Merge pull request #5869 from MicrosoftDocs/main

[AutoPublish] main to live - 12/09 04:39 PST | 12/09 18:09 IST

Author: m365-skilling-repo-management[bot]

defender-for-cloud-apps/app-governance-app-policies-create.md

@@ -53,6 +53,7 @@ The following table lists the app governance templates supported to generate ale
 
 |Template name|Description|
 |---|---|
+|**Unused app**|Find apps that have not authenticated recently. This policy checks the following conditions: <ul><li>Last used: More than 90 days (customizable)</li></ul>|
 |**New app with high data usage**|Find newly registered apps that have uploaded or downloaded large amounts of data using Microsoft Graph and EWS APIs. This policy checks the following conditions: <ul><li>Registration age: Seven days or less (customizable)</li><li>Data usage: Greater than 1 GB in one day (customizable)</li></ul>|
 |**Increase in users**|Find apps with a sizable increase in the number of users. This policy checks the following conditions: <ul><li>Time range: Last 90 days</li><li>Increase in consenting users: At least 50% (customizable)</li></ul>|
 
@@ -78,7 +79,7 @@ The following table lists the app governance templates supported to generate ale
 
 Use a custom app policy when you need to do something not already done by one of the built-in templates.
 
-- To create a new custom app policy, first select **Create new policy** on the **Policies** page. On the **Choose App policy template page**, select the **Custom** category, the **Custom policy** template, and then select **Next**.
+1. To create a new custom app policy, first select **Create new policy** on the **Policies** page. On the **Choose App policy template page**, select the **Custom** category, the **Custom policy** template, and then select **Next**.
 
 1. On the **Name and description** page, configure the following settings:
    - Policy Name
@@ -125,6 +126,7 @@ Use a custom app policy when you need to do something not already done by one of
    |**Sensitivity labels accessed**|Select one or more sensitivity labels from the list|Apps that accessed data with specific sensitivity labels in the last 30 days.||
    |**Services accessed** (Graph only)|Exchange and/or OneDrive and/or SharePoint and/or Teams|Apps that have accessed OneDrive, SharePoint, or Exchange Online using Microsoft Graph and EWS APIs|Multiple selections allowed.|
    |**Error rate** (Graph only)|Error rate is greater than X% in the last seven days|Apps whose Graph API error rates in the last seven days are greater than a specified percentage||
+   |**Last used**|Within last X days|Apps that have not authenticated within a specified period from the current date||
    |**App origin**|External or Internal|Apps that originated within the tenant or registered in an external tenant||
 
       All of the specified conditions must be met for this app policy to generate an alert.
@@ -176,9 +178,9 @@ Policies for OAuth apps trigger alerts only on policies that are authorized by u
 
 3. You might want to set the policy based on the group memberships of the users who authorized the apps. For example, an admin can decide to set a policy that revokes uncommon apps if they ask for high permissions, only if the user who authorized the permissions is a member of the Administrators group.
 
-For example:
-
-![new OAuth app policy.](media/app-permissions-policy.png)
+   For example:
+    
+    ![new OAuth app policy.](media/app-permissions-policy.png)
 
 ### Anomaly detection policies for OAuth apps connected to Salesforce and Google Workspace
 
@@ -188,7 +190,6 @@ This section is only relevant for Salesforce and Google Workspace applications.
 
 > [!NOTE]
 > Anomaly detection policies are only available for OAuth apps that are authorized in your Microsoft Entra ID.
->
 > The severity of OAuth app anomaly detection policies can't be modified.
 
 The following table describes the out-of-the-box anomaly detection policies provided by Defender for Cloud Apps:

defender-for-cloud-apps/app-governance-secure-apps-app-hygiene-features.md

@@ -10,7 +10,7 @@ ms.reviewer: anandd512
 # Secure apps with app hygiene features
 
 > [!NOTE]
-> Management of unused apps, unused credentials, and expiring credentials will only be available to app governance customers with Microsoft Entra Workload ID Premium. For more information, see [What are workload identities?](/azure/active-directory/workload-identities/workload-identities-overview)
+> Management of unused credentials and expiring credentials is available to app governance customers with a Microsoft Entra Workload ID Premium license. For more information, see [What are workload identities?](/azure/active-directory/workload-identities/workload-identities-overview)
 
 Have you ever wanted to see the apps that your organization owns but isn't using, but didn't know how to? Or clean up unused or expiring credentials more easily? Microsoft Entra ID includes recommendations to help you identify such apps, and the **App governance** page in Microsoft Defender provides an app hygiene feature suite that includes controls and insights on unused apps, unused credentials, and expiring credentials. 
 

defender-for-cloud-apps/app-governance-trial-user-guide.md

@@ -34,7 +34,7 @@ Start by using the following steps to get visibility and insights about your app
    > You can also view app governance-related recommendations in [Secure Score](https://security.microsoft.com/securescore?viewid=overview&tid=b5304409-74ae-42bf-a3e3-d62da4845129) to help you holistically manage your posture.
    >
 
-1. **[View your apps](app-governance-visibility-insights-view-apps.md)**: Sort the data on the **App governance** tabs by apps with high data usage or number of consents given, or filter by high privileged apps, apps with unused permissions, or unverified publisher, and more.
+1. **[View your apps](app-governance-visibility-insights-view-apps.md)**: Sort the data on the **App governance** tabs by apps with high data usage or number of consents given, or filter by high privileged apps, unused apps, apps with unused permissions, or unverified publisher, and more.
 
     Use these sorting and filtering options to gain deeper insights into your OAuth apps, including relevant app metadata and usage data.
 

defender-for-cloud-apps/app-governance-visibility-insights-compliance-posture.md

@@ -14,16 +14,14 @@ The **Overview** page shows the following details:
 
 |Apps / incidents  |Details shown  | Use this data to... |
 |---------|---------|---------|
-|**OAuth-enabled apps that use the Microsoft Graph API**     |  - How many apps are in your tenant <br>- How many apps might be overprivileged <br>- How many apps are highly privileged | Determine the level of risk to your organization by overprivileged and highly privileged apps. |
-|**For incidents**    | - How many active incidents your tenant has <br>- How many are based on app governance detections (**Threat incidents**) <br>- How many are based on app policies you have in place (**Policy incidents**) <br>- The 10 latest incidents  | Determine how quickly incidents are being generated and the relative number of detected and policy-based incidents. |
+|**OAuth-enabled apps that use the Microsoft Graph API**     |  - How many apps are in your tenant <br>  - How many apps are unused in the last 90 days <br>  - How many apps might be overprivileged <br>  - How many apps are highly privileged | Determine the level of risk to your organization by unused, overprivileged and highly privileged apps. |
+|**For incidents**    | - How many active incidents your tenant has <br>- How many are based on app governance detections (**Threat incidents**) <br> - How many are based on app policies you have in place (**Policy incidents**) <br>- The 10 latest incidents  | Determine how quickly incidents are being generated and the relative number of detected and policy-based incidents. |
 
 For example:
 
-> [!div class="mx-imgBorder"]
-> ![Relative number of detected and policy-based incidents.](media/incidents-summary1.png)
-> 
-> [!div class="mx-imgBorder"]
-> ![top alerts.](media/app-governance-visibility-insights-compliance-posture/top-alerts.png)
+:::image type="content" source="media/incidents-summary1.png" alt-text="Screenshot showing relative number of detected and policy-based incidents.":::
+
+:::image type="content" source="media/app-governance-visibility-insights-compliance-posture/top-alerts.png" alt-text="Screenshot showing top alerts.":::
 
 ## Data usage cards
 
@@ -35,17 +33,15 @@ Data usage cards show the following types of information:
 
 For example:
 
-> [!div class="mx-imgBorder"]
-> ![Total data accessed by apps.](media/app-governance-visibility-insights-compliance-posture/data-usage-chart.png)
+:::image type="content" source="media/app-governance-visibility-insights-compliance-posture/data-usage-chart.png" alt-text="Screenshot showing total data accessed by apps.":::
 
 ## Apps that access data on Microsoft 365
 
 For apps that access data on Microsoft 365, cards show the number of apps that have accessed data on SharePoint, OneDrive, Exchange Online, or Teams using Microsoft Graph and EWS APIs in the last 30 days.
 
 For example:
 
-> [!div class="mx-imgBorder"]
-> ![Apps that have accessed data on SharePoint, OneDrive, Exchange Online, or Teams in the last 30 days.](media/app-governance-visibility-insights-compliance-posture/apps-accessed-m365-services-chart.png)
+:::image type="content" source="media/app-governance-visibility-insights-compliance-posture/apps-accessed-m365-services-chart.png" alt-text="Screenshot showing apps that have accessed data on SharePoint, OneDrive, Exchange Online, or Teams in the last 30 days.":::
 
 ## Sensitivity labels accessed
 
@@ -54,8 +50,9 @@ For sensitivity labeling data, cards show the number apps that have accessed con
 For example:
 
 The number of apps that have accessed content with sensitivity labels.
-> :::image type="content" source="media/sensitive-data-accessed-chart1.png" alt-text="Number of apps that have accessed content with sensitivity labels.":::
+
+:::image type="content" source="media/sensitive-data-accessed-chart1.png" alt-text="Screenshot showing the number of apps that have accessed content with sensitivity labels.":::
 
 ## Next steps
 
-[Get insights on and regulate access to sensitive content](app-governance-visibility-insights-sensitive-content.md)
+[Get insights on and regulate access to sensitive content](app-governance-visibility-insights-sensitive-content.md)

defender-for-cloud-apps/app-governance-visibility-insights-get-started.md

@@ -28,7 +28,7 @@ The dashboard on the **Overview** tab contains a summary of your app ecosystem:
 |**Apps that accessed data across Microsoft 365 services**     |  The count of apps that have accessed data with and without sensitivity labels on SharePoint, OneDrive, Exchange Online, and Teams in the last 30 days. <br><br>For example, in the screenshot above, 99 apps accessed OneDrive in the last 30 days, out of which 27 apps accessed data with sensitivity labels.       |
 |**Sensitivity labels accessed**     |     Count of apps that accessed labeled data across SharePoint, OneDrive, Exchange Online, and Teams in the last 30 days, sorted by the count. <br><br>For example, in the screenshot above, 90 apps accessed confidential data on SharePoint, OneDrive, Exchange Online, and Teams.    |
 |**Predefined policies**     |  Count of active and total predefined policies that identify risky apps, such as apps with excessive privileges, unusual characteristics, or suspicious activities.       |
-|**App categories**     |  The top apps sorted by these categories:  <br><br>- **All categories**: Sorts across all available categories.<br>  - **Highly privileged**: High privilege is an internally determined category based on platform machine learning and signals.<br>  - **Overprivileged**: When app governance receives data that indicates that a permission granted to an application hasn't been used in the last 90 days, that application is overprivileged. App governance must be operating for at least 90 days to determine if any app is overprivileged.  <br>- **Unverified publisher**: Applications that haven't received [publisher certification](/azure/active-directory/develop/publisher-verification-overview) are considered unverified.<br>  - **App only permissions**: [Application permissions](/azure/active-directory/develop/v2-permissions-and-consent#permission-types) are used by apps that can run without a signed-in user present. Apps with permissions to access data across the tenant are potentially a higher risk.<br>- **New apps**: New apps that have been registered in the last seven days.       |
+|**App categories**     |  The top apps sorted by these categories:  <br><br>- **All categories**: Sorts across all available categories.<br>  - **Highly privileged**: High privilege is an internally determined category based on platform machine learning and signals.<br>  - **Overprivileged**: When app governance receives data that indicates that a permission granted to an application hasn't been used in the last 90 days, that application is overprivileged. App governance must be operating for at least 90 days to determine if any app is overprivileged.<br> - **Unused**: Apps that have not signed in within the last 90 days  <br>- **Unverified publisher**: Applications that haven't received [publisher certification](/azure/active-directory/develop/publisher-verification-overview) are considered unverified.<br>  - **App only permissions**: [Application permissions](/azure/active-directory/develop/v2-permissions-and-consent#permission-types) are used by apps that can run without a signed-in user present. Apps with permissions to access data across the tenant are potentially a higher risk.<br>- **New apps**: New apps that have been registered in the last seven days.       |
 
 ## View app insights
 
@@ -56,25 +56,28 @@ One of the primary value points for app governance is the ability to quickly vie
 
    - **Publisher verified**
 
-    Use one of the following nondefault filters to further customize the apps listed:
-
-    - **Last modified**
+   - **Last used**
 
-       - **Added on**
+   - **Services accessed**
 
-       - **Certification**
+   - **Sensitivity labels accessed**
 
+       Use one of the following nondefault filters to further customize the apps listed:
+
+       - **Last modified**
+   
+       - **Added on**
+   
+       - **Certification**
+   
        - **Users**
-      
-       - **Services accessed**
-      
+   
        - **Data usage**
-      
-       - **Sensitivity labels accessed**
+
+    > [!TIP]
+    > Save the query to save the currently selected filters for use again in the future.
+   
 
-     > [!TIP]
-     > Save the query to save the currently selected filters for use again in the future.
-     
 1. Select the name of an app to view more details. For example:
 
     :::image type="content" source="media/app-governance-visibility-insights-get-started/app-governance-app-list-view.png" alt-text="Screenshot of the app details pan showing an app summary." lightbox="media/app-governance-visibility-insights-get-started/app-governance-app-list-view.png":::

defender-for-cloud-apps/app-governance-visibility-insights-overview.md

@@ -24,7 +24,7 @@ App governance provides access to the following data:
 
 - Data accessed and permissions used by all apps with workload and user level insights.
 
-- App information and metadata, such as Graph API and legacy permissions, registration date, and certification.
+- App information and metadata, such as Graph API and legacy permissions, registration date, last used date and certification.
 
 - Publisher information and metadata, such as name and verification status.
 
@@ -36,6 +36,8 @@ App governance provides access to the following data:
 
   - High-privileged apps.
   - Overprivileged apps.
+  - Unused apps.
+    
   - High-usage apps.
   - Top consented users whose data a specific app can access.
   - Priority accounts who have data that a specific app can access.

defender-for-cloud-apps/app-governance-visibility-insights-view-apps.md

@@ -35,6 +35,7 @@ On the **Microsoft 365** tab, the apps in your tenant are listed with the follow
 | **App origin**| Shows whether the app originated within the tenant or was registered in an external tenant |
 | **Consent type**| Shows whether the app consent has been given at the user or the admin level, and the number of users whose data is accessible to the app |
 | **Publisher**| Publisher of the app and their verification status |
+| **Last used**| Shows the last time when the app signed in. Tracking of this data goes back to June, 2022. | 
 | **Last modified**| Date and time when registration information was last updated on Microsoft Entra ID |
 | **Added on**| Shows the date and time when the app was registered to Microsoft Entra ID and assigned a service principal |
 | **Permission usage**| Shows whether the app has any unused Graph API permissions in the last 90 days |
@@ -72,13 +73,13 @@ In the details pane, select any of the following tabs to view more details:
 
   ![Screenshot 2025-02-24 005703](media/app-governance-visibility-insights-view-apps/screenshot-2025-02-24-005703.png)
 
-   If an app is *admin consented*, the **Total consented users** are all users in the tenant.
-  
+  If an app is *admin consented*, the **Total consented users** are all users in the tenant.
+
 - Select the **Permissions** tab to see a summary and list of the Graph API and legacy permissions granted to the app, consent type, privilege level and whether they are in use. For example:
 
     :::image type="content" source="media/app-governance-visibility-insights-view-apps/permissions.png" alt-text="Screenshot of the Permissions tab.":::
 
-    For more information, see the [Microsoft Graph permissions reference](/graph/permissions-reference).
+  For more information, see the [Microsoft Graph permissions reference](/graph/permissions-reference).
 
 - Select the **Sensitivity labels** tab to see how frequently items with certain sensitivity labels were accessed by the app on Microsoft 365. For example:
 

defender-for-cloud-apps/applications-inventory.md

@@ -68,6 +68,8 @@ The OAuth apps tab provides visibility into Microsoft 365, Google workspace and
 
 * **Highly privileged apps** – Shows apps with powerful permissions that allow them to access data or change important settings. (Available for Microsoft 365 and Google)
 
+* **Unused apps** - Shows apps that have not signed in within the last 90 days (Available for Microsoft 365)
+
 * **Overprivileged apps** – Shows apps with unused permissions. (Available for Microsoft 365)
 
 * **Apps from external unverified publishers** – Shows apps that originated from an external unverified publisher tenant. (Available for Microsoft 365)
@@ -91,6 +93,7 @@ You can apply the following filters to get a more focused view:
 | **App origin**| Shows whether the app originated within the tenant or was registered in an external tenant. |
 | **Consent type**| Shows whether the app consent has been given at the user or the admin level, and the number of users whose data is accessible to the app. |
 | **Publisher**| Publisher of the app and their verification status. |
+| **Last used**| Date and time when the app last signed in. Tracking of this data goes back to June, 2022. | 
 | **Last modified**| Date and time when registration information was last updated on Microsoft Entra ID |
 | **Added on**| Shows the date and time when the app was registered to Microsoft Entra ID and assigned a service principal. |
 | **Permission usage**| Shows whether the app has any unused Graph API permissions in the last 90 days. |