This chapter covers Microsoft Defender for Cloud Apps (MCAS), a Cloud Access Security Broker (CASB) that provides visibility, control over data travel, and sophisticated analytics to protect cloud applications from cyber threats. For the AZ-500 exam, MCAS is a key component of Security Operations (Objective 4.1), typically appearing in 5-10% of questions. You must understand its discovery, protection, and governance capabilities, including app connectors, session controls, and anomaly detection, to answer scenario-based questions correctly.
Jump to a section
Imagine a company where employees secretly run side businesses using company resources—like using the office printer for personal flyers or the corporate Wi-Fi for a side gig. The IT department has no visibility into these activities because they happen outside the official procurement process. Microsoft Defender for Cloud Apps (MCAS) acts like a corporate investigator who monitors all network traffic, identifies unauthorized cloud apps (the side businesses), and reports them to management. Just as the investigator would catalog every app used, assess its risk (e.g., low security, data leakage potential), and block dangerous ones, MCAS discovers shadow IT by analyzing traffic logs from firewalls or proxies. It then provides a risk score for each app, allows IT to sanction (approve) or unsanction (block) them, and can enforce policies like blocking uploads to unsanctioned apps. The key mechanism is that MCAS uses a cloud app catalog with over 31,000 apps, each scored on security, compliance, and legal factors, enabling granular control without disrupting approved business operations.
What is Microsoft Defender for Cloud Apps and Why Does It Exist?
Microsoft Defender for Cloud Apps (MCAS) is a Cloud Access Security Broker (CASB) that sits between users and cloud applications to enforce security policies. Its primary purpose is to address the challenges of shadow IT—the use of unauthorized cloud apps by employees—and to protect sensitive data across sanctioned and unsanctioned cloud services. MCAS integrates with Microsoft 365, Azure Active Directory (now Microsoft Entra ID), and other Microsoft security products to provide a unified view of cloud app usage.
How MCAS Works Internally
MCAS operates through three core mechanisms: discovery, protection, and governance. Discovery involves collecting logs from network devices (e.g., firewalls, proxies) or using API connectors to cloud apps. The logs are parsed to identify app usage, users, and IP addresses. MCAS then matches traffic against its cloud app catalog, which contains over 31,000 apps with risk scores based on 80+ attributes like encryption, data residency, and compliance certifications.
Protection includes real-time session controls using reverse proxy technology. When a user accesses a sanctioned app, traffic can be redirected through MCAS to apply policies such as blocking downloads or requiring multi-factor authentication (MFA). This is achieved by integrating with Microsoft Entra ID Conditional Access, which can route traffic to MCAS via the session control feature.
Governance actions are automated responses triggered by policies. For example, if a user uploads sensitive data to an unsanctioned app, MCAS can automatically block the upload, quarantine the file, or notify the user. These actions are enforced via API calls to the cloud app (e.g., Google Workspace, AWS) or through the reverse proxy for real-time blocking.
Key Components, Values, Defaults, and Timers
Cloud App Catalog: Over 31,000 apps, each with a risk score from 0 to 10 (higher is riskier). The default threshold for unsanctioned apps is a risk score above 7.
App Connectors: Use APIs to connect to cloud apps like Office 365, Google Workspace, Salesforce, and AWS. These connectors provide deep visibility into user activities, file sharing, and permissions. Default sync interval is 1 hour, but can be set to as low as 15 minutes.
Session Controls: Implemented via reverse proxy. The default timeout for a session is 8 hours, configurable up to 24 hours. The proxy intercepts HTTP/HTTPS traffic, and policies are evaluated in real-time.
Anomaly Detection: Uses machine learning to detect risky behaviors like impossible travel (e.g., login from US and China within 5 minutes), mass download, or unusual admin activity. The default alert threshold for impossible travel is a distance greater than 500 km and time difference less than 1 hour.
Log Collector: A Docker container that receives logs from firewalls (e.g., Palo Alto, Zscaler) and forwards them to MCAS. Default port is 443 for HTTPS. Logs are compressed and encrypted before transmission.
Configuration and Verification Commands
To configure MCAS via PowerShell or CLI, you typically use the Microsoft Graph API or the MCAS portal. Below are key commands for deploying a log collector:
# Deploy log collector using Docker on Linux
sudo docker run -d --name mcaslogcollector \
-v /var/log/mcas:/var/log/mcas \
-e COLLECTOR_NAME="MyCollector" \
-e COLLECTOR_TYPE="PaloAlto" \
-e MCAS_TENANT_ID="your-tenant-id" \
-e MCAS_TENANT_KEY="your-tenant-key" \
mcr.microsoft.com/mcas/logcollector:latestTo verify the log collector status:
# Check logs
sudo docker logs mcaslogcollector
# Test connectivity
curl -k https://<your-tenant>.mcas.ms/api/v1/logcollector/pingFor API-based governance, you can use the MCAS API to unsanction an app:
# Using PowerShell with REST API
$tenantId = "your-tenant-id"
$apiKey = "your-api-key"
$body = @{
"filters" = @{
"appId" = @{
"eq" = 12345
}
}
"command" = "unsanction_app"
} | ConvertTo-Json
Invoke-RestMethod -Method Post -Uri "https://<your-tenant>.mcas.ms/api/v1/policies/command" -Headers @{"Authorization" = "Bearer $apiKey"} -Body $bodyInteraction with Related Technologies
MCAS integrates deeply with: - Microsoft Entra ID (Azure AD): Conditional Access policies can redirect users to MCAS for session control. This is configured under Azure AD > Security > Conditional Access > Session > Use Conditional Access App Control. - Microsoft Defender for Endpoint: Alerts from endpoints can be correlated with cloud app activities. For example, if a device is infected, MCAS can block its access to cloud apps. - Microsoft Sentinel: MCAS logs can be streamed to Sentinel for advanced hunting and incident response. Integration is done via the MCAS data connector in Sentinel. - Microsoft Information Protection (MIP): MCAS can apply sensitivity labels to files in cloud apps. For instance, if a file labeled 'Confidential' is shared publicly, MCAS can revoke access automatically.
Step-by-Step: How MCAS Discovers Shadow IT
Log Collection: Network logs from firewalls or proxies are sent to the MCAS log collector (Docker container) via Syslog or FTP. The collector parses logs into a unified format.
Log Parsing and Enrichment: MCAS identifies app URLs, user IPs, and user agents. It enriches data with geographic location and user identity from Entra ID.
App Identification: The parsed traffic is matched against the cloud app catalog. If an app is not in the catalog, it is categorized as 'Unknown' and assigned a risk score based on heuristics.
Risk Scoring: Each discovered app gets a score based on 80+ attributes. The score is updated weekly. Admins can manually override scores.
Policy Evaluation: Policies check conditions like app risk score > 7 or user group. If triggered, actions like 'Unsanction app' or 'Alert admin' are executed.
Reporting: The MCAS dashboard shows discovered apps, total users, and traffic volume. Admins can drill down to see specific user activities.
Step-by-Step: Real-Time Session Control
User Authenticates: User signs into a cloud app like Salesforce via Entra ID. Conditional Access policy triggers and redirects the user to MCAS proxy.
Proxy Interception: MCAS establishes a reverse proxy session. The user's browser communicates with MCAS, which then communicates with the cloud app on behalf of the user.
Policy Inspection: MCAS inspects every request (URL, headers, cookies). Policies check for conditions like 'Block download of files labeled Confidential'.
Action Enforcement: If a policy is violated, MCAS can block the action, show a custom block message, or allow but audit. For example, if a user tries to download a file, MCAS can replace the file with a block page.
Session Termination: The session expires after the configured timeout (default 8 hours) or when the user logs out. MCAS logs all activities for auditing.
Step-by-Step: API-Based Data Protection
App Connector Setup: Admin configures an API connector for a cloud app (e.g., Google Workspace) by providing admin credentials and granting permissions.
Initial Scan: MCAS performs an initial scan of all files and permissions in the app. This can take hours depending on data volume.
Continuous Monitoring: MCAS polls the app API every 1 hour (configurable) for changes like new files, sharing events, or user additions.
Policy Application: Policies can detect oversharing (e.g., file shared with external users) and automatically apply actions like removing external users or moving file to a quarantine folder.
Alerting and Remediation: Alerts are sent to admins. Automated remediation can be configured, such as revoking sharing links or applying a retention label.
Step-by-Step: Anomaly Detection Alerting
Baseline Establishment: MCAS learns normal user behavior over 14 days (default). This includes login times, locations, and app usage patterns.
Real-time Comparison: When a new activity occurs, MCAS compares it to the baseline. For example, a login from a new country triggers an anomaly.
Risk Scoring: Each anomaly gets a risk score (0-100). Scores above 80 trigger an alert by default. The threshold can be adjusted per policy.
Alert Generation: Alerts appear in the MCAS portal and can be forwarded to SIEM like Sentinel. Alerts include details like user, IP, and activity type.
Investigation and Response: Admins can investigate the alert, confirm if it's a true positive, and take action such as suspending the user or requiring MFA.
Deploy Log Collector
Deploy the MCAS log collector as a Docker container on a Linux server (or Windows via Docker). This collector receives logs from firewalls or proxies via Syslog (UDP 514) or FTP (TCP 21). The container parses logs into a unified JSON format, compresses them, and uploads to MCAS over HTTPS (port 443) every 5 minutes by default. You must configure the collector with your tenant ID and API key. Verify deployment by checking logs: `sudo docker logs mcaslogcollector`. Common mistake: forgetting to open firewall ports 514 (Syslog) or 443 (outbound) will cause upload failures.
Configure Cloud Discovery Policies
In the MCAS portal, navigate to Cloud Discovery > Policies. Create a policy to automatically unsanction apps with a risk score above 7. Set conditions: if app risk score > 7, then action: unsanction app. The policy runs every time new logs are processed (every few minutes). You can also set exceptions for specific user groups. For example, allow the IT team to use any app. The policy will generate alerts and apply actions like blocking access via the reverse proxy. Default action is 'Alert only'.
Connect a Cloud App via API Connector
Go to Connected Apps > App Connectors. Select the app (e.g., Salesforce). Provide admin credentials for that app and grant required permissions (read all users, files, activities). MCAS will perform an initial scan. The connector polls the app API every hour for changes. For Office 365, the connector is automatic if MCAS is integrated with Microsoft 365. Ensure the service account has global admin role for full visibility. Common issue: insufficient permissions cause incomplete data.
Create a Data Protection Policy
Under Control > Policies > Create Policy > Data Protection Policy. Choose a template like 'SharePoint Online: Block sharing with external users for files labeled Confidential'. Set conditions: file label is 'Confidential' and sharing type is 'External'. Set action: 'Remove external users' or 'Block sharing'. The policy is enforced via API (for connected apps) or via session control (for browser-based access). You can also set alerts and user notifications. Test the policy with a sample file.
Enable Real-Time Session Control
In Microsoft Entra ID, create a Conditional Access policy. Assign users and cloud apps (e.g., Salesforce). Under Session, select 'Use Conditional Access App Control' and choose 'Monitor only' or 'Block downloads'. This redirects user traffic through MCAS proxy. In MCAS, under Settings > Conditional Access App Control, configure session policies like 'Block download of sensitive files'. The proxy inspects HTTP headers and content. Ensure the cloud app is supported for session control (e.g., Salesforce, Dropbox, AWS).
Enterprise Scenario 1: Shadow IT Discovery in a Large Enterprise
A multinational corporation with 10,000 employees suspects employees are using unauthorized cloud file-sharing apps. The security team deploys MCAS log collectors on their Palo Alto firewalls. They configure the collectors to send logs via Syslog. Within 24 hours, MCAS discovers 300 cloud apps in use, including 50 high-risk apps (risk score > 7). The team creates a policy to automatically unsanction high-risk apps and block access via the reverse proxy. They also set up weekly reports for business unit heads. Performance considerations: log collectors can handle up to 50,000 logs per second; scaling requires multiple collectors. Common misconfiguration: forgetting to whitelist MCAS IPs in the firewall, causing log upload failures.
Enterprise Scenario 2: Data Leakage Prevention with API Connectors
A financial services firm uses Google Workspace and Salesforce. They connect MCAS via API connectors to both. They create a policy to detect files shared externally that contain credit card numbers (via DLP integration). When a file is detected, MCAS automatically revokes external sharing and quarantines the file. They also set up alerts to the security team. The initial scan of Google Drive took 6 hours due to 10 TB of data. Performance: API connectors have rate limits (e.g., Google Workspace: 10,000 API calls per day). MCAS respects these limits to avoid throttling. Misconfiguration: using a regular user account instead of a service account with admin privileges results in incomplete data.
Enterprise Scenario 3: Anomaly Detection for Account Compromise
A healthcare organization uses MCAS to monitor user activities in Office 365. A user's account is compromised; the attacker logs in from Russia while the user is in the US. MCAS's impossible travel anomaly detection triggers an alert (distance > 500 km, time difference < 1 hour). The security team investigates and confirms the compromise. They use MCAS to suspend the user's access to all cloud apps immediately. They also integrate with Microsoft Sentinel for automated playbook response. Common pitfall: not setting up the baseline correctly—if the user travels frequently, false positives occur. Tuning the anomaly threshold to 90 (instead of default 80) reduces noise.
What AZ-500 Tests on MCAS (Objective 4.1)
The exam focuses on three areas: (1) Cloud Discovery and shadow IT identification, (2) Data protection via policies and session controls, (3) Anomaly detection and response. Specific objective codes: 4.1.1 (Configure and manage Microsoft Defender for Cloud Apps), 4.1.2 (Implement cloud application security controls), 4.1.3 (Manage cloud app permissions). Questions often present a scenario requiring you to choose the correct tool: MCAS vs. Microsoft Defender for Endpoint vs. Azure Sentinel.
Most Common Wrong Answers
Choosing 'Conditional Access' instead of 'Session Control': Candidates see a need to block downloads and think Conditional Access alone can do it. Reality: Conditional Access redirects traffic to MCAS, but the actual blocking is done by MCAS session policy. The exam expects you to know that session control is configured in MCAS, not in Conditional Access.
Selecting 'App connector' for real-time blocking: App connectors are API-based and provide retrospective control (e.g., remove sharing after the fact). For real-time blocking, you need session control (reverse proxy). The exam tests the distinction.
Assuming MCAS can block all apps: MCAS can only block apps that are supported for session control (about 200+ apps). For unsupported apps, it can only provide visibility and API-based governance (e.g., unsanction app).
Specific Numbers and Terms
Cloud app catalog: 31,000+ apps
Default risk score threshold for unsanction: 7
Impossible travel: distance > 500 km, time difference < 1 hour
Default session timeout: 8 hours (max 24)
Log collector default upload interval: 5 minutes
Anomaly detection baseline: 14 days
App connector sync interval: 1 hour (minimum 15 minutes)
Edge Cases and Exceptions
Session control for mobile apps: Session control only works for browser-based access, not native mobile apps. The exam may ask about limitations.
App connector permissions: For Google Workspace, the service account must have domain-wide delegation. For Salesforce, the user must have 'Manage Users' permission.
Log collector for cloud proxies: If using a cloud proxy like Zscaler, you can use the MCAS integration directly without a log collector.
How to Eliminate Wrong Answers
If the scenario mentions 'real-time blocking' or 'inline control', eliminate options that only offer API-based governance (e.g., app connectors).
If the scenario is about discovering unauthorized apps, look for 'Cloud Discovery' or 'Log collector'.
If the scenario involves DLP for files already stored, app connectors are appropriate.
Remember: MCAS is a CASB; it does not replace endpoint protection or SIEM.
MCAS is a CASB that provides visibility, data protection, and threat detection for cloud apps.
Cloud Discovery uses log collectors to identify shadow IT; the catalog has over 31,000 apps.
Session control (reverse proxy) enables real-time blocking and monitoring for supported apps.
App connectors provide API-based governance for deep control over files and permissions.
Anomaly detection baseline is 14 days; impossible travel triggers if distance > 500 km and time < 1 hour.
Integration with Entra ID Conditional Access is required for session control.
Default session timeout is 8 hours; configurable up to 24 hours.
The exam tests the difference between real-time (session control) and retrospective (API) controls.
These come up on the exam all the time. Here's how to tell them apart.
Session Control (Reverse Proxy)
Real-time enforcement (block downloads, require MFA)
Works only for browser-based access
Supports about 200+ cloud apps
Requires Conditional Access integration
Inspects HTTP traffic and content
App Connectors (API-based)
Asynchronous enforcement (remove sharing, quarantine files)
Works for native apps and browsers
Supports major apps like Office 365, Salesforce, Google Workspace, AWS
Requires admin credentials for the app
Provides deep visibility into file permissions and user activities
Mistake
MCAS can block all cloud apps in real time.
Correct
MCAS can only block apps that are supported for session control (reverse proxy), which is about 200+ apps. For unsupported apps, it can only provide visibility and API-based governance (e.g., unsanction app), which is not real-time blocking.
Mistake
Conditional Access alone can enforce download blocking.
Correct
Conditional Access can redirect traffic to MCAS for session control, but the actual blocking policy is configured in MCAS. The exam expects you to know that session control is a feature of MCAS, not Conditional Access.
Mistake
App connectors provide real-time protection.
Correct
App connectors use APIs and operate asynchronously. They can detect and remediate issues after they happen (e.g., remove external sharing), but not in real time. Real-time protection requires session control.
Mistake
The log collector is required for all MCAS features.
Correct
Log collectors are only needed for Cloud Discovery from network appliances. If you use API connectors for cloud apps, you get visibility without a log collector. However, for shadow IT discovery, log collectors are essential.
Mistake
MCAS works with any cloud app out of the box.
Correct
MCAS has a catalog of over 31,000 apps, but deep integration (session control, API connector) is available only for a subset. For unknown apps, MCAS provides basic discovery and risk scoring but limited control.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
MCAS focuses on cloud app security (shadow IT, data protection in SaaS apps), while Microsoft Defender for Endpoint protects endpoints (devices) from malware and attacks. They integrate: MCAS can use endpoint signals for anomaly detection (e.g., if a device is compromised, block its cloud access). For the exam, know that MCAS is for cloud apps, not endpoints.
First, integrate MCAS with Entra ID Conditional Access: create a policy that targets Salesforce and assigns session control 'Use Conditional Access App Control'. Then, in MCAS, create a session policy under Control > Policies > Create Policy > Session Policy. Set condition: app = Salesforce, action = Block download. Test by accessing Salesforce via browser. Remember, this only works for browser sessions, not the native Salesforce mobile app.
Yes, but limited. For unsanctioned apps, MCAS can only provide visibility and allow you to block access via the reverse proxy if the app is supported for session control. For unsupported unsanctioned apps, you can only use API-based governance if you connect them via app connectors (which requires the app to have an API). Otherwise, you can only alert and manually block at the firewall level.
The default threshold is a risk score greater than 7 (on a scale of 0 to 10). You can change this in the Cloud Discovery policy. The exam may ask the default value, so remember 7.
MCAS uses machine learning to establish a baseline of user locations over 14 days. When a login occurs, it compares the location to previous logins. If the distance between two consecutive logins is greater than 500 km and the time difference is less than 1 hour, it triggers an alert. This indicates the user couldn't have physically traveled that distance. The default alert threshold is 80 (risk score).
Log collectors are only needed for Cloud Discovery from network appliances to identify shadow IT. If you only care about sanctioned apps (like Office 365) and have API connectors, you don't need a log collector. However, to discover unauthorized apps, you need log collectors or a cloud proxy integration.
You need a Google Workspace account with super admin privileges and must enable domain-wide delegation for the MCAS service account. The service account needs OAuth scopes for admin APIs (e.g., for Drive, Gmail, Calendar). Without domain-wide delegation, MCAS cannot read all users' data.
You've just covered Microsoft Defender for Cloud Apps (MCAS) — now see how well it sticks with free AZ-500 practice questions. Full explanations included, no account needed.
Done with this chapter?