Get started with app governance
To activate a license for the app governance add-on for Defender for Cloud Apps, first check that you satisfy the following prerequisites:
- Verify your account has the appropriate level of licensing. App governance is an add-on feature for Defender for Cloud Apps, and so to activate the app governance license Defender for Cloud Apps must be present in your account as either a standalone product or as part of the various license packages.
- You must be a Global, Company, or Billing Admin to activate a license. You must have one of the roles listed to access the app governance portal.
- Your organization's billing address must be in a region other than Brazil, South Korea, Switzerland, Norway, South Africa, or United Arab Emirates.
If you satisfy the prerequisites, you can navigate to the sign up page for the free trial and complete the steps to add the app governance free trial to your tenant.
If you aren't already a Defender for Cloud Apps customer, you can sign up for a free trial of Defender for Cloud Apps by navigating to the sign-up page for the free trial for Defender for Cloud Apps and completing the steps for sign-up. Then navigate to the sign-up page for the free trial for app governance and complete the steps to add a free trial of app governance to your tenant.
To purchase a subscription for app governance, go to Buy app governance or reach out to your sales account team.
You can purchase app governance as an add-on license to any license that entitles you to use Defender for Cloud Apps. To use app governance in compliance with the terms of service, purchase an add-on license for each protected user. Each protected user must have both the app governance add-on license and one of the Defender for Cloud Apps licenses.
For a list of these licenses, see the Defender for Cloud Apps licensing datasheet. You can confirm the licenses in your tenant at Microsoft 365 admin center.
Only Global Admin, Company Admin, or Billing Admin role can activate the app governance free trial.
One of the following administrator roles is required to see app governance pages or manage policies and settings:
- Application Administrator
- Cloud Application Administrator
- Company or Global Administrator
- Compliance Administrator
- Compliance Data Administrator
- Global Reader
- Security Administrator
- Security Operator
- Security Reader (read-only)
Here are the capabilities for each role.
|Role||Read the dashboard||Read all apps||Read policies||Create, update, or delete policies||Read alerts||Update alerts||Read settings||Update settings||Read Remediation||Update Remediation|
|Cloud Application Administrator|
|Company or Global Administrator|
|Compliance Data Administrator|
For more information about each role, see Administrator role permissions.
Enable Defender for Cloud Apps sync
To enable app governance sync with Defender for Cloud Apps, follow these steps:
- Ensure Office 365 is connected in Defender for Cloud Apps.
- Ensure Office 365 Azure AD apps are enabled.
- Go to your Defender for Cloud Apps portal – https://portal.cloudappsecurity.com
- Select the gear icon (top-right corner) and select Settings.
- Under Threat Protection, select App Governance.
- Select Enable App Governance integration, and then select Save.
To verify the integration with Defender for Cloud Apps is active, look for the app governance policies listed below to appear in Defender for Cloud Apps. The new policies might take few minutes to appear once integration is enabled.
- Microsoft 365 OAuth app Reputation
- Microsoft 365 OAuth Phishing Detection
- Microsoft 365 OAuth App Governance
App governance alerts will not flow to Microsoft 365 Defender until app governance is enabled in Defender for Cloud Apps and you have provisioned both Defender for Cloud Apps and Microsoft 365 Defender by accessing their respective portals at least once.
Submit and view feedback for