Forum Discussion

Brass Contributor

Mar 17, 2025

Defender bulk unsanction

I want to unsanctioned all Generative AI apps in cloud catalogue with a risk score 7 or below. But this is 970 apps and I don't feel like doing this one page of 20 at a time I'll be there all day. ...

microsoft 365 defender

dhorne25

Copper Contributor

Mar 18, 2025

Hi, you should be able to use a policy to tag specific apps as unsanctioned based on their risk level.

In this example (https://learn.microsoft.com/en-us/defender-cloud-apps/cloud-discovery-policies#creating-an-app-discovery-policy), you should be able to add filters for AI, I don’t have access to test right now, and then set a risk score level filter as well. Finally, as a governance action, you can tag it as unsanctioned.

lfk73
Brass Contributor
Mar 21, 2025
Is that going to automatically tag them all unsanctioned immediately or when a user tries to access one of the cloud apps it will then unsanctioned that cloud app?
- Lucifier0786
  Copper Contributor
  Mar 21, 2025
  I checked in my environment, and I believe the policy didn’t immediately unsanctioned existing apps. It only acted and tagged them as unsanctioned when a user accessed the app. This suggests that the policy is triggered by new activity rather than automatically applying to already discovered apps.
  - lfk73
    Brass Contributor
    Mar 22, 2025
    Makes sense. Sadly I cant test it in my Developer tenant they don't provide Defender for Endpoint licenses