Manage OAuth apps using Office 365 Cloud App Security


People love apps and they download them often, especially apps that people think will save time by making it easier to get at their work or school information. However, some apps could potentially be a security risk to your organization, depending on what information they access and how they handle that information. With Office 365 Cloud App Security, if you are a global or security administrator, you can manage OAuth apps for your organization. You can see the apps people are using with Office 365 data, what permissions those apps have, and more.

This article describes where to go to manage OAuth apps, how to approve or ban an app, and how to create an app query.

How to find the Manage OAuth apps page

Note

OAuth apps are managed in the Office 365 Cloud App Security portal. You must be a global administrator or security administrator to perform the following task. To learn more, see Permissions in the Office 365 Security & Compliance Center.

  1. Go to https://protection.office.com and sign in using your work or school account for Office 365. (This takes you to the Security & Compliance Center.)

  2. Go to Alerts > Manage advanced alerts.

  3. Click (or tap) Go to Office 365 Cloud App Security.
    NOTE: If Office 365 Cloud App Security is not turned on yet, you can do that on this page. See Get ready for Office 365 Cloud App Security.

  4. Choose Investigate > OAuth apps.

What you'll see on the Manage OAuth apps page

The following table describes the controls and options available on the Manage OAuth apps page.

| Item | Description |
|---|---|
| Basic icon in the app query bar | Select this to switch to the Advanced view. (If you see Basic, you are using the Advanced view.) |
| Advanced icon in the app query bar | Select this to switch to the Basic view. (If you see Advanced, you are using the Basic view.) |
| Open or close all details icon in the app list | Select this icon to view more or fewer details about each app. |
| Export icon in the app list | Select this icon to export a CSV file that contains a list of apps, number of users for each app, permissions associated with the app, permissions level, app state, and community use level. |
| Name | Use this to see the name of an app. Select the name to view more information, such as its description, publisher, app website and app ID. |
| Authorized by | Use this to see how many users have authorized an app to access their Office 365 account. Select the number to view more information, such as a list of user accounts. |
| Permissions Level | Use this to see how much access an app has to Office 365 data. Permissions levels indicate Low, Medium, or High, where Low might indicate that the app only accesses a user's profile and name. Select the level to view more information, such as permissions granted to the app, community use, and related activity in the Governance log. |
| App state (Banned, Approved, or Undetermined) | Use this to mark an app as Approved or Banned, or leave it as undetermined. |

Mark an app as approved

On the Manage OAuth apps page, locate the app you want to approve, and choose the Mark app as approved icon.

The icon turns green, and the app is approved for all your Office 365 users.

Note

When you mark an app as approved, there is no effect on the end user. Visually marking the apps that are approved helps to separate them from apps that haven't been reviewed yet.

Ban an app

  1. On the Manage OAuth apps page, locate the app you want to ban, and choose the Mark app as banned icon.

  2. Choose whether to let users know that their app has been banned.

    • (Recommended) To let users know, select Notify users who granted access to this banned app, and add or edit a custom notification message.

    • To not let users know, clear Notify users who granted access to this banned app.

  3. Choose Ban app.

Create an app query

  1. In the app query bar, if you see Advanced, click (or tap) it to go to the Advanced view. (If you see Basic, you are using the Advanced view; keep your view as it is.)

  2. Use the Select a filter list to choose an option.

    • App: Apps with certain names
    • App state: Apps based on their state (Approved, Banned, or Undetermined)
    • Community use: Apps based on community use levels (Rare, Uncommon, or Common)
    • Permission level: Apps based on certain permission levels
    • Permissions: Apps that require certain permissions
    • Publisher: Apps from certain publishers
    • User: Apps that a certain user authorized

  3. Select equals or does not equal, and then specify a value for your filter.

  4. To add more filters, select the plus sign (Add a filter icon for querying apps), and then repeat steps 2 and 3.

  5. To remove a filter, select the x (Remove a filter icon for querying apps) next to a filter name.

The filters are applied automatically, and the apps list is updated accordingly.
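
The same equals / does not equal filters can be applied offline to the CSV file produced by the Export icon, for example to build a review queue of unreviewed, high-permission apps. This is an added example, not part of the product or the original article; the column headers and sample rows are constructed, and combining multiple filters with AND is an assumption.

```python
import csv
import io

# Constructed sample of an exported app list. The column headers are assumptions
# for this example; match them to the headers in your real export.
SAMPLE_EXPORT = """\
Name,Authorized by,Permissions level,App state,Community use,Publisher
Mail Sorter,42,High,Undetermined,Rare,Example Publisher A
Calendar Sync,310,Medium,Approved,Common,Example Publisher B
Contact Backup,3,High,Undetermined,Rare,Example Publisher C
Profile Badge,120,Low,Undetermined,Common,Example Publisher B
Old Uploader,7,High,Banned,Uncommon,Example Publisher D
"""

# The two comparison operators offered by the query bar.
OPERATORS = {
    "equals": lambda actual, wanted: actual == wanted,
    "does not equal": lambda actual, wanted: actual != wanted,
}

def load_apps(csv_text):
    """Parse the export into a list of dicts, one per app."""
    return list(csv.DictReader(io.StringIO(csv_text)))

def query_apps(apps, filters):
    """Return apps matching every (column, operator, value) filter (logical AND).

    Comparison is case-insensitive. An unknown column or operator raises
    KeyError, so a typo cannot silently produce an empty result.
    """
    def matches(app):
        return all(
            OPERATORS[op](app[col].strip().lower(), value.strip().lower())
            for col, op, value in filters
        )
    return [app for app in apps if matches(app)]

def review_queue(apps):
    """Unreviewed, high-permission, not commonly used apps, most-authorized first."""
    hits = query_apps(apps, [
        ("App state", "equals", "Undetermined"),
        ("Permissions level", "equals", "High"),
        ("Community use", "does not equal", "Common"),
    ])
    return sorted(hits, key=lambda app: int(app["Authorized by"]), reverse=True)
```
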
