MS-102 Study Guide

Domain 1: Deploy and Manage a Microsoft 365 Tenant

  • Establish and Configure Your M365 Tenant
  • Monitor Tenant Health and Network Readiness
  • Adoption Tracking and Microsoft 365 Backup
  • Manage Users, Contacts and External Identities
  • Groups, Shared Mailboxes and Licensing at Scale
  • Automate with PowerShell: Bulk User Operations
  • Roles, Role Groups and Workload Permissions
  • Delegate with Administrative Units and PIM

Domain 2: Implement and Manage Microsoft Entra Identity and Access

  • Prepare for Identity Synchronization
  • Implement Connect Sync and Cloud Sync
  • Monitor and Troubleshoot Identity Sync
  • Authentication Methods and Self-Service Password Reset
  • Password Protection and Authentication Troubleshooting
  • Entra Identity Protection and Risk Policies
  • Conditional Access and MFA Enforcement

Domain 3: Manage Security and Threats by Using Microsoft Defender XDR

  • Defender XDR: Security Posture and Threat Intelligence
  • Investigate Incidents with Advanced Hunting
  • Defender for Office 365: Threat Policies
  • Email Threats, Attack Simulation and Restricted Entities
  • Defender for Endpoint: Onboard and Protect
  • Vulnerability Management
  • Defender for Cloud Apps: Connect and Govern
  • Cloud App Discovery and Activity Monitoring

Domain 4: Manage Compliance by Using Microsoft Purview

  • Sensitive Information Types and Data Classification
  • Retention Labels and Data Lifecycle
  • Sensitivity Labels and Monitoring
  • DLP Policies Across M365 Workloads
  • Endpoint DLP and Alert Response

Domain 3: Manage Security and Threats by Using Microsoft Defender XDR (~15 min read)

Defender for Cloud Apps: Connect and Govern

Configure the Microsoft 365 app connector, create policies to detect risky behavior, and govern shadow IT with Microsoft Defender for Cloud Apps.

Governing what you can’t see

☕ Simple explanation

Defender for Cloud Apps is your organization’s air traffic control for cloud services.

Right now, your employees are using dozens — maybe hundreds — of cloud apps. Some you approved. Many you didn’t. You can’t secure what you don’t know about, and you can’t control what you haven’t connected.

Defender for Cloud Apps does three things: it discovers every cloud app your employees use (even the ones IT never heard of), it connects to your sanctioned apps (like Microsoft 365, Salesforce, Box) to monitor what’s happening inside them, and it enforces policies to block risky behavior automatically — like a user downloading 500 files in 10 minutes or sharing confidential documents with a personal email address.

Microsoft Defender for Cloud Apps (MDA) is Microsoft’s Cloud Access Security Broker (CASB). It provides visibility, control, and threat protection for cloud applications. Core capabilities:

  • Cloud Discovery — identifies all cloud apps in use via traffic log analysis or Defender for Endpoint integration
  • App connectors — API-level integration with sanctioned SaaS apps for deep visibility into user activities, files, and configurations
  • Policy engine — automated detection and response for risky activities, anomalous behavior, and compliance violations
  • Conditional Access App Control — real-time session controls that proxy traffic through Defender for Cloud Apps for inline monitoring and enforcement

MDA is included with Microsoft 365 E5, EMS E5, or available as a standalone license. It integrates natively with Entra ID, Defender for Endpoint, and the broader Defender XDR suite.

App connectors — your eyes inside SaaS apps

App connectors use API-level integration to pull activity data, user information, and file metadata from connected cloud applications. Once connected, you get deep visibility without proxying traffic.

Connecting Microsoft 365

The Microsoft 365 connector is the first one every admin should configure. It provides visibility into:

  • Exchange Online — mail forwarding rules, delegate access, mailbox permission changes
  • SharePoint Online — file sharing, external access, permission changes
  • OneDrive — file downloads, sharing with external users, sync activity
  • Teams — guest access, app installations, file sharing in channels
  • Power Platform — Power Automate flows, Power Apps usage

To connect Microsoft 365:

  1. Navigate to Settings in the Defender portal, then Cloud Apps, then Connected apps, then App Connectors
  2. Select Microsoft 365 from the app catalog
  3. Choose which Microsoft 365 components to connect (Exchange, SharePoint, Teams, etc.)
  4. Authorize the connection using a Global Administrator account
  5. The connector begins pulling historical data — initial sync can take several hours

Third-party app connectors

Beyond Microsoft 365, Defender for Cloud Apps connects to popular SaaS platforms via API connectors:

App | Key visibility | Authentication method
Salesforce | User logins, data exports, permission changes | OAuth connected app
Box | File sharing, external collaboration, admin actions | Enterprise app authorization
Google Workspace | Drive sharing, email forwarding, admin console changes | Service account with domain-wide delegation
Dropbox | File sharing, link permissions, team folder access | Team admin authorization
ServiceNow | Instance access, configuration changes, data exports | OAuth or username/password

ℹ️ Priya discovers shadow IT at GlobalReach

When Priya first connected the Microsoft 365 connector at GlobalReach Corp, she expected to find normal activity. Instead, the first week revealed:

  • 47 mail forwarding rules routing email to external addresses — three belonged to former employees whose accounts were never properly offboarded
  • 2,100 externally shared files in OneDrive — including 340 marked as “anyone with the link” (no authentication required)
  • 14 Power Automate flows copying SharePoint data to personal Dropbox accounts

Without the app connector, none of this was visible. The M365 admin center shows some of this data in scattered reports, but Defender for Cloud Apps surfaces it through a unified policy engine that can detect and respond automatically.

Policy types — automated detection and response

Policies are the enforcement engine. Each policy type addresses a different threat vector.

Defender for Cloud Apps Policy Types

Policy type | What it monitors | Example use case
Activity policy | User and admin activities from connected apps | Alert when a user downloads more than 100 files in 5 minutes
Anomaly detection policy | Behavioral deviations detected by ML (built-in, always on) | Impossible travel — user signs in from London and Tokyo within 30 minutes
File policy | Files stored in connected cloud apps | Alert when a file containing credit card numbers is shared externally
Access policy | Real-time sign-in events via Conditional Access App Control | Block access to Exchange from unmanaged devices
Session policy | Real-time in-session actions via Conditional Access App Control | Allow viewing but block downloading sensitive files from unmanaged devices

Activity policies — monitoring what users do

Activity policies trigger when specific user or admin actions match your criteria. You define:

  • Activity filter — app, user, IP address, location, activity type
  • Repeated activity — trigger only when the same activity occurs X times within a timeframe
  • Alert severity — Low, Medium, High
  • Governance action — what happens when the policy triggers (notify user, suspend user, require sign-in again)

Example: Priya creates a policy at GlobalReach to detect mass downloads.

Setting | Value
Activity type | Download file
Repeated activity | More than 50 times within 5 minutes
App filter | SharePoint Online, OneDrive
Alert severity | High
Governance action | Suspend user, notify admin
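The following is an added example, not part of the study guide and not Microsoft's implementation: it models the activity-policy settings described above (activity filter, app filter, repeated-activity threshold, severity, governance action) as data and runs the "more than 50 times within 5 minutes" check as a per-user sliding window over a constructed activity log. The event format, the user names and the sample events are assumptions made for the example.

```python
# Added example (not from the study guide): a minimal model of the
# "repeated activity" check behind the mass-download activity policy.
# Event format, policy object and sample data are constructed here.
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class ActivityPolicy:
    name: str
    activity_type: str     # activity filter
    apps: frozenset        # app filter
    threshold: int         # "more than N times ..."
    window: timedelta      # "... within this timeframe"
    severity: str
    governance: tuple      # governance actions applied when the policy fires


# The policy from the table above, expressed as data.
MASS_DOWNLOAD = ActivityPolicy(
    name="Mass download from SharePoint/OneDrive",
    activity_type="Download file",
    apps=frozenset({"SharePoint Online", "OneDrive"}),
    threshold=50,
    window=timedelta(minutes=5),
    severity="High",
    governance=("Suspend user", "Notify admin"),
)


def evaluate(events, policy):
    """Return one alert per burst in which a user exceeds policy.threshold
    matching activities inside policy.window.

    events: iterable of dicts with keys time (ISO 8601), user, app, activity.
    """
    recent = defaultdict(deque)   # user -> timestamps of matching activity in the window
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        # Activity filter and app filter: ignore everything the policy is not about.
        if ev["activity"] != policy.activity_type or ev["app"] not in policy.apps:
            continue
        ts = datetime.fromisoformat(ev["time"])
        window = recent[ev["user"]]
        window.append(ts)
        # Drop timestamps that have fallen out of the sliding window.
        while ts - window[0] > policy.window:
            window.popleft()
        # Fire exactly when the count first exceeds the threshold, so a single
        # burst produces one alert rather than one per additional download.
        if len(window) == policy.threshold + 1:
            alerts.append({
                "policy": policy.name,
                "severity": policy.severity,
                "user": ev["user"],
                "count": len(window),
                "window_start": window[0].isoformat(),
                "window_end": ts.isoformat(),
                "governance": policy.governance,
            })
    return alerts


def sample_events():
    """Constructed activity-log sample: three users, one genuine burst."""
    base = datetime(2025, 1, 15, 9, 0, 0)
    events = []
    # alice: 60 downloads in 3 minutes from SharePoint -> should trigger
    for i in range(60):
        events.append({"time": (base + timedelta(seconds=3 * i)).isoformat(),
                       "user": "alice@globalreach.example",
                       "app": "SharePoint Online", "activity": "Download file"})
    # bob: 60 downloads at one per minute -> never more than 6 in any 5-minute window
    for i in range(60):
        events.append({"time": (base + timedelta(minutes=i)).isoformat(),
                       "user": "bob@globalreach.example",
                       "app": "OneDrive", "activity": "Download file"})
    # carol: same burst as alice but from Salesforce -> outside the app filter
    for i in range(60):
        events.append({"time": (base + timedelta(seconds=3 * i)).isoformat(),
                       "user": "carol@globalreach.example",
                       "app": "Salesforce", "activity": "Download file"})
    return events


if __name__ == "__main__":
    for alert in evaluate(sample_events(), MASS_DOWNLOAD):
        print(alert)
```

Only alice produces an alert: bob never has more than six downloads inside any five-minute window, and carol's burst is filtered out by the app filter before the counter sees it. Firing at exactly threshold + 1 is what keeps one burst from generating fifty separate alerts.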

Anomaly detection policies — ML-powered threat detection

These are built-in policies that run automatically — no configuration needed to start. They use machine learning to establish behavioral baselines for each user and alert when deviations occur.

Key built-in anomaly detections:

Detection | What it catches
Impossible travel | Sign-ins from geographically distant locations within an impossible timeframe
Activity from infrequent country | Sign-in from a country the user has never accessed from before
Ransomware activity | File extension patterns and activity sequences matching ransomware behavior
Multiple failed login attempts | Brute force patterns against cloud applications
Unusual file share activity | Sharing patterns that deviate significantly from the user’s baseline
Unusual admin activity | Admin actions that don’t match normal patterns

You can tune anomaly policies (adjust sensitivity, exclude groups) but you cannot create new ones from scratch.
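To make the impossible-travel detection concrete, here is an added example that is not part of the study guide and is not how Microsoft's ML models work: it applies only the core test (great-circle distance between a user's consecutive sign-ins divided by the time between them, compared with a plausibility limit). The 1000 km/h limit, the 50 km floor that ignores geolocation jitter inside one metro area, the city coordinates and the sign-in records are all constructed for the example.

```python
# Added example (not from the study guide): a simplified version of the
# "impossible travel" check. Real Defender for Cloud Apps uses ML baselines
# and richer signals; this applies only the core physics test. The geocoded
# sign-in records and the thresholds are constructed here.
import math
from datetime import datetime

MAX_PLAUSIBLE_KMH = 1000.0   # assumption: faster than any commercial flight
MIN_DISTANCE_KM = 50.0       # assumption: ignore IP geolocation jitter inside one metro area


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points on Earth, in kilometres."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def impossible_travel(signins, max_kmh=MAX_PLAUSIBLE_KMH, min_km=MIN_DISTANCE_KM):
    """Compare each user's consecutive sign-ins and flag pairs whose implied
    speed exceeds max_kmh. signins: dicts with user, time (ISO 8601), city, lat, lon."""
    by_user = {}
    for s in sorted(signins, key=lambda s: (s["user"], s["time"])):
        by_user.setdefault(s["user"], []).append(s)
    alerts = []
    for user, events in by_user.items():
        for prev, cur in zip(events, events[1:]):
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            if km < min_km:
                continue   # same area, nothing to explain
            gap = datetime.fromisoformat(cur["time"]) - datetime.fromisoformat(prev["time"])
            hours = gap.total_seconds() / 3600
            # Zero gap with a real distance means two places at once: treat as infinite speed.
            speed = math.inf if hours == 0 else km / hours
            if speed > max_kmh:
                alerts.append({"user": user, "from": prev["city"], "to": cur["city"],
                               "distance_km": round(km), "speed_kmh": speed})
    return alerts


def sample_signins():
    """Constructed sign-in records with approximate city coordinates."""
    london = (51.5074, -0.1278)
    tokyo = (35.6762, 139.6503)
    paris = (48.8566, 2.3522)
    newyork = (40.7128, -74.0060)

    def rec(user, time, city, coords):
        return {"user": user, "time": time, "city": city, "lat": coords[0], "lon": coords[1]}

    return [
        # London then Tokyo 30 minutes later -> impossible
        rec("alice", "2025-01-15T09:00:00", "London", london),
        rec("alice", "2025-01-15T09:30:00", "Tokyo", tokyo),
        # London then Paris an hour later -> plausible (train or short flight)
        rec("bob", "2025-01-15T09:00:00", "London", london),
        rec("bob", "2025-01-15T10:00:00", "Paris", paris),
        # Two sign-ins a few km apart in London -> below the distance floor
        rec("carol", "2025-01-15T09:00:00", "London", london),
        rec("carol", "2025-01-15T09:05:00", "London", (51.52, -0.10)),
        # New York and Tokyo at the same instant -> flagged as infinite speed
        rec("dave", "2025-01-15T09:00:00", "New York", newyork),
        rec("dave", "2025-01-15T09:00:00", "Tokyo", tokyo),
    ]


if __name__ == "__main__":
    for alert in impossible_travel(sample_signins()):
        print(alert)
```

The distance floor matters in practice: IP geolocation regularly places one user at two nearby points within minutes, and without it a raw speed test would alert on every such pair. The Marcus scenario in the knowledge check (a confirmed false positive) is exactly the kind of case that tuning, such as excluding a known VPN egress location, is meant to address.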

File policies — protecting sensitive content

File policies scan files stored in connected apps for sensitive content, risky sharing configurations, or policy violations.

  • Content inspection — scans file contents for sensitive data types (credit cards, health records, personally identifiable information)
  • Sharing status — detects files shared externally, publicly, or with specific domains
  • File type — filters by extension, size, or modification date
  • Governance actions — remove external sharing, quarantine file, notify file owner, apply sensitivity label
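The following is an added example, not part of the study guide and not Microsoft's content-inspection engine: a toy file-policy evaluator that combines content inspection (credit card numbers found by pattern and validated with the Luhn checksum, so look-alike serial numbers are not reported), a sharing-status filter, and a governance action. The file records, the policy shape and the choice of action per sharing status (remove external sharing for externally shared files, quarantine for "anyone with the link" files) are assumptions made for the example.

```python
# Added example (not from the study guide): a toy file-policy evaluator
# combining content inspection (credit card numbers, validated with Luhn),
# a sharing-status filter and a governance action. The file records, the
# policy shape and the action chosen per sharing status are constructed here.
import re
from dataclasses import dataclass

# 13-19 digit runs with optional single spaces or dashes between digits.
CARD_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits):
    """Luhn checksum: weeds out numbers that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text):
    """Return the Luhn-valid card-number candidates found in text."""
    found = []
    for m in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


@dataclass
class FilePolicy:
    name: str
    risky_sharing: frozenset   # sharing-status filter
    governance: dict           # governance action per sharing status (assumption)


CARD_SHARED_EXTERNALLY = FilePolicy(
    name="Credit card numbers shared outside the organization",
    risky_sharing=frozenset({"external", "public"}),
    governance={"external": "Remove external sharing", "public": "Put in quarantine"},
)


def evaluate_files(files, policy):
    """files: dicts with name, sharing ('internal' | 'external' | 'public'), content.
    Returns one finding per file matching both the content and the sharing filter."""
    findings = []
    for f in files:
        if f["sharing"] not in policy.risky_sharing:
            continue                           # sharing filter: internal-only files are fine
        cards = find_card_numbers(f["content"])
        if not cards:
            continue                           # content inspection found nothing
        findings.append({"file": f["name"], "sharing": f["sharing"],
                         "matches": len(cards), "action": policy.governance[f["sharing"]]})
    return findings


SAMPLE_FILES = [   # constructed records; 4111 1111 1111 1111 is a standard test number
    {"name": "vendor-payments.xlsx", "sharing": "external",
     "content": "Card on file: 4111 1111 1111 1111 for supplier X"},
    {"name": "q3-expenses.docx", "sharing": "public",
     "content": "Corporate card 4111-1111-1111-1111 used for travel"},
    {"name": "asset-tags.csv", "sharing": "external",
     "content": "Serial 1234 5678 9012 3456 (looks like a card but fails Luhn)"},
    {"name": "internal-ledger.xlsx", "sharing": "internal",
     "content": "4111 1111 1111 1111"},
    {"name": "notes.txt", "sharing": "public", "content": "No numbers here"},
]


if __name__ == "__main__":
    for finding in evaluate_files(SAMPLE_FILES, CARD_SHARED_EXTERNALLY):
        print(finding)
```

Two of the five files produce findings. The internal ledger contains a real card number but is not shared outside the organization, so the sharing filter excludes it, and the asset-tag serial is excluded by the checksum rather than by the pattern, which is the difference between a usable file policy and one that quarantines every spreadsheet with a long number in it.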

Access and session policies — real-time inline control

These two policy types require Conditional Access App Control — a Conditional Access integration that routes user sessions through a reverse proxy for real-time monitoring and enforcement.

Access Policies vs Session Policies

Feature | Access policy | Session policy
When it evaluates | At sign-in time | During the active session
What it controls | Whether the user can access the app at all | What the user can do inside the app
Example action | Block sign-in from unmanaged devices | Allow viewing files but block download or print
Requires Conditional Access integration | Yes | Yes
Granularity | Binary — allow or block access | Action-level — control specific operations within the session

💡 Exam tip: Which policy type for which scenario

The exam describes a scenario and expects you to identify the correct policy type:

  • “Alert when a user shares a file containing PII externally” — File policy (content inspection + sharing filter)
  • “Block downloads from unmanaged devices” — Session policy (requires CAAC, controls in-session actions)
  • “Detect a user signing in from two countries simultaneously” — Anomaly detection policy (impossible travel, built-in)
  • “Alert when an admin performs bulk user deletions” — Activity policy (monitors specific admin actions)
  • “Prevent access to Salesforce from non-corporate networks” — Access policy (evaluates at sign-in)

The key differentiator: if the scenario involves content inspection or file sharing, it’s a file policy. If it involves what happens during a session (download, print, copy), it’s a session policy. If it involves user behavioral anomalies, it’s anomaly detection.

Alert management — investigating and responding

When a policy triggers, it generates an alert in the Defender portal. Investigation workflow:

  1. Triage — review alert severity, affected user, and triggered policy
  2. Investigate — examine the activity log for context (what else did this user do before and after the alert?)
  3. Determine scope — is this an isolated incident or part of a broader attack?
  4. Respond — apply governance actions (suspend account, revoke sessions, remove sharing)
  5. Resolve — mark the alert as true positive (confirmed threat), false positive (benign), or benign true positive (real but not risky)

Governance actions

Governance actions are the automated or manual responses available when investigating alerts:

Action | What it does
Notify user | Sends an email notification to the affected user
Suspend user | Disables the user account in the connected app
Require sign-in again | Revokes active sessions, forcing re-authentication
Remove collaborator | Removes specific external sharing from a file
Put in quarantine | Moves the file to a quarantine folder and removes sharing
Apply sensitivity label | Applies a Microsoft Purview sensitivity label to the file

Question

What is the difference between an activity policy and an anomaly detection policy?

Answer

Activity policies are custom rules you create — you define exact conditions (e.g., more than 50 downloads in 5 minutes). Anomaly detection policies are built-in ML models that learn each user's behavioral baseline and alert on deviations (e.g., impossible travel, unusual admin activity). You can tune anomaly policies but cannot create new ones. Activity policies require manual configuration.

Question

What is Conditional Access App Control and which policy types require it?

Answer

Conditional Access App Control (CAAC) routes user sessions through a reverse proxy in Defender for Cloud Apps, enabling real-time monitoring and enforcement. Access policies (control sign-in decisions) and session policies (control in-session actions like download, print, copy) both require CAAC. Activity policies and file policies do NOT require CAAC — they use API connector data.

Question

What must you use to connect Microsoft 365 to Defender for Cloud Apps?

Answer

The Microsoft 365 app connector — configured in the Defender portal under Settings, then Cloud Apps, then Connected apps, then App Connectors. Requires Global Administrator authorization. You select which M365 components to connect (Exchange, SharePoint, OneDrive, Teams, Power Platform). The initial data sync takes several hours.

Question

Name the five policy types in Defender for Cloud Apps.

Answer

1) Activity policy — monitors user and admin actions. 2) Anomaly detection policy — ML-based behavioral analysis (built-in). 3) File policy — scans file content and sharing. 4) Access policy — controls sign-in via CAAC proxy. 5) Session policy — controls in-session actions (download, print) via CAAC proxy.

Question

What governance action would you use to immediately prevent a compromised user from accessing cloud apps?

Answer

Revoke sessions (Require sign-in again) for immediate effect — this invalidates all active tokens so existing sessions stop working. Then suspend the user account in the connected app to prevent new sign-ins. Revoking sessions alone doesn't prevent re-authentication if credentials are compromised, so both actions together provide full containment.

Knowledge check

  1. Priya configures a file policy in Defender for Cloud Apps to detect files containing health records shared externally from SharePoint Online. The policy is configured with content inspection enabled and governance set to 'Remove external sharing.' A GlobalReach HR manager shares a benefits document containing employee health information with an external insurance broker via a SharePoint sharing link. What happens?
  2. Elena wants to prevent MedGuard Health staff from downloading patient records from SharePoint Online when accessing from personal (unmanaged) devices — but she still wants them to be able to view the documents in the browser. Which policy type should she configure?
  3. Marcus has connected Microsoft 365 to Defender for Cloud Apps at Oakwood Financial. He receives an anomaly detection alert: 'Impossible travel — user JSmith signed in from New York at 09:00 and from Singapore at 09:15.' JSmith confirms they are in New York and did not travel. What should Marcus do?

Next up: Cloud App Discovery and Activity Monitoring — discover unsanctioned apps across your organization and investigate risky usage patterns.

© 2026 Sutheesh. All rights reserved.

Guided is an independent study resource and is not affiliated with, endorsed by, or officially connected to Microsoft. Microsoft, Azure, and related trademarks are property of Microsoft Corporation. Always verify information against Microsoft Learn.