Apply Tag Recommendations to Sanctioned Apps

Log in to your tenant, and navigate to SaaS Security Inline.
To navigate to the Discovered Applications view, select
Discovered Apps
Applications
.
If SaaS Security Inline has discovered apps that are enterprise apps accessible through your identity provider, a banner message displays the number of apps and suggests that you tag the apps as
Sanctioned
.

You can click the
Cloud Identity Engine
link in the banner message to navigate to the Directories page of the Cloud Identity Engine. On this page, you can view the Azure AD and Okta Directory instances that are synced to Cloud Identity Engine. SaaS Security Inline uses this synced information to identify your organization's enterprise apps.
Select the option to
Review Tags Now
.
The Tag Recommendations window lists the apps that SaaS Security Inline identified as sanctioned. By default, SaaS Security Inline applies the
Tagged: Never
filter to list only the applications that were never tagged.

Review the list to determine whether you want to accept the recommendation to tag the apps as
Sanctioned
, or if you want to apply a different tag to one or more of the apps.
If you do not want to tag the apps at this time, take one of the following actions:
If you do not currently have enough information to determine whether to accept the recommended tagging or to apply alternative tags, close the Tag Recommendations window. SaaS Security Inline will display the banner notification later to remind you to take action. You can also open the
Tag Recommendations
window from the Discovered Applications view.
If you do not want to apply the
Sanctioned
tag to the selected apps and you do not want SaaS Security Inline to remind you about these apps again, select the apps and choose
Ignore
. SaaS Security Inline will not tag the selected apps, and hides the apps from the list. If you decide to tag these apps later, you can open the
Tag Recommendations
window and filter the tag recommendations to show apps that have a
Tag Status
of
Ignored
.
To apply tags to apps, select one of more of the apps and take one of the following actions:
To tag the selected apps with the
Sanctioned
tag,
Accept Tag as Sanctioned
.
To apply an alternative tag to the selected apps, from the
Re-Tag
action list, select the tag you want to apply.
(
Optional
) Review previously tagged applications.
When you first open the Tag Recommendations window, SaaS Security Inline applies the
Tagged: Never
filter to list only the applications that were never tagged. To view applications that are already tagged, complete the following steps:
Use the
Tagged
filter to show all tagged applications, or only the applications that were tagged in the last 7, 30, or 90 days.
The Tag Recommendations window displays additional columns that show each application's current tag and when the tag was applied.
If your tenant has SaaS Security Inline and SSPM enabled, the Tag Recommendations window also displays an
Onboarding Status
column. The
Onboarding Status
column displays Data Security and Posture Security labels to show whether Data Security and SSPM scans are available for the app. If a label contains a green circle, this means that the application is onboarded and at least one instance is active. If a label contains a red circle, this means that the application is onboarded, but no instance is active. If neither colored circle appears in the label, then scans are available, but the application is not onboarded. If scans are available but the application is not onboarded, we recommend that you onboard the application.

To re-tag an application, select the application in the list and, from the
Re-Tag
action list, select the tag you want to apply.