Block Access to Unsanctioned Apps with Microsoft Defender ATP & Cloud App Security

Published Jan 21 2020 01:35 PM 35.7K Views

In a modern workplace where the average enterprise is using over 1,500 different cloud apps, and more than 80 gigabytes of data is being uploaded monthly to risky apps from business endpoint devices, the ability of IT and compliance administrators to manage and monitor shadow IT becomes an (almost) impossible mission. It is not only about the ability to assess the potential risk that cloud apps pose to the company, but also about the tools IT has (or doesn’t have) to control and manage access to these apps.


Complex network security solutions, time-consuming workflows for creating custom blocking rules, and a lot of manual work that needs to be done, make a simple process such as taking a list of cloud apps to be blocked and pushing these to web filtering rules a significant undertaking! When administrators have to manage too many personas and components in this process, it will dramatically slow them down when it comes to applying cloud app access policies in their organization.

In the last two years, Microsoft Defender Advanced Threat Protection (ATP) and Microsoft Cloud App Security have worked to build a full shadow IT discovery solution that analyzes organization’s traffic data against the Cloud App Security cloud app catalog. Apps are carefully curated to be included in this catalog and ranked and scored based on more than 90 risk factors to provide your organization with ongoing visibility into cloud app usage, existing shadow IT, and the risk shadow IT poses into your organization.


reporting of existing shadow IT, and to allow organizations to proactively take action on the high risk posed by use of these unsanctioned applications – thereby removing any further risk and usage across your business. This new feature, now in public preview, leverages Microsoft Defender ATP network protection in block mode ensuring the protections are in place wherever the device travels – in distributed offices, at airports, or at the local coffee shop. 

By tagging apps in Cloud App Security as unsanctioned based on the comprehensive usage and risk assessment of each app that we provide, those risky app domains are then pushed to Microsoft Defender ATP as custom network indicators in near real-time.

This is a single-click control that can significantly improve security posture and save time.



Figure 1: Configure a cloud app as unsanctioned in one click


The process can also be completed manually, by reviewing discovered apps in your tenant and marking them as unsanctioned, or automatically by creating a cloud app control policy to block cloud apps that meet predefined conditions. For instance, in the Cloud App Security portal, you can now create a policy to automatically block access to non-compliant cloud storage apps, for example apps that do not comply with HIPAA and SOC 2 AND that are not Microsoft OneDrive for Business or Dropbox. Alternatively, you might want to block end users from accessing specific social networks in case there was a high volume of data upload identified. This can also be done manually or by creating a simple policy to handle blocking those network connections automatically.

The corresponding URL/Domains Indicators will appear in the “Microsoft Defender ATP Indicators” setting page under URLs/Domains tab.



Figure 2: URL and Domain Indicators


When the user next attempts to access the unsanctioned app, they will be blocked by Windows Defender SmartScreen, and will not able to access the requested cloud resource.



Figure 3: Example user experience when attempting to access an unsanctioned app


Every instance of an endpoint trying to access a blocked cloud app will result in an informational alert in Microsoft Defender Security Center allowing you to drill down into the full machine timeline to see whether the endpoint was trying to access additional risky resources and to eliminate any concern of malicious behavior or data exfiltration attempts.

Microsoft Defender ATP and Cloud App Security together deliver this simple, powerful and unique outcome to ensure your modern workplace allows high end user productivity without neglecting your security principles, and to also allow you as an administrator to be more productive by setting automated policy-based flows to protect against user access to risky cloud resources. This enables you to put your limited resources on managing your security strategy, while we take care of operating and configurating your environment.

The Microsoft Defender ATP and Cloud App Security product teams would love to get your feedback on your overall experience with this feature, use this form to fill in your feedback.


Get Started in 3 quick steps

After you have verified that you have all the integration prerequisites listed in this article, follow the steps below to start blocking access to unsanctioned apps with Cloud App Security and Microsoft Defender ATP –


Step 1

In Microsoft Defender Security Center under Settings > Advanced features, enable Microsoft Cloud App Security integration:



Step 2

In Microsoft Defender Security Center under Settings > Advanced features, enable Custom network indicators:



Step 3

In the Microsoft Cloud App Security portal under Settings > Microsoft Defender ATP integration, mark the checkbox to enable blocking of endpoint access to cloud apps marked as unsanctioned in Cloud App Security:




More info and feedback


Please let @Efrat Kliger and @Danny Kadyshevitch know any questions you have!


Thank you

@Danny Kadyshevitch on behalf of Microsoft Defender ATP and Cloud App Security teams.


Occasional Contributor
Does this feature make solutions like Zscaler useless?
Regular Visitor

Isn’t there a step missing.

windows defender atp client also needs to have network protection enabled on block mode. Or has this requirement changed.


i would like to see functionality to be able to block types of sites like gambling etc. 

any ideas when the redirect url feature that was shown at ignite is coming out. So we can redirect users to a more friendly screen. 

Regular Visitor

Can this feature be used to block access to other corporate o365 tenants, using tenant ID restrictions?

@Dale Hayter network protection is listed as part of the integration prerequisites, to which there's a link provided under the "Get started" section.

Re the redirect URL - we will be able to provide a committed timeline for that shortly.

@Tony-1085 we are still looking into having the O365 tenant restrictions feature supported, stay tuned for more updates to come down the line.

Senior Member

@Danny Kadyshevitch 

Thanks for putting this together. There were a few things that I noticed in testing that don't quite look primetime. With Network Protection enabled I was able to block and MCAS unsanctioned app and another Custom indicator domain. The experience that I saw across browser is where the problems are.

  • Edge - The smart screen filter came up for both sites. Which was probably the most optimal experience.
  • Chrome - The MCAS Unsanctioned App gave a ERR_TUNNEL_CONNECTION_FAILED. The custom indicator domain returned a 403 error.
  • Firefox - The MCAS Unsanctioned App gave a blank white screen. The custom indicator domain never left the landing screen.

For all 3 browsers I never received the toast message at the bottom of the screen.

What about Edge Chromium support?

Occasional Contributor

@Marius Sandbu , Edge Chromium comes up with the red screen. No toast notification for me in the stable build.

Senior Member

Also what is the current state of this in a macOS version of MDATP?


@Bill Brennan cross-platform support is important to our customers and this product roadmap. As of today, this feature is not yet supported on macOS.


Regarding browsers:

Edge and Chromium Edge are going to have the best user experience due to SmartScreen integration.

3rd party browsers and other client applications leverage Network Protection to enforce the policy. As of today, Network Protection block notifications are done through the Windows Toast user interface. Feedback is clear on improving this end user experience.


Please check your Focus Assist settings if you aren't receiving notifications for Chrome/Firefox. You should not see a toast notification for Edge or Chromium Edge blocks. You can also view the notification history in Action Center.

Frequent Contributor

Hi Danny, Step 3 is slightly inaccurate:



In the Microsoft Cloud App Security portal under Settings > Microsoft Defender ATP integration, mark the checkbox


Should read:

Use the following steps to enable access control for cloud apps:

  1. In Cloud App Security, go to Settings > Cloud app control, and then select Block unsanctioned apps. (should now be) Cloud app control with Microsoft Defender Advanced Threat Protection.


@David Caddick we made some wording changes that might have not propagated to all environments yet.

Please let me know if you're still seeing these texts in your Cloud App Security tenant in the next 24 hours.

Frequent Contributor

**bleep** - how can we hope to keep up ;)

Thanks - seeing this now

New Contributor

I can confirm that I didn't receive toast notifications either, on build 1909. Nothing in notification history either. Same experience as @Bill Brennan - with Firefox showing a Secure Connection Failed error (SSL_ERROR_NO_CYPHER_OVERLAP).


Focus Assist is disabled, is there something else we're missing here?

Senior Member

For what it is worth, last week the Defender ATP Web Content Filtering went into Public Preview. I haven't kicked the tires on it yet, but it certainly appears that the solution is getting closer to be able to replace a lot of other systems...


@glappin In your Virus and Threat Protection settings -> Notification settings  -> Do you have the box check for "Files or activities are blocked?"

Senior Member

@NickWelton… I have all of the notifications checked off, including that one. I just never receive any notifications.

New Contributor

@NickWelton- Same as Bill, all notifications are on. No notifications received.

I got a toast notification the first time I blocked the URL. All subsequent blocks as I was testing with the same URL returned no notification. 

Occasional Visitor

Greate article :hearteyes:. Unfortunatly i'm having mixed success with this :cry:.


Running: Office E3 licenses, on prem domain joined Windows 10 - 2004 (19041.113) and Windows 10 - 1909 (18363.693) Machines are not Intune-managed.
App in question: (Action in Cloud App Security: Unsanctioned-tag)
Cloud App Security and Microsoft Defender Security Center are integrated, and data flow between the two.

All things turned on under "Advanced features" in Microsoft Defender Security Center.  

PowerShell: EnableNetworkProtection set to Enabled (1/Block mode)


Using Microsoft Edge (80.0.2361.66) visting gets the blocked message with Microsoft Defender SmartScreen. 
Using any other browser, or running app on one of the two test computeres, things fly past Microsoft Defender. 


Any thoughts on what I'm missing (or misunderstanding)? 

Bonus info:
Looked into the follow page, setting iTunes as unsanctioned. Gets blocked by Edge browser, but no problem running the app on machines or visting the via latest Chrome or Firefox.


Occasional Visitor

@Peter1400 Having the same issue with E5 licenses, everything on, testing with Build 2004. Edge blocks it, but that's it. Firefox and Chrome can open the Unsanctioned app's website without an issue and the app itself.

Senior Member

Hi, any news regarding O365 tenant restrictions feature support?

Occasional Visitor

Can you have a policy for a specific user and not the entire org?

Occasional Contributor

@Danny Kadyshevitch  Is there a way to block only specific users .  Blocking Unsanctioned apps blocks ist for all the users 


Hi @SathishKumarPatchaiappan 


Currently, this is not supported.

We are planning to enable user group based scoping in the future.



New Contributor

@Danny Kadyshevitch is there a roadmap for when we might see granular control around unsanctioned apps? We need to be able to exclude certain users or user groups, and that doesn't seem possible at present.


Hello @Boris_Kacevich in case customer is looking for replacing incumbent content filtering product with Web Content Filtering and/or MCAS, is there a way to perform tenant restriction from managed Windows 10 devices. As per this require "For each outgoing request to,, and, insert two HTTP headers: Restrict-Access-To-Tenants and Restrict-Access-Context"


CC @Tony-1085 and @Sergey Petrukhin - have you heard any news on this? Perhaps some other MS Defender features?


P.S. References - examples of implementation with firewall and proxy based products:







Hi @Sergg 


Tenant restrictions are currently not supported as part of the MCAS solution on controlling app access.

Note that Defender for Endpoints are introducing a dedicated WCF solution, so reaching out to them is also recommended.



Version history
Last update:
‎May 11 2021 01:58 PM
Updated by: