Defender for Cloud Apps & Defender for Identity
Defender for Cloud Apps is your CASB for SaaS security: shadow IT discovery, session controls, and app governance. Defender for Identity protects on-premises Active Directory against reconnaissance, credential theft, and lateral movement.
Part 1: Microsoft Defender for Cloud Apps
What is it?
Think of Defender for Cloud Apps as a security guard for all the cloud services your organisation uses.
Employees use dozens of cloud apps (Dropbox, Salesforce, Slack, Google Drive, and many more). Some are approved by IT. Many are not. Defender for Cloud Apps watches all of them.
It's like having a guard who can see every app employees connect to, flag the risky ones, and even step in during a session to say "You can view that file, but you can't download it", in real time.
Shadow IT discovery
The problem: Employees often use cloud apps that IT doesn't know about: personal Dropbox accounts, random file-sharing sites, unapproved project management tools. This is called shadow IT.
The solution: Defender for Cloud Apps (the Cloud Discovery feature) analyses firewall and proxy logs, whether uploaded manually, streamed through a log collector, or gathered from Defender for Endpoint on managed devices, to discover every cloud app in use across the organisation. It then scores each app from 0 to 10 (10 being the lowest risk) using dozens of attributes such as compliance certifications, security controls, and legal terms.
Alex discovered that SecureBank employees were using 147 cloud apps, but IT had only approved 23. Twelve of those unapproved apps had high-risk scores.
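To make the discovery step concrete, here is an added Python illustration of what Cloud Discovery automates. It is not Microsoft's code and is far simpler than the product's real parser: it reads proxy log lines, maps each destination host to an app in a small catalog by longest domain suffix, counts distinct users and bytes per app, and lists the unsanctioned apps whose risk score is at or below a threshold. The log lines, the catalog, the scores, and the sanctioned set are all constructed for the example, and malformed or unclassified entries are counted rather than silently dropped.

```python
"""Shadow IT discovery: tally cloud apps seen in proxy logs and flag risky, unsanctioned ones.

Added illustration of the technique Defender for Cloud Apps automates; not Microsoft's
code or data. The log lines, app catalog, risk scores and sanctioned set are constructed.
"""
import re
from collections import defaultdict

# Constructed proxy log lines in a simplified "timestamp user destination_host bytes" shape.
PROXY_LOG = """\
1700000001 alice@securebank.example quickshare.example 48211
1700000002 bob@securebank.example drive.google.com 1024
1700000003 carol@securebank.example files.quickshare.example 91002
1700000004 dave@securebank.example securebank-my.sharepoint.com 3300
1700000005 alice@securebank.example app.slack.com 512
1700000006 erin@securebank.example quickshare.example 7700
1700000007 bob@securebank.example pastebin.com 2048
this line is malformed and must be skipped
1700000008 erin@securebank.example drive.google.com 4096
1700000009 carol@securebank.example internal-wiki.securebank.example 100
"""

# Constructed catalog: domain suffix -> (app name, risk score). The score follows the
# Defender for Cloud Apps convention of 0-10, where 10 is the lowest risk.
APP_CATALOG = {
    "quickshare.example": ("QuickShare", 2),
    "drive.google.com": ("Google Drive", 8),
    "sharepoint.com": ("SharePoint Online", 10),
    "slack.com": ("Slack", 9),
    "pastebin.com": ("Pastebin", 3),
}
SANCTIONED = {"SharePoint Online", "Slack"}   # constructed: what SecureBank IT approved

LINE_RE = re.compile(r"^(?P<ts>\d+)\s+(?P<user>\S+)\s+(?P<host>[\w.-]+)\s+(?P<bytes>\d+)$")


def lookup_app(host):
    """Map a destination host to a catalog entry by matching the longest domain suffix."""
    host = host.lower()
    best = None
    for suffix, entry in APP_CATALOG.items():
        if host == suffix or host.endswith("." + suffix):
            if best is None or len(suffix) > len(best[0]):
                best = (suffix, entry)
    return best[1] if best else None


def discover_apps(log_text):
    """Return ({app: {"users": set, "bytes": int, "risk": int|None, "sanctioned": bool}}, skipped).

    Hosts missing from the catalog are reported under an UNCLASSIFIED: prefix and
    malformed lines are counted, so the reviewer sees what was not classified.
    """
    report = defaultdict(lambda: {"users": set(), "bytes": 0, "risk": None, "sanctioned": False})
    skipped = 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            skipped += 1
            continue
        entry = lookup_app(m["host"])
        name, risk = entry if entry else ("UNCLASSIFIED:" + m["host"].lower(), None)
        app = report[name]
        app["users"].add(m["user"])
        app["bytes"] += int(m["bytes"])
        app["risk"] = risk
        app["sanctioned"] = name in SANCTIONED
    return dict(report), skipped


def high_risk_unsanctioned(report, max_score=4):
    """Unsanctioned apps scored at or below max_score, busiest (most users) first."""
    hits = [(name, len(info["users"]), info["risk"])
            for name, info in report.items()
            if info["risk"] is not None and not info["sanctioned"] and info["risk"] <= max_score]
    return sorted(hits, key=lambda h: (-h[1], h[0]))


if __name__ == "__main__":
    report, skipped = discover_apps(PROXY_LOG)
    print(f"{len(report)} apps discovered, {skipped} malformed line(s) skipped")
    for name, users, risk in high_risk_unsanctioned(report):
        print(f"  {name}: {users} user(s), risk score {risk}/10")
```

In practice the catalog is the product's own (tens of thousands of apps) and the threshold is a policy setting; the shape of the output, apps ranked by user count with an unsanctioned, low-score filter, is what the Cloud Discovery dashboard shows.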
App governance
Once you know what apps are in use, you can control them:
- Sanction apps you approve (mark as safe)
- Unsanction risky apps (tag them as blocked; the block is enforced by Defender for Endpoint network protection on managed devices, or by a block script exported to your firewall or proxy)
- Monitor apps that are borderline: watch their usage before deciding
App governance also covers OAuth apps: third-party apps that employees grant access to their Microsoft 365 data by consenting to permission requests. Defender for Cloud Apps can detect when an app requests excessive permissions (for example, write access to all mailboxes or files) or comes from an unverified publisher.
Session policies and conditional access app control
This is one of the most powerful features:
- Real-time session monitoring: watch what users do inside cloud apps as it happens
- Conditional access app control: enforce rules mid-session. For example:
  - Allow viewing documents in Salesforce but block downloads from unmanaged devices
  - Allow access to SharePoint but add a watermark to downloaded files
  - Block copy/paste of sensitive content from a cloud app
Session policies work with Entra ID Conditional Access: a Conditional Access policy whose session control is set to "Use Conditional Access App Control" routes the browser session through the Defender for Cloud Apps reverse proxy (the app URL the user sees gains a *.mcas.ms suffix), which is what lets the session policy inspect and block actions in real time. Native client apps that bypass the browser are not proxied, so session policies are a browser-session control.
File policies and threat detection
- File policies: Scan files stored in connected cloud apps for sensitive data (credit card numbers, national ID numbers, health records). Alert or quarantine when found.
- Anomaly detection: uses machine learning, after an initial learning period, to detect unusual behaviour, such as a user suddenly downloading thousands of files, or two sign-ins from locations too far apart to have been reached in the time between them ("impossible travel").
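Impossible travel is the easiest of these anomalies to show in code. The Python below is an added example, not Microsoft's detection model: it sorts each user's sign-ins by time, computes the great-circle distance between consecutive ones, and flags any pair whose implied speed exceeds a plausible maximum. The sign-in records, coordinates, the 1,000 km/h threshold, and the 50 km jitter floor are constructed assumptions; the product's model also accounts for VPN egress points and the user's history, which this example does not.

```python
"""Impossible-travel check between consecutive sign-ins.

Added example (not Microsoft's anomaly model). Sign-in events, coordinates and the
thresholds are constructed; real detections also weigh VPNs, known egress points
and the user's history.
"""
from collections import defaultdict
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 1000.0   # assumption: just above airliner cruise speed
MIN_DISTANCE_KM = 50.0       # assumption: ignore jitter between nearby geolocations

# Constructed sign-ins: (user, UTC timestamp, latitude, longitude, label)
SIGNINS = [
    ("alice@securebank.example", "2024-03-01T09:00:00Z", 51.5074, -0.1278, "London"),
    ("alice@securebank.example", "2024-03-01T09:45:00Z", 40.7128, -74.0060, "New York"),
    ("bob@securebank.example", "2024-03-01T12:30:00Z", 51.5074, -0.1278, "London"),
    ("bob@securebank.example", "2024-03-01T08:00:00Z", 48.8566, 2.3522, "Paris"),
    ("carol@securebank.example", "2024-03-01T10:00:00Z", 35.6762, 139.6503, "Tokyo"),
    ("carol@securebank.example", "2024-03-01T10:00:00Z", -33.8688, 151.2093, "Sydney"),
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi = p2 - p1
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def parse_ts(ts):
    """Parse an ISO-8601 'Z' timestamp into an aware UTC datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)


def impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH, min_km=MIN_DISTANCE_KM):
    """Return one alert per consecutive sign-in pair implying travel faster than max_kmh.

    Each alert is (user, from_label, to_label, km, hours, kmh). Two sign-ins with the
    same timestamp from distant places are the degenerate case: handled explicitly
    as infinite speed instead of dividing by zero.
    """
    by_user = defaultdict(list)
    for user, ts, lat, lon, label in events:
        by_user[user].append((parse_ts(ts), lat, lon, label))

    alerts = []
    for user, evs in sorted(by_user.items()):
        evs.sort(key=lambda e: e[0])          # stable: equal timestamps keep input order
        for (t1, la1, lo1, l1), (t2, la2, lo2, l2) in zip(evs, evs[1:]):
            km = haversine_km(la1, lo1, la2, lo2)
            if km < min_km:
                continue                      # same city or geolocation noise
            hours = (t2 - t1).total_seconds() / 3600
            kmh = km / hours if hours > 0 else float("inf")
            if kmh > max_kmh:
                alerts.append((user, l1, l2, round(km), round(hours, 2), kmh))
    return alerts


if __name__ == "__main__":
    for user, src, dst, km, hours, kmh in impossible_travel(SIGNINS):
        print(f"{user}: {src} -> {dst}, {km} km in {hours} h ({kmh:.0f} km/h)")
```

Raising the threshold to 10,000 km/h silences the London to New York pair but still flags the simultaneous Tokyo and Sydney sign-ins, which is why the zero-interval case needs its own branch rather than a tuned speed limit.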
Scenario: Alex discovers a rogue app at SecureBank
During a routine shadow IT review, Alex notices a file-sharing app called "QuickShare" that 40 employees are using. Defender for Cloud Apps scored it 2/10 for risk (on the 0 to 10 scale, where 10 is the lowest risk):
- No encryption in transit
- Hosted in a jurisdiction with weak data protection laws
- No SOC 2 or ISO 27001 compliance
Alex takes action:
- Unsanctions QuickShare: the unsanctioned tag flows to Defender for Endpoint network protection on managed devices (and to a block script for the firewall or proxy), so access is blocked for all users
- Creates an app discovery policy that automatically tags as unsanctioned any newly discovered file-sharing app scoring below a chosen risk threshold
- Reports to Director Reyes with a dashboard showing all 12 high-risk apps and recommended alternatives
Director Reyes approves a company-wide communication directing employees to use OneDrive instead.
Part 2: Microsoft Defender for Identity
What is it?
Think of Defender for Identity as a security camera system for your on-premises Active Directory.
Active Directory (AD) is the system that manages user accounts, passwords, and permissions in traditional corporate networks. Attackers love targeting AD because if they compromise it, they can access everything.
Defender for Identity watches all the activity in AD (logins, permission changes, network scans) and spots the patterns that indicate an attack is underway. It's like having cameras that don't just record, but also recognise suspicious behaviour and alert security.
How it works
Defender for Identity installs lightweight sensors directly on your domain controllers (the servers that run Active Directory) and, optionally, on AD FS and AD CS servers. These sensors monitor:
- Authentication traffic (who's logging in, from where, and over which protocol, Kerberos or NTLM)
- Directory queries (who's looking up user accounts or group memberships, for example via LDAP or SAMR)
- Network activity (unusual scanning or enumeration)
The sensors send data to the Defender for Identity cloud service, which analyses it for threat patterns.
What threats does it detect?
| Threat Category | Example | What It Means |
|---|---|---|
| Reconnaissance | An account queries AD for all admin group members | An attacker is mapping out the network to find high-value targets |
| Credential theft | Pass-the-hash or pass-the-ticket attacks detected | An attacker has stolen credential material and is reusing it |
| Lateral movement | An account authenticates to 15 servers in 2 minutes | An attacker is hopping between machines looking for valuable data |
| Domain dominance | A new account is added to Domain Admins | An attacker has gained the highest level of access in AD |
| Compromised identity | An account logs in from a location it has never used before | A user account may be under someone else's control |
Scenario: Alex catches lateral movement at SecureBank
Defender for Identity alerts Alex: a service account (svc-backup) just authenticated to 23 servers in under 3 minutes using pass-the-hash.
What Alex sees in the Defender portal:
- The service account normally only connects to the backup server
- The authentication pattern matches a known lateral movement technique
- The timeline shows the account was used from a workstation in the lobby, not from the server room
Alex's response:
- Disables the service account immediately
- Checks the lobby workstation and finds it was left unlocked
- Resets the service account credentials
- Creates a custom detection rule in Defender XDR advanced hunting that raises an alert whenever a service account authenticates to more than 3 distinct servers in a short window (Defender for Identity's built-in detections are not editable; custom logic lives in advanced hunting)
Defender for Identity caught this in real time because it learned the normal behaviour pattern of svc-backup and flagged the deviation.
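The "many servers in a short window, off the account's usual targets" logic that fires here can be written down as a hunting rule. The Python below is an added example over constructed logon records shaped like Defender XDR's IdentityLogonEvents rows (it is not Microsoft's detection code): it learns each account's normal target servers from a history set, slides a time window over the new logons, and alerts when an account reaches more than three distinct targets inside the window, reporting which targets are off baseline, which source devices were used, and which protocol (NTLM is what pass-the-hash looks like on the wire). The window and threshold are assumptions; the third account shows why the window matters.

```python
"""Lateral-movement fan-out detection over logon events.

Added example (not Microsoft's code): learns per-account target baselines, then
alerts when an account authenticates to more than `max_targets` distinct servers
inside a sliding time window. All records below are constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed "normal" history: (Timestamp, AccountName, DeviceName, TargetDeviceName, Protocol)
HISTORY = [
    ("2024-03-01T02:00:00Z", "svc-backup", "BKP-CONSOLE", "BKP01", "Kerberos"),
    ("2024-03-02T02:00:00Z", "svc-backup", "BKP-CONSOLE", "BKP01", "Kerberos"),
    ("2024-03-02T09:00:00Z", "alice", "ALICE-LT", "FS01", "Kerberos"),
    ("2024-03-02T09:05:00Z", "alice", "ALICE-LT", "MAIL01", "Kerberos"),
]

# Constructed events for the day under investigation (same shape as HISTORY).
EVENTS = [
    ("2024-03-03T02:00:00Z", "svc-backup", "BKP-CONSOLE", "BKP01", "Kerberos"),
    # svc-backup from a lobby workstation over NTLM: five servers in 2.5 minutes
    ("2024-03-03T10:10:00Z", "svc-backup", "LOBBY-WS01", "FS01", "NTLM"),
    ("2024-03-03T10:10:40Z", "svc-backup", "LOBBY-WS01", "FS02", "NTLM"),
    ("2024-03-03T10:11:15Z", "svc-backup", "LOBBY-WS01", "FS03", "NTLM"),
    ("2024-03-03T10:11:50Z", "svc-backup", "LOBBY-WS01", "SQL01", "NTLM"),
    ("2024-03-03T10:12:30Z", "svc-backup", "LOBBY-WS01", "DC01", "NTLM"),
    # alice: a normal day, two targets
    ("2024-03-03T09:00:00Z", "alice", "ALICE-LT", "FS01", "Kerberos"),
    ("2024-03-03T09:01:00Z", "alice", "ALICE-LT", "MAIL01", "Kerberos"),
    ("2024-03-03T09:30:00Z", "alice", "ALICE-LT", "FS01", "Kerberos"),
    # svc-monitor: five targets too, but 15 minutes apart (legitimate polling)
    ("2024-03-03T11:00:00Z", "svc-monitor", "MON01", "FS01", "Kerberos"),
    ("2024-03-03T11:15:00Z", "svc-monitor", "MON01", "FS02", "Kerberos"),
    ("2024-03-03T11:30:00Z", "svc-monitor", "MON01", "FS03", "Kerberos"),
    ("2024-03-03T11:45:00Z", "svc-monitor", "MON01", "SQL01", "Kerberos"),
    ("2024-03-03T12:00:00Z", "svc-monitor", "MON01", "DC01", "Kerberos"),
]


def parse_ts(ts):
    """Parse an ISO-8601 'Z' timestamp into an aware UTC datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)


def learn_baseline(history):
    """Account -> set of servers it authenticated to during the learning period."""
    baseline = defaultdict(set)
    for _, account, _, target, _ in history:
        baseline[account].add(target)
    return dict(baseline)


def detect_fanout(events, baseline, window_minutes=3, max_targets=3):
    """Alert once per account whose distinct targets inside any window exceed max_targets."""
    window = timedelta(minutes=window_minutes)
    by_account = defaultdict(list)
    for ts, account, source, target, proto in events:
        by_account[account].append((parse_ts(ts), source, target, proto))

    alerts = []
    for account, evs in sorted(by_account.items()):
        evs.sort()
        recent = deque()
        for ev in evs:
            recent.append(ev)
            while ev[0] - recent[0][0] > window:   # drop logons older than the window
                recent.popleft()
            targets = {e[2] for e in recent}
            if len(targets) > max_targets:
                normal = baseline.get(account, set())
                alerts.append({
                    "account": account,
                    "tripped_at": ev[0].isoformat(),
                    "targets": sorted(targets),
                    "off_baseline": sorted(targets - normal),
                    "sources": sorted({e[1] for e in recent}),
                    "protocols": sorted({e[3] for e in recent}),
                })
                break   # one alert per account is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in detect_fanout(EVENTS, learn_baseline(HISTORY)):
        print(alert)
```

Only svc-backup trips with a 3-minute window; widening it to 60 minutes also catches svc-monitor, which is the false-positive trade-off you tune when turning this into a custom detection.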
Signals feed into Defender XDR
Defender for Identity doesn't work alone. Its identity signals are sent to the Defender XDR portal, where they're correlated with:
- Email threats (Defender for Office 365)
- Device threats (Defender for Endpoint)
- Cloud app threats (Defender for Cloud Apps)
If an attacker steals credentials from a device (Endpoint), uses them to move laterally through AD (Identity), and accesses cloud apps (Cloud Apps), XDR connects all three into one incident.
Comparison: Three identity-related security tools
The exam often tests whether you know the difference between these three overlapping tools:
| Feature | What It Protects | Where It Works | Key Focus |
|---|---|---|---|
| Defender for Cloud Apps | SaaS applications (Dropbox, Salesforce, M365 apps) | Cloud: monitors cloud app sessions and data | Shadow IT discovery, session control, app governance, file policies |
| Defender for Identity | On-premises Active Directory | On-premises: sensors on domain controllers | Lateral movement, credential theft, reconnaissance, domain dominance |
| Entra ID Protection | Cloud identities in Microsoft Entra ID | Cloud: analyses sign-in signals | Risky sign-ins, risky users, sign-in risk policies, user risk policies |
Exam shortcut: If the question mentions SaaS apps or shadow IT = Defender for Cloud Apps. On-premises AD or lateral movement = Defender for Identity. Cloud sign-in risk or risky users = Entra ID Protection.
Video walkthrough
Defender for Cloud Apps and Identity: SC-900 Module 8 (video coming soon, ~9 min)
Knowledge Check
Director Reyes asks Alex to find out what unapproved cloud apps SecureBank employees are using. She wants to block any high-risk file-sharing apps immediately. Which product and features should Alex use?
A service account that normally connects only to the backup server suddenly authenticates to 30 different servers using pass-the-hash in under 5 minutes. Which Defender product detects this threat?
SecureBank wants to allow employees to view documents in Salesforce from unmanaged personal devices but prevent them from downloading those documents. Which feature enables this?
Next up: Defender Vulnerability Management and Defender Threat Intelligence, understanding what's wrong inside your environment and what threats are coming from outside.