Forum Discussion
Defender bulk unsanction
Hi, you should be able to use a policy to tag specific apps as unsanctioned based on their risk level.
In this example (https://learn.microsoft.com/en-us/defender-cloud-apps/cloud-discovery-policies#creating-an-app-discovery-policy), you should be able to add filters for AI (I don’t have access to test right now) and then set a risk score level filter as well. Finally, as a governance action, you can tag it as unsanctioned.
Is that going to automatically tag them all as unsanctioned immediately, or will it unsanction a cloud app only when a user tries to access it?
- Lucifier0786, Mar 21, 2025, Copper Contributor
I checked in my environment, and I believe the policy didn’t immediately unsanction existing apps. It only acted and tagged them as unsanctioned when a user accessed the app. This suggests that the policy is triggered by new activity rather than automatically applying to already discovered apps.
- lfk73, Mar 22, 2025, Brass Contributor
Makes sense. Sadly, I can't test it in my Developer tenant; they don't provide Defender for Endpoint licenses.
- dhorne25, Mar 25, 2025, Copper Contributor
We have a similar policy as mentioned in place, and it essentially blocks anytime a user goes to a site with less than that score, even if we’ve seen it before.
This scenario should work: as soon as you implement the policy, anytime someone visits those sites, the policy should kick in and block. But if no one ever visits them, then there’s no point in unsanctioning, since no one has visited it before; it’ll block it on the first visit.