SC‑300 Study Portal Path 4

Unit 8: Implement and manage policies for OAuth apps

OAuth applications often request permissions that users do not fully understand. Once granted, these permissions can allow persistent access to mailboxes, files, calendars, and other sensitive data.

Microsoft Defender for Cloud Apps provides OAuth app policies to detect, investigate, and control OAuth app risk.

Purpose of OAuth app policies

OAuth app policies allow administrators to:

Receive automated alerts when apps meet risky criteria.

Investigate which permissions apps requested.

See which users authorized the apps.

Approve or ban permissions.

When permissions are marked as banned, Microsoft Defender for Cloud Apps disables the corresponding Enterprise Application.

Create a new OAuth app policy

To create an OAuth app policy:

Launch Microsoft Defender for Cloud Apps at https://security.microsoft.com.

Scroll down the left menu to the Cloud apps section.

Select OAuth apps.

Filter the apps according to your requirements.

For example, filter for apps that request the Modify calendars in your mailbox permission.

Select New policy from search.

The policy creation dialog opens.

Community use filter

The Community use filter indicates whether a permission is:

Common.

Uncommon.

Rare.

This filter is particularly useful when evaluating apps that:

Are rarely used.

Request high-severity permissions.

Are authorized by many users.

Policy scoping using group membership

OAuth app policies can be scoped based on the group membership of users who authorized the app.

For example, an admin might configure a policy that revokes uncommon apps requesting high-severity permissions, but only if the user who authorized the app is a member of the Administrators group.

This allows targeted enforcement without disrupting regular users.
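As an added example (not part of these notes and not Defender for Cloud Apps code), the following Python model shows how such a scoped policy combines its three conditions: community use, permission severity, and the group membership of the users who consented. The severity table, apps, users and groups are constructed sample data; only "Modify calendars in your mailbox" is a permission named in these notes.

```python
from dataclasses import dataclass

# Constructed severity table (hypothetical): which consent strings count as
# high-severity for this illustration.
HIGH_SEVERITY = {"Modify calendars in your mailbox", "Read and write all mail"}

# Constructed group membership keyed by the consenting user's UPN.
USER_GROUPS = {
    "alice@contoso.example": {"Administrators"},
    "bob@contoso.example": {"Sales"},
}


@dataclass
class OAuthApp:
    name: str
    permissions: set        # consent strings the app requested
    community_use: str      # "Common", "Uncommon" or "Rare"
    authorized_by: set      # UPNs of users who consented to the app


# Constructed sample apps as they might appear in the OAuth apps view.
APPS = [
    OAuthApp("Calendar Helper", {"Modify calendars in your mailbox"}, "Rare",
             {"alice@contoso.example"}),
    # Same permissions, but consented only by a non-admin: out of scope.
    OAuthApp("Calendar Sync", {"Modify calendars in your mailbox"}, "Rare",
             {"bob@contoso.example"}),
    # Common, low-severity permission consented by an admin: not risky.
    OAuthApp("Teams Addin", {"Read your profile"}, "Common",
             {"alice@contoso.example"}),
]


def matches_policy(app, scope_group="Administrators"):
    """True when the app is Uncommon or Rare, requests at least one
    high-severity permission, and was authorized by a member of scope_group."""
    uncommon = app.community_use in {"Uncommon", "Rare"}
    high = bool(app.permissions & HIGH_SEVERITY)
    in_scope = any(scope_group in USER_GROUPS.get(u, set())
                   for u in app.authorized_by)
    return uncommon and high and in_scope


def evaluate(apps):
    """Names of apps the policy would flag; banning their permissions
    disables the corresponding Enterprise Application."""
    return [a.name for a in apps if matches_policy(a)]
```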

Alternative policy creation path

OAuth app policies can also be created through the following path:

Select Control.

Select Policies.

Select Create policy.

Select OAuth app policy.

Both paths result in the same type of policy.

Exam takeaway for OAuth policies

Key points frequently tested:

OAuth app policies operate in Microsoft Defender for Cloud Apps.

Banning permissions disables the Enterprise Application.

Community use helps identify abnormal permission requests.

Policies can be scoped using user group membership.