OAuth App Policies and Cloud App Catalog
OAuth App Policies and the Cloud App Catalog are critical components within Microsoft's identity and access management ecosystem, particularly when managing workload identities and securing cloud environments.

**Cloud App Catalog:** The Cloud App Catalog in Microsoft Defender for Cloud Apps is a comprehensive repository containing over 31,000 cloud applications that are assessed and scored based on more than 90 risk factors. These factors include general security, compliance, legal considerations, and industry-specific benchmarks. The catalog helps administrators evaluate the risk posture of cloud applications being used within their organization, enabling informed decisions about which apps to sanction, unsanction, or monitor. Each app receives a risk score that reflects its trustworthiness, helping organizations maintain governance over shadow IT and third-party integrations.

**OAuth App Policies:** OAuth App Policies allow administrators to govern and control OAuth applications that have been granted permissions within the organization's environment. When users consent to third-party OAuth apps, those apps receive tokens granting access to organizational data. OAuth App Policies help monitor and manage these permissions by enabling administrators to create policies that automatically detect and respond to potentially risky OAuth applications.
Key capabilities include:
- **Investigating OAuth apps** that have requested specific permissions
- **Setting automated alerts** when apps meet certain risk criteria (e.g., high permission levels, large number of authorized users, or low community usage)
- **Revoking or banning** apps that violate organizational security policies
- **Monitoring consent grants** to detect overprivileged or suspicious applications

Administrators can create app policies based on conditions such as permission level, authorization status, and community use. These policies can trigger alerts or automatic actions like revoking app access. Together, OAuth App Policies and the Cloud App Catalog provide a layered defense strategy, enabling organizations to discover, assess, and govern third-party cloud applications while protecting workload identities and sensitive organizational resources from unauthorized or malicious access.
OAuth App Policies and Cloud App Catalog – SC-300 Exam Guide
Why Are OAuth App Policies and the Cloud App Catalog Important?
In modern enterprise environments, users frequently grant third-party OAuth applications access to organizational data (such as email, files, and calendar) through consent workflows. While this enables productivity, it also introduces significant security risks. Malicious or overprivileged OAuth apps can exfiltrate data, maintain persistent access, and operate without the user's ongoing awareness. OAuth App Policies and the Cloud App Catalog in Microsoft Defender for Cloud Apps provide administrators with the visibility and control needed to govern these applications at scale.
For the SC-300: Microsoft Identity Administrator exam, understanding how to plan and implement workload identities — including OAuth app governance — is a critical domain. Questions in this area test your ability to identify risks, configure policies, and manage the lifecycle of OAuth-connected applications.
What Are OAuth App Policies?
OAuth App Policies are rules configured within Microsoft Defender for Cloud Apps (formerly Microsoft Cloud App Security) that allow administrators to monitor, alert on, and take action against OAuth applications that have been granted permissions in the organization. These policies can:
• Detect apps with high permission levels (e.g., full mailbox access, read/write to all files)
• Identify apps from untrusted publishers
• Flag apps with low community usage or poor reputation
• Automatically revoke apps or trigger alerts when specific conditions are met
• Monitor the authorization state and activity of OAuth-connected apps
What Is the Cloud App Catalog?
The Cloud App Catalog in Microsoft Defender for Cloud Apps is a comprehensive database of over 31,000 cloud applications, each assessed against more than 90 risk factors. These risk factors span categories such as:
• General – headquarters location, domain registration, founding date
• Security – encryption at rest, encryption in transit, multi-factor authentication support, audit logging
• Compliance – SOC 2, HIPAA, ISO 27001, GDPR compliance
• Legal – data ownership, data retention policies
Each application receives a risk score from 1 to 10, helping administrators make informed decisions about which apps to sanction (approve), unsanction (block), or monitor. Administrators can also override or customize risk scores based on organizational priorities.
How Do OAuth App Policies and the Cloud App Catalog Work Together?
1. Discovery: Microsoft Defender for Cloud Apps discovers OAuth applications that users have authorized to access organizational resources (e.g., Microsoft 365 data). This discovery happens through the API app connectors, primarily the Microsoft 365 connector; the Google Workspace and Salesforce connectors also surface the OAuth apps authorized in those platforms.
2. Risk Assessment: Each discovered app is cross-referenced against the Cloud App Catalog. The catalog provides risk scoring and categorization, so administrators immediately understand the security posture of each connected app.
3. Policy Creation: Administrators create OAuth App Policies to define acceptable and unacceptable behaviors. For example:
- Alert when an OAuth app with high permissions is authorized by more than 5 users
- Automatically revoke any OAuth app with a risk score below 4
- Notify the security team when an app from an unverified publisher holds Mail.ReadWrite permissions
4. Enforcement: Policies can trigger the following actions:
- Notify user – Send an email to the user who authorized the app
- Notify admin – Alert the security team
- Revoke app – Automatically revoke the OAuth app's permissions
- Disable app – Ban the app across the organization
5. Ongoing Governance: The Cloud App Catalog is continuously updated. As new risk information becomes available, app scores change, and policies re-evaluate connected apps automatically.
Key Configuration Steps
Step 1: Connect Microsoft 365 to Defender for Cloud Apps
Navigate to Settings > App Connectors and connect your Microsoft 365 tenant. This enables OAuth app discovery.
Step 2: Review Discovered OAuth Apps
Go to Investigate > OAuth Apps. Here you can see all apps that have been granted consent, their permission levels, the number of users who authorized them, and their catalog risk score.
Step 3: Tag Apps in the Cloud App Catalog
Navigate to the Cloud App Catalog and tag apps as Sanctioned (approved), Unsanctioned (blocked), or Monitored. Unsanctioned apps can be blocked at the network level when integrated with Microsoft Defender for Endpoint or a secure web gateway.
Step 4: Create an OAuth App Policy
Go to Control > Policies > OAuth app policy. Configure filters such as:
- Permission level (High, Medium, Low)
- App state (Authorized, Banned, etc.)
- Community use (Rare, Common, etc.)
- Publisher (Verified, Unverified)
- Risk score threshold
Set the governance action (alert, revoke, or disable).
Step 5: Monitor and Respond
Use the Alerts dashboard to review triggered policy matches. Investigate the app details and take manual action if needed.
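The triage that Steps 2 to 4 describe, and the three example policies listed under Policy Creation above, can be reproduced directly against the tenant with the Microsoft Graph PowerShell SDK. The script below is an added example, not code from this guide or from Microsoft Defender for Cloud Apps; it assumes the Microsoft Graph PowerShell SDK is installed, that the signed-in account can be granted the listed scopes, and that the high-risk scope list and the five-user threshold are choices made for this illustration. It reports every app holding delegated consent grants, flags the combinations an OAuth app policy would typically alert on (high-impact permissions plus tenant-wide consent, many users, or an unverified publisher), and shows the equivalent of the revoke governance action, previewed with -WhatIf.

```powershell
# Added example (not from the SC-300 guide or Microsoft's tooling): the triage an
# OAuth app policy automates, done directly against Microsoft Entra ID with the
# Microsoft Graph PowerShell SDK. Scope list and threshold below are assumptions.
Connect-MgGraph -Scopes "Application.Read.All","DelegatedPermissionGrant.ReadWrite.All"

# Delegated permissions that warrant review when granted to a third-party app (assumed list).
$highRiskScopes = @("Mail.Read","Mail.ReadWrite","Mail.Send","Files.Read.All",
                    "Files.ReadWrite.All","Sites.ReadWrite.All","Directory.ReadWrite.All",
                    "User.ReadWrite.All")
$minUsers = 5   # mirrors the guide's "authorized by more than 5 users" example

# One oauth2PermissionGrant exists per (app, user) for user consent, or per app with
# ConsentType 'AllPrincipals' for tenant-wide admin consent.
$grants = Get-MgOauth2PermissionGrant -All

$report = foreach ($group in ($grants | Group-Object ClientId)) {
    # ClientId is the object id of the app's service principal in this tenant.
    $sp = Get-MgServicePrincipal -ServicePrincipalId $group.Name

    # Union of every scope string granted to this app, across all its grants.
    $scopes = ($group.Group.Scope -join ' ').Split(' ', [StringSplitOptions]::RemoveEmptyEntries) |
              Sort-Object -Unique
    $risky      = @($scopes | Where-Object { $_ -in $highRiskScopes })
    $tenantWide = [bool]($group.Group | Where-Object ConsentType -eq 'AllPrincipals')
    $users      = @($group.Group | Where-Object ConsentType -eq 'Principal' |
                    Select-Object -ExpandProperty PrincipalId -Unique).Count
    $verified   = [bool]$sp.VerifiedPublisher.DisplayName

    [pscustomobject]@{
        App         = $sp.DisplayName
        AppId       = $sp.AppId
        Publisher   = if ($verified) { "verified: $($sp.VerifiedPublisher.DisplayName)" } else { 'unverified' }
        TenantWide  = $tenantWide
        Users       = $users
        RiskyScopes = $risky -join ' '
        # Policy logic: high-impact permission AND (tenant-wide OR widely used OR unverified publisher)
        Flag        = ($risky.Count -gt 0) -and ($tenantWide -or $users -gt $minUsers -or -not $verified)
    }
}

$report | Sort-Object Flag -Descending | Format-Table -AutoSize

# Governance action equivalent to "Revoke app": delete every delegated grant held by
# the app. -WhatIf only previews; remove it to enforce.
function Revoke-FlaggedApp {
    param([Parameter(Mandatory)][string]$AppId)
    $sp = Get-MgServicePrincipal -Filter "appId eq '$AppId'"
    Get-MgOauth2PermissionGrant -Filter "clientId eq '$($sp.Id)'" |
        ForEach-Object { Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId $_.Id -WhatIf }
}
```

Deleting the grant is what removes the app's standing access: it can no longer redeem its refresh tokens for new access tokens. Access tokens already issued stay valid until they expire, so revocation is not instantaneous. The script covers delegated permissions only; application permissions granted through admin consent are app role assignments on the service principal (Get-MgServicePrincipalAppRoleAssignment) and need a separate pass.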
Important Concepts for the SC-300 Exam
• Workload Identities vs. User Identities: OAuth apps operate as workload identities. They have their own permissions and can act independently of the user who authorized them. The exam tests your understanding of this distinction.
• App Consent Policies vs. OAuth App Policies: App consent policies (configured in Microsoft Entra ID, formerly Azure AD) control who can grant consent and under what conditions, before any access exists. OAuth App Policies in Defender for Cloud Apps monitor and govern apps after consent has been granted. Know the difference.
• Admin Consent vs. User Consent: Admin consent grants permissions for the entire organization. User consent grants permissions only for that user's data. OAuth App Policies monitor both types.
• Risk Scoring Customization: Administrators can customize the weight of risk factors in the Cloud App Catalog to align with organizational priorities. For example, an organization in healthcare might increase the weight of HIPAA compliance.
• Integration with Conditional Access App Control: The Cloud App Catalog works with Conditional Access App Control to provide session-level controls for sanctioned apps.
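The distinction drawn in the App Consent Policies bullet shows up in the tooling: the pre-consent control is a Microsoft Entra ID authorization policy setting, not a Defender for Cloud Apps policy. The snippet below is an added example, not from this guide or from Microsoft; it assumes the Microsoft Graph PowerShell SDK and an account that can be granted Policy.ReadWrite.Authorization. It reads which permission grant policy applies to user consent and, if the permissive legacy setting is in place, replaces it with the built-in low-risk policy (verified publishers and low-impact permissions only), so anything riskier has to go through admin consent and only then becomes a candidate for an OAuth app policy in Defender.

```powershell
# Added example (not from the SC-300 guide): inspect and tighten the tenant-wide
# user consent setting in Microsoft Entra ID with the Microsoft Graph PowerShell SDK.
Connect-MgGraph -Scopes "Policy.Read.All","Policy.ReadWrite.Authorization"

# The authorization policy carries the permission grant policies assigned to all users.
$authz   = Get-MgPolicyAuthorizationPolicy
$current = @($authz.DefaultUserRolePermissions.PermissionGrantPoliciesAssigned)
"Current user consent setting: $(if ($current.Count) { $current -join ', ' } else { '(none: admin consent only)' })"

# Built-in values and what they mean:
#   (empty)                                                  users cannot consent at all
#   ManagePermissionGrantsForSelf.microsoft-user-default-legacy  users may consent to any app (weak)
#   ManagePermissionGrantsForSelf.microsoft-user-default-low     verified publishers, low-impact permissions only
$legacy  = "ManagePermissionGrantsForSelf.microsoft-user-default-legacy"
$lowRisk = "ManagePermissionGrantsForSelf.microsoft-user-default-low"

if ($current -contains $legacy) {
    # Weak setting found: replace it with the low-risk built-in policy.
    Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions @{
        PermissionGrantPoliciesAssigned = @($lowRisk)
    }
    "Replaced the legacy user consent policy with $lowRisk."
}
else {
    "No change: legacy user consent policy is not assigned."
}
```

This setting decides which apps users can consent to in the first place; it does nothing about apps that were consented earlier or that an admin approved tenant-wide, which is exactly the gap the OAuth App Policies in Defender for Cloud Apps cover.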
Exam Tips: Answering Questions on OAuth App Policies and Cloud App Catalog
1. Know where each policy type lives: If the question is about controlling who can consent to apps, think Microsoft Entra ID > Enterprise Applications > Consent and permissions. If the question is about monitoring or revoking already-consented OAuth apps, think Microsoft Defender for Cloud Apps > OAuth App Policies.
2. Understand the relationship between the Cloud App Catalog and Shadow IT Discovery: The Cloud App Catalog is used both for evaluating discovered shadow IT apps (via Cloud Discovery) and for evaluating OAuth apps. Exam questions may mix these scenarios — read carefully.
3. Remember the governance actions: OAuth App Policies can revoke an app, which removes the app's consent grant in the tenant so it can no longer obtain new tokens (access tokens already issued remain valid until they expire). They can also notify users or admins. If a question asks how to automatically remove a risky app's access, the answer is an OAuth app policy with a revoke governance action.
4. Pay attention to the word 'automatically': If the question asks for an automatic response, you need a policy with a governance action. If it asks for investigation or visibility, simple discovery or alerts may suffice.
5. Distinguish between Sanctioned, Unsanctioned, and Monitored tags: Sanctioned means approved. Unsanctioned means blocked (and can generate block scripts for firewalls or integrate with Defender for Endpoint to enforce). Monitored means tracked but not blocked. The exam may test whether you know which tag to apply in a given scenario.
6. Know the prerequisites: To use OAuth App Policies, you need Microsoft Defender for Cloud Apps (included in Microsoft 365 E5 or as a standalone license) and you must connect Microsoft 365 via the App Connector. Questions may include distractor answers referencing tools that do not support OAuth app governance.
7. Watch for multi-step scenarios: A common exam pattern presents a scenario where you must first discover apps, then assess risk, then create a policy. Understand the full workflow — not just individual steps.
8. Risk score thresholds: If a question mentions wanting to block apps below a certain risk score, you configure an OAuth App Policy with a filter on the app's risk score from the Cloud App Catalog and set the governance action to revoke or ban.
9. Read for scope: Some questions test whether a solution applies to all cloud apps or only to apps connected through an API connector. OAuth App Policies apply only to OAuth apps surfaced by the app connectors (Microsoft 365, Google Workspace, and Salesforce), not to every app in the Cloud App Catalog.
10. Practice in the portal: If possible, explore the Microsoft Defender for Cloud Apps portal at security.microsoft.com. Navigating the Cloud App Catalog and creating a test OAuth app policy will reinforce your understanding far more than reading alone.
Summary
OAuth App Policies and the Cloud App Catalog are essential tools for governing workload identities and third-party application access in a Microsoft 365 environment. For the SC-300 exam, focus on understanding where these controls are configured, what governance actions are available, how risk scoring works, and when to use OAuth App Policies versus Entra ID consent policies. Mastering these distinctions will help you confidently answer scenario-based questions in this domain.