As organisations harden user authentication with MFA, Conditional Access, and endpoint security, attackers are increasingly shifting focus away from users and towards application identities. Malicious or compromised third-party apps, excessive OAuth permissions, and trusted integrations now represent a quiet but highly effective supply-chain attack vector in Microsoft 365.

These attacks frequently bypass traditional sign-in and endpoint telemetry, allowing apps to persist and access data without triggering the controls security teams rely on most. In this session, we’ll explore why app-based attacks are so effective, where common identity and security controls fall short, and how App Governance in Microsoft Defender XDR can be used not only to detect active threats, but also to proactively reduce app risk before a breach occurs.

What will be covered
- How modern supply-chain attacks abuse OAuth apps and application identities
- Why MFA, Conditional Access, and endpoint controls often fail to stop app-based attacks
- Using the App Governance portal to review app permissions and identify over-privileged or risky applications
- How App Governance detects suspicious app behaviour beyond static permission reviews
- Investigating app-based threats using Defender XDR
- Practical response actions, including permission revocation, app disablement, and containment
- Governance patterns to reduce app risk without blocking productivity

What can the audience expect to leave with?
Attendees will leave with a clear understanding of how application-based attacks operate in Microsoft 365, how to use the App Governance portal to continuously assess app permissions and risk, and how to respond when an app becomes malicious or compromised. They’ll also gain practical guidance on shifting from one-time app approval to ongoing governance, helping close one of the most commonly overlooked gaps in modern identity security.

Products: Microsoft Entra ID, Microsoft Defender XDR, App Governance, Microsoft Graph