Manage OAuth apps
Microsoft Defender for Cloud Apps is now part of Microsoft 365 Defender and can be accessed through its portal at: https://security.microsoft.com. Microsoft 365 Defender correlates signals from the Microsoft Defender suite across endpoints, identities, email, and SaaS apps to provide incident-level detection, investigation, and powerful response capabilities. It improves your operational efficiency with better prioritization and shorter response times which protect your organization more effectively. For more information about these changes, see Microsoft Defender for Cloud Apps in Microsoft 365 Defender.
Many third-party productivity apps that might be installed by business users in your organization request permission to access user information and data and sign in on behalf of the user in other cloud apps, such as Office 365, Google Workspace and Salesforce. When users install these apps, they often click accept without closely reviewing the details in the prompt, including granting permissions to the app. This problem is compounded by the fact that IT may not have enough insight to weigh the security risk of an application against the productivity benefit that it provides. Because accepting third-party app permissions is a potential security risk to your organization, monitoring the app permissions your users grant gives you the necessary visibility and control to protect your users and your applications.
The Microsoft Defender for Cloud Apps app permissions enable you to see which user-installed OAuth applications have access to Office 365 data, Google Workspace data, and Salesforce data. Defender for Cloud Apps tells you what permissions the apps have and which users granted these apps access to their Office 365, Google Workspace, and Salesforce accounts. App permissions help you decide which apps you allow your users to access and which ones you want to ban.
For more information on investigating OAuth apps, see Investigate risky OAuth apps.
App Governance is a set of security and policy management capabilities designed for OAuth-enabled apps registered on Azure Active Directory (Azure AD), Google, and Salesforce. For more information, see App governance add-on to Defender for Cloud Apps in Microsoft 365 Defender.
Defender for Cloud Apps only identifies apps that request "Delegated" permissions. For more information, see Client app permissions.
OAuth app management is available only after connecting one or more of the supported platforms - Office 365, Google Workspace, or Salesforce. Once connected, the OAuth apps menu option will appear under Investigate.
Working with the OAuth apps page
The OAuth page displays information about app permissions in your connected apps.
To access the OAuth tab:
In the Microsoft 365 Defender portal, under Cloud Apps select OAuth apps.
The OAuth apps page provides the following information about each OAuth app that was granted permissions:
|Item||What it means||Applies to|
|Basic icon in the app query bar||Switch to query in the basic view.||Office 365, Google Workspace, Salesforce|
|Advanced icon in the app query bar||Switch to query in the Advanced view.||Office 365, Google Workspace, Salesforce|
|Open or close all details icon in the app list||View more or less details about each app.|
|Export icon in the app list||Export a CSV file that contains a list of apps, number of users for each app, permissions associated with the app, permissions level, app state, and community use level.||Office 365, Google Workspace, Salesforce|
|App||Name of the app. Select the name to view more information, including the description, publisher (for Office 365), app website, and ID.||Office 365, Google Workspace, Salesforce|
|Authorized by||The number of users who authorized this app to access their app's account, and granted the app permissions. Select the number to view more information, including a list of user emails and whether an admin has consented the app previously.||Office 365, Google Workspace, Salesforce|
|Permissions Level||The permissions level icon and text indicating either High, Medium, or Low. The level indicates how much access this app has to app's data. For example, Low might indicate that the app only accesses user profile and name. Select the level to view more information, including permissions granted to the app, community use, or related activity in the Governance log.||Office 365, Google Workspace|
|App state||An admin can mark an app as approved, banned, or leave is as undetermined.||Office 365, Google Workspace, Salesforce|
|Community use||Shows you how popular the app is across all your users (common, uncommon, rare)||Office 365, Google Workspace, Salesforce|
|Last authorized||The most recent date on which a user granted permissions to this app.||Office 365, Salesforce|
|Publisher||The name of the vendor who provides the app.
Publisher verification - Publisher verification helps admins and end users understand the authenticity of application developers integrating with the Microsoft identity platform. For more information, see Publisher verification.
|Last used||The most recent date on which this app was used by anyone in your organization.||Salesforce|
Ban or approve an app
On the Google or Salesforce tabs on the App governance page, select the app to open the App drawer to view more information about the app and the permissions it was granted.
- Select Permissions to view a full list of permissions that were granted to the app.
- Under Community use, you can view how common the app is in other organizations.
- Select App activity to view the activities that are listed in the activity log related to this app.
To ban the app, select the ban icon at the end of the app row in the table.
- You can choose if you want to tell users the app they installed and authorized has been banned. The notification lets users know the app will be disabled and they won't have access to the connected app. If you don't want them to know, unselect Notify users who granted access to this banned app in the dialog.
- It's recommended that you let the app users know their app is about to be banned from use.
Type the message you want to send to the app users in the Enter a custom notification message box. Select Ban app to send the mail, and ban the app from your connected app users.
To approve the app, select the approve icon at the end of the row in the table.
- The icon turns green, and the app is approved for all your connected app users.
- When you mark an app as approved, there's no effect on the end user. This color change is meant to help you see the apps that you've approved to separate them from ones that you haven't reviewed yet.
Revoke app and notify user
For Google Workspace and Salesforce, it's possible to revoke permission to an app or to notify the user that they should change the permission. When you revoke permission it removes all permissions that were granted to the application under "Enterprise Applications" in Azure AD.
On the Google or Salesforce tabs on the App governance page, select the three dots at the end of the app row and select Notify user. By default, the user will be notified as follows: You authorized the app to access your Google Workspace account. This app conflicts with your organization's security policy. Reconsider giving or revoking the permissions you gave this app in your Google Workspace account. To revoke app access, go to: https://security.google.com/settings/security/permissions?hl=en&pli=1 Select the app and select 'Revoke access' on the right menu bar. You can customize the message that is sent.
You can also revoke permissions to use the app for the user. Select the icon at the end of the app row in the table and selecting Revoke app.
Query OAuth apps
You can query OAuth apps in either the Basic view or the Advanced view. select values from one or multiple drop-downs to display the specific apps in the Basic view. In the advanced view, use the Select a filter drop-down to narrow your search. Add operators, equals, or doesn't equal, to a selected value to complete your query.
Choose the Add a filter icon to add additional filters to further refine your query. The filters are applied automatically and the apps list is updated.
Choose the Remove a filter icon next to the filter to remove the filters.
OAuth app auditing
Defender for Cloud Apps audits all OAuth authorization activities to provide you with comprehensive monitoring and investigation of activities performed. You can also export the details of users that authorized a specific OAuth app, providing you with additional information on the users, which you can then use for further analysis.
To export the log, perform the following steps:
On the Google or Salesforce tabs on the App governance page, on the row where the relevant app appears, under Authorized by, select the link showing the number of users that authorized the app.
In the pop-up, select Export.
If there's an OAuth app discovered in your organization that seems malicious, you can send the Defender for Cloud Apps team feedback to let us know. This feature enables you to be part of our security community and enhance OAuth app risk score and analysis.
On the Google or Salesforce tabs on the App governance page, select the three dots at the end of the app row and select Report app.
In the Report this app screen, you can select whether to report the app as malicious or to report another issue with the way Defender for Cloud Apps perceives the app. For example, you could use Incorrect publisher, Incorrect permissions, or Other. The data you submit will be used to update the app's risk score and other analytics about the app.
If you run into any problems, we're here to help. To get assistance or support for your product issue, please open a support ticket.
Submit and view feedback for