Get started with app governance

To activate a license for the app governance add-on for Defender for Cloud Apps, first check that you satisfy the following prerequisites:

  1. Verify your account has the appropriate level of licensing. App governance is an add-on feature for Defender for Cloud Apps, and so to activate the app governance license Defender for Cloud Apps must be present in your account as either a standalone product or as part of the various license packages.
  2. You must be a Global, Company, or Billing Admin to activate a license. You must have one of the roles listed to access the app governance portal.
  3. Your organization's billing address must be in a region other than Brazil, South Korea, Switzerland, Norway, South Africa, or United Arab Emirates.
  4. Your organization must use commercial cloud, not government cloud (i.e., GCC, GCC-H, DoD, Fairfax). App governance is not yet available in government clouds

If you satisfy the prerequisites, you can navigate to the sign up page for the free trial and complete the steps to add the app governance free trial to your tenant.

If you aren't already a Defender for Cloud Apps customer, you can sign up for a free trial of Defender for Cloud Apps by navigating to the sign-up page for the free trial for Defender for Cloud Apps and completing the steps for sign-up. Then navigate to the sign-up page for the free trial for app governance and complete the steps to add a free trial of app governance to your tenant.

Sign up for the free trial of app governance

To purchase a subscription for app governance, go to Buy app governance or reach out to your sales account team.

Licensing

You can purchase app governance as an add-on license to any license that entitles you to use Defender for Cloud Apps. To use app governance in compliance with the terms of service, purchase an add-on license for each protected user. Each protected user must have both the app governance add-on license and one of the Defender for Cloud Apps licenses.

For a list of these licenses, see the Microsoft 365 licensing datasheet. You can confirm the licenses in your tenant at Microsoft 365 admin center.

App governance is currently not available as an add-on for Microsoft Defender for Cloud Apps Discovery, and Microsoft Office 365 Cloud App Security.

Roles

Note

Only Global Admin, Company Admin, or Billing Admin role can activate the app governance free trial.

One of the following administrator roles is required to see app governance pages or manage policies and settings:

  • Application Administrator
  • Cloud Application Administrator
  • Company or Global Administrator
  • Compliance Administrator
  • Compliance Data Administrator
  • Global Reader
  • Security Administrator
  • Security Operator
  • Security Reader (read-only)

Here are the capabilities for each role.

Role Read the dashboard Read all apps Read policies Create, update, or delete policies Read alerts Update alerts Read settings Update settings Read Remediation Update Remediation
Application Administrator Check mark. Check mark. Check mark. Check mark Check mark Check mark Check mark Check mark Check mark Check mark
Cloud Application Administrator Check mark
Company or Global Administrator Check mark. Check mark. Check mark Check mark Check mark Check mark Check mark Check mark Check mark Check mark
Compliance Administrator Check mark. Check mark Check mark Check mark Check mark Check mark Check mark Check mark
Compliance Data Administrator Check mark. Check mark Check mark Check mark Check mark Check mark Check mark Check mark
Global Reader Check mark. Check mark Check mark Check mark Check mark
Security Administrator Check mark. Check mark Check mark Check mark Check mark Check mark Check mark Check mark
Security Operator Check mark. Check mark Check mark Check mark Check mark Check mark Check mark Check mark Check mark
Security Reader Check mark. Check mark Check mark Check mark Check mark Check mark

For more information about each role, see Administrator role permissions.

Note

App governance alerts will not flow to Microsoft 365 Defender or show up in app governance until you have provisioned both Defender for Cloud Apps and Microsoft 365 Defender by accessing their respective portals at least once.