Forum Discussion
OAuth authorization
RVC, the consent is purely for the app in this case (there isn't an extra consent needed for Graph). If a user has consented, and it's been approved, I would expect the user and the app to show within the OAuth apps.
I'm not sure if the approval from AAD for the app by the admin will appear in the Defender for Cloud Apps activity logs. There are some scenarios where this might only be available in the AAD audit logs, it depends on what is sent by the service.
If a new user just consented, it's been approved, and you do not see it show up in the app (that already existed in the console) then I would recommend opening a ticket.
App Governance in this case provides more visibility. It will also include app registrations while OAuth will only show "consents" and there are many more anomaly detections available there in addition to extra data such as if an app is accessing sensitive info within a tenant, amount of data accessed, etc...
This can be tested out with a trial as well.
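One concrete way to do the check the reply above recommends before opening a ticket is to confirm in AAD itself that the grant exists, and then see whether the corresponding "Consent to application" audit event is there. The script below is an added example, not code from the thread or from Microsoft: the two payloads are constructed in the shape of Microsoft Graph's GET /oauth2PermissionGrants and GET /auditLogs/directoryAudits responses (field names follow the Graph schema; every id, app name and timestamp is invented), and in a real tenant they would be fetched with an authenticated Graph client rather than read from string literals.

```python
"""Reconcile an app's OAuth2 permission grants with AAD consent audit events.

Added example, not from the thread. Payloads are constructed in the shape of
Microsoft Graph's /oauth2PermissionGrants and /auditLogs/directoryAudits
responses; all identifiers and names below are invented.
"""
import json
from datetime import datetime

# Constructed object id of the enterprise app (servicePrincipal) under review.
APP_SP_ID = "11111111-aaaa-4bbb-8ccc-000000000001"

# Constructed: GET /oauth2PermissionGrants?$filter=clientId eq '{APP_SP_ID}'
# (one grant for a different app is included to show the filter working).
GRANTS_JSON = """{"value": [
  {"id": "g1", "clientId": "11111111-aaaa-4bbb-8ccc-000000000001",
   "consentType": "Principal", "principalId": "u-alice",
   "resourceId": "graph-sp", "scope": " User.Read Mail.Read"},
  {"id": "g2", "clientId": "11111111-aaaa-4bbb-8ccc-000000000001",
   "consentType": "Principal", "principalId": "u-bob",
   "resourceId": "graph-sp", "scope": "User.Read"},
  {"id": "g3", "clientId": "11111111-aaaa-4bbb-8ccc-000000000001",
   "consentType": "AllPrincipals", "principalId": null,
   "resourceId": "graph-sp", "scope": "User.Read"},
  {"id": "g4", "clientId": "99999999-bbbb-4ccc-8ddd-000000000002",
   "consentType": "Principal", "principalId": "u-alice",
   "resourceId": "graph-sp", "scope": "Files.Read"}
]}"""

# Constructed: GET /auditLogs/directoryAudits for the same app.
AUDITS_JSON = """{"value": [
  {"activityDisplayName": "Consent to application", "result": "success",
   "activityDateTime": "2023-01-25T10:00:00Z",
   "initiatedBy": {"user": {"id": "u-alice", "userPrincipalName": "alice@contoso.example"}},
   "targetResources": [{"id": "11111111-aaaa-4bbb-8ccc-000000000001",
                        "displayName": "Contoso Mail Reader", "type": "ServicePrincipal"}]},
  {"activityDisplayName": "Consent to application", "result": "success",
   "activityDateTime": "2023-01-26T09:30:00Z",
   "initiatedBy": {"user": {"id": "u-carol", "userPrincipalName": "carol@contoso.example"}},
   "targetResources": [{"id": "11111111-aaaa-4bbb-8ccc-000000000001",
                        "displayName": "Contoso Mail Reader", "type": "ServicePrincipal"}]},
  {"activityDisplayName": "Add service principal", "result": "success",
   "activityDateTime": "2023-01-20T08:00:00Z",
   "initiatedBy": {"user": {"id": "u-admin", "userPrincipalName": "admin@contoso.example"}},
   "targetResources": [{"id": "11111111-aaaa-4bbb-8ccc-000000000001",
                        "displayName": "Contoso Mail Reader", "type": "ServicePrincipal"}]}
]}"""


def grants_for_app(grants_json: str, client_id: str) -> dict:
    """Split the app's grants into tenant-wide (admin) and per-user consent."""
    tenant_wide, per_user = set(), {}
    for g in json.loads(grants_json)["value"]:
        if g["clientId"] != client_id:
            continue
        scopes = set(g["scope"].split())  # Graph returns a space-separated string
        if g["consentType"] == "AllPrincipals":
            tenant_wide |= scopes
        else:
            per_user.setdefault(g["principalId"], set()).update(scopes)
    return {"tenant_wide": tenant_wide, "per_user": per_user}


def consent_events(audits_json: str, client_id: str) -> dict:
    """Map user object id -> time of their latest successful consent to this app."""
    latest = {}
    for e in json.loads(audits_json)["value"]:
        if e["activityDisplayName"] != "Consent to application" or e["result"] != "success":
            continue
        if not any(t["id"] == client_id for t in e["targetResources"]):
            continue
        uid = (e.get("initiatedBy", {}).get("user") or {}).get("id")
        if uid is None:
            continue
        when = datetime.fromisoformat(e["activityDateTime"].replace("Z", "+00:00"))
        if uid not in latest or when > latest[uid]:
            latest[uid] = when
    return latest


def reconcile(grants: dict, events: dict) -> dict:
    """Users with a grant but no audit event, and audit events with no surviving grant."""
    with_grant, in_audit = set(grants["per_user"]), set(events)
    return {
        "grant_without_audit": sorted(with_grant - in_audit),
        "audit_without_grant": sorted(in_audit - with_grant),
        "tenant_wide_scopes": sorted(grants["tenant_wide"]),
    }


if __name__ == "__main__":
    g = grants_for_app(GRANTS_JSON, APP_SP_ID)
    r = reconcile(g, consent_events(AUDITS_JSON, APP_SP_ID))
    for user, scopes in sorted(g["per_user"].items()):
        print(f"user consent: {user}: {' '.join(sorted(scopes))}")
    print(json.dumps(r, indent=2))
```

A user in `grant_without_audit` holds a live consent that the audit log does not explain (for example, consented before the audit retention window), and a user in `audit_without_grant` consented at some point but the grant has since been revoked. Only a user who appears in neither list with a current grant, yet is missing from the OAuth apps page, is the case the reply above says is worth a ticket.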
As I tried to explain, the consent is given based on AAD settings. But is there a mechanism within MDCA by which a request comes in and can be approved, without having a grey period in which the user can have access (use the app, with all related risk) and during a "periodic" review the app is approved or blocked? Thus, within AAD we do not restrict, but we have a setting within MDCA (a policy!?) that prevents the user from using the app to access the data, and first (queues the request)/triggers a workflow in which an admin/security officer should review the request before it is approved. Whereby the approval could be user based, for a specific group, or tenant wide.
- Keith_Fleming, Jan 26, 2023
Microsoft
RVC, the approval workflow only exists in AAD today; there isn't currently a way to implement a policy like this in Defender for Cloud Apps.
If this is a type of feature you would like to see, I would recommend submitting your feedback at the link below:
https://aka.ms/M365Defender/SendFeedback