Block unsanctioned apps – MCAS + MDATP + Intune configuration

Block unsanctioned apps – MCAS + MDATP + Intune configuration

This article will describe how to block unsanctioned apps in Intune together with MDATP and MCAS.


  • Azure AD Joined MEM Intune managed devices
  • Devices are enrolled in Microsoft Defender Advanced Threat Protection
  • Microsoft Cloud App Security is enabled


  • We wanna block access to unsanctioned apps, for demo purposes I chose

Microsoft Defender Advanced Threat Protection is a platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats. Microsoft Defender ATP uses the following combination of technology built into Windows 10 and Microsoft’s robust cloud service:

  • Endpoint behavioral sensors: Embedded in Windows 10, these sensors collect and process behavioral signals from the operating system and sends this sensor data to your private, isolated, cloud instance of Microsoft Defender ATP.
  • Cloud security analytics: Leveraging big-data, machine-learning, and unique Microsoft optics across the Windows ecosystem, enterprise cloud products (such as Office 365), and online assets, behavioral signals are translated into insights, detections, and recommended responses to advanced threats.
  • Threat intelligence: Generated by Microsoft hunters, security teams, and augmented by threat intelligence provided by partners, threat intelligence enables Microsoft Defender ATP to identify attacker tools, techniques, and procedures, and generate alerts when these are observed in collected sensor data.

More info on MDATP here. Moving to the cloud increases flexibility for employees and IT alike. However, it also introduces new challenges and complexities for keeping your organization secure. To get the full benefit of cloud apps and services, an IT team must find the right balance of supporting access while maintaining control to protect critical data. Microsoft Cloud App Security is a Cloud Access Security Broker that supports various deployment modes including log collection, API connectors, and reverse proxy. It provides rich visibility, control over data travel, and sophisticated analytics to identify and combat cyberthreats across all your Microsoft and third-party cloud services. Microsoft Cloud App Security natively integrates with leading Microsoft solutions and is designed with security professionals in mind. It provides simple deployment, centralized management, and innovative automation capabilities.

  • Discover and control the use of Shadow IT: Identify the cloud apps, IaaS, and PaaS services used by your organization. Investigate usage patterns, assess the risk levels and business readiness of more than 16,000 SaaS apps against more than 80 risks. Start managing them to ensure security and compliance.
  • Protect your sensitive information anywhere in the cloud: Understand, classify, and protect the exposure of sensitive information at rest. Leverage out-of-the box policies and automated processes to apply controls in real-time across all your cloud apps.
  • Protect against cyberthreats and anomalies: Detect unusual behavior across cloud apps to identify ransomware, compromised users or rogue applications, analyze high-risk usage and remediate automatically to limit the risk to your organization.
  • Assess the compliance of your cloud apps: Assess if your cloud apps meet relevant compliance requirements including regulatory compliance and industry standards. Prevent data leaks to non-compliant apps, and limit access to regulated data.

More info on MCAS here.  


1. Configure MDATP

Navigate to the Microsoft Defender Security Center. Click on Settings.

Click on ‘Advanced Features’. Put ‘Custom network indicators on ON’ and put ‘Microsoft Cloud App Security on ON’.


2. Configure MCAS

Navigate to the Cloud App Security dashboard. Click on ‘Settings’.

Click on ‘Settings’ again.

Click on ‘Microsoft Defender ATP’, and select ‘Block unsanctioned apps’.

Click on ‘Discover’, and then click on ‘Discovered apps’. Search for ‘Twitch’. Click on ‘Tag as unsanctioned’.


3. Configure MEM Intune (MDATP configuration profiles)

There are some prerequisites that have to be met. More info here. In short, prerequisites are:

Navigate to the MEM Intune dashboard. Click on ‘Devices’, then on ‘Configuration profiles’ and at last click on ‘Create profile’.

Give your profile a name, choose ‘Windows 10 and later as platform’, choose ‘Device restrictions’ as profile type.

Click on ‘Microsoft Defender Smartscreen’ and put the settings like in the screenshot below.

Click on ‘Microsoft Defender Antivirus” and put the settings like those marked in the screenshot below.

Now let’s create another profile. Click on ‘Devices’, then on ‘Configuration profiles’ and at last click on ‘Create profile’.

Give your profile a name, choose ‘Windows 10 and later as platform’, choose ‘Endpoint protection’ as profile type.

Click on ‘Microsoft Defender Exploit Guard’, then on ‘Network Filtering’ and put the ‘Network protection mode’ on ‘Enable’.


4. Now let’s test it!

Open the site in different browsers. You’ll see it will get blocked.


Happy testing!


More articles on MDATP: