing files, or having offline access. It doesn’t always mean the app is unsafe, but it’s a good reminder to review the permissions and make sure the app is still needed.

In many cases it ends up being more of a caution flag than an actual threat.


1 person found this answer helpful.
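The review step the accepted answer recommends, as an added example that is not code from this thread or from Microsoft: it scores records shaped like Microsoft Graph `oauth2PermissionGrant` objects (the `clientId`, `consentType` and `scope` fields) so that apps holding broad delegated scopes such as mail, file or `offline_access` permissions, especially with tenant-wide consent, surface first. The scope weights and thresholds are an assumed local policy, not how Defender for Cloud Apps computes its rating, and the grants are constructed sample data.

```python
from dataclasses import dataclass, field

# Delegated scopes that give wide reach if the app or its token is misused.
# Weights are an assumed local policy, not Defender for Cloud Apps' model.
BROAD_SCOPES = {
    "Mail.Read": 3, "Mail.ReadWrite": 4, "Mail.Send": 4,
    "Files.Read.All": 3, "Files.ReadWrite.All": 4,
    "Directory.Read.All": 3, "Directory.ReadWrite.All": 5,
    "offline_access": 2,  # refresh token: access outlives the user session
}

@dataclass
class Finding:
    client_id: str
    score: int
    level: str
    reasons: list[str] = field(default_factory=list)

def score_grant(grant: dict) -> Finding:
    """Rate one record shaped like a Graph oauth2PermissionGrant object."""
    scopes = grant.get("scope", "").split()
    score, reasons = 0, []
    for s in scopes:
        if s in BROAD_SCOPES:
            score += BROAD_SCOPES[s]
            reasons.append(f"broad scope {s}")
    # Tenant-wide admin consent applies the scopes to every user.
    if grant.get("consentType") == "AllPrincipals":
        score += 2
        reasons.append("admin consent for all users")
    level = "high" if score >= 7 else "medium" if score >= 4 else "low"
    return Finding(grant["clientId"], score, level, reasons)

def triage(grants: list[dict]) -> list[Finding]:
    # Highest-scoring grants first, so reviewers start with the broad ones.
    return sorted((score_grant(g) for g in grants), key=lambda f: -f.score)

# Constructed sample grants; client IDs are placeholders, not real values.
SAMPLE_GRANTS = [
    {"clientId": "sp-calendar-sync", "consentType": "AllPrincipals",
     "scope": "User.Read Calendars.Read"},
    {"clientId": "sp-mail-backup", "consentType": "AllPrincipals",
     "scope": "Mail.Read Files.ReadWrite.All offline_access"},
    {"clientId": "sp-notes-app", "consentType": "Principal",
     "scope": "Files.Read.All offline_access"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_GRANTS):
        print(f.client_id, f.level, f.score, "; ".join(f.reasons))
```

A "high" result here means the grant deserves a look at whether the app still needs that reach, which is the same question the answer above suggests asking before treating the flag as a threat.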

1 additional answer

AI answer

2025-11-20T19:36:34.34+00:00

Microsoft Defender for Cloud Apps may mark some OAuth applications as ‘High Risk’ due to several factors, even if they come from trusted vendors. The classification is influenced by the following conditions:

1. Suspicious OAuth Scopes: If an OAuth app requests permissions that are deemed suspicious or excessive compared to its intended functionality, it may be flagged as high risk. This can include permissions that allow access to sensitive data or actions that could lead to data exfiltration.
2. Behavioral Anomalies: The system uses machine learning algorithms to detect unusual activities associated with the app. For example, if an app creates suspicious inbox rules or makes anomalous calls to services like Exchange, it may trigger a high-risk alert.
3. Changes in App Behavior: Even if the app has been in your tenant for a long time, any recent changes in its behavior, such as updates to its permissions or unusual access patterns, can lead to it being flagged.
4. Integration with Security Policies: The app's behavior may be evaluated against your organization's security policies, and if it does not align well, it may be marked as high risk.

Regarding the accuracy of this classification, it is essential to review the specific alerts and the context in which they were generated. Some flags may indeed be false positives, especially if the app's behavior can be justified or if it is functioning as intended without any security breaches. Therefore, it is advisable to investigate the flagged apps further and assess whether the detected behaviors are legitimate or pose a real threat.
