
Microsoft App Governance

OAuth app visibility, compliance monitoring, and data access controls

What is App Governance?

Monitor and govern OAuth-enabled apps accessing Microsoft 365 data. Detect overprivileged apps, identify abnormal app behaviour, and enforce compliance policies to reduce supply-chain risk.

Core Capabilities

App Governance Labs

Monitor OAuth apps, create compliance policies, investigate app threats, and enforce consent controls across your Microsoft 365 tenant.

App Gov Scripts

Ready-to-run PowerShell scripts for lab simulations.

Script                        Description                                                         Level         Parameters
Invoke-AppGovAudit.ps1        OAuth app audit: permissions, publisher verification, dormant apps  Intermediate  -Action [Audit|HighRisk|Dormant|Export]
Invoke-AppGovRemediation.ps1  Remediate: revoke grants, disable apps, rotate credentials          Advanced      -Action [Revoke|Disable|RotateCredentials], -AppId

App Governance Resources

App Governance FAQ

What is App Governance and what problem does it solve?

App Governance is a security and policy management capability in Microsoft Defender for Cloud Apps that provides deep visibility into OAuth applications accessing your Microsoft 365 data:

  • The problem: Modern enterprises have hundreds of third-party OAuth apps connected to their M365 tenant. Each app was granted permissions through user or admin consent, often without security review. These apps have persistent API access to mailboxes, files, and user data, and can be compromised in supply chain attacks.
  • What App Governance does: Continuously inventories all OAuth apps, monitors their data access patterns, detects anomalous behaviour (sudden data access spikes, credential changes, privilege escalation), and enforces compliance policies
  • Key metrics it tracks: Which apps access M365 data, how much data they consume, what permissions they hold, whether their publisher is verified, when they were last active, and whether their behaviour deviates from established baselines

App Governance closes the blind spot between "who has access" (Entra ID) and "what are they actually doing with that access" (MDA + App Governance).

App Governance overview

How does it detect overprivileged applications?

App Governance identifies overprivileged apps by comparing granted permissions against actual usage:

  • Permission vs. usage analysis: An app granted Mail.ReadWrite.All but only ever reads 5 mailboxes is flagged as overprivileged. An app granted Files.ReadWrite.All but only accesses one SharePoint site is flagged.
  • High-risk permission scopes: Automatic flagging of apps with dangerous permissions: Mail.ReadWrite, Files.ReadWrite.All, Directory.ReadWrite.All, User.ReadWrite.All, Sites.ReadWrite.All, MailboxSettings.ReadWrite
  • Application vs. delegated permissions: Application permissions (tenant-wide access without user context) are inherently higher risk than delegated permissions (user-scoped). App Governance highlights application-level grants.
  • Dormancy detection: Apps that hold high permissions but haven't been active in 90+ days are flagged as dormant risks: they maintain access but provide no business value.

Recommendation: review and right-size permissions for all flagged apps. Revoke permissions down to the minimum required, or ban apps with no legitimate business purpose.
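The permission-vs-risk check above, as an added example written here rather than one of the page's lab scripts: it lists every service principal's application permissions on Microsoft Graph, flags the high-risk scopes named above, and flags unverified publishers. It assumes the Microsoft.Graph PowerShell SDK; the Microsoft Graph app id used to resolve role names is the well-known first-party value.

```powershell
# Added example (not Invoke-AppGovAudit.ps1): inventory application permissions
# on Microsoft Graph per service principal and flag high-risk scopes and
# unverified publishers. Read-only; requires Application.Read.All.
Connect-MgGraph -Scopes 'Application.Read.All' -NoWelcome

# High-risk scopes taken from the FAQ above.
$HighRisk = @('Mail.ReadWrite', 'Mail.ReadWrite.All', 'Files.ReadWrite.All',
              'Directory.ReadWrite.All', 'User.ReadWrite.All',
              'Sites.ReadWrite.All', 'MailboxSettings.ReadWrite')

# Microsoft Graph's own service principal (well-known appId); its AppRoles map
# the GUIDs found on app role assignments back to scope names.
$graphSp  = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
$roleName = @{}
foreach ($role in $graphSp.AppRoles) { $roleName[$role.Id] = $role.Value }

$findings = foreach ($sp in Get-MgServicePrincipal -All -Filter "servicePrincipalType eq 'Application'") {
    # App role assignments are application permissions: tenant-wide, no user
    # context, so the higher-risk kind compared with delegated grants.
    $grants = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All |
              Where-Object ResourceId -eq $graphSp.Id
    if (-not $grants) { continue }

    $scopes   = @($grants | ForEach-Object { $roleName[$_.AppRoleId] })
    $risky    = @($scopes | Where-Object { $HighRisk -contains $_ })
    $verified = [bool]$sp.VerifiedPublisher.DisplayName

    [pscustomobject]@{
        App            = $sp.DisplayName
        AppId          = $sp.AppId
        Publisher      = if ($verified) { 'Verified' } else { 'Unverified' }
        AppPermissions = ($scopes -join ', ')
        HighRisk       = ($risky -join ', ')
        # Simple triage score: each high-risk scope counts 2, unverified publisher 3.
        Score          = (2 * $risky.Count) + $(if ($verified) { 0 } else { 3 })
    }
}

# Highest-risk combination first: unverified publisher holding high-privilege scopes.
$findings | Sort-Object Score -Descending | Format-Table -AutoSize
```

Rows with a non-empty HighRisk column and an Unverified publisher are the ones to review and right-size first; the score is a constructed triage weight, not an App Governance value.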

Detect and remediate

What is publisher verification and why does it matter?

Publisher verification is a trust signal that indicates the developer behind a multi-tenant OAuth app has verified their identity with Microsoft through the Microsoft Partner Network:

  • Verified publisher: The app developer has completed the MPN verification process, including proving ownership of their domain and meeting partner programme requirements. A blue verified badge appears in consent prompts.
  • Unverified publisher: The developer has not completed verification. This does NOT mean the app is malicious; many legitimate small vendors have not registered for MPN. However, unverified status means Microsoft has not independently confirmed the developer's identity.
  • Risk assessment: An unverified publisher with high-privilege permissions and low community adoption is the highest-risk combination. This pattern is common in phishing consent grant attacks where attackers register convincing-looking apps.
  • Admin consent enforcement: Configure Entra ID to require admin approval for all apps from unverified publishers, preventing users from granting access directly.

Publisher verification

Can I automatically remediate risky apps?

Yes. App Governance supports automated policy-driven remediation:

  • App policies: Create rules that automatically trigger actions when apps match specific criteria. Example: "If an app has high permissions AND unverified publisher AND was consented in the last 7 days, disable it and alert the security team."
  • Built-in actions: Disable the app (revoke the service principal's ability to sign in), revoke all OAuth permission grants, send email notification to security team, create a Defender XDR alert
  • Severity levels: Configure tiered responses: monitor and alert for medium risk, auto-disable for critical risk patterns
  • Manual actions: From the OAuth apps page, analysts can investigate, revoke, ban, or mark apps as approved

For maximum protection, combine automated policies with a quarterly manual review process where a security analyst reviews all high-privilege apps with business owners.

App policies

How does App Governance protect against supply chain attacks?

OAuth-based supply chain attacks are among the most sophisticated threats to modern enterprises. App Governance detects multiple indicators of compromise:

  • Credential tampering: Detects when new client secrets or certificates are added to an established app, a common indicator of app compromise (attacker adding their own credentials)
  • Redirect URI changes: Alerts when app redirect URIs are modified, which could indicate an attacker redirecting OAuth tokens to their own infrastructure
  • Data access anomalies: Detects sudden spikes in data access volume (e.g., an HR survey tool suddenly downloading 15 GB of SharePoint data overnight)
  • Authentication from unexpected IPs: Flags when an app authenticates from IP addresses outside its historical range, suggesting the app's credentials were stolen and used from attacker infrastructure
  • Permission escalation: Alerts when apps request additional permissions through incremental consent or admin consent manipulation

When a supply chain compromise is confirmed, the recommended response is: disable the service principal immediately, revoke all grants, rotate any shared secrets, assess data exposure, and coordinate with the vendor.
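The containment part of that response, as an added example that is not the page's Invoke-AppGovRemediation.ps1: given an AppId it disables the service principal, revokes delegated and application grants, and removes tenant-owned secrets and certificates so fresh ones can be issued. It assumes the Microsoft.Graph PowerShell SDK; data-exposure assessment and vendor coordination are left to the analyst.

```powershell
# Added example: contain a confirmed-compromised OAuth app by AppId.
# Steps mirror the response above: disable, revoke grants, drop credentials.
param([Parameter(Mandatory)][string]$AppId)

Connect-MgGraph -NoWelcome -Scopes 'Application.ReadWrite.All',
    'DelegatedPermissionGrant.ReadWrite.All', 'AppRoleAssignment.ReadWrite.All'

$sp = Get-MgServicePrincipal -Filter "appId eq '$AppId'"
if (-not $sp) { throw "No service principal found for appId $AppId" }

# 1. Block further sign-ins. Access tokens already issued remain valid until
#    they expire, so grant revocation below still matters.
Update-MgServicePrincipal -ServicePrincipalId $sp.Id -AccountEnabled:$false
Write-Host "Disabled service principal '$($sp.DisplayName)'"

# 2. Revoke delegated grants (user-scoped consent).
Get-MgServicePrincipalOauth2PermissionGrant -ServicePrincipalId $sp.Id -All |
    ForEach-Object {
        Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId $_.Id
        Write-Host "Revoked delegated grant: $($_.Scope)"
    }

# 3. Revoke application permissions (tenant-wide app role assignments).
Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All |
    ForEach-Object {
        Remove-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -AppRoleAssignmentId $_.Id
        Write-Host "Removed app role assignment $($_.AppRoleId)"
    }

# 4. Credentials can only be rotated where the app object lives in this tenant.
#    Removing every secret also removes any attacker-added one (see 'Credential
#    tampering' above); legitimate secrets are reissued afterwards.
$app = Get-MgApplication -Filter "appId eq '$AppId'"
if ($app) {
    foreach ($pw in $app.PasswordCredentials) {
        Remove-MgApplicationPassword -ApplicationId $app.Id -KeyId $pw.KeyId
        Write-Host "Removed client secret $($pw.KeyId) (added $($pw.StartDateTime))"
    }
    if ($app.KeyCredentials) {
        # Certificates are written as a set; an empty set clears them all.
        Update-MgApplication -ApplicationId $app.Id -KeyCredentials @()
        Write-Host "Removed $($app.KeyCredentials.Count) certificate credential(s)"
    }
} else {
    Write-Host "App object is owned by another tenant; ask the vendor to rotate its credentials."
}
```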

Threat detection

What licensing is required for App Governance?

App Governance is included as part of Microsoft Defender for Cloud Apps:

  • Microsoft 365 E5 / E5 Security: Full App Governance capabilities included
  • EMS E5: App Governance included through MDA
  • Standalone MDA licence: App Governance included
  • Microsoft 365 E3: App Governance not available. Requires E5 upgrade or MDA standalone add-on.

No separate App Governance licence is needed; it activates automatically when MDA is licensed and configured.

Get started
