>
    Strata Copilot
    Apply Tag Recommendations to Sanctioned Apps
    Focus
    Download PDF
    Focus
    1. Home
    2. SaaS Security
    3. Manage Policy for Unsanctioned SaaS Apps
    4. Apply Tag Recommendations to Sanctioned Apps
    Download PDF
    SaaS Security

    Apply Tag Recommendations to Sanctioned Apps

    Table of Contents

    Apply Tag Recommendations to Sanctioned Apps

    SaaS Security Inline's autotagging feature uses information from Cloud Identity Engine to identify apps that are sanctioned by your organization.
    Where Can I Use This?What Do I Need?
    • NGFW (Managed by Panorama or Strata Cloud Manager)
    • Prisma Access (Managed by Panorama or Strata Cloud Manager)
    • SaaS Security Inline license
    • NGFW or Prisma Access license
    Or any of the following licenses that include the SaaS Security Inline license:
    • CASB-X
    • CASB-PA
    To categorize apps that your organization has approved for general use, you can apply the default tag Sanctioned to the apps. To help you identify apps that you should tag as Sanctioned, SaaS Security Inline uses information from the Cloud Identity Engine to determine if a detected app is an enterprise application accessible through your identity provider. If the app is an enterprise application, SaaS Security Inline will recommend that you tag the app as Sanctioned.
    When you navigate to the Discovered Applications view, a banner message will notify you if SaaS Security Inline has discovered any new apps that it has determined to be sanctioned. You can then review a list of these apps and tag them as Sanctioned. Alternatively, you can reject the tagging recommendation for one or more of the apps and apply other tags instead.
    Prerequisites: To determine if an app is sanctioned by your organization, SaaS Security Inline attempts to obtain information from Azure Active Directory (Azure AD) or Okta Directory through the Cloud Identity Engine. To enable sanctioned app detection, the following configuration is required.
    • You must have activated Cloud Identity Engine on your tenant.
    • You must have configured directory sync in Cloud Identity Engine for Azure AD or Okta Directory. This enables Azure AD or Okta Directory to communicate with the Cloud Identity Engine.
      If you configure directory sync for Azure AD, you must make sure that the sync is collecting information about enterprise applications. To do this, when you're configuring directory sync for Azure AD, select the Collect enterprise applications check box. If directory sync is already configured for an Azure AD directory, verify that the sync is collecting enterprise application information.
      1. In Cloud Identity Engine, navigate to the Directories page.
      2. Locate the Azure AD directory and select ActionsEdit.
      3. Verify that the Collect enterprise applications check box is selected.
    SaaS Security Inline can identify a majority of SaaS enterprise applications supported by Azure AD and Okta Directory. To create tagging recommendations, SaaS Security Inline matches this information with the SaaS apps that it discovers in your environment. However, for a minority of applications, SaaS Security Inline can’t match the application it discovers in your environment with the information from Azure AD and Okta Directory. If SaaS Security Inline detects these applications in your environment, it's not able to recommend that you tag the applications as Sanctioned.
    1. Log in to Strata Cloud Manager.
    2. Select ConfigurationSaaS SecurityDiscovered AppsApplications.
      If SaaS Security Inline has discovered apps that are enterprise apps accessible through your identity provider, a banner message displays the number of apps and suggests that you tag the apps as Sanctioned.
      You can click the Cloud Identity Engine link in the banner message to navigate to the Directories page of the Cloud Identity Engine. On this page, you can view the Azure AD and Okta Directory instances that are synced to Cloud Identity Engine. SaaS Security Inline uses this synced information to identify your organization's enterprise apps.
    3. Select the option to Review Tags Now.
      The Tag Recommendations window lists the apps that SaaS Security Inline identified as sanctioned. By default, SaaS Security Inline applies the Tagged: Never filter to list only the applications that were never tagged.
    4. Review the list to determine whether you want to accept the recommendation to tag the apps as Sanctioned, or if you want to apply a different tag to one or more of the apps.
      If you don’t want to tag the apps at this time, take one of the following actions:
      • If you don’t currently have enough information to determine whether to accept the recommended tagging or to apply alternative tags, close the Tag Recommendations window. SaaS Security Inline will display the banner notification later to remind you to take action. You can also open the Tag Recommendations window from the Discovered Applications view.
      • If you don’t want to apply the Sanctioned tag to the selected apps and you don’t want SaaS Security Inline to remind you about these apps again, select the apps and choose Ignore. SaaS Security Inline won’t tag the selected apps, and hides the apps from the list. If you decide to tag these apps later, you can open the Tag Recommendations window and filter the tag recommendations to show apps that have a Tag Status of Ignored.
    5. To apply tags to apps, select one of more of the apps and take one of the following actions:
      • To tag the selected apps with the Sanctioned tag, Accept Tag as Sanctioned.
      • To apply an alternative tag to the selected apps, from the Re-Tag action list, select the tag you want to apply.
    6. (Optional) Review previously tagged applications.
      When you first open the Tag Recommendations window, SaaS Security Inline applies the Tagged: Never filter to list only the applications that were never tagged. To view applications that are already tagged, complete the following steps:
      1. Use the Tagged filter to show all tagged applications, or only the applications that were tagged in the last 7, 30, or 90 days.
        The Tag Recommendations window displays additional columns that show each application's current tag and when the tag was applied.
        If your tenant has SaaS Security Inline and SaaS Security Posture Management enabled, the Tag Recommendations window also displays an Onboarding Status column. The Onboarding Status column displays Data Security and Posture Security labels to show whether Data Security and SaaS Security Posture Management scans are available for the app. If a label contains a green circle, this means that the application is onboarded and at least one instance is active. If a label contains a red circle, this means that the application is onboarded, but no instance is active. If neither colored circle appears in the label, then scans are available, but the application is not onboarded. If scans are available but the application is not onboarded, we recommend that you onboard the application.
      2. To re-tag an application, select the application in the list and, from the Re-Tag action list, select the tag you want to apply.

    © 2026 Palo Alto Networks, Inc. All rights reserved.