Manage app governance alerts

You can investigate alerts about malicious cloud apps and apps that may present risks to your organization in the Microsoft Defender XDR Alerts or Incidents pages.

For example:

Screenshot of the app governance alerts summary page in Microsoft Defender XDR.

View alert details

By default, the Microsoft Defender XDR Alerts page lists new alerts generated by app governance based on threat detection rules and your active policies. View the details of a specific alert by selecting the alert. A page opens with additional information about the alert and options for managing the alert.

For example:

Screenshot of additional information about the alert and options for managing the alert.

On the page, you can get additional information from the Alert story section:

  • Exact details about why the alert was created under What happened
  • Information on how to remediate the alert under Recommended actions

Manage an app governance alert

To investigate and take action on an app in app governance, select the app entity card under Related entities, and then select View app details.

Alerts generated by app policies that you configured for automatic remediation through the Action setting have a status of Resolved.

To manage the app governance alert:

  1. Investigation: Examine the information in the alert and change its status to Mark in progress.
  2. Resolution: After you finish investigating and, as needed, decide on app policy changes or whether to keep supporting the app in your tenant, change its status to Resolved.

Based on app alert patterns, you can update the appropriate app policy and change its Action setting to perform automatic remediation. This removes the need to investigate and manually resolve future alerts that are generated by the app policy. For more information, see Manage your app policies.

Ban or approve an OAuth app connected to Salesforce and Google Workspace

Note

This section is only relevant for Salesforce and Google Workspace applications.

  1. On the Google apps or Salesforce apps tabs, select the app to open the App pane and view more information about the app and the permissions it was granted.

    • Select Permissions to view a full list of permissions that were granted to the app.
    • Under Community use, you can view how common the app is in other organizations.
    • Select Related activity to view the activities that are listed in the activity log related to this app.
  2. To ban the app, select the ban icon at the end of the app row in the table. For example:

    Screenshot of a ban app icon.

    • You can choose if you want to tell users the app they installed and authorized has been banned. The notification lets users know the app will be disabled and they won't have access to the connected app. If you don't want them to know, unselect Notify users who granted access to this banned app in the dialog.
    • It's recommended that you let the app users know their app is about to be banned from use.

    For example:

    Screenshot of banning an app.

  3. Type the message you want to send to the app users in the Enter a custom notification message box. Select Ban app to send the mail, and ban the app from your connected app users.

  4. To approve the app, select the approve icon at the end of the row in the table.

    Screenshot of the approve app icon.

    • The icon turns green, and the app is approved for all your connected app users.
    • When you mark an app as approved, there's no effect on the end user. This color change is meant to help you see the apps that you've approved to separate them from ones that you haven't reviewed yet.

Revoke OAuth app connected to Salesforce and Google Workspace and notify user

Note

This section is only relevant for Salesforce and Google Workspace applications.

For Google Workspace and Salesforce, it's possible to revoke permission to an app or to notify the user that they should change the permission. When you revoke permission, it removes all permissions that were granted to the application under "Enterprise Applications" in Microsoft Entra ID.

  1. On the Google apps or Salesforce apps tabs, select the three dots at the end of the app row and select Notify user. By default, the user is notified as follows:

    You authorized the app to access your Google Workspace account. This app conflicts with your organization's security policy. Reconsider giving or revoking the permissions you gave this app in your Google Workspace account. To revoke app access, go to: https://security.google.com/settings/security/permissions?hl=en&pli=1 Select the app and select 'Revoke access' on the right menu bar.

    You can customize the message that is sent.

  2. You can also revoke permissions to use the app for the user. Select the icon at the end of the app row in the table, and then select Revoke app.

    Screenshot of the revoke app icon.

Next steps

Secure apps accessing non-Graph APIs using app governance