Apply Tag Recommendations to Sanctioned Apps

1. Log in to your tenant, and navigate to SaaS Security Inline.
2. To navigate to the Discovered Applications view, select Discovered AppsApplications.

   If SaaS Security Inline has discovered apps that are enterprise apps accessible through your identity provider, a banner message displays the number of apps and suggests that you tag the apps as Sanctioned.

   You can click the Cloud Identity Engine link in the banner message to navigate to the Directories page of the Cloud Identity Engine. On this page, you can view the Azure AD and Okta Directory instances that are synced to Cloud Identity Engine. SaaS Security Inline uses this synced information to identify your organization's enterprise apps.
3. Select the option to Review Tags Now.

   The Tag Recommendations window lists the apps that SaaS Security Inline identified as sanctioned. By default, SaaS Security Inline applies the Tagged: Never filter to list only the applications that were never tagged.

4. Review the list to determine whether you want to accept the recommendation to tag the apps as Sanctioned, or if you want to apply a different tag to one or more of the apps.

   If you do not want to tag the apps at this time, take one of the following actions:

   • If you do not currently have enough information to determine whether to accept the recommended tagging or to apply alternative tags, close the Tag Recommendations window. SaaS Security Inline will display the banner notification later to remind you to take action. You can also open the Tag Recommendations window from the Discovered Applications view.
   • If you do not want to apply the Sanctioned tag to the selected apps and you do not want SaaS Security Inline to remind you about these apps again, select the apps and choose Ignore. SaaS Security Inline will not tag the selected apps, and hides the apps from the list. If you decide to tag these apps later, you can open the Tag Recommendations window and filter the tag recommendations to show apps that have a Tag Status of Ignored.
5. To apply tags to apps, select one of more of the apps and take one of the following actions:

   • To tag the selected apps with the Sanctioned tag, Accept Tag as Sanctioned.
   • To apply an alternative tag to the selected apps, from the Re-Tag action list, select the tag you want to apply.
6. (Optional) Review previously tagged applications.

   When you first open the Tag Recommendations window, SaaS Security Inline applies the Tagged: Never filter to list only the applications that were never tagged. To view applications that are already tagged, complete the following steps:

   1. Use the Tagged filter to show all tagged applications, or only the applications that were tagged in the last 7, 30, or 90 days.

      The Tag Recommendations window displays additional columns that show each application's current tag and when the tag was applied.

      If your tenant has SaaS Security Inline and SSPM enabled, the Tag Recommendations window also displays an Onboarding Status column. The Onboarding Status column displays Data Security and Posture Security labels to show whether Data Security and SSPM scans are available for the app. If a label contains a green circle, this means that the application is onboarded and at least one instance is active. If a label contains a red circle, this means that the application is onboarded, but no instance is active. If neither colored circle appears in the label, then scans are available, but the application is not onboarded. If scans are available but the application is not onboarded, we recommend that you onboard the application.

   2. To re-tag an application, select the application in the list and, from the Re-Tag action list, select the tag you want to apply.