Third-Party Apps Report
The Third-Party Apps report lists third-party cloud applications that have been authorized to access sanctioned application tenants. This report provides visibility to the risks to which your system is exposed by third-party app authorizations. From this report admin users can also block or allow access to third-party applications, overriding access established by other users.
Note: Currently the report presents information only about third-party applications authorized through Microsoft 365 tenants. You must authorize the tenant application for third-party access detection. See Enable Cloud Access Security Broker Features for Microsoft 365 Tenants.
Third-Party Apps discovery is aggregated and processed on an hourly basis.
Currently the report presents information only about third-party applications authorized through Microsoft 365 tenants.
- Prerequisites
- View the Third-Party Apps Report
- Use Search
- Use Advanced Search
- Export the Third-Party Apps Report
Prerequisites
- Viewing the report requires a minimum user role of Read-Only. To use the block/unblock override feature, you must have the Admin user role. For more information, see Manage User Roles.
View the Third-Party Apps Report
To view the Third-Party Apps report:
- Navigate to Reporting>Additional Reports>Third-Party Apps.
- Select the time window for the report results. This time reflects the dates and times the third-party apps were authorized. You can view the results for the Last Year (default), Yesterday, Last 7 Days, Last 30 Days, or a Custom Range.
The Third-Party Apps report presents the following columns of information:
- Application
The names of third-party applications that users have authorized through the application tenant listed under the Source column.
- Identity
The names of users that have accessed the third-party applications. Hover over a name to see the email address for the user and the time and date of access.
- Tenant Name
The name of the tenant from which authorization originated. (See Manage Cloud Malware Protection for information about authenticating tenant applications.)
- Access Scope
The number of access permission scopes granted to the third-party application. Click on a value in the Access Scope column to see the scopes listed by name.
- Source
The application's tenant from which authorization originated. Currently the report presents information only about third-party applications authorized through Microsoft 365 tenants. (See Manage Cloud Malware Protection for information about authenticating tenant applications.)
- Authorization Risk
The risk scope Umbrella has calculated for the third-party application, based on the access scopes granted by the user that authorized the application to access an application tenant. The possible values are Low, Medium, and High. You can filter the report results by values in this column using the filter selections on the left side of the screen.
- App Risk
The overall weighted risk score assigned to the app. This could be calculated by Umbrella (based on Business risk, Usage risk, Vendor compliance, and Community risk (if available)) or assigned by you. The possible values are Very Low, Low, Medium, High, and Very High.
- Detected
The time and date when Umbrella detected the access event.
- Status
Block/Allow status for the third-party application:
- Blocked - The system has blocked users from granting access to the application via sanctioned tenant. (Overriding the access granted by a tenant application.)
- Failed to Block - The system has attempted to block users from granting access to the application via sanctioned tenant, but the block attempt failed. Retry the block action; if it fails again, check that your tenant authentication is active. (You may need to re-authenticate.) If you are still unable to block the application, contact Support.
- Allowed - The system allows users to grant access to the application via sanctioned tenant.
- In progress - A block or unblock action is in progress. (The action in progress will appear dimmed in the Permissions column.)
You can filter the report results by the values Allowed and Blocked in this column using the filter selections on the left side of the screen.
- Permissions
This column offers administrators the ability to override the tenant access granted to third-party apps by another user. The possible actions are:
- Block - Block the third-party applications from accessing the application via a sanctioned tenant, overriding access granted by other users.
- Unblock - Allow the third-party application to access the application via a sanctioned tenant.
The options in this column will appear dimmed if they are not available for any of the following reasons:
- A block or unblock action is in progress.
- A block action has failed
Use Search
You can search the Third-Party Apps report by keywords to find specific events.
Note:
- There is a minimum three-character limit when searching the Third-Party Apps report.
- The search feature does not support wildcards.
- The system does not search detail information from the Identity column.
- Navigate to Reporting>Core Reports>Third-Party Apps.
- Enter a string in the search box. Umbrella searches the report for that value in the Application, Identity, and Access Scope fields and displays matching results for all three fields. This result reflects the matches found for all third-party applications users have authorized; this result is not restricted by the time window you have applied to the report.
- Scroll through the results and choose a value to apply as a filter to the report.
A. Scroll through the results and click on any matching value to filter the report by that value. In the example below the report will be filtered by applications that have been granted the Access Scope "Microsoft Graph - Have full access to all files user can access."
B. Scroll to the end of the results shown for a field and click Show All to filter the report by all results that match the search term. In the example below you would click on the highlighted Show All link to filter by all applications that have "Read" in their Access Scopes.
The filtered search results that appear reflect matches for third-party applications that were accessed within the time window you have selected. In the example below that time window is the past year.
Use Advanced Search
You can search the Third-Party Apps report by keywords in selected fields to find specific access events.
Note:
- There is a minimum three-character limit when searching the Third-Party Apps report.
- The search feature does not support wildcards.
- The system does not search detail information from the Identity column.
- Click Advanced in the search bar to bring up Advanced Search.
You can filter by specific values in the report columns Identity, Access Scope, and Application. Type the desired value in a filter field; a list of matches for that field will appear. This result reflects the matches found for all third-party applications users have accessed using credentials from tenant applications authorized for Cloud Malware protection; this result is not restricted by the time window you have applied to the report.
- Choose the value(s) to apply as a filter to the report.
A. Enter one or more search terms in the search box for Identity, Access Scope, or Application. Scroll through the results and click on any matching value to filter the report by that value. In the example below the report will be filtered by applications that have been granted the Access Scope Microsoft Graph - Have full access to user files.
B. Scroll to the end of the results shown for a field and click Show All to filter the report by all results that match the search term. In the example below you would click on the Show All link to filter by all applications that have an access scope with "view" in its name.
C. Repeat as needed to create a filter with the desired combination of criteria. In the example below the user has selected to filter for all instances of Microsoft Developer Network (Graph Explorer) that have been granted an access scope that includes the string "view."
Note: You must select a value from the list that appears below your search term to apply that value as a filter on the report. Selected values appear in grey boxes as shown above. If no list of matches appears below your search term, there are no matches that you can apply as a filter.
- Click APPLY.
The report displays results matching the combined search criteria for all columns. The results are filtered by the time window you have selected.
Export the Third-Party Apps Report
You can export the Third-Party Apps report to a CSV file.
- Navigate to Reporting>Core Reports>Third-Party Apps.
- Select the time window for the report results. This time reflects the dates and times the third-party apps were accessed. You can view the results for the Last Year (default), Yesterday. Last 7 Days, Last 30 Days, or a Custom Range.
- Filter the report by Risk level, or use the Search or Advanced Search features to refine your results.
- Click Download CSV to download the report in CSV format.
- Navigate to your Downloads folder to view the report. The file name format will be Third_Party_Apps_YYYY-MM-DDThh_mm_ss.sssZ.csv
Where:
- YYYY-MM-DD represents the date of the download.
- hh_mm_ss.sss represents the time of the download.
Data Loss Prevention Report < Data Loss Prevention Report
Updated about 1 month ago