Welcome back! If you thought Part 1 was fun, get ready: we’re throwing a Block Party. Instead of music and snacks (man, I love snacks), we’re handing out automated app blocks and governance policies. In Part 1, we covered how to get visibility into Shadow IT using the integration between Microsoft Defender for Endpoint (MDE) and Defender for Cloud Apps (formerly MCAS). Now in Part 2, we’re turning up the volume by setting up automatic policies to block risky apps, putting VIPs on the guest list so they skip the rope (a.k.a. policy exceptions), and sending alerts when new apps try to sneak into the party. Let’s get this Block Party started!
Automatically Blocking New Risky Apps (Risk Score 1–5)
Think of this as managing the guest list at your Block Party. Defender for Cloud Apps scores every discovered app from 1 to 10, and 1 is the riskiest end of the scale. If an app shows up with a risk score between 1 and 5, it’s not getting past the velvet rope. No invite? No entry.
Step-by-Step Instructions:
- Head to the Microsoft Defender portal – Navigate to Cloud Apps > Policies > Policy management and open the “Shadow IT” tab. Hit Create policy and choose App discovery policy.

- Name it, set filters – Filter by Risk score and set the range to 1–5. Want to narrow it to just the Cloud storage category or another category? Go for it. Otherwise leave it broad, but remember that a broad 1–5 rule will sweep in every low-scoring app that appears in your discovery data, not just the ones you have already looked at.

- To alert or not to alert? – You can set up alerts. I’m choosing not to set up alerts in my test tenant, but do what works best for your environment.
- Governance action: Tag as unsanctioned – This is the heart of it. Tag any matching apps as unsanctioned. On its own the tag is just a label in Defender for Cloud Apps; it turns into a block because the MDE integration from Part 1 pushes unsanctioned app domains down to the endpoints.

What Happens Next?
Once tagged, Defender for Cloud Apps pushes the app’s domains to MDE, which adds them as custom network indicators with a block action. You can confirm they landed in the Defender portal under Settings > Endpoints > Indicators. Within a couple of hours, devices onboarded to MDE with Network Protection in block mode will start blocking that app like a bouncer checking IDs.
VIP Access: Some Guests Are on the List
Every Block Party has its VIPs: those folks who get past the rope even if they’re rocking some questionable fashion choices (looking at you, devs and data analysts). Same goes for your environment. Some users need access to risky apps for legit reasons, and we don’t want to block the DJ just because he’s using a sketchy cloud tool.
Here’s how to roll out the red carpet:
- Create a VIP device group in MDE – In the Defender portal, go to Settings > Endpoints > Device groups and create a group whose membership rule matches a device tag (think of it as your guest wristband). The tag name in the rule must match exactly the tag you put on the devices in MDE, including case and spacing; it’s your pass at the door.

- Build the VIP list in Defender for Cloud Apps – Head to Cloud Discovery > App tags > Scoped profiles and hit Add profile.

- Name the profile, select Exclude, and pick the MDE device group you just created.

- Apply that VIP profile – Go back to the app, hit Unsanction, check “Select a profile…”, and pick your freshly made exclusion profile. Boom, they’re on the list!

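The wristband step above is the one that most often goes wrong, because the tag on the device and the tag in the device group rule have to match exactly. Here is an added PowerShell example (not code from the original post) that stamps the tag on an endpoint using the documented DeviceTagging registry value, reads it back for a case-sensitive comparison, and, as an alternative for devices you can’t log on to, adds the same tag through the MDE machine tags API. The tag name ShadowIT-VIP, the machine ID and the bearer token are assumptions for illustration.

```powershell
# Added example, not from the original post. Run elevated on a device onboarded to MDE.
# Assumption: the VIP device group's membership rule is "Tag equals ShadowIT-VIP" (hypothetical name).
$TagName = 'ShadowIT-VIP'
# Documented Defender for Endpoint tagging location; the REG_SZ value 'Group' holds one tag.
$KeyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection\DeviceTagging'

function Set-MdeDeviceTag {
    param([Parameter(Mandatory)][string]$Tag)
    if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    New-ItemProperty -Path $KeyPath -Name 'Group' -Value $Tag -PropertyType String -Force | Out-Null
}

function Get-MdeDeviceTag {
    try { (Get-ItemProperty -Path $KeyPath -Name 'Group' -ErrorAction Stop).Group }
    catch { $null }
}

function Test-MdeDeviceTag {
    param([Parameter(Mandatory)][string]$Expected)
    # -ceq is case-sensitive: 'shadowit-vip' would NOT put the device in the group.
    $actual = Get-MdeDeviceTag
    [pscustomobject]@{ Expected = $Expected; Actual = $actual; Matches = ($actual -ceq $Expected) }
}

function Add-MdeDeviceTagViaApi {
    # Remote alternative: the MDE "Add or remove machine tags" API.
    # Assumptions: $MachineId is the device's MDE machine ID and $AccessToken is a
    # bearer token for api.securitycenter.microsoft.com with Machine.ReadWrite.All.
    param(
        [Parameter(Mandatory)][string]$MachineId,
        [Parameter(Mandatory)][string]$Tag,
        [Parameter(Mandatory)][string]$AccessToken
    )
    $uri  = "https://api.securitycenter.microsoft.com/api/machines/$MachineId/tags"
    $body = @{ Value = $Tag; Action = 'Add' } | ConvertTo-Json
    Invoke-RestMethod -Method Post -Uri $uri -ContentType 'application/json' `
        -Headers @{ Authorization = "Bearer $AccessToken" } -Body $body
}

# Local path: set the tag, then verify it matches the group rule exactly.
Set-MdeDeviceTag -Tag $TagName
Test-MdeDeviceTag -Expected $TagName | Format-List

# Remote path (uncomment and supply real values):
# Add-MdeDeviceTagViaApi -MachineId '<machine-id>' -Tag $TagName -AccessToken '<token>'
```

The registry tag only shows up in the portal after the device’s next sensor report, and the device group membership (and therefore the Defender for Cloud Apps exclusion) updates after that, which is part of why the rollout takes a while.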
The Result?
- Everyone else? Blocked at the door.
- Your VIPs? Waved right in.
Party planning tip: it might take up to 3 hours for this to update across all devices. Grab a drink and hang tight.
When the Block Party Gets Bumpy (Troubleshooting)
Apps Still Aren’t Being Blocked
- Check that Defender for Cloud Apps is set to enforce app access for MDE (Settings > Cloud Apps > Cloud Discovery > Microsoft Defender for Endpoint > Enforce app access).
- Make sure MDE’s Advanced features has both Custom network indicators and Microsoft Defender for Cloud Apps turned on (Settings > Endpoints > Advanced features).
- Network Protection needs to be in Block mode, not just Audit. In audit mode the endpoint only logs what it would have blocked and lets the traffic through.
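When a device is onboarded but still lets the app through, the fastest way to tell whether the problem is the endpoint or the policy is to ask the endpoint directly. The following added PowerShell example (not from the original post) checks the onboarding state, reports whether Network Protection is disabled, auditing or blocking, flips it to block mode if you want, and pulls the recent Network Protection events so you can see whether blocks are actually firing. Run it elevated on the device.

```powershell
# Added example, not from the original post. Run elevated on a device onboarded to MDE.

function Get-MdeOnboardingState {
    # Documented status key; OnboardingState = 1 means the sensor is onboarded.
    $status = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status' `
        -ErrorAction SilentlyContinue
    if ($null -eq $status) { return 'NotOnboarded' }
    if ($status.OnboardingState -eq 1) { 'Onboarded' } else { "Unknown($($status.OnboardingState))" }
}

function Get-NetworkProtectionMode {
    # EnableNetworkProtection: 0 = Disabled, 1 = Enabled (block), 2 = AuditMode
    $mode = (Get-MpPreference).EnableNetworkProtection
    switch ($mode) { 0 { 'Disabled' } 1 { 'Block' } 2 { 'Audit' } default { "Unknown($mode)" } }
}

function Enable-NetworkProtectionBlockMode {
    # Local change; a GPO or Intune policy can override it on the next policy refresh.
    Set-MpPreference -EnableNetworkProtection Enabled
    Get-NetworkProtectionMode
}

function Get-NetworkProtectionEvents {
    param([int]$Hours = 24)
    # Defender operational log: 1125 = fired in audit mode, 1126 = fired in block mode.
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1125, 1126
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id,
            @{ Name = 'Mode'; Expression = { if ($_.Id -eq 1126) { 'Block' } else { 'Audit' } } },
            Message
}

# Checklist run: if any of these is off, the app will not be blocked no matter what the policy says.
"Onboarding:          $(Get-MdeOnboardingState)"
"Network Protection:  $(Get-NetworkProtectionMode)"
$events = @(Get-NetworkProtectionEvents -Hours 24)
"NP events (24h):     $($events.Count)"
$events | Select-Object -First 5 | Format-Table TimeCreated, Mode -AutoSize

# Uncomment to switch a device out of audit mode locally:
# Enable-NetworkProtectionBlockMode
```

If the device is onboarded, Network Protection reports Block, and you see 1125 or 1126 events for other sites but nothing for the app you unsanctioned, the problem is upstream: check that the domains actually arrived as indicators in the portal rather than chasing the endpoint.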
Policy Isn’t Triggering
- Double-check your filter logic. Are there actually apps with a risk score of 1–5 in your discovery data?
- Confirm your policy is set to look at “All continuous reports.”
- Make sure the policy wasn’t accidentally disabled.
- If you are excluding devices, be sure each device carries the correct tag in MDE so that it is actually a member of the MDE device group.

Excluded User Still Showing Up
- Confirm they were part of the excluded group before the activity occurred.
- Defender for Cloud Apps doesn’t scrub old data. Exclusions apply going forward only.
- Don’t want to scope exclusions? You can also raise the risk threshold or add conditions to keep legit apps out of the danger zone. I personally try to stay away from this, but it does work.

Wrapping It Up
With auto-blocking policies and scoped exclusions in place, you’re not just spotting Shadow IT, you’re stopping it in its tracks. The best part? You can do this without over-policing your power users.