News

Microsoft To Include App Governance in Defender for Cloud Apps Subscriptions

• By Kurt Mackie
• 04/25/2023

Microsoft is planning to include its App Governance add-on as part of the Microsoft Defender for Cloud Apps service "at no additional cost," starting in June.

Any license that includes Microsoft Defender for Cloud Apps can opt in to get the App Governance perk, starting on June 1, 2023. Organizations that already paid for the App Governance add-on will get that subscription canceled by Microsoft on that date, but the functionality will remain the same. No refund or compensation was mentioned.

Microsoft's generosity stems from its view that there's been a "rise in app-based attacks" and a need for "OAuth app protection" to ensure "holistic SaaS security." App Governance can specifically provide protection regarding "OAuth-enabled apps registered in Azure Active Directory (Azure AD), Google Workspace and Salesforce," the announcement explained. It provides visibility into "how these apps and their users access, use, and share sensitive data stored in Microsoft 365 through actionable insights and automated policy alerts." It'll also show information about unused or expiring apps, or apps with expiring credentials.

App Governance also provides prebuilt queries for investigating OAuth app activities, plus any of the resources such apps have accessed.

Microsoft Defender for Cloud Apps is one of the components of Microsoft 365 Defender, which is Microsoft's top-of-the-line "unified pre-and post-breach enterprise defense suite" consisting of about eight separate security products. The Microsoft Defender for Cloud Apps part is specifically designed to detect security incidents "across endpoints, identities, email, and SaaS apps," per Microsoft's description. Microsoft Defender for Cloud Apps acts as a "gatekeeper to broker access in real time between your enterprise users and cloud resources they use." It's designed to look for "shadow IT" and "anomalous behaviors."

Microsoft Defender for Cloud Apps is mostly concerned with providing app risk information, while App Governance provides details at the API level, according to this Microsoft document on the App Governance add-on. Organizations can use App Governance to "create proactive or reactive policies for app and user pattens and behaviors," the document indicated. App Governance also has detection and "automatic remediation capabilities" for anomalous app behaviors.

Microsoft's inclusion of App Governance with Microsoft Defender for Cloud Apps seems to be unexpected good news for users of Microsoft's top-of-the-line E5 security products. However, it shouldn't have been offered as a separate add-on product, according to Wesley Miller, an analyst with independent consultancy Directions on Microsoft.

"This is good news, but it's weird and disturbing that they had initially pitched it as an add-on to begin with," Miller commented, in this Twitter post.

Microsoft's current trend has been to offer add-on products as extra-cost options to its top-paying E5 subscribers, which it has been doing across its security and management products for enterprises.