The preview of a new app governance add-on for Microsoft Client App Security gives Office 365 administrators insight into Graph-based apps. The add-on depends on information gathered from Azure AD and MCAS to generate insights about apps and their usage, including highlighting apps which are overprivileged or highly privileged. Although you can do some of the auditing yourself, the add-on makes it easier. It’s a preview, so some glitches are present.
Microsoft Cloud App Security (MCAS) can integrate with Azure Information Protection to allow automated policy-driven application of Office 365 sensitivity labels to Office documents and PDFs. You can depend on users to apply labels manually as they create documents, but it’s easy for humans to forget to add protection where a computer won’t. You’ll pay extra for MCAS, but it could be worthwhile.