Forum Discussion
Unsanctioned cloud apps generate constant alerts
At the moment there is no setting to change the default behavior when Defender creates a URL indicator from a Cloud App governance action. When a Cloud Discovery policy automatically tags an app as Unsanctioned, Microsoft Defender creates the corresponding URL indicator and enables the “Generate alert” option by default. Unfortunately this behavior is currently hard-coded and there is no tenant-level configuration to disable it globally.
Because of that, SOC teams that use policies like yours (for example automatically unsanctioning all newly discovered apps in a category such as Generative AI) often end up with a large number of alerts when users attempt to access those apps.
Today the practical options are:
- Manually edit the indicator and disable Generate alert (which you already mentioned, but it does not scale well).
- Use automation (Graph API, Power Automate, or a script) to periodically modify newly created indicators and turn off the alert flag.
- Adjust the SOC alert pipeline by filtering or suppressing these alerts if they are not actionable.
In many environments the goal of marking an app as Unsanctioned is simply to enforce blocking through Defender for Endpoint or network controls, not necessarily to generate alerts for every access attempt. Because of that, several organizations handle this by filtering those alerts in their SOC workflow.
Unfortunately, until Microsoft exposes a configurable option for indicator creation behavior, there is no native way to change this default in Defender.
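One way to script the second option above, as an added example that is not part of the original post: it assumes the Defender for Endpoint indicators REST endpoint (`api.securitycenter.microsoft.com/api/indicators`, where re-submitting the same value and type updates the indicator in place), assumes the auto-created indicators are `Url` type with action `Block`, and uses a constructed sample of what the list call returns.

```python
"""Turn off 'Generate alert' on auto-created URL indicators (added example)."""
import json
import urllib.request

# Assumption: Defender for Endpoint indicators API, not confirmed by the post.
API = "https://api.securitycenter.microsoft.com/api/indicators"


def select_noisy_url_indicators(indicators, action="Block"):
    """Return URL-type indicators that enforce `action` and still alert."""
    return [
        i for i in indicators
        if i.get("indicatorType") == "Url"
        and i.get("action") == action
        and i.get("generateAlert") is True
    ]


def build_update(indicator):
    """Body that re-submits the same indicator with alerting switched off."""
    return {
        "indicatorValue": indicator["indicatorValue"],
        "indicatorType": indicator["indicatorType"],
        "action": indicator["action"],          # keep the block in place
        "title": indicator.get("title", ""),
        "description": indicator.get("description", ""),
        "generateAlert": False,
    }


def silence(token, indicators):
    """POST an update for each noisy indicator; returns the count updated."""
    n = 0
    for ind in select_noisy_url_indicators(indicators):
        req = urllib.request.Request(
            API, method="POST",
            data=json.dumps(build_update(ind)).encode(),
            headers={"Authorization": f"Bearer {token}",
                     "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:
            resp.read()
        n += 1
    return n


# Constructed sample of a GET /api/indicators "value" array (not real data).
SAMPLE = [
    {"id": "1", "indicatorValue": "genai-app.example", "indicatorType": "Url",
     "action": "Block", "generateAlert": True, "title": "Unsanctioned app"},
    {"id": "2", "indicatorValue": "crm.example", "indicatorType": "Url",
     "action": "Allowed", "generateAlert": False, "title": "Sanctioned app"},
    {"id": "3", "indicatorValue": "<placeholder-sha256>", "indicatorType":
     "FileSha256", "action": "Block", "generateAlert": True, "title": "Hash"},
]
```

Run it on a schedule with an app-registration token that has indicator write permission; only the first sample entry is selected, the allowed app and the file hash are left untouched.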