Have you ever thought about how many apps you use daily? Or the apps that require you to sign in using your Microsoft credentials? The relationship between a user and an app has become instinctual. People often use apps without a second thought, unaware of the data that app is accessing on their behalf or what permissions they’ve just granted consent to. The rise of OAuth app based attacks has especially become more prominent through attacks like consent phishing or OAuth app abuse. Combined with the existing challenge of navigating through the SaaS sprawl, organizations need security solutions that protect them from all facets without requiring extra tooling or personnel.
Because we are seeing a continued rise in app-based attacks, we believe this is a foundational capability for customers. That’s why today, we are excited to announce that going forward the App Governance add-on will be included in Defender for Cloud Apps at no additional cost. On June 1, 2023, new and existing customers will be able to start the opt-in process to begin using these capabilities.
This means that all customers with a standalone, E5 Security, or Microsoft 365 E5, or any other license that includes Defender for Cloud Apps, will have access to App Governance, at no additional cost. For existing App Governance customers, on June 1, depending on which channel you've purchased the licensing, we will either proactively cancel your subscription or manage the queue accordingly once a ticket is received. The change will have no effect on your current App Governance experience.
In February, we announced our shift from CASB to SaaS Security which extended our powerful CASB capabilities (discovery, information & enhanced threat protection via Microsoft 365 Defender) to new pillars in SaaS security posture management (SSPM) and app-to-app protection. We recognize the need for OAuth app protection and want to ensure organizations have holistic SaaS security within their existing security offerings to further enable them to Do More with Less.
App Governance is a security and policy management capability designed for OAuth-enabled apps registered in Azure Active Directory (Azure AD), Google Workspace and Salesforce. It delivers full visibility, remediation, and governance into how these apps and their users access, use, and share sensitive data stored in Microsoft 365 through actionable insights and automated policy alerts.
It also proactively helps organizations maintain their app hygiene by providing a view into OAuth apps that are unused, expiring or have unused credentials and ways to remediate these potential vulnerabilities.
Figure 1. App governance dashboard showing an overview of OAuth app insights
Hunting using OAuth app data in Microsoft 365 Defender
As part of the alert investigation or app inspection journey, admins often need to look at specific activities done by suspicious or noncompliant apps and the resources the apps have accessed. This information, however, is not always available and it takes advanced skills to write effective KQL queries that surface relevant information without too much noise.
We’ve taken hunting with app data one step further by providing deeper OAuth app insights to help your SOC identify an app’s activities and the resources it has accessed. This includes pre-built queries to streamline the investigation, visibility into the data in the results view and the ability to include OAuth app data such as resource, app, user, and app activity details in custom detections.
In addition to the above, you will also see prior OAuth app features in Defender for Cloud Apps standalone have converged into the App Governance blade providing you insights and policy management for OAuth-enabled apps registered in Azure Active Directory (Azure AD), Google Workspace and Salesforce from a single view. All these features will be available in alignment with the June 1 timeline.
- Visit our website to learn more about Microsoft Defender for Cloud Apps
- Check out our documentation to read about our App Governance capabilities
- Read more about SaaS Security in our infographic
- Look out for a webinar in the coming weeks