1.4 Defender for Cloud Apps

60–90 minutes · Module 1 · Free

Defender for Cloud Apps is a Cloud Access Security Broker (CASB) that provides visibility, control, and threat protection across SaaS applications — both Microsoft apps (Exchange Online, SharePoint, Teams, OneDrive) and third-party apps (Salesforce, Google Workspace, Dropbox, Box, and hundreds of others). It is also the shadow IT discovery tool: the way you find out that marketing has been using an unsanctioned file-sharing service for the last six months.

Shadow IT is a real problem

Most organisations underestimate the number of cloud apps their employees use. Cloud discovery typically reveals 3–5x more apps than IT is aware of. Many of these are legitimate productivity tools, but some introduce serious data leakage and compliance risks.

Cloud Discovery. Analyses firewall and proxy logs, or uses the Defender for Endpoint agent, to identify every cloud application accessed by users. Assigns risk scores based on compliance certifications, security features, and general trustworthiness. This is how you build an inventory of what your organisation actually uses versus what it officially sanctions.
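To make the shadow IT inventory concrete, here is a small added example (not Microsoft's code and not how Cloud Discovery is implemented) that does in miniature what the paragraph describes: it parses constructed proxy log lines, matches each destination host against a tiny constructed app catalogue with a risk score and a sanctioned flag, and reports the unsanctioned apps with the users and upload volume behind them. The log format, the catalogue entries, the example domains and the 0–10 scoring scale are all assumptions for this script; the real product uses a catalogue of tens of thousands of apps and ingests logs from supported firewall and proxy vendors.

```python
"""Toy cloud-discovery pass over proxy logs (added example, not product code)."""
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class CatalogEntry:
    app: str
    risk_score: int      # assumption: 0 (riskiest) .. 10 (most trustworthy)
    sanctioned: bool     # whether IT has approved the app


# Constructed mini catalogue keyed by domain suffix. The *.test domains are
# reserved example names, not real services.
CATALOG = {
    "teams.microsoft.com": CatalogEntry("Microsoft Teams", 10, True),
    "sharepoint.com": CatalogEntry("SharePoint Online", 10, True),
    "salesforce.com": CatalogEntry("Salesforce", 9, True),
    "filedrop-example.test": CatalogEntry("Example file-transfer service", 3, False),
    "syncbox-example.test": CatalogEntry("Example consumer file sync", 6, False),
    "paste-example.test": CatalogEntry("Example paste site", 2, False),
}

# Constructed proxy log lines, one request per line:
# <epoch> <user> <method> <url> <status> <bytes_sent> <bytes_received>
PROXY_LOG = """\
1700000001 alice@contoso.example GET https://teams.microsoft.com/api/chat 200 512 2048
1700000002 bob@contoso.example POST https://upload.filedrop-example.test/files 200 52428800 300
1700000003 carol@contoso.example GET https://app.salesforce.com/home 200 400 9000
1700000004 bob@contoso.example POST https://upload.filedrop-example.test/files 200 31457280 300
1700000005 dave@contoso.example GET https://syncbox-example.test/share/abc 200 700 120000
1700000006 alice@contoso.example POST https://contoso-my.sharepoint.com/upload 200 1048576 200
1700000007 erin@contoso.example PUT https://paste-example.test/api/post 200 2048 100
"""


def lookup(host):
    """Longest-suffix match of a hostname against the catalogue; unknown hosts score 0."""
    parts = host.lower().split(".")
    for i in range(len(parts)):
        entry = CATALOG.get(".".join(parts[i:]))
        if entry:
            return entry
    return CatalogEntry(host, 0, False)


def parse_log(text):
    """Turn the constructed log format into dicts with the fields discovery needs."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, user, _method, url, _status, sent, _received = line.split()
        records.append({"user": user, "host": urlsplit(url).hostname or "",
                        "bytes_sent": int(sent)})
    return records


def discover(records):
    """Aggregate requests per app: distinct users, upload bytes, request count."""
    summary = {}
    for r in records:
        entry = lookup(r["host"])
        s = summary.setdefault(entry.app, {"risk_score": entry.risk_score,
                                           "sanctioned": entry.sanctioned,
                                           "users": set(), "upload_bytes": 0,
                                           "requests": 0})
        s["users"].add(r["user"])
        s["upload_bytes"] += r["bytes_sent"]
        s["requests"] += 1
    return summary


def shadow_it(summary):
    """Unsanctioned apps, riskiest first and heaviest uploaders first within a score."""
    rows = [(app, s) for app, s in summary.items() if not s["sanctioned"]]
    rows.sort(key=lambda kv: (kv[1]["risk_score"], -kv[1]["upload_bytes"]))
    return [{"app": app, "risk_score": s["risk_score"], "users": sorted(s["users"]),
             "upload_bytes": s["upload_bytes"]} for app, s in rows]


if __name__ == "__main__":
    for row in shadow_it(discover(parse_log(PROXY_LOG))):
        print(f"{row['app']:<32} risk={row['risk_score']:>2} "
              f"uploads={row['upload_bytes']:>10} users={','.join(row['users'])}")
```

The ordering is the point: a low-score app with large uploads (the file-transfer service carrying 80 MB from one user) is the finding to chase first, which is the same triage the product's risk score and traffic columns support.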

App Connectors. API-based connections to sanctioned SaaS applications that provide deep visibility into user activity, file sharing, and configuration. Connected apps generate detailed activity logs that feed into investigation workflows.

Conditional Access App Control. A reverse proxy that enables real-time session controls. It can monitor, block downloads, enforce DLP, or require step-up authentication for specific actions within connected apps — even if the app itself does not support these controls natively.

App Governance. An add-on capability that monitors OAuth apps registered in Entra ID. It detects overprivileged apps, unusual app activity patterns, and potentially malicious app registrations. This is critical for consent phishing investigation (Module 15) — the scenario where an attacker tricks a user into granting permissions to a malicious application.

Policies. Activity policies alert on specific user actions. File policies detect sensitive data sharing. Anomaly detection policies catch impossible travel, suspicious inbox activity, and mass file downloads.

Key data tables

CloudAppEvents — activity across connected cloud apps.
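The anomaly detection policies described above (mass file downloads in particular) and the CloudAppEvents table come together in the following added example, which is not Microsoft's code and not the product's detection logic: it runs a sliding-window mass-download check over constructed event rows whose field names mirror CloudAppEvents columns (Timestamp, ActionType, Application, AccountDisplayName, ObjectName, IPAddress). The fixed threshold of five downloads in ten minutes is an assumption for illustration; the product's anomaly detection learns per-user baselines rather than using a static count.

```python
"""Sliding-window mass-download detection over CloudAppEvents-shaped rows (added example)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta


def make_event(ts, account, action, app, obj, ip):
    """Build one constructed row using CloudAppEvents column names."""
    return {"Timestamp": datetime.fromisoformat(ts), "ActionType": action,
            "Application": app, "AccountDisplayName": account,
            "ObjectName": obj, "IPAddress": ip}


SPO = "Microsoft SharePoint Online"

# Constructed sample: alice pulls seven files in seven minutes (burst),
# bob downloads three files spread over two hours (normal), plus other actions.
EVENTS = [make_event("2024-03-01T09:00:00", "alice", "FileAccessed", SPO,
                     "/sites/Finance/budget.xlsx", "203.0.113.10")]
EVENTS += [make_event(f"2024-03-01T09:0{i}:30", "alice", "FileDownloaded", SPO,
                      f"/sites/Finance/report{i}.docx", "203.0.113.10") for i in range(7)]
EVENTS += [make_event(f"2024-03-01T{10 + i}:00:00", "bob", "FileDownloaded", SPO,
                      f"/sites/Sales/deck{i}.pptx", "198.51.100.7") for i in range(3)]
EVENTS += [make_event("2024-03-01T09:03:00", "alice", "FileUploaded", SPO,
                      "/sites/Finance/notes.txt", "203.0.113.10")]


def mass_download_alerts(events, threshold=5, window=timedelta(minutes=10)):
    """Return one alert per account whose FileDownloaded count reaches `threshold`
    inside any `window`-long span. Events need not arrive sorted."""
    by_account = defaultdict(list)
    for e in events:
        if e["ActionType"] == "FileDownloaded":
            by_account[e["AccountDisplayName"]].append(e)

    alerts = []
    for account, evs in by_account.items():
        evs.sort(key=lambda e: e["Timestamp"])
        recent = deque()           # downloads inside the current window
        for e in evs:
            recent.append(e)
            # Drop downloads that fell out of the window ending at this event.
            while e["Timestamp"] - recent[0]["Timestamp"] > window:
                recent.popleft()
            if len(recent) >= threshold:
                alerts.append({"account": account,
                               "application": e["Application"],
                               "downloads": len(recent),
                               "first": recent[0]["Timestamp"],
                               "last": e["Timestamp"],
                               "files": [d["ObjectName"] for d in recent],
                               "source_ips": sorted({d["IPAddress"] for d in recent})})
                break              # one alert per account is enough for triage
    return alerts


if __name__ == "__main__":
    for a in mass_download_alerts(EVENTS):
        print(f"{a['account']}: {a['downloads']} downloads from {a['application']} "
              f"between {a['first']:%H:%M:%S} and {a['last']:%H:%M:%S} "
              f"via {', '.join(a['source_ips'])}")
```

Filtering on ActionType before windowing matters: FileAccessed and FileUploaded rows for the same user would otherwise inflate the count, and the same filter is what you would apply to the real table before summarising by account and time bucket.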

How it connects

Alerts feed into the Defender XDR unified incident queue. Cloud discovery data is enriched by the Defender for Endpoint agent (network connection visibility). OAuth app data connects to Entra ID enterprise application management. Session control integrates with Entra ID conditional access policies.

Key takeaways

  • Defender for Cloud Apps provides visibility into SaaS usage — both sanctioned and shadow IT
  • App governance monitors OAuth apps for consent phishing detection (Module 15)
  • Conditional Access App Control enables session-level controls on third-party apps
  • The CloudAppEvents table captures activity across all connected cloud apps

Licensing

Included in M365 E5. App governance is an add-on. Cloud discovery basic reports are available with Defender for Endpoint P2.

Check your understanding

1. Your organisation discovers employees are using an unapproved file sharing service. Which Defender for Cloud Apps feature identified this?

Cloud Discovery
App Governance
Conditional Access App Control

2. A user is tricked into granting a malicious app access to read their mailbox and files. Which component detects this?

Cloud Discovery
App Governance
Activity Policies