Defender for Cloud Apps: Policies & OAuth Governance
Create access and session policies for real-time app control, govern OAuth apps to prevent abuse, and manage the cloud app catalog risk scoring in Defender for Cloud Apps.
Policies in Defender for Cloud Apps
Policies are like the rules at an airport security checkpoint.
An access policy is the decision at the gate: “Can this person board the plane?” — you check their ticket (identity), passport (device compliance), and no-fly list (risk level) BEFORE they enter.
A session policy is what happens DURING the flight: “This passenger can sit in their seat but can’t enter the cockpit, and if they try to open the emergency door, we intervene immediately.” You’re watching and controlling actions in real time.
OAuth policies are about the apps themselves: “This airline (app) has been flagged for safety violations — revoke its operating licence until it’s reviewed.”
Access policies vs session policies
| Feature | Access Policy | Session Policy |
|---|---|---|
| When it acts | At sign-in (before session starts) | During the session (real-time) |
| What it controls | Whether the user can access the app at all | What the user can do inside the app |
| Actions available | Allow, Block, Monitor, Test (route through reverse proxy) | Monitor, Block download, Block upload, Block copy/cut, Block print, Protect (label/encrypt), Custom |
| Granularity | User, device, location, risk level | User + action type + file type + sensitivity label + content inspection |
| Requires reverse proxy | ||
| Example | Block access from high-risk countries | Block downloading files labelled 'Confidential' on unmanaged devices |
Creating access policies
Access policies evaluate conditions when a user accesses a protected app and determine what happens.
Steps to create an access policy:
- Defender for Cloud Apps portal → Control → Policies → Create policy → Access policy
- Configure filters:
- App: Select the target app (e.g., Salesforce, SharePoint)
- User: All users, specific groups, or external users
- Device: Managed, unmanaged, specific client types
- Location: Specific countries/IP ranges
- Risk level: User risk from Entra ID Protection
- Choose the action:
- Allow — let the user in
- Block — deny access
- Monitor — allow but log for review (route through reverse proxy)
- Configure alerts — email notification, Defender XDR alert
Note: Step-up authentication (requiring MFA or re-auth) is handled by Conditional Access policies, not MDCA access policies directly. MDCA and CA work together — CA controls access decisions, MDCA controls in-session behaviour.
Scenario: Anika blocks access from high-risk locations
🛡️ Anika Weber creates an access policy for a financial services client:
- App: All connected apps
- User: All users
- Location: Countries flagged as high-risk by the compliance team (North Korea, Iran, Russia)
- Action: Block with a custom message: “Access from this location is blocked per security policy. Contact IT if you believe this is an error.”
- Alert: High-severity alert to the SOC team
Result: Any attempt to access company apps from blocked countries is denied at the gate. The SOC team is notified immediately for investigation — it could be a compromised account or a travelling employee using a VPN.
Creating session policies
Session policies are more powerful — they control what happens inside an active session.
Steps to create a session policy:
- Defender for Cloud Apps portal → Control → Policies → Create policy → Session policy
- Select the session control type:
- Monitor only — log all activities, no enforcement
- Block activities — prevent specific actions (download, upload, copy, print)
- Control file download (with inspection) — inspect and protect downloaded files
- Control file upload (with inspection) — inspect files before upload
- Block copy/cut — prevent data from being copied to clipboard
- Configure filters:
- Activity type: Download, upload, print, copy, custom activity
- Device: Managed vs unmanaged
- File: By type, sensitivity label, or content (DLP inspection)
- User: Specific groups or all users
- Choose the action for matching activities
- Configure alerts
Scenario: Anika blocks downloads from unmanaged devices
🛡️ Anika creates a session policy for a healthcare client who needs clinicians to view patient records on personal phones but never download them:
Policy configuration:
- Session control type: Block activities
- App: SharePoint Online, OneDrive for Business
- Activity type: Download file
- Device filter: Device is not Intune compliant AND not hybrid joined
- File filter: Files with sensitivity label “Patient Data” OR “Confidential”
- Action: Block with message: “Downloads of sensitive files are restricted to managed devices.”
- Alert: Medium severity → SOC team
What happens:
- A clinician on their managed hospital laptop downloads a patient file → ✅ Allowed
- The same clinician on their personal phone views the file in browser → ✅ Allowed
- They try to download it to their phone → ❌ Blocked, logged, alert generated
- They try to download a non-sensitive “cafeteria menu” file on their phone → ✅ Allowed (no sensitivity label match)
Exam tip: Session policy order of evaluation
When multiple session policies match, the most restrictive policy wins. If one policy allows downloads and another blocks them for the same user and app, the block takes effect. Monitor-only policies don’t interfere with enforcement policies — they just log alongside them.
OAuth app governance
OAuth apps are third-party applications that users grant permissions to via consent. These are a major attack surface — a malicious app with Mail.Read permission can silently exfiltrate email data.
Why OAuth governance matters
- Illicit consent grants: Attackers trick users into consenting to malicious apps
- Over-permissioned apps: Legacy apps with broad permissions that are no longer used
- Data exfiltration: Compromised or rogue apps accessing sensitive data via Graph API
- Supply chain risk: A trusted vendor’s app gets compromised
Viewing OAuth apps
Defender for Cloud Apps → Investigate → OAuth apps shows:
- Every app that has been granted permissions in your tenant
- The permission level (high, medium, low severity)
- Number of users who authorised the app
- Publisher verification status
- Community usage (how many other organisations use this app)
Creating OAuth app policies
Steps:
- Control → Policies → Create policy → OAuth app policy
- Set filters:
- Permission level: High (reads mail, files, etc.)
- Community use: Uncommon (few organisations use it)
- Publisher: Not verified
- App state: Enabled
- Choose actions:
- Notify — alert admins about the risky app
- Revoke app — automatically revoke all user consents
- Disable app — prevent new sign-ins via the app
Scenario: Anika hunts risky OAuth apps
🛡️ Anika audits OAuth apps for a client and finds:
| App | Permission Level | Users | Publisher Verified | Community Use |
|---|---|---|---|---|
| ”Quick PDF Converter” | High (Mail.ReadWrite) | 47 | ❌ No | Low (12 orgs) |
| “Salesforce Connector” | High (User.Read.All) | 200 | ✅ Yes | High (15,000 orgs) |
| “Calendar Optimizer Pro” | Medium (Calendars.Read) | 3 | ❌ No | Low (8 orgs) |
Anika’s actions:
- Revokes “Quick PDF Converter” — unverified publisher, high permissions, reads and writes email. Classic illicit consent pattern. All 47 users lose access immediately.
- Monitors “Salesforce Connector” — high permissions but verified publisher, widely used. Anika adds it to the watch list.
- Revokes “Calendar Optimizer Pro” — unverified, low usage, unnecessary risk for 3 users.
Anika then creates an automated policy: Any new OAuth app with high permission level + unverified publisher + fewer than 100 community users → automatically revoke and alert.
Managing the Cloud app catalog
The Cloud app catalog in Defender for Cloud Apps contains 31,000+ cloud apps, each with a risk score from 1 to 10.
Risk score factors
Scores are based on 90+ attributes across four categories:
| Category | What It Assesses | Example Factors |
|---|---|---|
| General | Company info, age, legal terms | Company founded date, headquarters location, terms of service |
| Security | Encryption, authentication | Data-at-rest encryption, MFA support, SAML/OIDC support |
| Compliance | Certifications, standards | SOC 2, ISO 27001, HIPAA, GDPR compliance |
| Legal | Data ownership, privacy | Data ownership clarity, DMCA compliance, privacy policy |
Customising the catalog
You can override risk scores to reflect your organisation’s priorities:
- Open the Cloud app catalog → find the app
- Click the app → Override score
- Adjust individual factor scores or the overall score
- Add notes explaining the override
Example: Your organisation has a contract with an app that scores 4/10 by default. After reviewing the contract’s security addendum, you override the score to 7/10 with a note: “Reviewed by legal — contractual security obligations meet our standard.”
You can also:
- Add custom apps not in the catalog
- Request an app review from Microsoft if you think the scoring is inaccurate
- Export the catalog for offline analysis or compliance reporting
Exam tip: Catalog scores and policies
Risk scores from the Cloud app catalog feed into other features:
- Cloud Discovery uses scores to flag risky discovered apps
- Policies can filter by risk score (e.g., “alert when a user accesses an app with score below 5”)
- Sanctioning decisions should consider the catalog score alongside your own assessment
- You can create a policy that automatically unsanctions apps below a certain score threshold
🎬 Video walkthrough
🎬 Video coming soon
Defender for Cloud Apps Policies & OAuth — SC-300 Module 21
Defender for Cloud Apps Policies & OAuth — SC-300 Module 21
~11 minFlashcards
Knowledge Check
Anika needs to ensure that employees on unmanaged devices can view files in SharePoint but cannot download files labelled 'Confidential.' She also wants to allow all downloads on managed devices. What should she create?
Anika discovers that 23 users at a client have consented to an app called 'SuperSync Pro' that has Mail.ReadWrite permissions. The app publisher is unverified, and only 5 organisations worldwide use it. What should Anika do first?
A discovered app in the Cloud app catalog has a risk score of 3/10 due to poor encryption practices. However, your legal team has reviewed the app and confirmed it meets your organisation's requirements under a specific contract. What should you do?
🎉 Congratulations! You’ve completed Domain 3: Plan and Implement Workload Identities. You now understand managed identities, service principals, enterprise apps, app registrations, consent frameworks, and Defender for Cloud Apps governance. Next up is Domain 4, where you’ll tackle access management with Conditional Access, MFA, and identity protection.