MS Defender OAuth Apps policy and Enterprise application

What’s a Defender OAuth Apps policy?

A Defender OAuth Apps policy in Microsoft Defender for Cloud Apps (formerly Microsoft Cloud App Security) is a policy that helps you govern the permissions granted to third-party applications that are integrated with your organization's Azure AD tenant through OAuth (Open Authorization). OAuth is the protocol such apps use to request delegated access to resources on behalf of a user (or application-only access with no signed-in user). Once an app has been granted permissions in Azure AD, where its service principal shows up as an enterprise application, it can read Microsoft 365 data such as SharePoint and OneDrive content within the scope of those permissions; the policy lets you review the apps, alert on them, and revoke the ones you do not trust.

License Requirements

  • Microsoft 365 E5 (preferred): Includes Defender for Cloud Apps, the other Defender products, and Azure AD Premium P2.
  • Microsoft 365 E3 with add-ons: Includes Azure AD Premium P1 only; Defender for Cloud Apps (for example through the Microsoft 365 E5 Security add-on) and Azure AD Premium P2 must be added separately.
  • Azure AD Premium P1/P2: P1 is required for Conditional Access policies; P2 adds Identity Protection and risk-based controls, which give more granular control and reporting over app sign-ins and OAuth app consent.

Enterprise application

We want to see whether an App governance policy (the OAuth app governance capability of Defender for Cloud Apps) can be used to prevent an OAuth enterprise application from downloading documents from a SharePoint library.

In this test scenario the documents are stored in a Shareflex application running on SharePoint Online, such as Contract Management.

Configuration

The Shareflex OAuth app is listed under cloud apps.

We create a new app policy under App governance and look at the conditions it offers.

Conclusion

The available policy conditions are too limited for our goal. We can detect an increase in usage, say by 100%, and then disable the app. However, we don't want to rely on a trigger based on a percentage increase in usage: it is not a reliable indication that the OAuth app has been compromised. A legitimate bulk export by one user trips it, while an attacker who keeps daily downloads just under the threshold never does. Restricting what the app can read from the library is better done through the permissions granted to its enterprise application (for example Microsoft Graph's Sites.Selected permission, which limits an app to explicitly granted site collections) than through a usage-anomaly policy.
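To make the reliability argument concrete, here is an added illustration in Python; it is not code from the original page and not the detection logic Microsoft ships in App governance. It simulates a "usage increased by 100% over the prior week" condition of the kind described above, run over constructed daily download counts for one OAuth app. The series, the seven-day window and the 100% threshold are all assumptions made for the demonstration. It shows the trigger firing on a harmless spike and on a near-zero baseline, while a slow, steady exfiltration that stays under the threshold never fires and yet removes more data in total.

```python
"""Simulation of a percentage-based 'usage increase' trigger for an OAuth app.

Added illustration only: not code from the original page and not the
detection logic Microsoft ships in App governance. All download counts
below are constructed for the demonstration.
"""
from statistics import mean

WINDOW = 7             # days of history the trigger compares against (assumed)
THRESHOLD_PCT = 100.0  # fire when today's usage is >= 100% above the window mean

# Constructed daily SharePoint download counts for one OAuth app, oldest first.
BASELINE = [3, 2, 4, 3, 2, 3, 4]                 # quiet week, mean 3.0/day

# Scenario A: harmless spike, one user bulk-exports a few contracts.
HARMLESS_SPIKE = BASELINE + [9]

# Scenario B: tiny baseline, two extra downloads look like a +366% jump.
TINY_BASELINE = [0, 1, 0, 1, 0, 0, 1] + [2]

# Scenario C: patient attacker pulling the library at 5/day, under 2x baseline,
# so no single day ever shows a 100% increase.
SLOW_EXFIL = BASELINE + [5] * 7


def percent_increase(series, window=WINDOW):
    """Percent change of the last day versus the mean of the `window` days before it."""
    if len(series) <= window:
        raise ValueError(f"need more than {window} days of history")
    base = float(mean(series[-window - 1:-1]))
    last = series[-1]
    if base == 0.0:
        # No prior usage at all: any activity is an infinite increase.
        return float("inf") if last > 0 else 0.0
    return (last - base) / base * 100.0


def policy_fires(series, threshold_pct=THRESHOLD_PCT, window=WINDOW):
    """The policy condition: true when usage grew by at least `threshold_pct` percent."""
    return percent_increase(series, window) >= threshold_pct


def fire_days(series, threshold_pct=THRESHOLD_PCT, window=WINDOW):
    """0-based indices of every day on which the policy would have fired,
    evaluating the trigger once per day as new data arrives."""
    return [i for i in range(window, len(series))
            if policy_fires(series[:i + 1], threshold_pct, window)]


def excess_downloads(series, baseline_days=WINDOW):
    """Downloads above the baseline daily mean, summed over the days after the
    baseline: the volume view of the same data that the percentage trigger lacks."""
    base = float(mean(series[:baseline_days]))
    return sum(max(0.0, x - base) for x in series[baseline_days:])


if __name__ == "__main__":
    for name, series in [("harmless spike", HARMLESS_SPIKE),
                         ("tiny baseline", TINY_BASELINE),
                         ("slow exfiltration", SLOW_EXFIL)]:
        print(f"{name:18s} fires on days {fire_days(series)!s:6s} "
              f"excess downloads {excess_downloads(series):.0f}")
```

Running the script lists which days each scenario fires on and how many downloads above baseline it produced: the harmless spike and the tiny baseline each fire once for six and under two extra downloads respectively, while the slow exfiltration never fires but accounts for fourteen. The comparison is the point: a relative trigger measures surprise, not volume, and an attacker who already holds a valid token controls the pace.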