SC-200 Study Guide

Domain 1: Manage a Security Operations Environment

  • Sentinel Workspace: Roles & Retention
  • Get Windows Events Into Sentinel
  • Syslog, CEF & Azure Data Ingestion
  • Defender for Endpoint: Core Setup
  • Attack Surface Reduction & Security Policies
  • Defender XDR: Tune Your Alerts
  • Automated Investigation & Attack Disruption
  • Sentinel Automation: Rules & Playbooks
  • Custom Detections in Defender XDR
  • Sentinel Analytics & Threat Intelligence
  • MITRE ATT&CK & Anomaly Detection
  • Detection Engineering: Putting It All Together

Domain 2: Respond to Security Incidents

  • Incident Triage: From Alert to Verdict
  • Purview & Defender for Cloud Threats
  • Identity Threats: Entra & Defender for Identity
  • Cloud App Security: Investigate Shadow IT
  • Sentinel Incident Response
  • Copilot for Security: Your AI Analyst
  • Complex Attacks & Lateral Movement
  • Endpoint: Timeline & Live Response
  • Endpoint: Evidence & Entity Investigation
  • M365 Investigations: Audit, Search & Graph

Domain 3: Perform Threat Hunting

  • KQL Foundations for Threat Hunters
  • Advanced Hunting in Defender XDR
  • Sentinel Hunting: Build & Monitor Queries
  • Threat Analytics & Hunting Graphs
  • Data Lake: KQL Jobs & Summary Rules
  • Notebooks & the Sentinel MCP Server

Domain 2: Respond to Security Incidents

Cloud App Security: Investigate Shadow IT

Users connect to hundreds of cloud apps your IT team never approved. Learn how Defender for Cloud Apps discovers shadow IT, investigates risky OAuth apps, and detects suspicious cloud activities.

What is shadow IT?

☕ Simple explanation

Shadow IT is the app your marketing team signed up for without telling IT.

The design team uses Canva. Sales uses a third-party CRM. Someone gave a random AI tool access to their Microsoft 365 account. None of these were approved, reviewed, or secured by IT.

Defender for Cloud Apps (MDCA) discovers these shadow apps, assesses their risk, and lets you investigate suspicious activity. It also monitors approved cloud apps (like Salesforce, Box, Dropbox) for unusual behaviour — mass downloads, impossible travel, or privilege escalation.

As a SOC analyst, you investigate MDCA alerts when users do risky things with cloud apps — especially OAuth app consents that grant third-party apps access to your organisation’s data.

Microsoft Defender for Cloud Apps (MDCA) is a Cloud Access Security Broker (CASB) that provides visibility, control, and threat protection for cloud applications. It discovers shadow IT through network log analysis, integrates with Entra ID for app governance, and monitors sanctioned SaaS apps for threats.

For SC-200, the focus is investigation: responding to MDCA alerts about risky OAuth apps, suspicious user activities in cloud apps, and anomalous data access patterns. MDCA alerts feed into the Defender XDR unified incident queue.

Cloud app discovery

MDCA discovers cloud apps your organisation uses by analysing:

  • Firewall and proxy logs — which cloud services employees connect to (uploaded as a snapshot or streamed through a log collector)
  • Defender for Endpoint signals — app usage reported by managed devices, on or off the corporate network
  • Entra ID OAuth consents — which third-party apps users or admins have granted permissions to

The Cloud App Catalog

MDCA rates over 31,000 cloud apps on a risk score (1-10) based on:

  • Security certifications (SOC 2, ISO 27001)
  • Encryption (at rest, in transit)
  • Data ownership and portability
  • Legal and regulatory compliance (GDPR, HIPAA and similar)
  • Known vulnerabilities and breaches

A higher score means lower risk (10 is the most trustworthy). Any discovered app can be tagged sanctioned (approved), unsanctioned (blocked, when the tag is enforced through Defender for Endpoint network protection or a generated firewall block script) or monitored; a common discovery policy automatically tags apps that score below your threshold as unsanctioned.

OAuth app investigation

OAuth apps are among the biggest shadow IT risks, because a consent grant bypasses the network controls that catch other shadow IT. When a user clicks “Allow” on a third-party app, the app calls Microsoft Graph directly with its own token to read that user’s email, files, or calendar — sometimes with full access — and the grant stays in place until it is revoked, regardless of later password changes.

Risky OAuth scenarios

Scenario                     | Risk                                                      | MDCA detection
Overprivileged app           | App requests Mail.ReadWrite but only needs Calendar.Read  | App governance alert
Suspicious consent           | User grants full mailbox access to an unknown app         | OAuth app anomaly
App impersonation            | Malicious app name mimics a trusted brand                 | App governance alert
Mass data access             | App reads thousands of emails after consent               | Activity alert
App from untrusted publisher | App published by an unverified developer                  | Risk score alert

Investigation workflow for OAuth alerts

  1. Review the app — what permissions did it request? Who published it? What is its risk score?
  2. Check consenting users — who granted access? When? From which device?
  3. Review app activity — what has the app done since consent? (emails read, files accessed, data exported)
  4. Assess legitimacy — is this a known business tool or a suspicious unknown app?
  5. Remediate:
    • Revoke the app’s permissions in Entra ID
    • Ban the app in MDCA to prevent future consents
    • Notify the user about safe app consent practices
    • Review all consents from the same user (if their account is compromised, the attacker may have consented to multiple apps)
💡 Scenario: Elena investigates a suspicious OAuth app

Elena at Atlas Bank gets an MDCA alert: “High-risk OAuth app — ‘DocuSign-Verify’ granted full mailbox access.”

Investigation:

  • The app name mimics DocuSign but is published by an unknown developer
  • 3 users consented — all in the finance department
  • The app has read 1,200 emails from each user in the past 24 hours
  • Several emails contain wire transfer instructions and account numbers

This is a consent phishing attack.

Remediation:

  • Revoke the app’s permissions immediately
  • Ban the app in MDCA
  • Reset passwords and revoke sessions for the 3 users
  • Check if any wire transfer instructions were forwarded externally
  • Alert the fraud team about potential BEC follow-up
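
The investigation workflow above and Elena’s remediation, scripted against Microsoft Graph PowerShell. This is an added example, not code from the study guide or from Microsoft; it assumes the Microsoft.Graph module is installed, that the operator holds the listed Graph scopes (sign-in log access also needs an Entra ID P1 licence), and that the app name comes straight from the MDCA alert. Reviewing the app’s post-consent activity (step 3) and banning it in MDCA are done in the portal and are not scripted here.

```powershell
<#
  Added example: triage a suspicious OAuth app, then revoke it.
  Run without -Revoke first to review only. Assumptions: Microsoft.Graph module,
  delegated admin scopes below, app name taken from the MDCA alert
  (the scenario's 'DocuSign-Verify').
#>
param(
    [Parameter(Mandatory)] [string] $AppDisplayName,
    [switch] $Revoke
)

$scopes = @(
    'Application.ReadWrite.All'              # read/disable the service principal
    'DelegatedPermissionGrant.ReadWrite.All' # list/remove user and admin consents
    'AppRoleAssignment.ReadWrite.All'        # list/remove app-only permissions
    'AuditLog.Read.All'                      # sign-ins to the app (who, when, from where)
    'User.Read.All'                          # resolve consenting users
    'User.RevokeSessions.All'                # invalidate refresh tokens for affected users
)
Connect-MgGraph -Scopes $scopes -NoWelcome

# Step 1 - review the app. Consent creates a service principal in *your* tenant;
# publisher fields show whether this is really DocuSign or a look-alike from an unknown tenant.
$safeName   = $AppDisplayName.Replace("'", "''")
$principals = Get-MgServicePrincipal -All -Filter "displayName eq '$safeName'"
if (-not $principals) { throw "No service principal named '$AppDisplayName' in this tenant." }

foreach ($sp in $principals) {
    [pscustomobject]@{
        DisplayName       = $sp.DisplayName
        AppId             = $sp.AppId
        PublisherName     = $sp.PublisherName
        VerifiedPublisher = $sp.VerifiedPublisher.DisplayName   # $null means unverified publisher
        OwnerTenantId     = $sp.AppOwnerOrganizationId
        ReplyUrls         = $sp.ReplyUrls -join ', '
    } | Format-List

    # Step 2a - who consented, and to what. ConsentType 'Principal' is one user's consent;
    # 'AllPrincipals' means an admin consented on behalf of the whole tenant.
    $grants = Get-MgServicePrincipalOauth2PermissionGrant -ServicePrincipalId $sp.Id -All
    foreach ($g in $grants) {
        $who = if ($g.ConsentType -eq 'AllPrincipals') { '<all users - admin consent>' }
               else { (Get-MgUser -UserId $g.PrincipalId -Property UserPrincipalName).UserPrincipalName }
        '{0,-40} {1}' -f $who, $g.Scope
    }

    # Application (app-only) permissions run with no signed-in user at all; they are app role assignments.
    $roles = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All
    foreach ($r in $roles) { 'App-only role {0} on {1}' -f $r.AppRoleId, $r.ResourceDisplayName }

    # Step 2b - when and from where. Sign-ins to this appId include the consent moments;
    # device and location come from the sign-in record.
    Get-MgAuditLogSignIn -Filter "appId eq '$($sp.AppId)'" -Top 50 |
        Select-Object CreatedDateTime, UserPrincipalName, IpAddress,
            @{ n = 'OS';      e = { $_.DeviceDetail.OperatingSystem } },
            @{ n = 'Country'; e = { $_.Location.CountryOrRegion } } |
        Format-Table -AutoSize

    if (-not $Revoke) { continue }

    # Step 5 - remediate, in this order: remove the grants, stop the SP from getting tokens,
    # then invalidate refresh tokens the app already holds. A password reset alone does none of this.
    foreach ($g in $grants) { Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId $g.Id }
    foreach ($r in $roles)  { Remove-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -AppRoleAssignmentId $r.Id }
    Update-MgServicePrincipal -ServicePrincipalId $sp.Id -AccountEnabled:$false

    $victims = ($grants | Where-Object ConsentType -eq 'Principal').PrincipalId | Sort-Object -Unique
    foreach ($uid in $victims) {
        Revoke-MgUserSignInSession -UserId $uid | Out-Null   # revokes all refresh tokens for this user
        Write-Host "Revoked sessions for $uid; now review this user's other consents and mailbox rules."
    }
}
```

Disabling the service principal (AccountEnabled false) matters because removing the grants alone leaves the door open for a user to re-consent; banning the app in MDCA and tightening user consent settings in Entra ID close that gap for good.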

Suspicious cloud activities

Beyond OAuth, MDCA detects anomalous behaviour in connected cloud apps:

Activity             | What MDCA detects
Mass download        | User downloads an unusually large number of files from SharePoint/OneDrive
Impossible travel    | User accesses Salesforce from two countries within an impossible timeframe
Privilege escalation | User’s role is elevated in a connected SaaS app
Risky sign-in        | Sign-in to a cloud app from an anonymous IP or Tor
Data sharing         | Files shared externally from a connected app (Box, Dropbox)
💡 Exam tip: MDCA vs Entra ID Protection

Both products flag an account that appears in two places too far apart to travel between, but the names and scopes differ:

  • Entra ID Protection evaluates the authentication itself; its risk detection is called Atypical travel and covers Entra ID sign-ins (Microsoft 365, Azure portal)
  • MDCA evaluates activity inside connected apps; its anomaly detection policy is called Impossible travel and covers connected SaaS apps (Salesforce, Box, Dropbox, ServiceNow)

Microsoft 365 is itself a connected app, so MDCA can also fire on Exchange or SharePoint activity; the clean distinction is sign-in risk (Entra ID Protection) versus in-app activity (MDCA). If the question specifies “sign-in to a third-party SaaS app,” the answer is MDCA, not Entra ID.
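
The arithmetic behind the impossible-travel row in the table above, as an added example (not the study guide’s content and not MDCA’s actual algorithm, which also learns each user’s normal locations, honours VPN and ISP tags, and suppresses known corporate egress). The sample records are constructed and mirror the London/Tokyo knowledge-check case; the coordinates and the 1,000 km/h ceiling are assumptions.

```powershell
# Added example: flag consecutive cloud-app sign-ins whose implied ground speed is impossible.
# Not MDCA's algorithm. Sample data below is constructed for the demo.
$SpeedLimitKmh = 1000   # assumption: faster than any airliner

$events = @(
    [pscustomobject]@{ User='elena@atlasbank.example'; App='Salesforce'; Time=[datetime]'2025-03-04T10:00:00'; IP='203.0.113.10'; City='London'; Lat=51.5074; Lon=-0.1278 }
    [pscustomobject]@{ User='elena@atlasbank.example'; App='Salesforce'; Time=[datetime]'2025-03-04T10:30:00'; IP='198.51.100.7'; City='Tokyo';  Lat=35.6762; Lon=139.6503 }
    [pscustomobject]@{ User='sam@atlasbank.example';   App='Box';        Time=[datetime]'2025-03-04T09:00:00'; IP='203.0.113.22'; City='London'; Lat=51.5074; Lon=-0.1278 }
    [pscustomobject]@{ User='sam@atlasbank.example';   App='Box';        Time=[datetime]'2025-03-04T13:00:00'; IP='192.0.2.15';   City='Paris';  Lat=48.8566; Lon=2.3522 }
)

function Get-GreatCircleKm {
    # Haversine distance between two latitude/longitude points, in kilometres.
    param([double]$Lat1, [double]$Lon1, [double]$Lat2, [double]$Lon2)
    $toRad = [math]::PI / 180
    $dLat  = ($Lat2 - $Lat1) * $toRad
    $dLon  = ($Lon2 - $Lon1) * $toRad
    $a = [math]::Pow([math]::Sin($dLat / 2), 2) +
         [math]::Cos($Lat1 * $toRad) * [math]::Cos($Lat2 * $toRad) * [math]::Pow([math]::Sin($dLon / 2), 2)
    return 2 * 6371.0 * [math]::Asin([math]::Sqrt($a))
}

function Find-ImpossibleTravel {
    # For each user, compare every sign-in with the previous one and compute the speed
    # the user would have needed to be in both places.
    param([object[]]$Events, [double]$LimitKmh)
    foreach ($group in ($Events | Group-Object User)) {
        $sorted = @($group.Group | Sort-Object Time)
        for ($i = 1; $i -lt $sorted.Count; $i++) {
            $prev, $cur = $sorted[$i - 1], $sorted[$i]
            if ($prev.IP -eq $cur.IP) { continue }      # same egress IP: nothing to explain
            $km    = Get-GreatCircleKm $prev.Lat $prev.Lon $cur.Lat $cur.Lon
            $hours = ($cur.Time - $prev.Time).TotalHours
            $kmh   = if ($hours -gt 0) { $km / $hours } else { [double]::PositiveInfinity }
            if ($kmh -gt $LimitKmh) {
                [pscustomobject]@{
                    User = $group.Name; App = $cur.App
                    From = $prev.City;  To  = $cur.City
                    DistanceKm = [math]::Round($km); Minutes = [math]::Round($hours * 60)
                    ImpliedKmh = [math]::Round($kmh)
                }
            }
        }
    }
}

Find-ImpossibleTravel -Events $events -LimitKmh $SpeedLimitKmh | Format-Table -AutoSize
```

Elena’s London to Tokyo pair (roughly 9,600 km in 30 minutes) is reported; Sam’s London to Paris pair four hours apart is not. In a real SOC, the same-IP skip above is where known corporate VPN egress and tagged ISP ranges would be excluded before an alert is raised.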

Question

What is consent phishing and how does MDCA detect it?

Answer

Consent phishing tricks users into granting OAuth permissions to a malicious app disguised as a legitimate service. MDCA detects it through app governance alerts — flagging apps with suspicious names, untrusted publishers, overprivileged permissions, or anomalous data access after consent.

Question

What is the first remediation step when a malicious OAuth app is discovered?

Answer

Revoke the app's permissions in Entra ID to immediately cut off its access to user data; resetting a user's password does not remove the consent grant, so it is never a substitute for revocation. Then ban the app in MDCA, reset affected user passwords and revoke their sessions, and review what data the app accessed.

Question

How does MDCA discover shadow IT?

Answer

By analysing firewall and proxy logs (network traffic to cloud services), Defender for Endpoint signals (app usage from managed devices), and Entra ID OAuth consents (third-party apps that users or admins have granted permissions to). MDCA rates 31,000+ apps in its Cloud App Catalog on a 1-10 risk score.

Knowledge Check

Elena discovers that a malicious OAuth app named 'DocuSign-Verify' has read 1,200 emails from 3 finance users at Atlas Bank. What should she do first?

Knowledge Check

An MDCA alert shows impossible travel for a Salesforce user — signed in from London at 10 AM and from Tokyo at 10:30 AM. Which product detected this?

Next up: Cloud app threats are handled. Now let’s investigate incidents in Microsoft Sentinel — the central SIEM where all these signals come together.

© 2026 Sutheesh. All rights reserved.

Guided is an independent study resource and is not affiliated with, endorsed by, or officially connected to Microsoft. Microsoft, Azure, and related trademarks are property of Microsoft Corporation. Always verify information against Microsoft Learn.