Manage app permissions using Office 365 Cloud App Security

Office 365 Advanced Security Management is now Office 365 Cloud App Security.

People love apps and they download them often, especially apps that people think will save time by making it easier to get at their work or school information. However, some apps could potentially be a security risk to your organization, depending on what information they access and how they handle that information. With Office 365 Cloud App Security, if you are a global or security administrator, you can manage app permissions for your organization. You can see the apps people are using with Office 365 data, what permissions those apps have, and more.

This article describes where to go to manage app permissions, how to approve or ban an app, and how to create an app query.

Note: App permissions are managed in the Office 365 Cloud App Security portal. You must be a global administrator or security administrator to perform the following task.

  1. Go to https://protection.office.com and sign in using your work or school account for Office 365. (This takes you to the Security & Compliance Center.)

  2. Go to Alerts > Manage advanced alerts.

  3. Click (or tap) Go to Office 365 Cloud App Security.

    Note: If Office 365 Cloud App Security is not turned on yet, you can do that on this page.

  4. Choose Investigate > App permissions.

The following table describes the controls and options available on the Manage app permissions page.

| Item | Description |
| --- | --- |
| Basic icon in the app query bar | Select this to switch to the Advanced view. (If you see Basic, you are using the Advanced view.) |
| Advanced icon in the app query bar | Select this to switch to the Basic view. (If you see Advanced, you are using the Basic view.) |
| Open or close all details icon in the app list | Select this icon to view more or fewer details about each app. |
| Export icon in the app list | Select this icon to export a CSV file that contains a list of apps, number of users for each app, permissions associated with the app, permissions level, app state, and community use level. |
| Name | Use this to see the name of an app. Select the name to view more information, such as its description, publisher, app website and app ID. |
| Authorized by | Use this to see how many users have authorized an app to access their Office 365 account. Select the number to view more information, such as a list of user accounts. |
| Permissions Level | Use this to see how much access an app has to Office 365 data. Permissions levels indicate Low, Medium, or High, where Low might indicate that the app only accesses a user's profile and name. Select the level to view more information, such as permissions granted to the app, community use, and related activity in the Governance log. |
| App state (Banned, Approved, or Undetermined) | Use this to mark an app as Approved or Banned, or leave it as undetermined. |

On the Manage app permissions page, locate the app you want to approve, and choose the Mark app as approved icon.

The icon turns green, and the app is approved for all your Office 365 users.

Note: When you mark an app as approved, there is no effect on the end user. Visually marking the apps that are approved helps to separate them from apps that haven't been reviewed yet.

  1. On the Manage app permissions page, locate the app you want to ban, and choose the Mark app as banned icon.

  2. Choose whether to let users know that their app has been banned.

    (Recommended) To let users know, select Notify users who granted access to this banned app, and add or edit a custom notification message.

    To not let users know, clear Notify users who granted access to this banned app.

  3. Choose Ban app.

  1. In the app query bar, if you see Advanced, click (or tap) it to go to the Advanced view. (If you see Basic, you are using the Advanced view; keep your view as it is.)

  2. Use the Select a filter list to choose an option. The following table summarizes your available filter options.

    | Use this filter | To display |
    | --- | --- |
    | App | Apps with certain names |
    | App state | Apps based on their state (Approved, Banned, or Undetermined) |
    | Community use | Apps based on community use levels (Rare, Uncommon, or Common) |
    | Permission level | Apps based on certain permission levels |
    | Permissions | Apps that require certain permissions |
    | Publisher | Apps from certain publishers |
    | User | Apps that a certain user authorized |

  3. Select equals or does not equal, and then specify a value for your filter.

  4. To add more filters, select the plus sign, and then repeat steps 2 and 3.

  5. To remove a filter, select the x next to a filter name.

The filters are applied automatically, and the apps list is updated accordingly.
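
The same filters can be applied offline to the CSV file produced by the Export icon. The following Python code is an added example, not part of the original article or of Office 365 Cloud App Security itself: it lists the apps still marked Undetermined and ranks them by permission level and community use so the riskiest grants are reviewed first. The column names, scoring weights, and sample rows are assumptions; match the column names to the header row of your own export.

```python
import csv
import io

# Column names are assumptions; match them to the header row of your export.
COLS = {"name": "Name", "users": "Authorized by", "level": "Permissions level",
        "state": "App state", "community": "Community use"}
# Illustrative weights (assumed): High permission plus Rare use ranks first.
LEVEL_SCORE = {"low": 0, "medium": 2, "high": 4}
COMMUNITY_SCORE = {"common": 0, "uncommon": 1, "rare": 2}

# Constructed sample rows, not real export data.
SAMPLE_EXPORT = """Name,Authorized by,Permissions level,App state,Community use
Contoso Mail Sync,42,High,Undetermined,Rare
Fabrikam Notes,310,Low,Approved,Common
Northwind Calendar,3,High,Undetermined,Common
Tailspin Reader,17,Medium,Undetermined,Uncommon
Old Backup Tool,5,High,Banned,Rare
"""

def _norm(value):
    return (value or "").strip().lower()

def review_queue(csv_text):
    """Return unreviewed apps, highest-risk first, as (score, name, users)."""
    reader = csv.DictReader(io.StringIO(csv_text))
    missing = [c for c in COLS.values() if c not in (reader.fieldnames or [])]
    if missing:
        raise ValueError(f"export is missing columns: {missing}")
    queue = []
    for row in reader:
        # Same effect as the filter "App state equals Undetermined".
        if _norm(row[COLS["state"]]) != "undetermined":
            continue
        level = _norm(row[COLS["level"]])
        community = _norm(row[COLS["community"]])
        # Unknown values score as the worst case so they are not overlooked.
        score = LEVEL_SCORE.get(level, 4) + COMMUNITY_SCORE.get(community, 2)
        try:
            users = int(row[COLS["users"]])
        except (TypeError, ValueError):
            users = 0
        queue.append((score, row[COLS["name"]], users))
    # Rank by score, then by how many accounts granted access.
    return sorted(queue, key=lambda item: (-item[0], -item[2]))

if __name__ == "__main__":
    for score, name, users in review_queue(SAMPLE_EXPORT):
        print(f"{score}  {name}  ({users} users)")
```

Apps at the top of the list are the first candidates for the approve or ban decision described earlier in this article.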
