Connected Apps

Discover and manage third-party cloud applications connected to your Microsoft 365 environment. Monitor OAuth app consents, API permissions, and data access to identify risky applications and enforce governance policies.

Note: Connected Apps visibility is provided by Microsoft Defender for Cloud Apps (MCAS), which is included with Microsoft 365 E5 or available as a standalone license.

Discovery Overview

  • 1,247 — Discovered Apps
  • 89 — OAuth Apps
  • 34 — Sanctioned
  • 12 — Unsanctioned

App Sources

OAuth Connected Apps

Third-party apps that users or admins have granted access to Microsoft 365 data via OAuth consent. These apps have direct API access to services like Exchange, SharePoint, and Graph API.

Discovered Apps (Shadow IT)

Cloud apps discovered through network traffic analysis and endpoint telemetry. Identifies SaaS usage that may not be officially sanctioned by IT.

Connector Apps

Apps with MCAS API connectors for deeper visibility. Includes major SaaS platforms like Salesforce, ServiceNow, Box, and Dropbox.

Custom Apps

Line-of-business applications registered in your Entra ID tenant. Includes apps developed internally or by IT partners.

App Details

| Property | Description |
|---|---|
| App Name | Application display name |
| Publisher | App developer or company |
| Risk Score | 1-10 based on security assessment |
| Category | Productivity, Storage, CRM, etc. |
| Users | Number of users accessing app |
| Data Volume | Traffic or API calls to app |
| Status | Sanctioned, Unsanctioned, or Unreviewed |

Risk Assessment

Risk Score Factors

Apps are scored 1-10 based on multiple security factors:

Security

  • Data encryption at rest and in transit
  • MFA support for authentication
  • Security certifications (SOC2, ISO 27001)
  • Vulnerability disclosure program

Compliance

  • GDPR compliance
  • Data residency options
  • Audit logging capabilities
  • Privacy policy transparency

General

  • Company founding date and size
  • Domain registration age
  • User reviews and ratings
  • Legal terms clarity

Legal

  • Terms of service
  • Data ownership clauses
  • Service level agreements
  • Data deletion policies

Risk Levels

  • Low Risk (8-10) — Well-established apps with strong security posture. Generally safe for business use.
  • Medium Risk (5-7) — Apps with some security concerns. Review before sanctioning for broad use.
  • High Risk (1-4) — Significant security gaps or unknown apps. Consider blocking or restricting access.

App Governance

Mark as Sanctioned

Approve app for organizational use. Users see sanctioned apps as IT-approved. Can be used in access policies.

Mark as Unsanctioned

Flag app as not approved. Can optionally block access. Users receive a warning when accessing unsanctioned apps.

Block App

Prevent users from accessing the app. Requires Defender for Endpoint integration for network-level blocking.

Revoke Permissions

For OAuth apps: remove all user consents and block API access to Microsoft 365 data.

App Discovery

Continuous Discovery

Automatic discovery using Defender for Endpoint telemetry. No additional setup required for Windows devices.

Log Collector

Upload firewall/proxy logs for network-based app discovery. Supports major vendors: Palo Alto, Cisco, Zscaler, etc.

Snapshot Reports

Upload one-time log files for point-in-time analysis. Useful for initial shadow IT assessment.

Session Policies

For connector apps, apply real-time session controls:

  • Monitor all activities — Full visibility into user actions
  • Block downloads — Prevent file downloads to unmanaged devices
  • Block uploads — Prevent data upload to app
  • Block copy/paste — Prevent data exfiltration
  • Apply sensitivity labels — Auto-label downloaded files
  • Protect on download — Encrypt files leaving app

Alerts and Policies

Built-in Anomaly Detection

  • New high-privilege app detected
  • Unusual data access patterns
  • App accessing data from new location
  • Spike in app usage or API calls

Custom Policies

  • Alert on new OAuth apps with high permissions
  • Alert on unverified publisher apps
  • Alert on apps accessing sensitive data
  • Block risky apps automatically

Best Practices

  • Review new apps weekly — Check newly discovered apps and OAuth consents regularly.
  • Set baseline sanctioned apps — Identify and approve commonly used business applications.
  • Enable discovery continuously — Use Defender for Endpoint integration for real-time shadow IT visibility.
  • Block high-risk categories — Consider blocking categories like personal cloud storage or file sharing.
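
One way to build the weekly review queue from an exported app list, as an added example (not code from this product): it applies the Risk Levels bands, cross-checks each app's status against its band, and orders what is pending. The field names (`name`, `risk_score`, `status`, `users`), the action strings, and the sample apps are constructed assumptions modeled on the App Details table, not a documented response format.

```python
# Constructed sample inventory. Field names are assumptions modeled on the
# App Details table, not a documented response format of this API.
SAMPLE_APPS = [
    {"name": "ExampleCRM", "risk_score": 9, "status": "Sanctioned", "users": 410},
    {"name": "ExampleNotes", "risk_score": 6, "status": "Unreviewed", "users": 35},
    {"name": "ExampleShare", "risk_score": 3, "status": "Unreviewed", "users": 120},
    {"name": "ExamplePDF", "risk_score": 2, "status": "Sanctioned", "users": 8},
    {"name": "ExampleSync", "risk_score": 4, "status": "Unsanctioned", "users": 12},
    {"name": "ExampleOdd", "risk_score": 11, "status": "Unreviewed", "users": 1},
]
ORDER = {"Invalid": 0, "High": 1, "Medium": 2, "Low": 3}

def risk_level(score):
    """Map a 1-10 score to the page's bands; anything else is Invalid."""
    if type(score) is not int or not 1 <= score <= 10:
        return "Invalid"
    return "Low" if score >= 8 else "Medium" if score >= 5 else "High"

def recommend(app):
    """Return the pending follow-up for one app, or None if there is none."""
    level = risk_level(app.get("risk_score"))
    status = app.get("status", "Unreviewed")
    if level == "Invalid":
        return "fix record: risk score outside 1-10"
    if status == "Sanctioned":
        # A sanctioned app in the High band contradicts its own approval.
        return "re-review sanction" if level == "High" else None
    if status == "Unsanctioned":
        # Flagged but still used: the warning alone is not stopping access.
        return "consider blocking: still in use" if app.get("users", 0) else None
    return {"High": "consider blocking or restricting",
            "Medium": "review before sanctioning",
            "Low": "candidate for sanctioning"}[level]

def review_queue(apps):
    """(name, level, action) for pending apps, riskiest then most-used first."""
    rows = [(a["name"], risk_level(a.get("risk_score")), recommend(a),
             a.get("users", 0)) for a in apps]
    rows = [r for r in rows if r[2] is not None]
    rows.sort(key=lambda r: (ORDER[r[1]], -r[3]))
    return [r[:3] for r in rows]

if __name__ == "__main__":
    for name, level, action in review_queue(SAMPLE_APPS):
        print(f"{level:8} {name:14} {action}")
```

Records with a score outside 1-10 sort first so that a broken export is noticed before any triage decision relies on it.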

API Reference

  • GET /api/security/connected-apps — List all connected and discovered apps
  • GET /api/security/connected-apps/:appId — Get app details and risk assessment
  • PUT /api/security/connected-apps/:appId/status — Update app sanctioned/unsanctioned status
  • GET /api/security/connected-apps/discovery — Get shadow IT discovery report
  • POST /api/security/connected-apps/:appId/block — Block app access