Defender for Cloud Apps: Discover & Control
Discover shadow IT with Cloud Discovery, connect and monitor sanctioned apps, and implement Conditional Access App Control for real-time session governance.
What is Microsoft Defender for Cloud Apps?
Defender for Cloud Apps is like a security camera system for all the cloud apps your company uses.
Imagine you run a building. You know about the main doors (sanctioned apps like Teams and SharePoint). But employees are also climbing through windows (shadow IT — unapproved apps). Some visitors are sneaking into restricted rooms (risky data access).
Defender for Cloud Apps does three things: (1) discovers every door and window being used (Cloud Discovery), (2) connects security cameras to the main doors so you can see what’s happening inside (Connected Apps), and (3) lets you set rules like “visitors can look but not take photos” (session policies).
Cloud Discovery — finding shadow IT
Cloud Discovery analyses network traffic logs to identify every cloud app your organisation uses — not just the ones IT knows about.
How Cloud Discovery works
| Discovery Method | How It Works | Best For |
|---|---|---|
| Log collector | Upload firewall/proxy logs (Palo Alto, Zscaler, Squid, etc.) manually or automatically | Organisations with on-premises network infrastructure |
| Defender for Endpoint integration | Agents on devices report cloud app traffic directly | Modern endpoint-managed environments (no proxy needed) |
| Secure Web Gateway | Zscaler or other SWG forwards logs directly | Organisations using cloud-based web gateways |
The Cloud Discovery dashboard
After data flows in, the dashboard shows:
- Total apps discovered — typically hundreds or thousands (most organisations are shocked)
- Risk score per app — 1 (highest risk) to 10 (lowest risk) based on 90+ risk factors
- Categories — collaboration, storage, CRM, development, etc.
- Users and traffic — who’s using which app, how much data is flowing
- Sanctioned vs unsanctioned — apps you’ve approved vs apps you haven’t
Sanctioned and unsanctioned apps
| Status | Meaning | Action |
|---|---|---|
| Sanctioned | Approved by IT — safe to use | App is tagged as approved. Used as a signal in policies. |
| Unsanctioned | Not approved — blocked or flagged | Can generate block scripts for firewalls/proxies. Users see a warning page. |
| Monitored | Under review — neither approved nor blocked | IT is evaluating the app before making a decision. |
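The steps Cloud Discovery performs between the log collector and the block script (parse proxy lines, group traffic by app, attach a risk score, apply the sanctioned/unsanctioned/monitored tag, emit a block list) can be seen end to end in the small Python script below. It is an added illustration, not Defender for Cloud Apps code: the app catalog, risk scores, host names and Squid-style log lines are all constructed, and the real service matches against a catalog of tens of thousands of apps rather than five.

```python
"""Toy Cloud Discovery pipeline: proxy log -> per-app summary -> block script.

Added illustration of the workflow described on the page. Not Microsoft code;
the catalog, risk scores, hosts and log lines below are constructed.
"""
import re
from urllib.parse import urlparse

# Constructed mini catalog: host -> (app name, category, risk score).
# Risk scale follows the page: 1 = highest risk, 10 = lowest risk.
APP_CATALOG = {
    "sharepoint.example.test": ("SharePoint Online", "collaboration", 10),
    "quickshare.example.test": ("QuickShare", "file sharing", 2),
    "dropbin.example.test": ("DropBin", "file sharing", 3),
    "crm.example.test": ("AcmeCRM", "CRM", 8),
    "chat-ai.example.test": ("Chat AI", "generative AI", 5),
}

# Admin decisions as they would be tagged on the dashboard (constructed).
SANCTIONED = {"SharePoint Online", "AcmeCRM"}
MONITORED = {"Chat AI"}

# Constructed Squid-style access log lines:
# <epoch> <elapsed_ms> <client_ip> <result/status> <bytes> <method> <url> <user>
SAMPLE_LOG = """\
1700000000.101 245 10.0.0.5 TCP_MISS/200 51234 GET https://sharepoint.example.test/sites/finance anika
1700000001.202 980 10.0.0.5 TCP_MISS/200 7340032 POST https://quickshare.example.test/upload anika
1700000002.303 120 10.0.0.9 TCP_MISS/200 4096 GET https://quickshare.example.test/inbox priya
1700000003.404 300 10.0.0.9 TCP_MISS/200 2097152 POST https://dropbin.example.test/api/put priya
1700000004.505 88 10.0.0.7 TCP_MISS/200 8192 GET https://crm.example.test/accounts sam
1700000005.606 410 10.0.0.7 TCP_MISS/200 65536 POST https://chat-ai.example.test/v1/complete sam
1700000006.707 60 10.0.0.7 TCP_MISS/403 0 GET https://unknown.example.test/ sam
"""

LOG_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<result>\S+)\s+"
    r"(?P<bytes>\d+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<user>\S+)$"
)


def classify_host(host):
    """Map a request host to a catalog entry by suffix match; None if unknown."""
    for suffix, entry in APP_CATALOG.items():
        if host == suffix or host.endswith("." + suffix):
            return entry
    return None


def status_of(app_name):
    if app_name in SANCTIONED:
        return "sanctioned"
    if app_name in MONITORED:
        return "monitored"
    return "unsanctioned"


def discover(log_text):
    """Aggregate traffic per discovered app, like the discovery dashboard."""
    apps = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of failing the whole upload
        host = urlparse(m["url"]).hostname
        entry = classify_host(host) if host else None
        if entry is None:
            continue  # not in catalog; the real service keeps these as "unknown"
        name, category, risk = entry
        s = apps.setdefault(name, {
            "category": category, "risk_score": risk, "status": status_of(name),
            "users": set(), "bytes": 0, "upload_bytes": 0, "hosts": set(),
        })
        s["users"].add(m["user"])
        s["bytes"] += int(m["bytes"])
        # Simplification: count POST/PUT bytes as upload volume.
        if m["method"] in ("POST", "PUT"):
            s["upload_bytes"] += int(m["bytes"])
        s["hosts"].add(host)
    return apps


def risky_unsanctioned(apps, max_risk=3):
    """Apps that are both high-risk (score <= max_risk) and not sanctioned."""
    return sorted(n for n, s in apps.items()
                  if s["risk_score"] <= max_risk and s["status"] != "sanctioned")


def squid_block_script(apps):
    """Squid ACL lines blocking every unsanctioned app's hosts (toy version of
    the block script the portal generates for firewalls/proxies)."""
    lines = []
    for name, s in sorted(apps.items()):
        if s["status"] != "unsanctioned":
            continue
        for host in sorted(s["hosts"]):
            lines.append(f"acl blocked_apps dstdomain .{host}")
    if lines:
        lines.append("http_access deny blocked_apps")
    return "\n".join(lines)


if __name__ == "__main__":
    found = discover(SAMPLE_LOG)
    for name, s in sorted(found.items(), key=lambda kv: kv[1]["risk_score"]):
        print(f"{name:18} risk={s['risk_score']:2} {s['status']:12} "
              f"users={len(s['users'])} bytes={s['bytes']}")
    print("High-risk, not sanctioned:", risky_unsanctioned(found))
    print(squid_block_script(found))
```

Note that the monitored app (Chat AI) is deliberately left out of the block script: the "monitored" tag means the decision is still pending, so only apps explicitly unsanctioned are blocked, which mirrors the table above.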
Scenario: Anika discovers shadow IT
🛡️ Anika Weber at Sentinel Partners runs a Cloud Discovery analysis for a new banking client. She integrates Defender for Endpoint (already deployed on all devices) with Defender for Cloud Apps.
Discoveries after 7 days:
- 847 cloud apps detected (the client expected about 30)
- 3 file-sharing apps with risk score 2 (no encryption, servers in non-compliant jurisdictions) being used by the finance team
- 12 AI tools (ChatGPT, Midjourney, etc.) with data being uploaded by developers
- 1 CRM app scoring 8/10 but not on the approved vendor list
Anika’s actions:
- Unsanctions the 3 risky file-sharing apps → generates firewall block scripts
- Tags the AI tools as monitored → starts a policy review with the CISO
- Sanctions the CRM app after verifying it meets compliance requirements
- Presents a risk report to the client’s board showing data exposure through unapproved apps
Result: The client goes from blind to fully informed in one week. Shadow IT is no longer invisible.
Connected apps — deep visibility
Connected apps give Defender for Cloud Apps API-level access to sanctioned cloud services, enabling:
- User activity monitoring (who accessed what, when)
- File scanning (DLP — detect sensitive data in cloud storage)
- Anomaly detection (impossible travel, mass downloads)
- Governance actions (quarantine files, suspend accounts)
App connectors
| Connector | What It Monitors |
|---|---|
| Microsoft 365 | Exchange, SharePoint, OneDrive, Teams activity |
| Azure | Azure resource management, sign-in activity |
| Salesforce | User activity, file sharing, admin changes |
| Google Workspace | Drive, Gmail, Admin console activity |
| Dropbox | File sharing, user activity |
| Box, ServiceNow, Okta, GitHub, etc. | Service-specific activities |
Connecting an app:
- Defender for Cloud Apps portal → Settings → Connected apps → App connectors
- Click Connect an app → select the app
- Follow the wizard (typically involves authorising the connector with an admin account in the target app)
- Once connected, data starts flowing within minutes to hours
Exam tip: Connector permissions
Connecting an app requires admin credentials in the target app (e.g., a Salesforce admin account). The connector uses the target app’s API to pull activity logs and file metadata. For Microsoft 365, the connection is automatic when Defender for Cloud Apps is part of your Microsoft 365 E5 or EMS E5 licence.
Application-enforced restrictions
Application-enforced restrictions use Entra ID Conditional Access to signal to apps (primarily SharePoint Online and Exchange Online) that a session is restricted. The app itself enforces the restriction.
How it works:
- A Conditional Access policy targets SharePoint Online or Exchange Online
- The policy grants access with the session control: “Use app enforced restrictions”
- When a user signs in from a non-compliant device, Entra ID sends a claim to the app
- SharePoint/Exchange reads the claim and limits functionality (e.g., read-only, no downloads)
Example restrictions in SharePoint Online:
- Full access: compliant device → normal experience
- Limited web-only access: unmanaged device → can view but not download, sync, or print
- Block access: blocked by policy → access denied
Exam tip: App-enforced vs CA App Control
Don’t confuse these two:
- Application-enforced restrictions: The app (SharePoint/Exchange) enforces limits. Works only for these Microsoft apps. Simple to configure. Limited to the restrictions the app supports.
- Conditional Access App Control: Defender for Cloud Apps acts as a reverse proxy. Works for any supported app. More granular — can block copy/paste, watermark downloads, block specific file types.
Conditional Access App Control — real-time session governance
Conditional Access App Control routes user sessions through a reverse proxy (Defender for Cloud Apps), enabling real-time monitoring and control.
Architecture
User signs in via Entra ID
↓ Conditional Access policy applies "Use Conditional Access App Control"
Session is routed through Defender for Cloud Apps reverse proxy
↓ URL changes to *.mcas.ms (e.g., app.contoso.com → app.contoso.com.mcas.ms)
Defender for Cloud Apps inspects every action in real time
↓ Applies access and session policies
Traffic is forwarded to the actual app
Setting it up
- Create a Conditional Access policy in Entra ID:
  - Target the app(s) you want to protect
  - Under Session controls → select “Use Conditional Access App Control”
  - Choose “Monitor only” (for testing) or “Use custom policy” (for enforcement)
- Sign in to the app as a user covered by the policy — this onboards the app to Defender for Cloud Apps automatically (for gallery apps)
- Create access or session policies in Defender for Cloud Apps (covered in the next module)
Supported apps
| App Type | Onboarding |
|---|---|
| Featured Microsoft apps (SharePoint, Exchange, Teams, etc.) | Automatic — just create the CA policy |
| Featured third-party apps (Salesforce, Box, Dropbox, etc.) | Automatic — sign in after CA policy creation |
| Custom/non-gallery apps | Manual onboarding — add the app in Defender for Cloud Apps settings |
Scenario: Priya implements CA App Control for SharePoint
🔐 Priya Sharma at Meridian Health wants to prevent clinicians from downloading patient files when using personal devices:
- Conditional Access policy:
  - Users: All clinical staff
  - Cloud apps: SharePoint Online
  - Conditions: Device state = unmanaged (not compliant, not hybrid joined)
  - Session: Use Conditional Access App Control → Use custom policy
- Session policy in Defender for Cloud Apps:
  - Activity type: Download file
  - Filter: Files labelled “Confidential” or “Patient Data”
  - Action: Block
Result: Clinicians on personal devices can view patient files in the browser but cannot download them. On managed hospital devices, downloads work normally. Every blocked attempt is logged for audit.
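The Conditional Access half of Priya's setup, and the two session-control choices contrasted in the exam tip above (app-enforced restrictions versus Conditional Access App Control in monitor-only or custom-policy mode), map onto three `sessionControls` shapes in the Microsoft Graph `conditionalAccessPolicy` object. The Python below builds those request bodies and enforces the rule from the tip that app-enforced restrictions only apply to SharePoint Online and Exchange Online. It is an added illustration, not Microsoft sample code: the Graph property names, the `monitorOnly`/`mcasConfigured` values and the two first-party app IDs are real, while the group ID, display names and the `graph_request` helper are assumptions. The Defender for Cloud Apps session policy (block download of labelled files) is configured in the portal as the scenario describes and is not part of this request.

```python
"""Build Graph request bodies for the session controls discussed on the page.

Added illustration, not Microsoft code. Real: Graph property names, the
cloudAppSecurityType values, the SharePoint/Exchange app IDs, the endpoint.
Assumed: group IDs, display names, the graph_request helper.
"""
import copy

# Well-known first-party application IDs (real, stable values).
SHAREPOINT_ONLINE = "00000003-0000-0ff1-ce00-000000000000"
EXCHANGE_ONLINE = "00000002-0000-0ff1-ce00-000000000000"
APP_ENFORCED_CAPABLE = {SHAREPOINT_ONLINE, EXCHANGE_ONLINE}

# "Unmanaged" as in Priya's scenario: not compliant and not hybrid joined.
# Conditional Access device-filter rule syntax; ServerAD = hybrid Entra joined.
UNMANAGED_DEVICE_RULE = (
    'device.isCompliant -ne True -and device.trustType -ne "ServerAD"'
)

GRAPH_POLICIES_URL = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"

SESSION_MODES = {
    # Entra ID sends a claim; SharePoint/Exchange limit the session themselves.
    "app_enforced": {"applicationEnforcedRestrictions": {"isEnabled": True}},
    # Session routed via the reverse proxy, actions only logged (testing).
    "monitor_only": {"cloudAppSecurity": {"isEnabled": True,
                                          "cloudAppSecurityType": "monitorOnly"}},
    # Session routed via the reverse proxy; Defender for Cloud Apps policies enforce.
    "custom_policy": {"cloudAppSecurity": {"isEnabled": True,
                                           "cloudAppSecurityType": "mcasConfigured"}},
}


def build_policy(display_name, app_ids, group_ids, mode, report_only=False):
    """Return a conditionalAccessPolicy body targeting unmanaged-device browser
    sessions for the given apps and groups, with the chosen session control."""
    if mode not in SESSION_MODES:
        raise ValueError(f"unknown session mode {mode!r}")
    if mode == "app_enforced":
        # The exam tip: app-enforced restrictions only work for SPO and EXO.
        unsupported = set(app_ids) - APP_ENFORCED_CAPABLE
        if unsupported:
            raise ValueError("app-enforced restrictions are only supported for "
                             f"SharePoint/Exchange Online, not {sorted(unsupported)}")
    return {
        "displayName": display_name,
        # Report-only lets you see matches in sign-in logs before enforcing.
        "state": "enabledForReportingButNotEnforced" if report_only else "enabled",
        "conditions": {
            "users": {"includeGroups": list(group_ids)},
            "applications": {"includeApplications": list(app_ids)},
            # Session controls act on browser sessions (the *.mcas.ms rewrite).
            "clientAppTypes": ["browser"],
            "devices": {"deviceFilter": {"mode": "include",
                                         "rule": UNMANAGED_DEVICE_RULE}},
        },
        "sessionControls": copy.deepcopy(SESSION_MODES[mode]),
    }


def graph_request(policy, access_token):
    """Describe the HTTP call that would create the policy (nothing is sent)."""
    return {
        "method": "POST",
        "url": GRAPH_POLICIES_URL,
        "headers": {"Authorization": f"Bearer {access_token}",
                    "Content-Type": "application/json"},
        "json": policy,
    }


def priya_policy(clinical_staff_group_id):
    """Priya's scenario: SharePoint Online, clinical staff, unmanaged devices,
    CA App Control with a custom Defender for Cloud Apps session policy."""
    return build_policy("Block patient-file downloads on unmanaged devices",
                        [SHAREPOINT_ONLINE], [clinical_staff_group_id],
                        "custom_policy")


if __name__ == "__main__":
    import json
    # Placeholder group ID (assumption, not a real object).
    print(json.dumps(graph_request(priya_policy("<clinical-staff-group-id>"),
                                   "<access-token>"), indent=2))
```

A practical sequencing note: create the policy with `report_only=True` (or `monitor_only`) first, confirm in the sign-in logs that only the intended unmanaged-device sessions match, then switch to `custom_policy` and enabled state, because once the reverse proxy is in the path, anything that hard-codes the app's original hostname (plugins, bookmarks, integrations) sees the `.mcas.ms` suffix instead.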
Defender for Cloud Apps Discovery & Control — SC-300 Module 20
Knowledge Check
Anika's client wants to identify all cloud apps being used across the organisation without installing any new infrastructure. The client already has Defender for Endpoint on all devices. What should Anika configure?
Priya wants clinicians on unmanaged devices to view SharePoint files but not download them. She doesn't need advanced controls — just block downloads. What's the simplest approach?
After enabling Conditional Access App Control for Salesforce, Anika notices the URL changes to salesforce.com.mcas.ms when users access the app. A user reports that a custom Salesforce plugin no longer works. What is the most likely cause?
Next up: Defender for Cloud Apps: Policies & OAuth Governance — how to create access and session policies, manage OAuth app risks, and use the cloud app catalog for governance.