Read this article to quickly get answers to your app governance questions. If you can't find answers or just want to learn more, join the free webinar sessions with the app governance team.
What is app governance?
App governance is a feature in Microsoft Defender for Cloud Apps. It provides expanded visibility and control over apps that access your Microsoft 365 data. For more information, see App governance in Microsoft Defender for Cloud Apps.
What types of apps does app governance secure?
App governance tracks non-Microsoft apps that use OAuth to authenticate to Microsoft Entra ID, as well as Google and Salesforce. For apps that authenticate to Microsoft Entra ID, app governance identifies and excludes Microsoft apps whose home tenant is the "first-party app" tenant owned by Microsoft (tenant ID: f8cdef31-a31e-4b4a-93e4-5f571e91255a).
These apps represent modern apps that can access various resources, including Microsoft 365 data in mailboxes, OneDrive folders, SharePoint sites, and Teams. End users regularly introduce these apps and can give them consent to access data.
While Defender for Cloud Apps also tracks apps that use OAuth to access Microsoft 365, app governance provides extra out-of-box detections and highly customizable policies that track various app attributes and behaviors.
How can I get app governance?
App governance is a feature in Defender for Cloud Apps. To use app governance, Defender for Cloud Apps must be present in your account either as a standalone product or as part of a license package. If you have the appropriate administrator role and satisfy all the prerequisites, you can navigate to Microsoft Defender XDR settings page and turn on app governance.
What can app governance detect?
App governance generates two types of alerts:
- Threat detection alerts are based on Microsoft threat intelligence and are designed to identify apps that are malicious. These out-of-box detections utilize machine learning and anomaly detection to find applications that are likely involved in an attack. View threat detection alert types
- Policy alerts track various app attributes and behaviors—certification, data use, API access errors, unused permissions—that can indicate misuse and risk. The policies themselves are either customizable (user-defined) or predefined:
- User-defined policies can use one or many conditions to identify risky apps. You can set custom thresholds to determine when these policies are triggered.
- Predefined policies track the same app attributes and behaviors, but look into other signals and dynamically adjust thresholds.
What types of actions can app governance take on cloud apps that trigger policy?
App governance can deactivate apps that match either user-defined or predefined policies. Deactivated apps aren't able to authenticate to Microsoft Entra ID and access resources, until they're activated manually. Learn about app governance policies
Can I customize my policies?
You can create policies by combining conditions that track various app attributes and behaviors. When these conditions are met, policies trigger alerts and take the action you've specified. App governance also provides predefined policies that you switch on or off. You can also set the action on predefined policies. Learn about app governance policies
Is app governance integrated with Microsoft Defender XDR?
App governance alerts and related incidents are available in the Microsoft Defender XDR queue. Microsoft Defender XDR correlates the alerts with signals from other solutions, such as Defender for Endpoint, to associate related attack activities and identify security incidents. App governance alerts and incidents are also integrated with Microsoft Sentinel.
What roles do I need to activate app governance
For the list of supported roles, see Get started with app governance.
What roles do I need to have to use app governance?
For the list of supported roles, see Get started with app governance.
Is app governance available in all regions?
App governance is currently not available in Brazil, South Korea, Switzerland, Norway, South Africa, and United Arab Emirates. To use app governance, your billing location must be in another country/region.
Why is app governance empty or showing inaccurate data?
It can take up to 10 hours to fully prepare app governance and retrieve data after you first initiate it. During this period data access statistics and app counts can be inaccurate.
How does app governance integrate with Microsoft Sentinel?
App governance is integrated with Microsoft Defender XDR for a unified alert experience. The Microsoft Defender XDR connector for Microsoft Sentinel (preview) sends all Microsoft Defender XDR incidents and alerts information to Microsoft Sentinel and keeps the incidents synchronized.
The Microsoft Defender XDR connector enables you to automatically detect, triage, investigate and remediate app governance incidents and alerts on Microsoft Sentinel. For more information, see Microsoft Defender XDR integration with Microsoft Sentinel and Connect data from Microsoft Defender XDR to Microsoft Sentinel
Where can I get more information about app governance?
You can find more information about app governance in the following resources:
- Protect your business with Microsoft Security's comprehensive protection
- Announcing Microsoft Defender for Cloud Apps
- How to Prevent App Cyber Attacks—Cloud & Hybrid
- Twitter: Microsoft is tracking a recent consent phishing campaign, reported by @ffforward, that abuses OAuth.
- Microsoft shifts to a comprehensive SaaS security solution - Microsoft Security Blog
- Improve your app posture and hygiene using Microsoft Defender for Cloud Apps
- App governance is a key part of customers’ zero trust journey