Jan 25 2023 07:43 AM
Hi,
We have set a policy within Azure that ALL OAuth requests need to be approved first. After approval I should expect to view (and monitor) the app in the MDCA dashboard. But after waiting for 24 hours, I do not see my approval within the dashboard. Where does MDCA get its OAuth information from?
Jan 26 2023 04:01 AM
@RVC this information comes from Graph and will only be present for apps that have been consented to. If there is a user or admin consent and approval has happened, it should show up.
The approval will not though.
I would also recommend looking at App Governance as it can also monitor not only consents but app registrations as well.
If you have an app that has consent and has approval and there is a permission assigned in AAD then I would suggest opening a case.
Jan 26 2023 06:20 AM
Jan 26 2023 06:32 AM
@RVC the consent is purely for the app in this case (there isn't an extra consent needed for graph). If a user has consented, and it's been approved, I would expect the user and the app to show within the OAuth apps.
I'm not sure if the approval from AAD for the app by the admin will appear in the Defender for Cloud Apps activity logs. There are some scenarios where this might only be available in the AAD audit logs; it depends on what is sent by the service.
If a new user just consented, it's been approved, and you do not see it show up in the app (that already existed in the console) then I would recommend opening a ticket.
App Governance in this case provides more visibility. It will also include app registrations, while OAuth will only show "consents", and there are many more anomaly detections available there in addition to extra data such as if an app is accessing sensitive info within a tenant, amount of data accessed, etc.
This can be tested out with a trial as well.
Jan 26 2023 06:43 AM
Jan 26 2023 07:16 AM
@RVC the approval workflow only exists in AAD today, there isn't currently a way to implement a policy like this in Defender for Cloud Apps.
If this is a type of feature you would like to see, I would recommend submitting your feedback at the link below:
https://aka.ms/M365Defender/SendFeedback