Forum Discussion
Defender bulk unsanction
I want to unsanction all Generative AI apps in the cloud app catalogue with a risk score of 7 or below.
But this is 970 apps, and I don't feel like doing this one page of 20 at a time; I'll be there all day.
Can someone suggest a PowerShell script to set anything in that category with a risk score of 0-7 as unsanctioned?
12 Replies
- PhxWeasel (Copper Contributor)
I'm in a similar situation, but instead of wanting to unsanction every app in the category, I want to allow the Copilot ones. If I set the Copilot ones as sanctioned and then use the policy to unsanction, will it change Copilot to unsanctioned? Like the OP, I was planning to just unsanction them all via PowerShell but can't find a module to do it.
- dhorne25 (Copper Contributor)
Policies shouldn’t touch anything that was manually or already tagged. If you leave something untagged or open, it will get caught, but you can simply go back into the portal and select sanction/unsanction to get it back to the desired state.
- Lucifier0786 (Copper Contributor)
It would be better to configure a policy in the Defender for Cloud Apps (MCAS) blade if you have MCAS access, rather than using a PowerShell script. This way, the process becomes automated and consistent, reducing manual effort and ensuring ongoing enforcement. Once the policy is set, it will automatically unsanction any new Generative AI apps with a risk score ≤ 7 in the future.
With a PowerShell script, you would need to manually run it each time or set up a schedule using Task Scheduler or Azure Automation to mimic automation — but it wouldn’t be as seamless or integrated as an MCAS policy.
- lfk73 (Brass Contributor)
Thanks for the suggestion. That's what I'm doing right now for new apps as they are added. But I want to unsanction the existing 970-odd ones already in the cloud app catalogue. Through the web UI you can only do 20 at a time, based on only being able to select 20 at a time and click Unsanction. Possible, but time-wasting and tedious.
If there is a way to do all of them in the MCAS blade, that's fine with me, if you can explain how to do that.
Thanks.
- dhorne25 (Copper Contributor)
Hi, you should be able to use a policy to tag specific apps as unsanctioned based on their risk level.
In this example (https://learn.microsoft.com/en-us/defender-cloud-apps/cloud-discovery-policies#creating-an-app-discovery-policy), you should be able to add filters for AI (I don’t have access to test right now) and then set a risk score level filter as well. Finally, as a governance action, you can tag it as unsanctioned.
- lfk73 (Brass Contributor)
Is that going to automatically tag them all as unsanctioned immediately, or will it only unsanction a cloud app when a user tries to access it?
- Lucifier0786 (Copper Contributor)
I checked in my environment, and I believe the policy didn’t immediately unsanction existing apps. It only acted and tagged them as unsanctioned when a user accessed the app. This suggests that the policy is triggered by new activity rather than automatically applying to already discovered apps.