How to view all „marked approved“ apps?

Question

How to view all „marked approved“ apps?

Sascha Josephs 1

Hello everybody, within a incident in Defender XDR, I see an Oauth app as suspicious. The application is an internal development and therefore trustworthy. In the "attack story" of the Incident, I called up the "App Page" and declared the application as „marked approved“. The app is an enterprise app that does not have an admin or user consent, nor a connection to an M365 app. This means that it does not appear under Cloud App / App Governance. Now my question is how can I display all „marked approved“ apps? I marked several App in the past and need now a list of them. Thanks in advance for the support

User's image

2 answers

Your answer

Answer 1

Catherine Kyalo 2,620 Microsoft Employee

Hi Josephs,

Did you already attempt to check under Assets> Applications? https://learn.microsoft.com/en-us/defender-cloud-apps/applications-inventory#navigate-to-the-applications-page

If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

Sascha Josephs 1 Reputation point

2025-09-23T08:24:36.0433333+00:00

@Catherine Kyalo ,
thank you for your answer, but unfortunately this is not really what I am looking for.
My app is a App-registration with no connection to Microsoft 365, Google Workspace, and Salesforce. Therefore it does not appears in the Oauth list.
My Incident "Unusual addition of credentials to an OAuth app involving one user" markes the app as suspicios oauth app and I can only reach the App Page within the Inciden/ Alert.
I find the App under Defender/ Assets/ Identities by searching the Object ID, but I cannot find any tags showing me the app is approved.
Catherine Kyalo 2,620 Reputation points Microsoft Employee

2025-09-29T11:19:44.0866667+00:00

Hi Sascha Josephs,

I have escalated this to PG - I will update with feedbck
Shruti Agarwal 21 Reputation points Microsoft Employee

2025-09-29T12:53:00.4566667+00:00

Hi @Sascha Josephs can you please paste the screenshot of the app page that you see when you click on "Open app page"
Sascha Josephs 1 Reputation point

2025-09-30T07:45:21.98+00:00

@Shruti Agarwal ,

Answer 2

my summary :
• App registration/Service Principal without connection to Microsoft366, Google or Salesforce is recognized as an Oaut app in the incident but is not listed in the Governance app.

• The App Page for this type of Oauth Apps can only be opened within the incident.

• There is no query for Status Approved in KQL (OAuthAppInfo), only Enabled or Disabled

• No reference to Approved found via Powershell.

• With the Object ID you can find the app in Defender / Assets / Identities, but also no "Approved" note.

• There is no notice in Entra ID / Enterprise Apps either

Guess it's just an internal classification in the Defender Incident that isn't really listed anywhere.
Manual documentation is probably the current solution.
Consultants, Copilot and GPT coudn't help either ;-)

I appreciate any advises.

Share via

How to view all „marked approved“ apps?

2 answers

Your answer