App Tags
MDCA app tags are primarily useful for organizing the cloud apps in your environment. Depending on your configuration they can also block certain cloud apps or notify the user prior to using a cloud app. There are built-in tags and custom tags.
Built-in tags
MDCA has three built-in tags:
- Sanctioned
- Unsanctioned
- Monitor
Sanctioned
Tagging a cloud app as sanctioned changes nothing for the end user; the tag is primarily for organizing applications you have vetted and approve for use in the environment. Imagine you see a cloud app with a low score of 4/10; that is an app you should likely take a closer look at to determine whether it should be used in your environment. If you investigate and determine it is needed and cannot be removed or blocked, adding a sanctioned tag to it means that the next time you see it you will know it was already vetted.
Default sanctioned cloud apps
Microsoft automatically tags some of their applications as sanctioned and prevents you from removing the tag. I believe this is to prevent breaking applications required in the Microsoft/Azure environment. The default tagged cloud apps are:
- Microsoft 365
- Microsoft Azure
- Microsoft Exchange Online
- Microsoft OneDrive for Business
- Microsoft Power Automate
- Microsoft Power BI
- Microsoft SharePoint Online
- Microsoft Teams
Unsanctioned
Similar to sanctioning, unsanctioned tags can help you organize applications, but you can additionally enable an integration with MDE that allows you to block unsanctioned applications from being used. This works by adding indicators for all the domains a cloud application uses.
This is immensely helpful, as most major cloud apps have many domains you would need to block to stop the entire service. Take Google for example: they obviously have google.com, google.net, gmail.com, and other domains. They probably have all their domains listed in a reference somewhere, but you would still need to add block indicators for every one of them to completely block the cloud app from being used. Unsanctioning the cloud app adds all of those indicators for you.
Monitored
Tagging a cloud app as monitored allows you to specify custom messaging a user will see when they try to access the cloud app. This can be a good way of notifying users of an impending block of a cloud app you plan to unsanction.
Custom tags
Custom tags are also useful for organizing apps but offer the flexibility of custom names. You can additionally use an App discovery policy to automatically add a cloud app to a given tag. For example, if a new risky app appears in your environment you can add it to a custom "risky" tag and then filter on that tag in Cloud discovery to find all the risky apps you need to review this month.
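The blocking mechanism described under Unsanctioned and the automatic custom tagging described under Custom tags, modelled together in a small Python example. This is an added illustration, not MDCA or MDE code: the CloudApp catalogue, risk scores, domains and proxy log lines are constructed, and matching a domain indicator against its subdomains is an assumption about how such an indicator is applied.

```python
from dataclasses import dataclass, field
BUILTIN_SANCTIONED = {"Microsoft 365", "Microsoft Teams"}  # subset of the page's default list
@dataclass
class CloudApp:
    name: str
    risk_score: int              # MDCA-style score, 0 (risky) to 10
    domains: list
    tags: set = field(default_factory=set)

def auto_tag_risky(apps, threshold=5, tag="risky"):
    """App discovery policy stand-in: unvetted apps scoring below threshold get the custom tag."""
    hits = [a for a in apps if a.risk_score < threshold and "Sanctioned" not in a.tags]
    for a in hits:
        a.tags.add(tag)
    return [a.name for a in hits]

def unsanction(app):  # default-sanctioned Microsoft apps keep their tag; MDCA refuses to remove it
    if app.name in BUILTIN_SANCTIONED:
        raise ValueError(f"{app.name} is sanctioned by default and its tag cannot be removed")
    app.tags.discard("Sanctioned")
    app.tags.add("Unsanctioned")

def block_indicators(apps):  # every domain of every Unsanctioned app becomes one MDE block indicator
    return {d.lower() for a in apps if "Unsanctioned" in a.tags for d in a.domains}

def host_blocked(host, indicators):
    """Assumed matching rule: an indicator covers the domain itself and its subdomains, not lookalikes."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in indicators)

def build_catalog():  # constructed sample apps; scores and domains are made up
    return [
        CloudApp("Microsoft 365", 10, ["office.com"], {"Sanctioned"}),
        CloudApp("Example Share", 3, ["example-share.com", "exshare.net"]),
        CloudApp("Example Notes", 7, ["example-notes.com"]),
    ]
PROXY_LOG = [  # constructed lines: "<user> <host> <status>"
    "alice office.com 200",
    "bob cdn.exshare.net 200",           # subdomain of an unsanctioned app's domain
    "carol example-notes.com 200",       # score 7: not tagged, not blocked
    "dave notexample-share.com 200",     # lookalike of example-share.com, must not match
]
def review_cycle(apps, log=PROXY_LOG):
    """Tag risky apps, unsanction them, then list log hosts the resulting indicators would block."""
    risky = auto_tag_risky(apps)
    for a in [a for a in apps if "risky" in a.tags]:
        unsanction(a)
    indicators = block_indicators(apps)
    blocked = [line.split()[1] for line in log if host_blocked(line.split()[1], indicators)]
    return risky, sorted(indicators), blocked
```

Calling `review_cycle(build_catalog())` tags only the 3/10 app, turns its two domains into indicators, and flags just the subdomain hit in the log while leaving the lookalike host alone.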
Construction
Scoped profiles