Microsoft securityIntermediate44 min read

What Is Defender for Cloud Apps? Security Definition

Reviewed byJohnson Ajibi· Senior Network & Security Engineer · MSc IT Security
On This Page

Quick Definition

Defender for Cloud Apps is a security service from Microsoft that helps you monitor and control the use of cloud apps in your organization. It lets you see which cloud apps people are using, check for risky activities, and protect sensitive data from being shared or stolen. Think of it as a security guard for all the cloud apps your company uses.

Common Commands & Configuration

Set-MgPolicyConditionalAccessPolicy -ConditionalAccessPolicyId "policy-id" -Conditions -Applications -IncludeApplications "microsoftdefendercloudapp"

Configures an Azure AD conditional access policy to route traffic to Defender for Cloud Apps for session control. Used when setting up Conditional Access App Control.

Tests knowledge of how to link Azure AD conditional access with Defender for Cloud Apps for session enforcement. May appear in SC-900 or AZ-104 as steps to enable CAAC.

Add-MgRoleManagementDirectoryRoleAssignment -PrincipalId "user-id" -RoleDefinitionId "a9b5b0e6-5c6e-4a6c-8b2c-8c8c8c8c8c8c" -DirectoryScopeId "/"

Assigns a role (e.g., Cloud App Security admin) to a user in Azure AD. Required to grant administrative access to Defender for Cloud Apps portal.

Tests the understanding of RBAC for Defender for Cloud Apps. The correct role ID for Cloud App Security admin is often provided or must be known from documentation.

New-CASPolicy -PolicyName "Block Unauthorized Download" -PolicyType "Session" -Apps @("Dropbox") -Actions @("BlockDownload") -SessionControls @{CopyToClipboard = $false; Print = $false}

Creates a session policy in Defender for Cloud Apps to block downloads and clipboard access in Dropbox for unmanaged devices.

Important for AZ-104 and SC-900 where session policy configuration is tested. The exact syntax varies but the logic of session controls is key.

Get-CASAlert -Severity High | Where-Object {$_.Name -like "Impossible travel*"}

Retrieves high-severity alerts related to impossible travel anomalies detected by Defender for Cloud Apps UEBA.

Tests candidate ability to filter and investigate UEBA alerts. Common in scenario-based questions for SC-900.

Register-CASApp -AppId "custom-app" -Type "Custom App" -ApiUrl "https://customapp.example.com/api"

Registers a custom cloud app with Defender for Cloud Apps for discovery and monitoring via the custom cloud app catalog.

Less common but appears in advanced scenarios for custom app integration. Relevant for AWS/GCP cross-cloud environments.

Update-CASAppConnector -AppConnectorId "connector-id" -Enabled $true -ScanExistingFiles $false

Updates an existing app connector (e.g., for Box or Dropbox) to disable scanning of existing files, allowing only real-time monitoring.

Tests understanding of API connector configuration and the difference between scanning existing vs. new files. Often an exam distractor.

Set-MgOrganization -Settings -M365Settings -EnableMipSync $true

Enables synchronization between Microsoft Purview Information Protection labels and Defender for Cloud Apps for DLP policy enforcement.

Crucial for SC-900 questions about label-based DLP. Ensures that sensitivity labels are respected across cloud apps.

Defender for Cloud Apps appears directly in 257exam-style practice questions in Courseiva's question bank — one of the most-tested concepts on Google ACE. Practise them →

Must Know for Exams

For the SC-900 (Microsoft Security, Compliance, and Identity Fundamentals) exam, Defender for Cloud Apps is a key concept because the exam covers cloud security fundamentals and the CASB model. You need to understand that Defender for Cloud Apps is a CASB that provides visibility, data security, and threat protection for cloud apps. Exam questions may ask you to identify which Microsoft security solution is used for shadow IT discovery or to control cloud app usage. You should know the three core functions: Cloud Discovery, API-based governance, and Conditional Access App Control.

For the AZ-104 (Microsoft Azure Administrator) exam, Defender for Cloud Apps is relevant in the context of security and compliance. While AZ-104 focuses on Azure administration, you may encounter questions about integrating Defender for Cloud Apps with Azure AD Conditional Access policies. You might be asked how to configure Conditional Access App Control to protect access to third-party SaaS apps. Understanding the relationship between Azure AD, Conditional Access, and Defender for Cloud Apps is important.

For the Azure Fundamentals (AZ-900) exam, Defender for Cloud Apps appears as part of the Azure security services overview. You do not need deep configuration knowledge, but you should know what Defender for Cloud Apps does and when to use it. Questions may ask you to match security services with their functions, such as which service helps discover shadow IT.

For AWS certification exams like AWS Cloud Practitioner, AWS Developer Associate, and AWS Solutions Architect Associate, Defender for Cloud Apps is not a primary focus because it is a Microsoft product. However, it can appear as a supporting concept in questions about multi-cloud security or third-party security tools. You might need to recognize that if an organization uses both AWS and Microsoft 365, they can use Defender for Cloud Apps to monitor Microsoft cloud apps, but for AWS-specific resources, they would use AWS tools like AWS CloudTrail or Amazon GuardDuty. In these exams, the term is most likely to appear in scenario-based questions about integrating security across platforms.

For Google certifications like Google Cloud Digital Leader and Google ACE, similarly, Defender for Cloud Apps appears only in the context of multi-cloud or hybrid environments. You may need to understand that it is a CASB for Microsoft cloud apps and that Google has its own equivalent, like Google Workspace security features or third-party CASBs. These exams emphasize concepts rather than detailed product knowledge, so you should focus on the general role of a CASB rather than specific Defender for Cloud Apps features.

Simple Meaning

Imagine you run a large office building with many rooms, each room representing a different cloud application like Google Drive, Dropbox, Salesforce, or Microsoft 365. Your employees move around the building, carrying documents and talking to each other. As the building manager, you want to know who is entering which room, what they are doing inside, and whether anyone is trying to take sensitive files out the back door. You also want to make sure no one brings in dangerous items or leaves doors unlocked at night.

Defender for Cloud Apps is like an advanced security system for this building. It has cameras at every entrance and exit, a logbook that records every key card swipe, and sensors that detect unusual behavior, like someone entering a room at 3 AM or trying to copy a huge amount of data to a personal USB drive. It also has a rulebook that you can set: for example, if someone tries to upload a file marked 'Confidential' to a personal cloud storage app, the system can block that action or alert you.

In the real world, companies use many different cloud apps for email, file sharing, project management, and customer relationship management. Each app has its own security settings, and it is very hard to keep track of who is doing what across all of them. Defender for Cloud Apps connects to these apps through APIs and gives you a single dashboard where you can see everything. It can discover shadow IT, meaning apps that people use without official approval. It can also label and protect sensitive data, enforce policies, and even quarantine risky sessions in real time.

All of this helps you answer three big questions: What cloud apps are being used? Who is using them? And are they using them safely? Without a tool like Defender for Cloud Apps, you are essentially flying blind, hoping that each individual app's built-in security is enough. With Defender for Cloud Apps, you get a unified view and automated controls that make your cloud environment much safer.

For example, if an employee tries to sign in from a country where your company has no offices, the system can block that sign-in or require additional verification. If someone downloads thousands of files from a shared drive in a few minutes, Defender for Cloud Apps can flag that as potential data exfiltration. It can even warn you if a cloud app itself has been compromised, like if a vendor reports a security breach.

In short, Defender for Cloud Apps gives you visibility and control over the cloud apps your organization uses, helping you prevent data leaks, comply with regulations, and respond to threats faster. It turns the chaos of multiple cloud apps into something you can manage and secure.

Full Technical Definition

Microsoft Defender for Cloud Apps is a Cloud Access Security Broker (CASB) that integrates with Microsoft's security ecosystem and third-party cloud services to provide visibility, data governance, and threat protection for cloud applications. It operates primarily through API-based connectors, reverse proxy capabilities, and integration with identity providers like Azure Active Directory. The service supports both Microsoft cloud services (Microsoft 365, Azure) and thousands of third-party apps such as Salesforce, Box, Dropbox, Google Workspace, and AWS.

At its core, Defender for Cloud Apps has several key components. The first is Cloud Discovery, which uses logs from network traffic to identify which cloud apps are being used in the environment. This can be done using log collectors that forward firewall and proxy logs, or through integration with Microsoft Defender for Endpoint. Cloud Discovery provides a risk score for each app based on over 80 risk factors, including industry standards like ISO 27001, SOC 2, and GDPR compliance. The result is a comprehensive inventory of sanctioned and unsanctioned cloud apps.

The second component is App Connectors (API-based). These connectors use the APIs of the cloud apps themselves to receive metadata about files, user activities, and security configurations. For example, a connector to Microsoft 365 can pull data about file sharing permissions, login attempts, and admin actions. These connectors support real-time monitoring and allow the application of policies that can automatically quarantine files, revoke sharing links, or disable user accounts. API-based monitoring is the most comprehensive way to govern cloud app usage because it has deep access to the app's data and activities.

The third component is Conditional Access App Control (CAAC), which operates as a reverse proxy at the session level. When a user accesses a cloud app, traffic can be routed through Defender for Cloud Apps, allowing it to inspect and control actions in real time. For example, if a user tries to upload a file to a cloud storage app from an unmanaged device, CAAC can block the upload, restrict download, or require the user to sign in again. This feature uses Azure Active Directory Conditional Access policies to redirect traffic to the Defender for Cloud Apps proxy. It does not require agents on the device and works with any modern browser.

The fourth component is Information Protection and Data Loss Prevention (DLP). Defender for Cloud Apps integrates with Microsoft Information Protection (MIP) to apply sensitivity labels and classification to files. When a file is created or uploaded to a cloud app, Defender for Cloud Apps can scan it for sensitive content like credit card numbers, passport IDs, or custom patterns, and then apply labels, encryption, or restrict sharing. It can also enforce policies like blocking the external sharing of files labeled 'Highly Confidential'.

Threat detection is another major function. Defender for Cloud Apps uses user and entity behavior analytics (UEBA) and machine learning to detect anomalous behaviors. It looks at metrics like impossible travel (e.g., a user logs in from two distant locations within an impossible time frame), suspicious mass download activity, and ransomware indicators (e.g., high file modification rate with a known ransomware extension). When a threat is detected, it can trigger automated responses such as suspending a user account, blocking an IP address, or initiating an investigation in Microsoft 365 Defender.

Deployment of Defender for Cloud Apps typically starts with integrating it into Azure Active Directory and connecting to chosen cloud apps. Organizations can set up Cloud Discovery by deploying log collectors on their network or using Microsoft Defender for Endpoint to forward traffic logs. The next step is configuring App Connectors for high-priority cloud apps. Then, administrators define policies for governance, DLP, and threat detection. Conditional Access App Control is configured via Azure AD Conditional Access policies that target specific apps.

From a protocols and standards perspective, Defender for Cloud Apps uses HTTPS for all communications with cloud apps and Azure AD. Log collectors use Syslog over UDP/TCP to receive traffic logs from firewalls and proxies. The service supports the OAuth 2.0 and OpenID Connect protocols for API access to third-party apps. Integration with Microsoft Graph API is used for Microsoft 365 services. The UEBA engine processes millions of signals and applies statistical models to establish baselines and detect anomalies.

In an enterprise implementation, Defender for Cloud Apps is typically deployed as part of a larger Microsoft 365 Defender suite, which includes Defender for Endpoint, Defender for Identity, and Defender for Office 365. These products share signals and provide a unified security operations platform. For example, if Defender for Endpoint detects a malware infection on a device, it can feed that context into Defender for Cloud Apps, which can then block that device from accessing cloud apps.

Scalability is handled by Microsoft's cloud infrastructure, and the service can manage environments with tens of thousands of users and hundreds of cloud apps. Data retention for logs and activities is configurable from 30 to 180 days depending on the license. The service also provides rich auditing and reporting capabilities, including predefined reports for compliance with standards like GDPR, HIPAA, and PCI DSS.

Overall, Defender for Cloud Apps is not a single product but a comprehensive platform that combines discovery, API monitoring, proxy control, and advanced analytics to secure cloud application usage. It supports hybrid environments where some apps are sanctioned and others are not, and it adapts to the dynamic nature of cloud adoption.

Real-Life Example

Imagine you are the manager of a large public library. The library has many different sections: a reading room, a computer lab, a children's area, a reference section, and a storage room for rare books. Library members (users) come and go, borrowing books, using computers, and sometimes photocopying documents. As the manager, you want to make sure everyone follows the rules: no one takes rare books home, no one prints inappropriate material, and no one uses the library computers to visit harmful websites.

Now imagine that in addition to the physical library, your library also has a digital branch where members can access ebooks, online databases, and streaming services from home. This digital branch uses multiple third-party services: one for ebooks, one for audiobooks, one for academic journals, and one for video streaming. Each service has its own login system and its own set of rules. You cannot easily see what your members are doing across all these services.

Defender for Cloud Apps is like a central security command center for your entire library, both physical and digital. It installs a special visitor management system at the entrance that logs every person who enters, what room they go to, and how long they stay. In the digital world, it connects to each ebook and streaming service through their digital back doors (APIs) to see who is downloading what and how much. If a member downloads 50 ebooks in one minute, the system triggers an alarm because that is unusual behavior - maybe they are trying to steal the entire collection.

The command center also has a rulebook you can write. For example, if a member tries to access a rare book section that requires special permission, the system can deny entry or send you an alert. In the digital world, if someone tries to share a sensitive academic journal article with an account outside your organization, the system can block that action. The system can even temporarily suspend a member's digital borrowing privileges if they try to log in from a country where your library has no members, which could indicate a stolen password.

What makes Defender for Cloud Apps powerful is that it does not just watch one service; it watches all of them from one place. You can see a dashboard that shows which digital services are most used, which members have the highest activity, and which services have the most risky behavior. This is like having a single pane of glass that shows the entire library, instead of having to walk to each room and check separately.

In this analogy, the library members represent employees or users, the physical and digital sections represent different cloud apps, and the command center represents Defender for Cloud Apps. The rare books represent sensitive data. The rulebook represents security policies. The digital back doors represent API connectors. The visitor log represents Cloud Discovery logs. And the ability to block or restrict actions represents Conditional Access App Control.

Just as a library command center helps you protect the collection and ensure a safe environment, Defender for Cloud Apps helps you protect your data and enforce security policies across all the cloud apps your organization uses.

Why This Term Matters

In today's IT environments, the average organization uses hundreds of cloud applications, many of which are not officially approved or even known to the IT department. This phenomenon, known as shadow IT, creates serious security risks because those apps may store sensitive data, have weak security controls, or be vulnerable to breaches. Defender for Cloud Apps matters because it gives IT and security teams the visibility they need to discover these apps and take action. Without such a tool, you are essentially trusting that every cloud app your employees use is secure, which is rarely true.

Data protection is another critical reason. Many data breaches happen not because an attacker broke into a system, but because an employee accidentally shared a sensitive file with the wrong person or uploaded it to a public cloud storage app. Defender for Cloud Apps can automatically detect and quarantine files that contain credit card numbers, social security numbers, or other sensitive data. It can also prevent users from sharing files with external domains that are not trusted. This capability is essential for compliance with regulations like GDPR, HIPAA, and PCI DSS, which require organizations to protect personal and sensitive data.

Threat detection is also a major benefit. Attackers often use compromised cloud app credentials to access corporate data. Defender for Cloud Apps can detect signs of a breach, such as impossible travel, mass file downloads, or logins from known malicious IP addresses. When a threat is detected, it can automatically take action, like disabling a user account or blocking a device. This reduces the window of time an attacker has to cause damage.

Finally, Defender for Cloud Apps integrates deeply with the rest of the Microsoft security stack. This means that if you already use Microsoft 365 Defender, Azure Active Directory, or Defender for Endpoint, you get better security overall because signals from one product enhance the others. For example, a suspicious user activity detected in Defender for Cloud Apps can trigger a risk score change in Azure AD, which can then require multi-factor authentication on the next login. This kind of integration makes security operations more efficient and effective.

How It Appears in Exam Questions

In SC-900 and AZ-900 exams, you will often see multiple-choice questions that ask you to identify the function of Defender for Cloud Apps. For example: 'Which Microsoft security service provides cloud discovery and shadow IT detection?' or 'What type of security solution is Microsoft Defender for Cloud Apps?' You might also get scenario-based questions: 'A company wants to monitor which cloud apps its employees are using and enforce data loss prevention rules. Which service should they use?' The answer is Defender for Cloud Apps.

For AZ-104, questions may be more technical and scenario-based. For instance: 'You need to ensure that when users access a third-party SaaS app from unmanaged devices, they cannot download files. You configure a Conditional Access policy in Azure AD. What else must you configure to enforce this control?' The answer is Conditional Access App Control in Defender for Cloud Apps. Another question pattern: 'A company wants to automatically block the external sharing of files labeled 'Confidential' in Microsoft 365. Which feature of Defender for Cloud Apps should you use?' Answer: Data Loss Prevention policies with sensitivity labels.

For AWS certifications, you might see questions like: 'A company uses both AWS and Microsoft 365. They want to gain visibility into employee usage of Microsoft 365 apps and protect against data leaks. Which Microsoft security tool would be most appropriate?' The answer is Defender for Cloud Apps. These questions test your understanding of cross-platform security tools, not deep technical implementation.

For Google certifications, scenario-based questions might ask: 'A company uses Google Workspace and Microsoft 365. They want a single dashboard to monitor risky activities across both platforms. Which approach is best?' The correct answer might involve using a CASB like Defender for Cloud Apps for Microsoft 365 and combining it with Google's own security tools. You may also be asked about the limitations: 'Which of the following is NOT a feature of Defended for Cloud Apps?' with options like 'Network firewall management' as a distractor.

Common tricky question patterns include those that confuse Defender for Cloud Apps with Microsoft Defender for Endpoint or Defender for Office 365. For example, a question might say: 'An organization wants to detect malware on user devices. Which Defender product should they use?' That would be Defender for Endpoint, not Defender for Cloud Apps. Another trap: 'Which service provides real-time session control for cloud app usage?' That is Conditional Access App Control, a component of Defender for Cloud Apps. Questions may also test your understanding of the three pillars: discovery, control, and protection.

Practise Defender for Cloud Apps Questions

Test your understanding with exam-style practice questions.

Practise

Example Scenario

Contoso, a mid-sized company, uses Microsoft 365 for email and file storage, but employees also use unsanctioned apps like personal Dropbox and Google Drive to share files. The IT team is worried about data leaks and wants to understand the extent of shadow IT.

They deploy Defender for Cloud Apps and configure Cloud Discovery by installing a log collector on their firewall. Within a week, the dashboard shows that employees are using 45 different cloud apps, many of which have low security ratings. The team is surprised to see that a finance analyst has been using a free file-sharing app that is not encrypted and does not comply with GDPR.

They also set up an App Connector for Microsoft 365. The connector reveals that several sensitive financial spreadsheets are shared externally with personal email addresses. Defender for Cloud Apps automatically applies a DLP policy that blocks external sharing of any file that contains a credit card number. It also flags a user who downloaded 500 files in 10 minutes from a SharePoint site, indicating potential data exfiltration.

The IT team then enables Conditional Access App Control. When a user tries to access Salesforce from a personal device in a coffee shop, they are prompted for multi-factor authentication, and then the session is controlled so that download and print options are blocked. This prevents data from being saved locally on an untrusted device.

Contoso's security posture improves dramatically. They now have a complete inventory of cloud apps, automated controls to protect sensitive data, and real-time visibility into risky user activities. All of this was achieved with Defender for Cloud Apps without needing to install agents on every device or reconfigure each cloud app individually.

Common Mistakes

Thinking Defender for Cloud Apps only works with Microsoft cloud apps like Microsoft 365.

Defender for Cloud Apps supports thousands of third-party cloud apps including Google Workspace, Salesforce, Dropbox, and AWS, not just Microsoft services.

Understand that Defender for Cloud Apps is a CASB that works across multiple cloud providers, both Microsoft and non-Microsoft.

Confusing Defender for Cloud Apps with Microsoft Defender for Endpoint.

Defender for Endpoint protects devices (endpoints) from malware and attacks, while Defender for Cloud Apps protects cloud applications and data. They are different products that can work together.

Remember: Endpoint = devices; Cloud Apps = cloud services. Check the question for context: device vs. cloud app.

Believing Cloud Discovery requires no configuration and works automatically.

Cloud Discovery needs logs from network firewalls or proxies to be sent to Defender for Cloud Apps. Without log collectors or integration with Defender for Endpoint, it cannot discover apps.

Cloud Discovery requires traffic logs. You must configure log collectors or enable integration with a supported source like Defender for Endpoint.

Assuming Conditional Access App Control (CAAC) works without Azure AD Conditional Access.

CAAC is triggered by Azure AD Conditional Access policies. You must first create a Conditional Access policy that targets the cloud app and routes traffic through Defender for Cloud Apps.

CAAC is not standalone; it is a feature that extends Azure AD Conditional Access. You must set up the policy in Azure AD, then configure controls in Defender for Cloud Apps.

Thinking Defender for Cloud Apps can replace all other security tools.

Defender for Cloud Apps is a CASB, not a full security suite. It focuses on cloud app usage, but you still need endpoint protection (Defender for Endpoint), email security (Defender for Office 365), identity protection (Azure AD Identity Protection), and network security.

Defender for Cloud Apps is one layer of a defense-in-depth strategy. It integrates with other security tools but does not replace them.

Forgetting that the service requires proper licensing.

Defender for Cloud Apps requires a separate license or a Microsoft 365 E5 license. Basic Microsoft 365 E3 licenses do not include it.

Check licensing requirements before implementation. The service is available as a standalone product or as part of Microsoft 365 E5.

Assuming all cloud apps can be monitored with the same level of granularity.

App Connectors (API-based) provide deep monitoring for supported apps like Microsoft 365 and Salesforce, but for other apps, only Cloud Discovery logs may be available, offering less detail.

The level of monitoring depends on whether Defender for Cloud Apps has an App Connector for that specific app. For unsupported apps, you only get network-level discovery.

Exam Trap — Don't Get Fooled

{"trap":"A question describes a scenario where an organization wants to prevent users from uploading files to personal cloud storage (e.g., Dropbox) from corporate devices. The multiple-choice options include 'Configure a DLP policy in Defender for Cloud Apps' and 'Use Conditional Access App Control in Defender for Cloud Apps.'

","why_learners_choose_it":"Learners see 'DLP' and think data loss prevention is the obvious answer because the scenario involves preventing file uploads.","how_to_avoid_it":"Understand that Conditional Access App Control operates as a reverse proxy and can block upload/download actions in real time during a session. DLP policies in Defender for Cloud Apps are more about scanning and labeling files after they are stored, not blocking the action itself in real time.

For blocking uploads during a session, you need Conditional Access App Control."

Commonly Confused With

Defender for Cloud AppsvsMicrosoft Defender for Endpoint

Defender for Endpoint protects devices (endpoints) from malware, attacks, and vulnerabilities. Defender for Cloud Apps protects cloud applications and their data. Defender for Endpoint focuses on the device level, while Defender for Cloud Apps focuses on the cloud service level.

If a laptop gets infected with ransomware, Defender for Endpoint would detect and block the malware. If that ransomware tries to steal files from a cloud app like OneDrive, Defender for Cloud Apps could detect the abnormal upload and block it.

Defender for Cloud AppsvsMicrosoft Defender for Office 365

Defender for Office 365 specifically protects email and Microsoft Teams from phishing, malware, and spam. Defender for Cloud Apps protects all cloud apps including email, but also extends to other SaaS apps like Salesforce and Dropbox. Defender for Office 365 is part of the email security layer; Defender for Cloud Apps is a broader CASB.

Defender for Office 365 would block a phishing email in your inbox. Defender for Cloud Apps would detect if someone tried to share a sensitive email attachment to an external cloud storage app.

Defender for Cloud AppsvsAzure Active Directory Identity Protection

Azure AD Identity Protection is focused on detecting and protecting against identity-based risks, such as compromised user accounts and risky sign-ins. Defender for Cloud Apps uses identity signals from Azure AD but also analyzes app-level activities and data risks. Identity Protection is about the identity itself; Cloud Apps is about the data and apps the identity accesses.

Azure AD Identity Protection might flag a sign-in from a suspicious location. Defender for Cloud Apps might notice that after that sign-in, the user downloaded 1000 files from a cloud app, which is a data exfiltration behavior.

Defender for Cloud AppsvsAWS CloudTrail

AWS CloudTrail is a service that logs API activity for AWS resources. It is specific to the AWS cloud platform. Defender for Cloud Apps is a multi-cloud CASB that can monitor Microsoft 365, Google Workspace, and other apps, but it does not directly log AWS API calls. For AWS, you would use CloudTrail and consider third-party CASBs that support AWS.

If you want to see who launched an EC2 instance in AWS, you use CloudTrail. If you want to see who shared a sensitive file from Microsoft 365, you use Defender for Cloud Apps.

Defender for Cloud AppsvsMicrosoft Cloud App Security

Microsoft Cloud App Security was the previous name for Defender for Cloud Apps. The product was renamed to align with the Microsoft Defender family, but the functionality is essentially the same. The older name may still appear in legacy documentation or old exam questions.

An older certification question might reference 'Microsoft Cloud App Security' but the correct answer today is 'Microsoft Defender for Cloud Apps'.

Step-by-Step Breakdown

1

Deploy Cloud Discovery by collecting traffic logs from network devices or using Defender for Endpoint.

You need to provide Defender for Cloud Apps with network traffic data. This can be done by installing log collectors on your firewalls and proxies, which forward system logs via Syslog. Alternatively, if you use Defender for Endpoint, it can automatically forward cloud app traffic logs. This step is essential to discover which cloud apps are being used in the environment.

2

Review the Cloud Discovery dashboard to identify discovered cloud apps and their risk scores.

Once logs are flowing, Defender for Cloud Apps analyzes the data and presents a dashboard showing all cloud apps accessed, each with a risk score based on factors like compliance standards, data encryption, and reputation. You can see the number of users, data volume, and transaction counts. This helps you identify shadow IT and decide which apps to sanction or block.

3

Connect App Connectors for the cloud apps you want deep monitoring on.

For apps like Microsoft 365, Salesforce, Google Workspace, and Box, you can configure API-based connectors. You authenticate with the app using admin credentials or service accounts. This gives Defender for Cloud Apps access to metadata about files, user activities, and configuration settings. It enables granular policies like file sharing restrictions and user activity monitoring.

4

Configure policies for data protection, threat detection, and access control.

You create policies in Defender for Cloud Apps for various purposes. Data protection policies use content inspection to detect sensitive data and enforce actions like blocking external sharing. Threat detection policies use UEBA to find anomalous behavior. Access policies can be set to require MFA or block access based on location, device, or other conditions when used with CAAC.

5

Enable Conditional Access App Control (CAAC) via Azure AD Conditional Access.

In Azure AD, you create a Conditional Access policy that targets specific cloud apps and includes a session control to 'Use Conditional Access App Control.' This redirects user traffic through Defender for Cloud Apps proxy. You then define the session policies in Defender for Cloud Apps, such as blocking download, upload, or print actions. This works for both web and mobile app sessions.

6

Integrate with other Microsoft 365 Defender products for correlated threat detection.

Defender for Cloud Apps can share alerts and signals with Microsoft 365 Defender, Defender for Endpoint, and Defender for Identity. When you enable integration, alerts from Defender for Cloud Apps appear in the unified Microsoft 365 Defender portal. This allows security teams to investigate and respond to threats across endpoints, identities, and cloud apps from a single console.

7

Monitor alerts and respond automatically using automated investigation and remediation.

Defender for Cloud Apps generates alerts for policy violations and detected threats. You can configure automated responses like suspending a user account, revoking sharing permissions, or initiating a playbook in Microsoft 365 Defender. You can also manually investigate by reviewing user activity logs, file access history, and incident timelines. The goal is to quickly contain and remediate threats.

8

Continuously tune policies and review Cloud Discovery data to adapt to changes.

As new cloud apps emerge and user behavior changes, you should regularly review Cloud Discovery reports and adjust policies. New App Connectors may become available for services not previously covered. You should also update risk scores based on your organization's evolving security requirements. This ensures that your cloud security posture remains effective over time.

Practical Mini-Lesson

To get the most out of Defender for Cloud Apps in a real organization, you need a clear deployment strategy. First, assess your existing cloud app usage. Do you know which apps are used? Most organizations discover that the number of apps in use is three to four times higher than expected. Start by deploying Cloud Discovery using log collectors on your perimeter firewalls or by enabling integration with Microsoft Defender for Endpoint. This will give you a baseline.

Next, prioritize which cloud apps to connect via App Connectors. For Microsoft 365, the connector is trivial to set up and provides enormous value. For other high-risk apps like Salesforce or Dropbox, connect them as well. The App Connector will pull user activity logs, file metadata, and sharing permissions. This is where you get real visibility into data exposure.

Then, create a few essential DLP policies. For example, create a policy that blocks external sharing of any file containing a Social Security Number or credit card number. Test this policy in audit mode first to see how many files would be affected. Gradually switch to enforcement. This prevents accidental data leaks and helps with compliance.

Set up anomaly detection policies. The default settings are often good, but you should customize them. For example, set a policy to alert when a user downloads more than 100 files in 10 minutes. Adjust the thresholds based on your organization's normal behavior. If you get too many false positives, users will ignore alerts. If you set it too high, you might miss real incidents.

Enable Conditional Access App Control (CAAC) for your most sensitive apps. This requires Azure AD Conditional Access policies. For instance, create a policy that applies to all users accessing a financial SaaS app from non-corporate networks. The session control can block downloads and require MFA. This is especially useful for contractors or remote workers who use personal devices.

One practical issue that can go wrong is overblocking. If your policies are too aggressive, you may block legitimate business activity. For example, a DLP policy that blocks all external sharing might prevent a sales person from sending a proposal to a customer. To avoid this, use policies with exception lists or require user justification. Also, audit mode is your friend during tuning.

Another common problem is log collector failure. If the log collector goes offline, Cloud Discovery stops receiving data. Set up monitoring and alerts for your log collectors. Regularly check that logs are being received in Defender for Cloud Apps. Also, ensure that your firewall or proxy logs include the necessary fields: user IP, destination URL, bytes transferred, etc.

From a professional perspective, understanding Defender for Cloud Apps is critical for any security operations center (SOC) role. Analysts need to know how to investigate alerts from Defender for Cloud Apps, how to use the activity log timeline, and how to correlate events with other Defender products. Administrators need to know how to configure policies, manage connectors, and integrate with Azure AD.

Finally, keep in mind that Defender for Cloud Apps is part of the Microsoft 365 Defender ecosystem. If your organization has Microsoft 365 E5, you already have the license. Many businesses underutilize it because they do not know how to configure it. Investing time in learning and implementing Defender for Cloud Apps can significantly reduce your cloud security risk.

Shadow IT Discovery and Cloud App Governance

Microsoft Defender for Cloud Apps is central to identifying and managing Shadow IT within an organization. Shadow IT refers to cloud applications and services used by employees without explicit IT approval or oversight. These unmanaged apps can introduce significant security risks, including data leakage, non-compliance with regulations, and exposure to malware.

Defender for Cloud Apps provides automated discovery capabilities through integration with network traffic logs, proxy servers, and firewalls. The Cloud Discovery feature analyzes traffic metadata from sources such as Microsoft Defender for Endpoint, Zscaler, or Palo Alto Networks to generate a comprehensive inventory of all cloud apps in use. This discovery process categorizes apps by risk score based on factors like encryption standards, data center location, and compliance certifications (e.

g., SOC 2, ISO 27001). For each discovered app, Defender for Cloud Apps assigns a risk score from 1 to 10, with higher scores indicating higher risk. Admins can then investigate usage patterns, including the number of users, data uploaded or downloaded, and transaction volumes.

Once risky apps are identified, Defender for Cloud Apps enables governance actions such as blocking access via conditional access policies in Azure AD, sending alerts to security teams, or requiring app adoption through sanctioned alternatives. In the context of Microsoft security exams (SC-900, AZ-104), understanding how Defender for Cloud Apps discovers Shadow IT and enforces governance is critical. Exam questions often test the ability to interpret Cloud Discovery dashboards, assess risk scores, and configure app tagging (sanctioned, unsanctioned, or monitored).

Candidates must grasp the integration between Defender for Cloud Apps and Azure AD Identity Protection for real-time session enforcement. The ability to identify unmanaged apps and apply automated policies reduces the attack surface and ensures compliance with data protection standards. For the AWS Cloud Practitioner and Google ACE exams, cross-cloud Shadow IT detection is also relevant, as Defender for Cloud Apps can monitor multicloud environments including AWS and Google Cloud services.

The architectural principle remains consistent: visibility across all cloud usage is foundational to any security posture. Defender for Cloud Apps provides this visibility through a centralized console, making it easier for security teams to detect anomalies, enforce policies, and generate audit reports. For developers preparing for AWS Developer Associate or Azure Developer exams, understanding how to integrate Defender for Cloud Apps APIs for custom discovery reports or automated remediation is valuable.

Ultimately, Shadow IT discovery is not just about finding apps; it is about applying continuous governance to maintain a least-privilege cloud environment. The Cloud Discovery feature in Defender for Cloud Apps is a direct answer to the question of how to gain visibility into unsanctioned application usage. When combined with Conditional Access App Control, organizations can protect data in real time by controlling access to both sanctioned and unsanctioned apps.

This section emphasizes that effective cloud security begins with discovery, and Defender for Cloud Apps provides the tools necessary to turn visibility into actionable protection.

Conditional Access App Control (CAAC) for Real-Time Session Protection

Conditional Access App Control (CAAC) is a core feature of Microsoft Defender for Cloud Apps that provides real-time monitoring and control over user sessions in cloud applications. It acts as a reverse proxy, intercepting user traffic to sanctioned cloud apps and applying granular access policies based on user identity, device health, location, and data sensitivity. This feature is particularly important for protecting sensitive data in apps like Microsoft 365, Salesforce, Dropbox, or Box.

When a user accesses a cloud app from an untrusted device, CAAC can enforce read-only access, block downloads, or require multi-factor authentication. The technical underpinning involves routing traffic through Defender for Cloud Apps itself, which then inspects each request and response in real time. For example, if a user tries to download a confidential document from SharePoint, CAAC can block the download or apply a watermark to the document displayed on screen.

The configuration of CAAC begins in Azure AD where conditional access policies are set to route traffic to Defender for Cloud Apps. The policies are then refined in the Defender for Cloud Apps portal, specifying actions such as block, allow, or monitor for specific app activities. Integration with Microsoft Purview Information Protection (formerly Azure Information Protection) allows CAAC to classify and protect documents based on sensitivity labels.

For instance, a policy can block copying text from a document labeled 'Highly Confidential' to an external app. The exam relevance for SC-900 and AZ-104 lies in understanding how to configure session policies, control access from managed versus unmanaged devices, and enforce data loss prevention (DLP) rules through CAAC. Questions often present scenarios where an organization needs to prevent data exfiltration from a cloud app while allowing productivity, and the correct answer involves enabling CAAC with specific session controls.

For AWS Cloud Practitioner and Google ACE exams, the concept of a reverse proxy for cloud app access mirrors similar services like AWS WAF or Google Cloud Armor, but CAAC is specifically tailored for SaaS applications. Developers studying for AWS Developer Associate or Azure Developer exams should know how to test CAAC policies using a non-production tenant and how to troubleshoot blocked sessions. Common troubleshooting includes verifying that the app is listed in the Defender for Cloud Apps app catalog, that Azure AD conditional access policies correctly route traffic, and that relevant IP ranges are not bypassed.

CAAC supports over 20,000 cloud apps, making it a versatile tool for multicloud governance. Understanding the difference between app-level controls (via Azure AD) and session-level controls (via CAAC) is a frequent exam pitfall. CAAC operates at the session layer, providing a more granular control than simple allow/block policies.

It also generates detailed audit logs that feed into Microsoft Sentinel for advanced threat hunting. Conditional Access App Control is a powerful mechanism for applying least-privilege access to cloud applications in real time, directly addressing the need for data protection without disrupting user workflows. This feature is a staple in Microsoft security exams and represents a key differentiator for Defender for Cloud Apps compared to standalone CASB solutions.

Data Loss Prevention (DLP) Policies in Defender for Cloud Apps

Data Loss Prevention (DLP) is a critical security capability within Microsoft Defender for Cloud Apps that helps organizations prevent unauthorized sharing, transfer, or leakage of sensitive information across cloud applications. Defender for Cloud Apps extends Microsoft's DLP capabilities beyond just Microsoft 365 to over 20,000 third-party cloud apps including Dropbox, Google Drive, Box, Salesforce, and Slack. The DLP policies in Defender for Cloud Apps work by applying content inspection rules that scan files and data in transit (via session monitoring) and at rest (through API integration).

When a policy condition is met, such as detecting a credit card number or an employee's personally identifiable information (PII), the system can trigger actions like blocking the download, quarantining the file, alerting the data owner, or even automatically applying a sensitivity label. For example, a DLP policy can be configured to block the upload of files containing Social Security numbers to any external share in Box. The integration with Microsoft Purview Information Protection ensures that sensitivity labels and metadata are respected globally.

In security exams such as SC-900 and AZ-104, understanding how DLP policies are created and enforced in Defender for Cloud Apps is essential. Candidates must know the different deployment models: API-based enforcement (asynchronous scanning of stored files) and session-based enforcement (real-time inline monitoring). API-based DLP uses the cloud app's own APIs to scan already stored files, while session-based DLP monitors user activity as it happens.

Both methods have their place in a defense-in-depth strategy. For example, API-based DLP is ideal for large-scale bulk scanning of existing data in apps like SharePoint Online, while session-based DLP is better for preventing immediate data exfiltration during active sessions. Exam questions often test the ability to choose the appropriate DLP control technique based on a scenario.

Another important concept is the 'Policy of Last Resort' approach, where DLP policies in Defender for Cloud Apps can be set to catch any data that falls through other controls. The DLP policies use over 200 built-in sensitive information types (e.g.

, passport numbers, health records) and custom patterns. For AWS Cloud Practitioner and Google ACE exams, understanding how Defender for Cloud Apps can protect data in multicloud environments is a key differentiator. Developers studying for AWS Developer Associate or Azure Developer exams should know how to use the Defender for Cloud Apps APIs to programmatically retrieve DLP alerts and integrate with custom workflows.

Troubleshooting DLP misconfigurations often involves checking that the relevant app connector is properly configured and that the sensitive information types are correctly defined. It is critical to understand that DLP policies in Defender for Cloud Apps enforce actions only on files that the connector can access. If the connector lacks necessary permissions (e.

g., read access to a folder), the policy may not trigger. The exam clue for this issue often appears in questions about why a DLP alert was not generated despite a policy being active.

The correct answer typically involves checking the app connector permissions. DLP in Defender for Cloud Apps provides a unified way to protect sensitive data across the cloud ecosystem, aligning with regulatory requirements like GDPR, HIPAA, and PCI DSS. This feature is heavily tested in Microsoft security exams due to its breadth and integration with other Microsoft security products.

Anomaly Detection and User Entity Behavior Analytics (UEBA)

Defender for Cloud Apps employs advanced User Entity Behavior Analytics (UEBA) to detect anomalous user activities that may indicate a security threat, such as account compromise, insider threats, or privilege escalation. UEBA works by establishing a baseline of normal behavior for each user based on historical patterns including login times, geographic locations, access frequencies, and data exfiltration volumes. Any deviation from this baseline triggers an alert.

For example, if a user who normally logs in from New York suddenly logs in from an unfamiliar IP address in Russia and attempts to download thousands of files, Defender for Cloud Apps will flag this as a suspicious activity. The system uses machine learning algorithms to reduce false positives while maintaining high detection sensitivity. Anomaly detection policies are divided into standard patterns such as 'Impossible travel' (two logins from distant locations within a short time), 'Activity from anonymous IPs', 'Risky IP addresses', 'Unusual file download', 'Unusual administrative activity', and 'Suspicious inbox forwarding'.

Each policy can be fine-tuned with specific thresholds and response actions, such as suspending the user, requiring Azure AD conditional access, or sending alerts to security teams. The integration with Azure AD Identity Protection provides a combined risk score that enriches the anomaly detection process. In Microsoft security exams (SC-900 and AZ-104), candidates must be able to explain how UEBA works and how to configure anomaly detection policies.

Questions often present a log of user activities and ask which pattern is being exhibited, or which policy would be best to detect the specific threat. For example, a question might describe a user account that downloads an entire SharePoint library over two days, which should be matched to 'Unusual file download' policy. Another common exam scenario involves determining whether a detected anomaly is a true positive by correlating with Azure AD sign-in logs and Defender for Endpoint alerts.

For AWS Cloud Practitioner and Google ACE exams, the concept of UEBA translates to services like Amazon GuardDuty or Google Cloud Chronicle, but the implementation mechanics differ. Understanding that Defender for Cloud Apps UEBA relies on data from Cloud App Discovery, connector APIs, and Microsoft 365 logs is key. Developers preparing for AWS Developer Associate or Azure Developer exams should know how to consume Defender for Cloud Apps UEBA alerts via Microsoft Graph Security API for integration into custom dashboards or ticketing systems.

Troubleshooting UEBA performance often involves ensuring that enough baseline data is collected (at least 30 days) and that the user population is sufficiently active. If an organization sees too many false positives, adjusting the sensitivity of the 'Impossible travel' policy (e.g.

, increasing the required distance threshold) can help. Conversely, if true threats are missed, lowering the alert volume threshold may be necessary. Exam clues frequently revolve around the need to calibrate UEBA after a merger or acquisition due to changed user behavior patterns.

UEBA can detect lateral movement within cloud apps, such as an attacker moving from email to file storage. Overall, anomaly detection in Defender for Cloud Apps is a cornerstone for proactive threat detection in cloud environments, offering continuous learning and adaptation to new patterns, which makes it indispensable for modern security ops.

Troubleshooting Clues

Defender for Cloud Apps session policy not enforcing for a specific cloud app

Symptom: Normal access observed without any blocking or monitoring even though session policy is active.

The app may not be fully supported by Conditional Access App Control, or the Azure AD conditional access policy is not correctly routing traffic to Defender for Cloud Apps. Verify that the app is in the Defender for Cloud Apps catalog and the conditional access policy includes the required conditions (e.g., device platform).

Exam clue: In exams, this issue appears as 'Why is the session policy not enforced?' and the correct answer often involves missing or misconfigured conditional access policy in Azure AD.

DLP alerts not generated for sensitive data in Google Drive

Symptom: Files with PII are not flagged by DLP policies even though policies are configured.

The Google Drive app connector may not have sufficient permissions to scan content (e.g., only metadata). Check that the connector uses OAuth with read and scan permissions, and that the sensitive information types are correctly defined and not expired.

Exam clue: Exam scenario: 'An admin configured DLP for Google Drive but no alerts appear.' The solution is to re-authorize the app connector with correct API scopes.

Impossible travel anomaly detection generating excessive false positives

Symptom: Multiple alerts for users who travel legitimately between time zones.

The default sensitivity of the impossible travel policy is based on geographic distance and time window. If the organization has frequent international travelers, the policy threshold should be adjusted (e.g., increase required distance from 500 km to 1500 km) or exclude trusted IP ranges.

Exam clue: Exam question will ask how to reduce false positives for impossible travel alerts. The answer is to modify the policy sensitivity or add trusted locations.

Cloud Discovery report missing data for a network segment

Symptom: No traffic from a branch office appears in the Cloud Discovery dashboard.

The log collector for that network may not be configured, or the firewall/proxy logs are not being forwarded to Defender for Cloud Apps. Ensure that the log source (e.g., Zscaler, Palo Alto) is correctly set up in the data sources section and that the log format matches.

Exam clue: In exams, this is a common troubleshooting scenario: 'A new office is not showing in Cloud Discovery.' The fix is to deploy and configure a log collector in that network.

App connector showing 'Disconnected' status

Symptom: The command 'Get-CASAppConnector' returns status 'Disconnected' for a previously working connector.

The OAuth token for the app connector has expired or was revoked. This often happens when an admin revokes permissions in the third-party app (e.g., Box). Re-authenticate the connector in Defender for Cloud Apps portal.

Exam clue: Exam will test why an API connection fails and the troubleshooting step to re-authenticate the connector's OAuth consent.

Policy not applying to a specific user group

Symptom: A governance action (e.g., block download) is not triggered for certain users.

The policy scope may be set to 'All users' but there is an exclusion rule for a group to which those users belong, or the conditional access policy has an exclusion clause. Check both Azure AD conditional access and Defender for Cloud Apps policy scopes.

Exam clue: This issue is used in exams to test understanding of policy inheritance and exclusion lists. The answer involves reviewing exclusion groups in both systems.

Session policy watermark not appearing in Salesforce

Symptom: Watermark is not displayed on Salesforce pages even though session policy is configured.

Conditional Access App Control watermarking may not work if the session is not fully routed through the proxy (e.g., if the app uses native mobile apps instead of a web browser). Ensure the policy is configured for browser applications and that the user access is via a supported browser.

Exam clue: Exam question: 'Why is the watermark not visible?' Correct answer: The policy is not applied to native mobile app sessions, only browser-based access.

Memory Tip

Think 'Cloud Apps CASB' = Cloud Discovery + API Connectors + Conditional Access (CAAC). The three legs of a stool that hold up cloud security.

Learn This Topic Fully

This glossary page explains what Defender for Cloud Apps means. For a complete lesson with labs and practice, see the topic guide.

Covered in These Exams

Current Exam Context

Current exam versions that test this topic — use these objectives when studying.

Related Glossary Terms

Quick Knowledge Check

1.Which feature of Defender for Cloud Apps provides real-time session monitoring and control over user activities in a SaaS application?

2.An organization notices that DLP policies configured in Defender for Cloud Apps are not detecting sensitive data stored in Box. The app connector shows 'Connected' status. What is the most likely cause?

3.When configuring Conditional Access App Control for a custom LOB application, what prerequisite must be met?

4.An administrator sees a high volume of 'Impossible travel' alerts for a user who works remotely from different time zones. How should the administrator reduce false positives?

5.In Defender for Cloud Apps, what is the primary purpose of the 'Cloud Discovery' dashboard?