How-To Create an OAuth app policy to notify you about new OAuth applications

This is one of the newer Microsoft Secure Score recommended actions, but how do we enable it and what’s the point behind it? We’ll explore both of those questions in this post.

Description

OAuth app policies can help you manage app permission and notify you when a user or an admin consents to a new Open Authorization (OAuth) app. With this information, you can investigate which permissions each app requested and which users authorized them.

Official Implementation Steps

It’s certainly not a unique case, but the instructions provided with this one are almost entirely useless. I’ll cover exactly how to implement this finding further down.

  1. In the Defender for Cloud Apps portal, go to the OAuth app policy page.
  2. Select the policy severity and application (if relevant).
  3. Select filters according to your business requirements.
  4. (Optional) Configure alerts settings such as email and text message notifications.
  5. (Optional) Configure governance actions to revoke the app.

How To Remediate

  1. Navigate to the Security Admin Portal and under the Cloud apps heading, select OAuth apps.
  2. Select the New policy from search button, which will open the Create OAuth app policy page.
  3. Define a Policy name and select the severity to assign to any generated alerts.
  4. Add at least one policy filter; a policy with no filters will not be recognised by Secure Score. If you would prefer to be notified of every new app, ‘App state equals Approved, Undetermined’ is a sensible starting point.
  5. Optionally, check the “Create an alert for each matching event with the policy’s severity” and set an email address to be notified of any new findings.
  6. Click ‘Create’ to create the new policy.
  7. After several days the new policy should be detected by Secure Score and, at the time of writing, the recommended action is worth up to 4 points.
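Once the policy fires, the alert tells you an app was consented to, and the Description above says the point is to investigate which permissions each app requested and which users authorised them. The script below is an added example, not part of the original post and not Microsoft’s code, that does that investigation from the Entra ID side using the Microsoft Graph PowerShell SDK. It assumes the SDK is installed (`Install-Module Microsoft.Graph`) and that you can sign in with an account able to consent to `Directory.Read.All`; the `$highRisk` scope list is an illustrative assumption you should tune to your own tenant.

```powershell
# Added example (not from the original post): list delegated OAuth consents in the
# tenant, resolve the app and resource names, and show who granted each one.
# Assumes: Microsoft Graph PowerShell SDK installed, Directory.Read.All granted.

Connect-MgGraph -Scopes "Directory.Read.All" -NoWelcome

# Cache service principal names so each app/resource is only looked up once.
$spCache = @{}
function Get-SpName {
    param([string]$Id)
    if (-not $spCache.ContainsKey($Id)) {
        try {
            $sp = Get-MgServicePrincipal -ServicePrincipalId $Id -Property DisplayName,AppId
            $spCache[$Id] = $sp.DisplayName
        } catch {
            $spCache[$Id] = "<unknown service principal $Id>"
        }
    }
    return $spCache[$Id]
}

# Illustrative list (assumption): delegated scopes that deserve a closer look when
# they turn up on a newly consented third-party app. Adjust for your environment.
$highRisk = @(
    'Mail.Read', 'Mail.ReadWrite', 'Mail.Send',
    'Files.Read.All', 'Files.ReadWrite.All',
    'Sites.ReadWrite.All', 'User.ReadWrite.All', 'Directory.ReadWrite.All'
)

# oauth2PermissionGrant objects are the delegated consents. ConsentType is
# 'AllPrincipals' for an admin consent covering every user, or 'Principal'
# for a single user's consent (PrincipalId is then that user's object id).
$grants = Get-MgOauth2PermissionGrant -All

$report = foreach ($g in $grants) {
    # Scope is a space-separated string and may carry a leading space.
    $scopes = @(($g.Scope -split ' ') | Where-Object { $_ })

    $consentedBy = if ($g.ConsentType -eq 'AllPrincipals') {
        'Admin consent (all users)'
    } else {
        try {
            (Get-MgUser -UserId $g.PrincipalId -Property UserPrincipalName).UserPrincipalName
        } catch {
            "<unknown user $($g.PrincipalId)>"
        }
    }

    $risky = @($scopes | Where-Object { $highRisk -contains $_ })

    [pscustomobject]@{
        App         = Get-SpName $g.ClientId
        Resource    = Get-SpName $g.ResourceId
        ConsentedBy = $consentedBy
        Scopes      = ($scopes -join ', ')
        HighRisk    = ($risky -join ', ')
    }
}

# Show the grants carrying high-risk scopes first.
$report |
    Sort-Object @{ Expression = { [string]::IsNullOrEmpty($_.HighRisk) } }, App |
    Format-Table -AutoSize
```

Two caveats. This covers delegated consents only; application (app-only) permissions are recorded as app role assignments on the service principal, so check those separately with `Get-MgServicePrincipalAppRoleAssignment`. And first-party Microsoft apps will appear alongside third-party ones, so the alert’s app name from Defender for Cloud Apps is the quickest way to narrow the output down to the app you are actually investigating.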
