App Governance
Monitor and control OAuth apps that access Microsoft 365 data in your organization. App governance provides visibility into app permissions, behaviors, and data access patterns to identify risky or overprivileged applications.
Note: App governance is an add-on capability for Microsoft Defender for Cloud Apps, available with Microsoft 365 E5 Security or as a standalone add-on.
Dashboard Overview
- 247 — Total Apps
- 12 — High Privilege
- 34 — Unused Apps
- 89% — Certified Apps
App Categories
Microsoft Apps
First-party Microsoft applications, including Office apps, Power Platform, and Azure services. Generally trusted, but still monitored for unusual behavior.
Third-Party Apps
Applications from external vendors that have been granted access to Microsoft 365 data through OAuth consent.
Line of Business Apps
Custom applications built by your organization or your IT partners, registered in your Azure AD tenant.
Unverified Apps
Apps from publishers who haven’t completed Microsoft’s verification process. These carry higher risk and require careful review.
App Details
| Property | Description |
|---|---|
| App Name | Display name of the application |
| Publisher | Developer/company that created the app |
| Certification | Microsoft 365 Certified, Publisher Attested, or none |
| Privilege Level | High, Medium, or Low based on permissions |
| Users | Number of users who have consented |
| Last Used | When the app last accessed data |
| Data Access | Volume of data accessed (emails, files, etc.) |
Permission Analysis
High Privilege Permissions
Permissions that grant extensive access:
- Mail.ReadWrite — Read and write all mail
- Files.ReadWrite.All — Full file access
- Directory.ReadWrite.All — Modify directory
- User.ReadWrite.All — Modify all users
Medium Privilege Permissions
Permissions that grant moderate access:
- Mail.Read — Read user mail
- Calendars.ReadWrite — Manage calendars
- Group.Read.All — Read all groups
Low Privilege Permissions
Basic permissions with limited scope:
- User.Read — Read own profile
- openid — Sign-in identity
- profile — Basic profile info
Activity Monitoring
Data Access Patterns
Track how much data each app accesses: emails read, files accessed, calendar events retrieved. Identify abnormal spikes in activity.
API Call Volume
Monitor Graph API calls made by each app. Detect apps making excessive requests or accessing unusual endpoints.
User Activity
See which users are actively using each app and which users have granted consent but never used the app.
Sensitivity Label Access
Track when apps access content protected by sensitivity labels, especially Confidential or Highly Confidential data.
App Policies
Create policies to automatically detect and respond to risky app behaviors:
Permission-Based Policies
Alert or block apps requesting high-risk permissions like Mail.ReadWrite.All or Directory.ReadWrite.All.
Activity-Based Policies
Detect apps with unusual data access patterns, high API call volumes, or accessing sensitive content.
Certification Policies
Require all apps to be Microsoft 365 Certified or block unverified publisher applications.
Inactivity Policies
Flag apps that haven’t been used in 90 days for review and potential removal.
App Actions
Disable App
Prevents the app from accessing Microsoft 365 data. Existing tokens are revoked, and users cannot re-consent until the app is enabled again.
Revoke Consents
Removes all user consents for the app. Users will need to re-consent if the app is still enabled.
Mark as Sanctioned
Approves the app for organizational use, helping users identify IT-approved applications.
Mark as Unsanctioned
Flags the app as not approved. Optionally, all access can be blocked when an app is marked as unsanctioned.
Consent Settings
User Consent Settings
Control which apps users can consent to without admin approval:
- Allow all apps — Users can consent to any app (not recommended)
- Verified publishers only — Only allow Microsoft-verified apps
- Low-impact permissions only — Allow consent for basic permissions
- No user consent — All apps require admin consent
Admin Consent Workflow
Enable admin consent requests so users can request access to apps that require admin approval. Requests go to designated approvers.
Risk Indicators
High Risk Signals
- Unverified publisher with high privileges
- Sudden spike in data access
- Accessing many users’ mailboxes
- App from suspicious geography
- Recently created app with broad consent
Medium Risk Signals
- Overprivileged permissions for app function
- No recent activity (dormant app)
- High user count without business justification
- Accessing data outside business hours
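An added Python example (not code from this page or the product) that applies the permission tiers, the 90-day inactivity rule, and the unverified-publisher and data-spike signals described above to constructed app records. The 5x spike factor and treating unknown scopes as Medium privilege are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from statistics import mean

# Privilege tiers as listed on this page (constructed mapping, not the product's own).
HIGH = {"Mail.ReadWrite", "Files.ReadWrite.All", "Directory.ReadWrite.All", "User.ReadWrite.All"}
MEDIUM = {"Mail.Read", "Calendars.ReadWrite", "Group.Read.All"}
LOW = {"User.Read", "openid", "profile"}
INACTIVE_DAYS = 90   # inactivity threshold stated on the page
SPIKE_FACTOR = 5.0   # assumption: latest day > 5x trailing mean counts as a spike

@dataclass
class App:
    name: str
    publisher_verified: bool
    permissions: set
    last_used: date
    daily_data_access: list  # constructed: items accessed per day, oldest first

def privilege_level(perms):
    """Highest tier among granted scopes; scopes not in any tier are treated as Medium (assumption)."""
    if perms & HIGH:
        return "High"
    if perms & MEDIUM or perms - LOW:
        return "Medium"
    return "Low"

def evaluate(app, today):
    """Return (privilege level, list of (policy, detail) findings) for one app."""
    findings = []
    level = privilege_level(app.permissions)
    if level == "High":
        findings.append(("permission", f"high-privilege scopes: {sorted(app.permissions & HIGH)}"))
    if level == "High" and not app.publisher_verified:
        findings.append(("high-risk", "unverified publisher with high privileges"))
    idle = (today - app.last_used).days
    if idle > INACTIVE_DAYS:
        findings.append(("inactivity", f"no activity for {idle} days"))
    history, latest = app.daily_data_access[:-1], app.daily_data_access[-1]
    if history and latest > SPIKE_FACTOR * max(mean(history), 1):
        findings.append(("activity", f"data access spike: {latest} vs mean {mean(history):.1f}"))
    return level, findings

def sample_report(today=date(2024, 6, 30)):
    """Evaluate two constructed apps; returns {app name: (level, findings)}."""
    apps = [
        App("Mail Sync Tool", False, {"Mail.ReadWrite", "User.Read"},
            today - timedelta(days=2), [40, 35, 50, 45, 900]),
        App("Profile Widget", True, {"User.Read", "openid", "profile"},
            today - timedelta(days=120), [3, 2, 4, 3, 2]),
    ]
    return {a.name: evaluate(a, today) for a in apps}
```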
Best Practices
- Restrict user consent — Require admin consent for apps requesting high-privilege permissions.
- Review apps regularly — Audit app list quarterly. Remove unused or unnecessary applications.
- Prefer certified apps — Choose Microsoft 365 Certified apps when possible for better security.
- Monitor high-privilege apps — Create alerts for apps accessing sensitive data or using admin permissions.
API Reference
- GET /api/security/app-governance/apps — List all OAuth applications
- GET /api/security/app-governance/apps/:appId — Get app details and permissions
- GET /api/security/app-governance/apps/:appId/activity — Get app data access activity
- POST /api/security/app-governance/apps/:appId/disable — Disable an application
- GET /api/security/app-governance/policies — List app governance policies