Forum Discussion
Microsoft Application Protection Incidents
Hi,
Seeing a small number of incidents within Sentinel with the Alert product name of 'Microsoft Application Protection'.
Can view them in Sentinel, but when clicking on the hyperlink to be taken to the Defender portal I can't access them?
Two things: which Defender suite are these alerts coming from? Which roles/permissions are required to view them within the Defender/Unified portal?
1 Reply
- Ankit365 (Iron Contributor)
Alerts that appear in Microsoft Sentinel with the product name Microsoft Application Protection come from Microsoft Defender for Cloud Apps (MDCA), which is now fully integrated into the Microsoft Defender XDR (Unified Defender) platform. In some cases, they can also originate from Microsoft Defender for Endpoint mobile protection policies (part of the Microsoft Intune App Protection, or MAM-WE, enforcement), but in Sentinel they all appear under the same product family name because of how the alert taxonomy is standardized in Defender XDR.
When you see “Microsoft Application Protection” listed as the alert source, it usually refers to detections generated by App Protection Policies (APP) in Microsoft Intune that enforce conditional access and threat defense for managed or MAM-enabled apps. These alerts are forwarded to Microsoft Defender XDR through the Intune and Defender for Endpoint connector, and then to Sentinel via the Microsoft 365 Defender connector. The most common scenarios include detecting suspicious app behavior, attempts to bypass application protection policies, or compromised app sessions.
If you can see the alerts in Sentinel but not open them directly in the Defender portal, it’s likely a permissions or role alignment issue. Application Protection alerts are stored under Defender for Cloud Apps / App Governance / Conditional Access App Control within the Unified Defender experience. To view them there, you need one of the following roles:
- Security Reader, Security Operator, or Security Administrator in Microsoft Defender XDR (Microsoft 365 Defender portal), OR
- App Protection Administrator or Intune Administrator in Microsoft Intune if the alerts relate to MAM-WE enforcement, OR
- Defender for Cloud Apps Admin if the alerts are being generated through the Defender for Cloud Apps layer.
If you only hold Sentinel Reader or Contributor rights, you can view the alert details in Sentinel but not drill down into its corresponding incident record in the Defender portal, as that requires access to the unified XDR data plane.
To confirm the source, open the alert details in Sentinel and look at the ProviderName or AlertSource field — values like “MCAS” or “AppProtection” indicate the alerts came from Defender for Cloud Apps or Intune. In the Microsoft 365 Defender portal, navigate to Incidents & Alerts → Filters → Product name: Microsoft Application Protection to see whether they are visible. If not, check your account permissions in the Microsoft Entra admin center under Roles and administrators → Security Administrator or Defender for Cloud Apps Administrator and assign the role that matches your use case.
In summary, these alerts are coming from Microsoft Defender for Cloud Apps and Intune App Protection integration, and to view them directly in the Unified Defender portal you need either a Security Administrator or a Defender for Cloud Apps Administrator role in Microsoft 365 Defender.
Please hit like if you like the solution.
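One way to run the source check described in the reply above from the Sentinel Logs blade. This is an added example, not part of the original thread; it assumes the alerts land in the standard `SecurityAlert` table, and the 30-day window is an arbitrary choice.

```kql
// Added example: group "Microsoft Application Protection" alerts by the
// columns that identify the originating service, so the source can be
// confirmed from Sentinel without opening the Defender portal.
// Assumes the standard Microsoft Sentinel SecurityAlert schema.
SecurityAlert
| where TimeGenerated > ago(30d)
| where ProductName =~ "Microsoft Application Protection"
// Alerts are written again on every update; keep the latest record per alert.
| summarize arg_max(TimeGenerated, *) by SystemAlertId
| summarize
    Alerts           = count(),
    FirstSeen        = min(TimeGenerated),
    LastSeen         = max(TimeGenerated),
    AlertNames       = make_set(AlertName, 10),
    SamplePortalLink = take_any(AlertLink)
    by ProviderName, VendorName, ProductComponentName, AlertType
| order by Alerts desc
```

`SamplePortalLink` is the same portal hyperlink the incident page exposes, so it is a convenient way to retest access after a role change.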