This chapter covers App Governance in Microsoft 365, a critical add-on for monitoring and controlling app behavior across the tenant. For the MS-102 exam, this topic appears in Domain 2.3 (Implement and manage app governance) and typically comprises 5-10% of questions. You will need to understand the architecture, policy types, alerting, and integration with Defender for Cloud Apps and Microsoft Entra ID. The exam tests your ability to configure, manage, and troubleshoot app governance policies, especially in hybrid and complex environments.
Imagine a bustling city where every new building (app) must be approved by the Permitting Office before construction. The office enforces zoning laws (compliance policies), inspects plans for safety (security assessments), and issues permits (app consent). Once a building is operational, the office conducts periodic inspections (monitoring) to ensure ongoing compliance. If a building violates codes (policy violation), the office can issue fines (alerts), suspend operations (disable app), or even order demolition (block app). The office also maintains a public registry (app inventory) of all permitted buildings, including their owners, purpose, and inspection history. This mirrors Microsoft 365 App Governance, where the service creates a catalog of all apps using Microsoft Graph, monitors their behavior via telemetry, enforces policies based on risk, and provides remediation actions like disabling or blocking apps. Just as the city office cannot inspect every building every day, App Governance uses sampling and anomaly detection to efficiently identify risky behavior without overwhelming administrators.
What is App Governance and Why Does It Exist?
App Governance is a Microsoft 365 security add-on that provides advanced monitoring, policy enforcement, and remediation for apps that use Microsoft Graph APIs. It addresses the growing risk of OAuth applications that have been granted permissions to access organizational data. Unlike basic app consent policies in Microsoft Entra ID, App Governance offers continuous monitoring and automated responses based on app behavior patterns.
The service is available as an add-on for Microsoft 365 E5, Microsoft 365 E5 Compliance, Microsoft 365 E5 Security, and Microsoft 365 E5 Information Protection and Governance. It can also be purchased as a standalone SKU. The exam expects you to know which licenses include App Governance.
How App Governance Works Internally
App Governance operates by collecting telemetry from Microsoft Graph API calls made by apps. The data includes:
App ID (client ID)
User ID making the call
IP address and location
Scopes (permissions) requested
Resource accessed (e.g., mail, files, calendar)
Timestamp and frequency of calls
This telemetry is analyzed against a set of built-in and custom policies. When a policy condition is met, an alert is generated, and an optional automated action is taken.
Key Components, Defaults, and Timers
App Governance Policies
Built-in policies: Microsoft provides default policies, such as:
Unusual increase in app consent
App accessing resources from unusual locations
High-privilege app with low usage
Custom policies: Administrators can create policies based on:
App characteristics (e.g., publisher, certificate, permissions)
User characteristics (e.g., group membership, risk level)
Behavior patterns (e.g., data access volume, time of day)
Policy Actions
Alert only: Generates an alert in Microsoft 365 Defender
Disable app: Prevents the app from signing in and accessing data
Block app: Completely blocks the app from any activity
Mark as malicious: Flags the app for further investigation
Timers and Defaults
Alert evaluation frequency: Policies are evaluated approximately every 24 hours, but some high-priority alerts are near real-time.
Data retention: Telemetry data is retained for 30 days by default.
Policy auto-remediation: Some built-in policies have a grace period of 7 days before automatic action is taken.
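To make the evaluation model concrete, here is an added local simulation (not code from the page, Microsoft, or the App Governance service) of how the three built-in policy templates can be derived from the telemetry fields listed above. It runs entirely offline over constructed records; the Event schema, the day-based windows, the thresholds (3x baseline, minimum 5 grants, fewer than 10 calls) and the set of scopes treated as high-privilege are all assumptions chosen for the demo, not documented service defaults.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import date, timedelta

# Scopes treated as high-privilege. Mail.ReadWrite and Files.ReadWrite.All are the
# permissions the chapter names; Directory.ReadWrite.All is an added assumption.
HIGH_PRIVILEGE_SCOPES = {"Mail.ReadWrite", "Files.ReadWrite.All", "Directory.ReadWrite.All"}


@dataclass(frozen=True)
class Event:
    """One telemetry record: a Graph API call or a consent grant (constructed schema)."""
    kind: str        # "call" or "consent"
    app_id: str      # client ID of the app
    user_id: str     # caller; for app-only calls this is the app itself
    ip: str
    location: str    # country derived from the IP (constructed value)
    scopes: tuple    # permissions the app holds
    resource: str    # "mail", "files", "calendar", or "" for consent events
    day: date


def consent_spike(events, window_days=7, factor=3, minimum=5):
    """'Unusual increase in app consent': latest day's grants vs. the prior window average."""
    per_day = defaultdict(Counter)
    for e in events:
        if e.kind == "consent":
            per_day[e.app_id][e.day] += 1
    alerts = []
    for app, days in per_day.items():
        latest = max(days)
        baseline = sum(n for d, n in days.items() if d != latest) / window_days
        if days[latest] >= minimum and days[latest] > factor * baseline:
            alerts.append(("Unusual increase in app consent", app,
                           f"{days[latest]} grants vs. baseline {baseline:.1f}/day"))
    return alerts


def unusual_location(events, baseline_days=7):
    """'App accessing resources from unusual locations': a location absent from the app's baseline."""
    calls = sorted((e for e in events if e.kind == "call"), key=lambda e: e.day)
    if not calls:
        return []
    start = calls[0].day
    known = defaultdict(set)
    alerts = []
    for e in calls:
        if (e.day - start).days < baseline_days:
            known[e.app_id].add(e.location)        # learning phase
        elif e.location not in known[e.app_id]:
            alerts.append(("App accessing resources from unusual locations", e.app_id,
                           f"{e.resource} accessed from {e.location} ({e.ip})"))
            known[e.app_id].add(e.location)        # one alert per new location
    return alerts


def high_privilege_low_usage(events, min_calls=10):
    """'High-privilege app with low usage': powerful scopes but few calls in the retained telemetry."""
    scopes, calls = defaultdict(set), Counter()
    for e in events:
        scopes[e.app_id].update(e.scopes)
        if e.kind == "call":
            calls[e.app_id] += 1
    alerts = []
    for app, held in scopes.items():
        privileged = held & HIGH_PRIVILEGE_SCOPES
        if privileged and calls[app] < min_calls:
            alerts.append(("High-privilege app with low usage", app,
                           f"{sorted(privileged)} with {calls[app]} call(s)"))
    return alerts


def evaluate(events):
    """Run the three built-in templates; returns (policy, app_id, detail) tuples."""
    return consent_spike(events) + unusual_location(events) + high_privilege_low_usage(events)


def sample_events():
    """Constructed telemetry covering nine days; not real tenant data."""
    d0 = date(2024, 1, 1)
    day = lambda n: d0 + timedelta(days=n)
    ev, crm, bk, hr = [], ("Mail.ReadWrite",), ("Files.ReadWrite.All",), ("User.Read",)
    # crm-app: one consent grant per day for a week, then nine grants on day 7
    for n in range(7):
        ev.append(Event("consent", "crm-app", f"user{n}", "203.0.113.10", "US", crm, "", day(n)))
    for n in range(9):
        ev.append(Event("consent", "crm-app", f"new{n}", "203.0.113.10", "US", crm, "", day(7)))
    # crm-app: five mail calls a day from its usual location, then one from a new country
    for n in range(7):
        for _ in range(5):
            ev.append(Event("call", "crm-app", "svc", "203.0.113.10", "US", crm, "mail", day(n)))
    ev.append(Event("call", "crm-app", "svc", "198.51.100.7", "SG", crm, "mail", day(8)))
    # backup-app: broad file permissions but a single app-only call in the whole window
    ev.append(Event("consent", "backup-app", "admin", "203.0.113.20", "US", bk, "", day(0)))
    ev.append(Event("call", "backup-app", "backup-app", "203.0.113.20", "US", bk, "files", day(3)))
    # hr-app: low-privilege scope, steady use, one consent on the last day (no spike)
    for n in range(9):
        ev.append(Event("call", "hr-app", "svc", "203.0.113.30", "US", hr, "calendar", day(n)))
    ev.append(Event("consent", "hr-app", "user9", "203.0.113.30", "US", hr, "", day(8)))
    return ev


if __name__ == "__main__":
    for policy, app, detail in evaluate(sample_events()):
        print(f"[{policy}] {app}: {detail}")
```

Against the constructed data, crm-app trips the consent spike and the unusual-location template, backup-app trips high-privilege/low-usage, and hr-app stays quiet; that is the same three-way split the built-in policies are meant to produce from real Graph telemetry.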
Configuration and Verification Commands
App Governance is managed through the Microsoft 365 Defender portal (https://security.microsoft.com) under App Governance. For automation, you can use PowerShell with the Microsoft Graph PowerShell SDK.
Example: List all apps in App Governance

    # Sign in with the read scope the chapter uses for App Governance
    Connect-MgGraph -Scopes "AppGovernance.Read.All"
    # Enumerate every app the service has catalogued (-All pages through results)
    Get-MgGovernanceApp -All

Example: Create a custom policy

    # Request body for a custom policy: block any app that operates from
    # outside the allowed locations defined for the tenant
    $policy = @{
        DisplayName    = "Block high-risk apps from outside"
        PolicyTemplate = @{
            Id = "custom"
        }
        Conditions = @{
            Applications = @{
                Include = @("*")    # all apps
            }
            Locations = @{
                Include = @("OutsideAllowedLocations")
            }
        }
        Actions = @(
            @{
                ActionType = "BlockApp"
            }
        )
        State = "Enabled"
    }
    # Submit the policy; it is evaluated on the next policy cycle (up to 24 hours)
    New-MgGovernanceAppPolicy -BodyParameter $policy

Verification
- In the Defender portal, navigate to App Governance > Policies to see policy status.
- Use Get-MgGovernanceAppPolicy to list policies and their states.
Interaction with Related Technologies
Microsoft Entra ID: App Governance integrates with Microsoft Entra ID for app registration and consent information. It can use Entra ID risk signals (e.g., user risk level) in policies.
Microsoft Defender for Cloud Apps: Defender for Cloud Apps provides OAuth app discovery and governance. App Governance complements it by focusing on Graph API behavior. Both can be used together, but App Governance offers more granular policy options for Graph API usage.
Microsoft 365 Compliance Center: App Governance policies can enforce compliance by blocking apps that access sensitive data without proper controls.
Microsoft Graph API: All telemetry is based on Graph API calls. Apps that do not use Graph API (e.g., legacy protocols) are not monitored by App Governance.
Advanced Concepts
App Governance Roles
Global Administrator: Full access
Security Administrator: Manage policies and view alerts
Security Reader: Read-only access
Compliance Administrator: Manage compliance-related policies
Compliance Data Administrator: Manage data-related policies
Policy Scopes
Policies can be scoped to:
All apps
Specific apps
Apps with specific permissions (e.g., Mail.ReadWrite)
Apps from specific publishers
Alert Triage
Alerts are integrated into the Microsoft 365 Defender incidents. Security analysts can investigate alerts, take actions (disable, block), and provide feedback to improve policy accuracy.
Limitations
App Governance only monitors Graph API calls. Non-Graph traffic (SMTP, IMAP, legacy auth) is not covered.
The service requires that apps are registered in the tenant and have consented permissions.
There is a delay of up to 24 hours for policy evaluation, though some alerts are near real-time.
Exam-Specific Details
The MS-102 exam will test:
The difference between App Governance and Defender for Cloud Apps OAuth policies.
The license requirements (E5 or add-on).
The three built-in policy templates: 'Unusual increase in app consent', 'App accessing resources from unusual locations', and 'High-privilege app with low usage'.
The actions: alert, disable, block.
The integration with Microsoft 365 Defender for alerting.
The fact that App Governance does NOT cover apps that use legacy authentication.
Be prepared to identify when to use App Governance vs. Defender for Cloud Apps. A common scenario: Defender for Cloud Apps is better for discovering shadow IT OAuth apps, while App Governance is better for monitoring known apps' behavior.
Enable App Governance Add-on
Navigate to Microsoft 365 admin center > Billing > Purchase services. Search for 'Microsoft 365 App Governance' and purchase the add-on if not already licensed. Alternatively, if you have an eligible E5 license, App Governance is automatically enabled. After purchase, it may take up to 24 hours for the service to appear in the Defender portal. Verify by going to https://security.microsoft.com > App Governance. If the page loads, the add-on is active.
Review Built-in Policies
In the Defender portal, go to App Governance > Policies. Three default policies are pre-configured: 'Unusual increase in app consent', 'App accessing resources from unusual locations', and 'High-privilege app with low usage'. Each policy has default actions (usually alert only). Review the conditions and actions. Note that these policies are not enabled by default; you must manually enable them. The exam may ask which built-in policies exist and their default state.
Create a Custom Policy
Click 'Create policy' and choose a template (e.g., 'Custom policy'). Define conditions: select apps (all or specific), users (all or specific groups), locations (allow or block lists), and behavior (e.g., data access volume). Set the action: Alert only, Disable app, or Block app. Name the policy and enable it. The policy will be evaluated within 24 hours. Use PowerShell to automate creation for multiple policies.
Monitor Alerts and Incidents
When a policy triggers, an alert appears in Microsoft 365 Defender under Incidents & alerts > Alerts. Alerts are correlated into incidents if multiple alerts relate to the same app or user. Security analysts can investigate the alert, view the app details, and take remediation actions directly from the alert page. The alert includes telemetry data such as the app ID, user, IP, and resource accessed.
Remediate and Tune Policies
If an alert is a false positive, you can dismiss it and optionally adjust the policy to reduce noise. For true positives, take action: disable or block the app, or mark it as malicious. After remediation, monitor the app's activity to ensure compliance. Periodically review policy effectiveness and update conditions as needed. The exam may ask about the difference between disabling and blocking: disabling prevents sign-in but retains app registration; blocking prevents any activity and may remove consent.
Scenario 1: Monitoring a CRM App with High Privileges
A large enterprise uses a third-party CRM app that has been granted Mail.ReadWrite and Files.ReadWrite.All permissions. The security team wants to ensure the app is not exfiltrating data. They create a custom App Governance policy that triggers if the app accesses more than 10,000 emails in a day or if it accesses files from unusual locations (e.g., outside the corporate IP range). The policy action is set to alert and disable the app if the activity exceeds a threshold. In production, this policy catches an instance where the app's API key was compromised, and an attacker used it to download mail. The app was automatically disabled, and the incident was investigated. Without App Governance, the breach might have gone unnoticed for weeks.
Scenario 2: Enforcing Compliance for Sensitive Data
A financial institution requires that any app accessing SharePoint sites containing PII must be vetted. They use App Governance to create a policy that blocks any app that attempts to access a SharePoint site with a sensitivity label of 'Highly Confidential' unless the app is on an approved list. The policy is scoped to all apps and uses the 'Block app' action. This ensures that even if an app receives consent, it cannot access sensitive data without approval. The institution also integrates with Defender for Cloud Apps to discover shadow IT apps, but uses App Governance for granular control over Graph API access.
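Both scenarios come down to custom conditions plus the disable/block actions, so here is one added offline simulation (not code from the page, Microsoft, or the service) that covers Scenario 1 (mail volume over 10,000 items in a day, file access from outside the corporate IP range, action: alert and disable) and Scenario 2 (access to a 'Highly Confidential' SharePoint site by an app not on the approved list, action: block). The Call schema, the corporate range (a TEST-NET-3 placeholder), the approved-list contents and the app-state model are assumptions for the demo; the state model encodes only what the chapter states about the two actions, namely that disabling keeps the registration and consent and is reversible, while blocking removes consent.

```python
import ipaddress
from collections import Counter
from dataclasses import dataclass
from datetime import date

# Corporate egress range (TEST-NET-3, a constructed placeholder) and the approved list
# for 'Highly Confidential' sites; both are assumptions for the demo.
CORPORATE_RANGES = [ipaddress.ip_network("203.0.113.0/24")]
APPROVED_FOR_HIGHLY_CONFIDENTIAL = {"vetted-dlp-app"}
MAIL_ITEMS_PER_DAY_LIMIT = 10_000      # threshold from Scenario 1


@dataclass(frozen=True)
class Call:
    """A batched Graph call as the service would see it (constructed schema)."""
    app_id: str
    ip: str
    resource: str    # "mail", "files" or "sharepoint"
    items: int       # objects read in this batch
    day: date
    label: str = ""  # sensitivity label on the target site, if any


@dataclass
class AppState:
    app_id: str
    status: str = "enabled"       # enabled | disabled | blocked
    consent_granted: bool = True  # the registration itself is never deleted by these actions


def disable(app):
    """Disable: stops sign-in and data access; registration and consent are retained."""
    app.status = "disabled"


def block(app):
    """Block: stops all activity and removes the user consent the app held."""
    app.status = "blocked"
    app.consent_granted = False


def reenable(app):
    """A disabled app is re-enabled in one step; a blocked app needs fresh consent first."""
    if app.status == "disabled":
        app.status = "enabled"
        return True
    return False


def in_corporate_range(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORPORATE_RANGES)


def evaluate(calls, apps):
    """Apply the scenario policies in call order; returns (policy, app_id, detail) alerts."""
    alerts = []
    mail_items = Counter()        # (app, day) -> mail items read so far that day
    for c in calls:
        app = apps[c.app_id]
        # Scenario 1, condition A: more than 10,000 mail items in one day -> alert + disable
        if c.resource == "mail":
            mail_items[(c.app_id, c.day)] += c.items
            total = mail_items[(c.app_id, c.day)]
            if total > MAIL_ITEMS_PER_DAY_LIMIT:
                alerts.append(("Mail volume threshold", c.app_id, f"{total} items on {c.day}"))
                if app.status == "enabled":
                    disable(app)
        # Scenario 1, condition B: file access from outside the corporate range -> alert + disable
        if c.resource == "files" and not in_corporate_range(c.ip):
            alerts.append(("Files from outside corporate range", c.app_id, c.ip))
            if app.status == "enabled":
                disable(app)
        # Scenario 2: Highly Confidential site touched by an app not on the approved list -> block
        if c.label == "Highly Confidential" and c.app_id not in APPROVED_FOR_HIGHLY_CONFIDENTIAL:
            alerts.append(("Highly Confidential access by unapproved app", c.app_id, c.ip))
            block(app)
    return alerts


def sample_calls():
    """Constructed telemetry for a single day; not real tenant data."""
    d = date(2024, 1, 15)
    return [
        Call("crm-app", "203.0.113.10", "mail", 6_000, d),
        Call("crm-app", "203.0.113.10", "mail", 5_000, d),      # pushes the day to 11,000
        Call("backup-app", "198.51.100.7", "files", 40, d),     # outside the corporate range
        Call("vetted-dlp-app", "203.0.113.20", "sharepoint", 3, d, "Highly Confidential"),
        Call("rogue-app", "203.0.113.21", "sharepoint", 1, d, "Highly Confidential"),
    ]


def sample_apps():
    return {n: AppState(n) for n in ("crm-app", "backup-app", "vetted-dlp-app", "rogue-app")}


if __name__ == "__main__":
    apps = sample_apps()
    for policy, app_id, detail in evaluate(sample_calls(), apps):
        print(f"[{policy}] {app_id}: {detail} -> {apps[app_id].status}")
```

Running it leaves crm-app and backup-app disabled with consent intact (reenable() brings them straight back), rogue-app blocked with consent removed (reenable() refuses), and the approved vetted-dlp-app untouched, which is exactly the disable-versus-block distinction the exam asks about.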
Common Pitfalls
Misconfiguring location conditions: Administrators often forget to define the 'OutsideAllowedLocations' correctly, leading to false positives. Ensure that corporate IP ranges are accurate and updated.
Over-relying on default policies: The built-in policies are generic and may not suit your environment. Custom policies are essential for specific threats.
Not testing policies: Before enabling a policy with automatic action, test it in alert-only mode to avoid disrupting legitimate apps.
Ignoring license requirements: Some administrators assume App Governance is included with all E3 licenses; it is not. Verify licensing before configuration.
Scale and Performance
In a tenant with over 10,000 apps, App Governance can handle the load, but policy evaluation may take longer. Microsoft recommends using scoped policies to limit the number of apps evaluated. The service uses a distributed telemetry pipeline and scales automatically. There is no performance impact on end users or apps.
MS-102 Exam Focus on App Governance
The MS-102 exam tests Objective 2.3: Implement and manage app governance. This includes:
Understanding the purpose and licensing of App Governance
Configuring built-in and custom policies
Managing alerts and incidents
Differentiating App Governance from Defender for Cloud Apps OAuth policies
Common Wrong Answers and Why Candidates Choose Them
Choosing Defender for Cloud Apps instead of App Governance: The exam may present a scenario where an app is making excessive Graph API calls. Many candidates select Defender for Cloud Apps because they associate it with app control. However, Defender for Cloud Apps focuses on app discovery and conditional access for cloud apps, not granular Graph API behavior. App Governance is the correct answer for monitoring Graph API telemetry.
Assuming App Governance covers all app activity: Candidates often think App Governance monitors all app traffic, including legacy protocols. The exam will test that App Governance only covers Graph API calls. Legacy protocols (SMTP, IMAP, etc.) require other tools like Defender for Office 365 or Conditional Access.
Believing built-in policies are enabled by default: Many candidates assume that because policies are built-in, they are automatically active. In reality, built-in policies are disabled by default and must be manually enabled. The exam may ask about the default state.
Confusing 'disable' and 'block' actions: Candidates may think both actions are the same. 'Disable' prevents sign-in but retains the app registration; 'Block' prevents all activity and may remove user consent. The exam expects you to know the difference.
Specific Numbers, Values, and Terms
Licensing: Microsoft 365 E5, E5 Compliance, E5 Security, E5 Information Protection and Governance, or standalone add-on.
Built-in policies: Exactly three: 'Unusual increase in app consent', 'App accessing resources from unusual locations', 'High-privilege app with low usage'.
Evaluation frequency: Up to 24 hours for policy evaluation.
Data retention: 30 days for telemetry.
Actions: Alert, Disable app, Block app, Mark as malicious.
Edge Cases and Exceptions
Does App Governance monitor apps that use application (app-only) permissions without a signed-in user? Yes: it does monitor app-only calls, but the user context is the app itself, and policies can still apply.
If an app is disabled, can it still be re-enabled? Yes, from the App Governance interface or via PowerShell.
Can App Governance block first-party Microsoft apps? No, it only applies to third-party and custom apps registered in the tenant.
How to Eliminate Wrong Answers
If the scenario mentions 'Graph API calls' or 'app behavior monitoring', lean toward App Governance.
If the scenario is about discovering unknown OAuth apps, Defender for Cloud Apps is likely the answer.
If the question asks about blocking legacy authentication, the answer is not App Governance.
For policy actions, remember: 'disable' stops sign-in, 'block' stops all activity.
App Governance is an add-on for E5 licenses that monitors app behavior via Microsoft Graph API telemetry.
The three built-in policies are: Unusual increase in app consent, App accessing resources from unusual locations, High-privilege app with low usage.
Built-in policies are disabled by default and must be manually enabled.
Policy evaluation occurs up to every 24 hours, with some near real-time alerts.
Actions: Alert only, Disable app (prevents sign-in), Block app (prevents all activity), Mark as malicious.
App Governance does not monitor legacy authentication protocols; use Defender for Cloud Apps or Conditional Access for those.
Custom policies can be scoped by app, user, location, and behavior conditions.
Data retention for telemetry is 30 days.
App Governance integrates with Microsoft 365 Defender for incident management.
Licensing: Microsoft 365 E5, E5 Compliance, E5 Security, E5 Information Protection and Governance, or standalone add-on.
These come up on the exam all the time. Here's how to tell them apart.
App Governance
Monitors Microsoft Graph API calls only
Provides built-in policies for app behavior anomalies
Actions include alert, disable, block, mark as malicious
Integrates with Microsoft 365 Defender for alerting
Requires E5 or add-on license
Defender for Cloud Apps OAuth Policies
Discovers and controls OAuth apps across cloud apps
Provides app permissions and consent policies
Actions include revoke permissions, disable app, notify user
Integrates with Microsoft 365 Defender and Cloud App Security
Included with E5 and available as standalone
Mistake
App Governance is included with all Microsoft 365 E3 licenses.
Correct
App Governance requires Microsoft 365 E5 or an add-on license. It is not included in E3.
Mistake
Built-in App Governance policies are enabled by default.
Correct
Built-in policies are disabled by default. Administrators must manually enable them in the Defender portal.
Mistake
App Governance monitors all app traffic including legacy protocols.
Correct
App Governance only monitors Microsoft Graph API calls. Legacy protocols like SMTP, IMAP, and POP are not covered.
Mistake
Disabling an app in App Governance permanently deletes the app registration.
Correct
Disabling an app only prevents sign-in and data access. The app registration remains and can be re-enabled. Blocking may remove consent but does not delete the app registration.
Mistake
App Governance and Defender for Cloud Apps are the same service.
Correct
App Governance focuses on Graph API behavior and policies, while Defender for Cloud Apps provides broader app discovery, conditional access, and governance for cloud apps including non-Graph protocols.
App Governance is available as an add-on for Microsoft 365 E5, E5 Compliance, E5 Security, E5 Information Protection and Governance, or as a standalone SKU. It is not included in E3 or lower licenses. The exam tests that you know E5 is the minimum for built-in inclusion.
App Governance focuses on monitoring Graph API call behavior and provides policies based on app activity patterns. Defender for Cloud Apps discovers OAuth apps and provides policies based on app permissions, consent, and risk. App Governance is more granular for Graph API, while Defender for Cloud Apps covers a broader range of cloud apps and protocols.
No, App Governance policies apply only to third-party and custom apps registered in your tenant. First-party Microsoft apps (like Teams, SharePoint) are not subject to App Governance policies.
The available actions are: Alert only (generates an alert), Disable app (prevents sign-in but retains registration), Block app (prevents all activity and may remove user consent), and Mark as malicious (flags the app for investigation). The exam may ask you to choose the correct action for a given scenario.
Policy evaluation occurs approximately every 24 hours for most policies. However, some high-priority alerts related to consent anomalies may be generated near real-time. The exam expects you to know the 24-hour evaluation cycle.
Yes, App Governance monitors Graph API calls from app-only contexts as well. The user context is the app itself. Policies can still apply based on behavior like data access volume.
Yes, from the App Governance interface in Defender, you can re-enable a disabled app. Alternatively, use PowerShell with the `Update-MgGovernanceApp` cmdlet. Disabling is reversible; blocking may require re-consent.