Simplifying SaaS App Management Through Auto-Tagging

Showing results for 
Show  only  | Search instead for 
Did you mean: 
Please sign in to see details of an important advisory in our Customer Advisories area.
L1 Bithead



Release Announcement: SaaS Security Auto Tagging Recommendation for Sanctioned Applications Now Available


Large enterprises are dealing with the ongoing challenge of managing sanctioned and sanctioned SaaS applications. In fact, 59% of IT professionals struggle with SaaS Sprawl as cited here. That’s why we are excited to announce the latest innovation in SaaS Security - Auto Tagging Recommendation for Sanctioned Applications. Rolled out on January 16, 2024, this feature marks a significant leap forward in empowering our users with advanced visibility and control over their sanctioned applications.


Our latest enhancement, the Auto-Tagging Recommendation for Sanctioned Applications, is designed to provide users with unparalleled visibility and control. By leveraging the Cloud Identity Engine (CIE) for the first time, SaaS Security Inline is now capable of seamlessly recognizing enterprise applications accessible through identity providers.


Key Benefits:

  1. Seamless Tagging: Automatically identifies and recommends sanctioned applications, reducing manual efforts.
  2. Enhanced Visibility: Offers deeper insights into the usage of sanctioned applications.
  3. Effective Policy Controls: Enable effective usage of existing policy controls for sanctioned apps.


How it Works:

SaaS Security Inline intelligently utilizes data from the Cloud Identity Engine, suggesting admin users tag applications as Sanctioned upon detection. Admins have the flexibility to accept, ignore, or retag the system-generated recommendations. Once tagged, real-time updates on onboarding status with respect to Posture and Data security are seamlessly provided.


Additional Features:

This streamlined process ensures that customers promptly gain visibility into their Sanctioned applications, facilitating effective monitoring and policy creation. Onboarding status visibility for Data Security and Posture Security provides comprehensive CASB protection for Sanctioned applications. Users can stay informed and in control of their applications' security posture with this proactive approach.


Admin Guide: Apply Tag Recommendations to Sanctioned Apps

Admins can now effortlessly categorize approved organization-wide apps by applying the default tag "Sanctioned." The process involves reviewing recommendations from SaaS Security Inline based on data from the Cloud Identity Engine.



  • Activate Cloud Identity Engine on your tenant.
  • Configure directory sync in Cloud Identity Engine for Azure AD or Okta Directory.


How to Apply Tags:

  1. Navigate to the Discovered Applications view.
  2. Review recommended apps tagged as Sanctioned.
  3. Accept, ignore, or retag recommendations based on your organization's policies.


Reviewing Previously Tagged Applications:

Admins can review previously tagged applications, filter by tag duration, and assess onboarding status for Data Security and Posture Security.



The Auto Tagging Recommendation for Sanctioned Applications by Palo Alto Networks simplifies the management of sanctioned applications in SaaS environments. It reduces the manual workload and enhances the security posture by providing immediate visibility and control over these applications. Organizations can contact Palo Alto Networks today to begin securing themselves from sensitive data loss.


Stay secure, stay empowered!



Best Regards,

Priyanka Neelakrishnan  |  Product Line Manager, Cloud Security

L0 Member

Automation, enhanced visibility, & effective controls! Congrats @pneelakrishn !  

L1 Bithead

Thanks @rohsawhney Once we name it (by tagging apps) then it's easy to protect it. 

Register or Sign-in
Top Liked Authors