Cyber Intelligence
Microsoft Defender XDR · 25-30% of exam

L5. Defender for Cloud Apps: Shadow IT and App Governance


Microsoft Defender for Cloud Apps provides CASB capabilities for discovering shadow IT, controlling app access, and enforcing session policies. This lesson covers the Cloud App Catalog, session controls, app governance, and investigation tools for the SC-200 exam.

What Is Defender for Cloud Apps?

Microsoft Defender for Cloud Apps (MDA, formerly Microsoft Cloud App Security) is a Cloud Access Security Broker (CASB) that provides visibility into cloud app usage, data protection, and threat detection across SaaS applications.

Core capabilities:

  • Cloud Discovery: Identify shadow IT by analyzing firewall and proxy logs
  • App Connectors: API-based integration with sanctioned apps (Microsoft 365, Salesforce, Box, etc.)
  • Conditional Access App Control: Real-time session monitoring and control
  • App Governance: Monitor and control OAuth apps registered in your tenant

Cloud Discovery and Shadow IT

Cloud Discovery analyzes traffic logs to identify which cloud applications users are accessing. Discovery methods:

Method                               Data Source
Log collector                        Firewall/proxy logs uploaded automatically
Defender for Endpoint integration    Network signals from onboarded devices
Cloud Discovery API                  Programmatic log upload

The Cloud App Catalog scores 31,000+ apps on 90+ risk factors across security, compliance, and legal categories. Each app receives a risk score from 1 (highest risk) to 10 (lowest risk). Exam tip: Integration with Defender for Endpoint is the recommended way to discover shadow IT because it does not require separate log collectors and works for remote users not connected to the corporate network.
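To make the discovery flow concrete, here is an added example (not part of the lesson or of Microsoft's product code) that mimics what Cloud Discovery does with an uploaded proxy log: it aggregates traffic per cloud app, looks each app up in a catalog using the page's 1 (highest risk) to 10 (lowest risk) scale, and reports unsanctioned apps below a risk threshold. The log lines, the catalog entries and the sanctioned list are all constructed sample data.

```python
"""Constructed Cloud Discovery-style triage over proxy log lines.
Risk scores follow the page's scale: 1 = highest risk, 10 = lowest risk.
All data below is constructed sample data, not real Defender for Cloud Apps output."""
import re
from collections import defaultdict

# Constructed proxy log: timestamp, user, destination host, bytes sent.
SAMPLE_PROXY_LOG = """\
2024-05-01T08:01:10Z alice@contoso.example sharepoint.com 48213
2024-05-01T08:03:55Z bob@contoso.example wetransfer.com 10485760
2024-05-01T08:05:02Z alice@contoso.example wetransfer.com 5242880
2024-05-01T08:07:30Z carol@contoso.example pastebin.com 2048
2024-05-01T08:09:12Z bob@contoso.example box.com 1024
"""

# Constructed catalog: host -> (app name, risk score). Scores are assumptions.
APP_CATALOG = {
    "sharepoint.com": ("Microsoft SharePoint Online", 10),
    "box.com": ("Box", 9),
    "wetransfer.com": ("WeTransfer", 5),
    "pastebin.com": ("Pastebin", 2),
}
SANCTIONED = {"Microsoft SharePoint Online", "Box"}  # constructed sanctioned list

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+)$")

def parse_proxy_log(text):
    """Yield (user, host, bytes) for each well-formed line; skip malformed lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group(2), m.group(3), int(m.group(4))

def discover_shadow_it(log_text, min_score=6):
    """Return (app, score, distinct users, bytes) for unsanctioned apps whose
    risk score is below min_score or unknown, highest upload volume first."""
    usage = defaultdict(lambda: {"users": set(), "bytes": 0, "score": None})
    for user, host, nbytes in parse_proxy_log(log_text):
        app, score = APP_CATALOG.get(host, (host, None))  # unknown host keeps its name
        entry = usage[app]
        entry["users"].add(user)
        entry["bytes"] += nbytes
        entry["score"] = score
    findings = [
        (app, e["score"], len(e["users"]), e["bytes"])
        for app, e in usage.items()
        if app not in SANCTIONED and (e["score"] is None or e["score"] < min_score)
    ]
    return sorted(findings, key=lambda f: f[3], reverse=True)
```

Raising `min_score` widens the net; an unknown host (not in the catalog) is always reported because it has no score yet.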

App Connectors

API connectors provide deep visibility into sanctioned applications:

  • Microsoft 365: Full integration (files, activities, accounts)
  • Salesforce, Box, Dropbox, Google Workspace: Activity monitoring, file scanning, governance actions
  • AWS, Azure, GCP: Cloud platform activity logs

Connectors enable file policy scanning (DLP), activity policies, and anomaly detection within connected apps.

Conditional Access App Control

This feature proxies user sessions through Defender for Cloud Apps to enforce real-time controls:

  • Monitor only: Log all activity without blocking
  • Block downloads: Prevent file downloads based on conditions (unmanaged device, sensitive label)
  • Protect on download: Apply sensitivity labels or encryption on download
  • Block upload: Prevent uploading files matching DLP patterns
  • Block copy/cut/print: Prevent data exfiltration through clipboard or print

Session policies are created in Defender for Cloud Apps and enforced through Microsoft Entra Conditional Access (the Conditional Access policy routes the session through the proxy). Exam tip: Conditional Access App Control requires a Microsoft Entra Conditional Access policy that routes the session to Defender for Cloud Apps. Both components must be configured.

App Governance

App Governance monitors OAuth applications registered in Microsoft Entra ID:

  • Detects overprivileged OAuth apps
  • Identifies unused apps with broad permissions
  • Monitors app API call patterns for anomalies
  • Enables policy-based governance (auto-disable apps matching criteria)

This is critical for detecting OAuth consent phishing attacks where users grant malicious apps access to their data.
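The following added example (not the lesson's or Microsoft's code) shows the kind of checks App Governance applies to an OAuth app inventory: broad Microsoft Graph permissions, apps that hold broad permissions but have gone unused, and unverified publishers whose apps users have consented to, which is the consent-phishing pattern described above. The app records are constructed; the permission names are real Microsoft Graph scopes, and the set treated as "broad" is an assumption for the example.

```python
"""Constructed App Governance-style triage of OAuth app records.
Sample apps are constructed; which scopes count as broad is an assumption."""
from datetime import datetime, timedelta

# Graph delegated/application scopes treated as broad for this example (assumption).
BROAD_PERMISSIONS = {
    "Mail.ReadWrite", "Mail.Send", "Files.ReadWrite.All",
    "Directory.ReadWrite.All", "User.ReadWrite.All",
}

# Constructed inventory shaped loosely like an App Governance app listing.
SAMPLE_APPS = [
    {"name": "Contoso HR Portal", "publisher_verified": True,
     "permissions": ["User.Read", "Files.Read"], "users_consented": 420,
     "last_api_call": "2024-05-01T09:00:00Z"},
    {"name": "Free Mail Enhancer", "publisher_verified": False,
     "permissions": ["Mail.ReadWrite", "Mail.Send", "offline_access"],
     "users_consented": 37, "last_api_call": "2024-05-01T08:55:00Z"},
    {"name": "Legacy Sync Tool", "publisher_verified": True,
     "permissions": ["Files.ReadWrite.All"], "users_consented": 2,
     "last_api_call": "2023-11-12T10:00:00Z"},
]

def assess_app(app, now, unused_days=90):
    """Return the governance findings for one app; an empty list means clean."""
    findings = []
    broad = sorted(BROAD_PERMISSIONS.intersection(app["permissions"]))
    if broad:
        findings.append(f"broad permissions: {', '.join(broad)}")
    last = datetime.strptime(app["last_api_call"], "%Y-%m-%dT%H:%M:%SZ")
    if broad and now - last > timedelta(days=unused_days):
        findings.append(f"unused for {(now - last).days} days with broad permissions")
    if broad and not app["publisher_verified"] and app["users_consented"] > 0:
        findings.append("unverified publisher with user consent (consent-phishing pattern)")
    return findings

def triage_apps(apps, now, unused_days=90):
    """Map app name -> findings for every app that has at least one finding."""
    result = {}
    for app in apps:
        findings = assess_app(app, now, unused_days)
        if findings:
            result[app["name"]] = findings
    return result

NOW = datetime(2024, 5, 1, 12, 0, 0)  # fixed "now" so the constructed data is reproducible
```

In the product, the matching policy action would be to disable the flagged app; here the output is the list of reasons an analyst would review first.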

Investigation Tools

Key investigation capabilities include:

  • Activity log: Searchable log of all user and admin activities across connected apps
  • Files page: Inventory of files shared externally or matching DLP policies
  • User page: Per-user risk assessment with activity timeline
  • IP address ranges: Define corporate IP ranges to distinguish internal from external access

Exam Focus Points

  • Defender for Endpoint integration is the recommended method for shadow IT discovery because it covers remote users.
  • The Cloud App Catalog scores 31,000+ apps on 90+ risk factors with scores from 1 (highest risk) to 10 (lowest risk).
  • Conditional Access App Control requires both a Defender for Cloud Apps session policy and a Microsoft Entra Conditional Access policy.
  • App Governance monitors OAuth applications for overprivileged access, anomalous behavior, and consent phishing.
  • API connectors provide deep visibility into sanctioned apps including file scanning and activity monitoring.

Knowledge Check

1. Which method for discovering shadow IT is recommended because it covers remote users not connected to the corporate network?

2. An organization wants to prevent users on unmanaged devices from downloading files from SharePoint Online. Which feature should they configure?

3. A malicious OAuth application is detected requesting broad permissions in your tenant. Which Defender for Cloud Apps feature provides visibility and governance for this threat?