You remediate app threats to your Microsoft 365 tenant through the Alerts page of the Microsoft app governance section of the Microsoft 365 Defender.
The Alerts page by default lists new threat alerts generated by app governance and policy-based alerts generated by active app policies. You can view the details of a specific alert by selecting it, which opens an alert pane with additional alert information and the ability to change its status.
From this pane, you can get this additional information:
- Additional details on the alert from the Description field.
- The name of the app policy that generated the alert from the Policy name field. You can also select View policy to go to the app policy that generated the alert.
App policies that you configured for automatic remediation from the Action will have a status of Resolved.
You can remediate an app alert with these steps:
- Investigation: Examine the information in the alert and change its status to Mark in progress.
- Resolution: After your investigation and, as needed, the determination of app policy changes or continued app support in your tenant, change its status to Resolved.
Based on app alert patterns, you can update the appropriate app policy and change its Action setting to perform automatic remediation. This removes your need to investigate and manually resolve future alerts that are generated by the app policy. For more information, see Manage your app policies.