Microsoft Tech Community

Blocking unsanctioned apps


Hi everyone,


I am using Microsoft Defender for Endpoint, and now that it has incorporated Microsoft Defender for Cloud Apps, I am exploring how I can block access to unsanctioned apps.


I created a device group and a scoped profile for a test Allow group (Group A) and I am able to block access to a specific, unsanctioned app, which I'll call App A, for everyone else (Group B). I created the device group by tagging the relevant devices in the device inventory, and then used tags as the device group attribute. 


However, is it possible to get more granular control to create or use multiple groups for multiple apps, like you can do in Active Directory?


Ultimately, I want to be able to block unsanctioned apps for everyone, but then create exceptions for App A for Group A, App B for Group C etc., so that it isn't simply a Block OR Allow situation?


4 Replies

You can certainly create exceptions as you mentioned using Defender for Cloud Apps.
Details here:

Please let us know if that helps or if you have more questions.
Hi Yoann,

Thank you for sharing the link. I have read that guidance before, but I don't think it answered my question clearly.

I have fifty-four apps in total.

I have fifty apps that I want to block access to for everyone.

I have the following four apps that I want to block access to for nearly everyone, but allow for certain users only, who I will call Alice, Bob, Chris and Dave:
- Dropbox
- Gmail
- Google Docs
- Google Drive

How do I allow Alice, Bob and Chris access to Dropbox and Gmail, whilst stopping Dave and everyone else from accessing them?

Also, I want to allow Alice, Chris and Dave access to Google Docs but stop Bob and everyone else from accessing it.

Lastly, I want to allow Bob and Dave access to Google Drive, but stop Alice, Chris and everyone else.

I found out about importing user groups from AD, but the literature seems to suggest this is only for deciding which groups to monitor for app discovery, rather than governance actions.

My understanding is (please correct me if I'm wrong!) that currently I can only use scoped profiles based on Device groups. This means that if a user gets their laptop swapped, I need to make sure to move the old/new laptops into/out of the device group.

It also means that a laptop can only be in one device group at a time, with the highest ranked device group taking precedence.

So, if I create a scoped profile to allow Dropbox and I put Alice, Bob and Chris' laptops in the device group, and then create a deny device group for Alice and Chris to prevent access to Google Drive, then Alice and Chris' laptops would be blocked from accessing Dropbox as the Google Drive block device group takes precedence.

Is it possible to create scoped profiles based on membership of an Active Directory group, import that group, and have that user be a member of more than one AD group/scoped profile, depending on the app and requirement to block/allow?

So, if I have an AD group called 'Allow Dropbox' and added Alice, Bob, and Chris, I could unsanction Dropbox to block access to Dropbox for everyone except that group?

And then if I had an AD group called 'Allow Google Drive' and added Bob and Dave, I could unsanction Google Docs to block access to everyone but Bob and Dave, without it having any impact on Alice and Chris being able to access Dropbox?

Sorry for the wordy reply, but I'm really trying to figure this out!
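The precedence problem laid out in the reply above, modelled as an added Python example rather than anything from the product or the poster: the one-profile-per-device, highest-rank-wins rule is taken from the poster's description (not from product documentation), and the device names, users and group names are constructed.

```python
"""Two ways of scoping app exceptions: the device-group/scoped-profile
behaviour described in the thread (one winning profile per device) and
the per-user group model the poster asks for. All names are constructed."""
from dataclasses import dataclass

UNSANCTIONED = frozenset({"Dropbox", "Gmail", "Google Docs", "Google Drive"})


@dataclass(frozen=True)
class ScopedProfile:
    name: str
    rank: int                        # 1 = highest precedence (assumed convention)
    devices: frozenset               # device group the profile is scoped to
    allow: frozenset = frozenset()   # unsanctioned apps re-allowed for this group


# Constructed scenario: an "allow Dropbox" profile and a higher-ranked
# "block Google Drive" profile that both contain Alice's and Chris's laptops.
PROFILES = (
    ScopedProfile("Allow Dropbox", 2, frozenset({"alice-pc", "bob-pc", "chris-pc"}),
                  allow=frozenset({"Dropbox", "Gmail"})),
    ScopedProfile("Block Google Drive", 1, frozenset({"alice-pc", "chris-pc"})),
)


def device_model_access(device: str, app: str) -> bool:
    """A device is governed by exactly one profile: the highest-ranked one
    containing it. Unsanctioned apps not re-allowed there are blocked."""
    matches = [p for p in PROFILES if device in p.devices]
    winner = min(matches, key=lambda p: p.rank) if matches else None
    allowed_here = winner.allow if winner else frozenset()
    return app not in UNSANCTIONED or app in allowed_here


# Per-user exception groups: a user may belong to several at once.
GROUPS = {
    "Allow Dropbox": (frozenset({"alice", "bob", "chris"}), frozenset({"Dropbox", "Gmail"})),
    "Allow Google Docs": (frozenset({"alice", "chris", "dave"}), frozenset({"Google Docs"})),
    "Allow Google Drive": (frozenset({"bob", "dave"}), frozenset({"Google Drive"})),
}


def group_model_access(user: str, app: str) -> bool:
    """Block every unsanctioned app unless some group the user is in excepts it."""
    if app not in UNSANCTIONED:
        return True
    return any(user in members and app in apps for members, apps in GROUPS.values())


if __name__ == "__main__":
    print(device_model_access("alice-pc", "Dropbox"))  # False: block profile wins
    print(group_model_access("alice", "Dropbox"))      # True: Dropbox group excepts her
```

Running it shows the conflict the poster describes: under the device model Alice loses Dropbox as soon as her laptop lands in the higher-ranked Google Drive block group, while the per-user model expresses the full allow matrix without that side effect.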
Did you work this out?
I'm in the same kind of situation.

As far as I know, you can leave groups of devices out of app discovery, but you can't apply allow/deny permissions to apps based on different groups. You can either allow access to all apps or deny access to all apps.