Forum Discussion
Defender bulk unsanction
Is that going to automatically tag them all unsanctioned immediately or when a user tries to access one of the cloud apps it will then unsanctioned that cloud app?
I checked in my environment, and I believe the policy didn’t immediately unsanctioned existing apps. It only acted and tagged them as unsanctioned when a user accessed the app. This suggests that the policy is triggered by new activity rather than automatically applying to already discovered apps.
Makes sense. Sadly I cant test it in my Developer tenant they don't provide Defender for Endpoint licenses
We have a similar policy as mentioned in place, and essentially blocks anytime a user goes to a site less than that score, even if we’ve seen it before.
This scenario should work, as soon as you implement the policy, anytime someone visits those sites, the policy should kick in and block, but if no one ever visits them, then there’s no point in unsanctioning, since no one has visited it before, but it’ll block it on the first visit.
FYI is anyone is watching I did this and something weird happened. Instead of unsanctioning anything with the risk rating set it unsanctioned every single site as soon as someone requested it. 1000 users screaming down the phone thanks MS.
