This chapter covers Microsoft Defender for Cloud Apps (MDCA), a Cloud Access Security Broker (CASB) solution that provides visibility, data controls, and threat protection for cloud applications. For the SC-200 exam, MDCA is a significant topic, appearing in roughly 10-15% of questions within the Defender XDR domain (Objective 1.4). You will be tested on its architecture, deployment methods, policy configuration, and integration with other Microsoft security tools. Mastering MDCA is essential for any security operations analyst tasked with securing cloud app usage in a hybrid or multi-cloud environment.
Jump to a section
Microsoft Defender for Cloud Apps (MDCA) acts like a corporate security guard stationed at the entrance of a large office building. The guard doesn't just check badges—they also monitor employee behavior, watch for tailgating, and log every entry and exit. In this analogy, the building represents your cloud environment, and employees are users accessing cloud apps. The guard has a list of approved apps (like sanctioned apps) and can block access to unapproved ones (unsanctioned apps). They also have a camera system that records every interaction—this is the log collection from APIs and proxies. When an employee tries to enter at 3 AM from a foreign country, the guard flags this as anomalous and alerts the security team (alerts and investigations). The guard can also enforce policies, like requiring a second form of ID (conditional access) for sensitive areas. Importantly, the guard doesn't just react; they proactively look for patterns—like an employee accessing the server room every day at odd hours—which corresponds to MDCA's anomaly detection and user entity behavioral analytics (UEBA). If the guard sees a known threat actor (e.g., a person on a watchlist) trying to enter, they immediately lock down the building (governance actions like suspending a user or revoking permissions). The guard's logs are sent to a central security operations center (Microsoft Sentinel) for correlation with other data sources. This analogy captures the core functions: discovery, control, protection, and investigation of cloud app usage.
What is Microsoft Defender for Cloud Apps?
Microsoft Defender for Cloud Apps (MDCA) is a Cloud Access Security Broker (CASB) that acts as a gatekeeper between your organization's users and cloud applications. It provides: - Visibility: Discover all cloud apps in use (shadow IT). - Data security: Control data sharing and apply DLP (Data Loss Prevention) policies. - Threat protection: Detect and block malicious activities using UEBA and threat intelligence. - Compliance: Enforce policies for regulatory compliance.
MDCA is natively integrated with Microsoft 365 Defender, Azure Active Directory (Azure AD), and Microsoft Sentinel, making it a central component of the Microsoft security stack.
Why It Exists
Traditional network security perimeters (firewalls, proxies) are ineffective for cloud apps because traffic is encrypted (TLS) and users access apps from anywhere. CASBs fill this gap by monitoring API calls and proxy traffic, allowing security teams to enforce policies regardless of user location or device. MDCA specifically leverages Microsoft's vast threat intelligence and identity protection capabilities.
How It Works Internally
MDCA operates through two primary deployment modes: 1. Log Collector (App Discovery): On-premises or cloud-based agents that collect firewall and proxy logs (e.g., from Palo Alto, Zscaler, or Cisco) and forward them to MDCA for analysis. This helps discover shadow IT. 2. API Connectors: Direct integration with cloud providers (e.g., Microsoft 365, Google Workspace, Salesforce, AWS) via their APIs. This allows MDCA to read metadata and content, apply DLP, and take governance actions (e.g., quarantine files, suspend users).
Additionally, Conditional Access App Control uses reverse proxy architecture. When a user accesses a cloud app, traffic is routed through MDCA's proxy, which can enforce session policies (e.g., read-only, block download) in real time. This requires Azure AD Conditional Access policies to route traffic.
Key Components, Defaults, and Timers
- Cloud Discovery Dashboard: Shows discovered apps, risk scores (1-10), and usage trends. Default data retention is 90 days. - App Risk Score: Based on 80+ risk factors (e.g., encryption, data center location, compliance certifications). Scores range from 1 (least risky) to 10 (most risky). - Policies: Types include: - Access policies: Enforce real-time controls (e.g., block download from unmanaged devices). - Activity policies: Trigger on specific activities (e.g., multiple failed logins). - File policies: Scan files for sensitive content (e.g., credit card numbers) using built-in DLP or custom expressions. - Anomaly detection policies: Built-in UEBA that detects impossible travel, ransomware, etc. - OAuth app policies: Monitor third-party app permissions. - Governance actions: Examples include suspend user, revoke permissions, quarantine file, send email. Actions depend on the app's API capabilities. - Session controls: Supported for major browsers (Edge, Chrome, Firefox) via a browser extension or via Azure AD Conditional Access. Default session timeout is 1 hour. - Log collector: Supports syslog, FTP, or cloud storage (Azure Blob, AWS S3). Default upload interval is every 5 minutes.
Configuration and Verification Commands
In the Microsoft 365 Defender portal, navigate to Cloud Apps > Policies to create policies. For example, to create an activity policy: 1. Go to Policies > Policy management > Create policy > Activity policy. 2. Set Policy name, Severity, and Category. 3. Define Filter (e.g., App = Office 365, Activity = Failed login). 4. Set Governance action (e.g., Suspend user). 5. Enable the policy.
To verify log collection:
Check Cloud Discovery > Dashboard for uploaded data.
Use PowerShell to query MDCA:
Install-Module -Name MSCommerce
Connect-MsolService
Get-MsolCompanyInformationFor API connector status, navigate to Connected apps and verify status is "Connected".
Integration with Related Technologies
Microsoft 365 Defender: MDCA shares alerts and incidents with the unified M365 Defender portal. Investigation of cloud app activities can be done from the incident timeline.
Azure AD: Conditional Access policies can be configured to route traffic through MDCA's reverse proxy. Azure AD Identity Protection's risk events can trigger MDCA policies.
Microsoft Sentinel: MDCA can be connected as a data source, sending alerts and logs for advanced hunting and correlation. The connector uses the Microsoft 365 Defender connector or the Cloud Apps API.
Microsoft Information Protection (MIP): MDCA can apply sensitivity labels to files discovered in cloud apps.
Microsoft Defender for Identity (MDI): MDI's signals (e.g., compromised account) can be used in MDCA policies.
Step-by-Step: Deploying MDCA Log Collector
Create a log collector instance in MDCA portal: Cloud Apps > Cloud Discovery > Create log collector.
Install the collector on a Windows Server or Linux VM. For example, on Windows:
Install-Module -Name CloudAppSecurity
Install-CloudAppSecurityLogCollector -InstanceName <InstanceName>Configure data sources (e.g., Palo Alto firewall) to send logs to the collector via syslog.
Verify logs appear in Cloud Discovery dashboard after a few minutes.
Step-by-Step: Creating a File Policy
Navigate to Policies > Policy management > Create policy > File policy.
Name the policy, e.g., "Block sharing of sensitive data externally".
Set filter: App = Box, File contains sensitive content (e.g., credit card number).
Define actions: Block sharing, notify user, quarantine file.
Enable policy and test with a sample file.
Identify cloud app usage
Use Cloud Discovery to analyze logs from firewalls and proxies. MDCA aggregates logs from log collectors or direct API connectors. The Cloud Discovery dashboard shows discovered apps, users, and IP addresses. This step reveals shadow IT—apps not sanctioned by IT. For example, you might find Dropbox being used alongside OneDrive. The risk score for each app is calculated based on 80+ factors like encryption, GDPR compliance, and data center location. This visibility is the foundation for all subsequent controls.
Sanction and unsanction apps
Based on discovery, categorize apps as sanctioned (allowed) or unsanctioned (blocked). Sanctioned apps are trusted and can have additional policies applied. Unsanctioned apps can be blocked using MDCA's Conditional Access App Control or by configuring your firewall to block them. You can also tag apps for monitoring. For example, if employees use a personal cloud storage app like Google Drive for work, you can unsanction it and block access. This step enforces the first layer of control.
Deploy API connectors for sanctioned apps
For sanctioned apps like Office 365, Salesforce, or Box, connect them via API. This requires admin credentials for each app. Once connected, MDCA can read all metadata and content (files, emails, activities). You can then apply DLP policies, monitor user activities, and take governance actions. For example, you can create a file policy that quarantines any file containing a credit card number shared externally. API connectors provide deep visibility and control.
Configure Conditional Access App Control
To enforce real-time session policies, integrate MDCA with Azure AD Conditional Access. Create a Conditional Access policy that targets specific cloud apps (e.g., Salesforce) and session controls (e.g., require MDCA to monitor or block). When a user accesses the app, traffic is proxied through MDCA. This allows granular controls like blocking downloads, preventing copy-paste, or requiring step-up authentication. Session policies are defined in MDCA's Access policies.
Create and test policies
Create activity, file, access, anomaly, and OAuth app policies. For example, an activity policy could alert on multiple failed logins from a single user. A file policy could block sharing of files labeled 'Highly Confidential'. Test policies in a simulated environment using MDCA's 'Test' mode (for file policies) or by creating a test user. After verification, enable the policies in production. Monitor alerts in the Microsoft 365 Defender portal and fine-tune as needed.
Scenario 1: Shadow IT Discovery and Control
A large enterprise with 10,000 employees suspected employees were using unsanctioned cloud file sharing services. They deployed MDCA log collectors on their on-premises firewalls (Palo Alto) and within Azure (using vnet flow logs). Within 24 hours, MDCA discovered 150 distinct cloud apps in use, including personal Dropbox accounts, WeTransfer, and Google Drive. The security team unsanctioned high-risk apps (e.g., those with poor security posture) and created a policy to block access via Conditional Access App Control. They also communicated the approved list (OneDrive, SharePoint) to all employees. This reduced shadow IT by 80% within a month. Performance considerations: Log collectors require adequate CPU/memory on the VM (4 vCPU, 8 GB RAM recommended). Log volume can be high; MDCA processes up to 10 million events per day per collector. Misconfiguration: If the log collector is not properly sized, logs may be dropped, leading to incomplete visibility.
Scenario 2: Data Loss Prevention for Sensitive Files
A financial services company needed to prevent credit card numbers from being shared externally via Office 365. They connected MDCA to Office 365 via API and created a file policy that scanned all files in SharePoint Online and OneDrive for Business for PCI-DSS data (credit card numbers). The policy was set to block external sharing of any file containing such data and quarantine the file. Additionally, they applied a sensitivity label 'Confidential' automatically via MDCA's integration with Microsoft Information Protection. The policy was tested on a small group of users first. In production, it blocked 50 sharing attempts in the first week, preventing potential data breaches. Common issue: File policy scanning can take up to 15 minutes for large repositories (over 1 million files). Administrators must ensure the policy filters are efficient to avoid performance impact.
Scenario 3: Anomaly Detection and Incident Response
A healthcare organization was targeted by a phishing campaign that compromised a user's credentials. MDCA's anomaly detection policy flagged impossible travel: the user logged in from New York and then from Russia within 5 minutes. The alert was sent to the SOC via Microsoft 365 Defender. The SOC investigated using MDCA's activity log and saw the attacker was downloading patient records from a cloud EHR system. They immediately suspended the user via MDCA's governance action and revoked all active sessions. The incident was then escalated to Microsoft Sentinel for deeper hunting. This scenario highlights the importance of MDCA's UEBA and real-time response. Misconfiguration: If the impossible travel policy threshold is too low (e.g., 10 minutes), it may generate false positives for users with VPNs. Default threshold is 1 hour.
What SC-200 Tests on MDCA
The SC-200 exam objective 1.4 covers: - Deploy and manage Microsoft Defender for Cloud Apps: Understand deployment modes (log collector vs API), onboarding, and configuration. - Configure policies: Specifically, file policies, activity policies, access policies, and anomaly detection policies. Know the difference between types. - Interpret results: Analyze Cloud Discovery dashboards, alerts, and investigations. Understand risk scores and governance actions. - Integrate with other tools: Know how MDCA connects to Azure AD, Microsoft 365 Defender, and Microsoft Sentinel.
Common Wrong Answers and Why
Confusing API connectors with log collectors: Candidates often think API connectors are only for discovery. In reality, API connectors provide deep visibility and governance actions, while log collectors are primarily for discovery (shadow IT). Wrong answer: "API connectors are used for discovering cloud apps." Correct: "API connectors are used for sanctioned apps to apply DLP and governance."
Believing Conditional Access App Control requires a proxy on-premises: Many think you need a physical proxy. Actually, MDCA acts as a reverse proxy in the cloud, routing traffic via Azure AD. Wrong: "Session control requires installing a proxy server." Correct: "Session control uses Azure AD Conditional Access to route traffic through MDCA's cloud proxy."
Assuming all policies work in real-time: File policies are not real-time; they scan files periodically (every few hours). Activity policies are real-time. Wrong: "File policies block sharing instantly." Correct: "File policies have a delay; activity policies are real-time."
Overlooking OAuth app policies: The exam tests OAuth app policies for monitoring third-party app permissions. Candidates forget this policy type.
Specific Numbers and Terms to Memorize
Risk score range: 1-10 (1 least risky, 10 most risky).
Cloud Discovery data retention: 90 days.
Log collector default upload interval: 5 minutes.
Session timeout default: 1 hour.
Supported browsers for session control: Edge, Chrome, Firefox.
Anomaly detection types: Impossible travel, activity from anonymous IP, ransomware, etc.
Edge Cases and Exceptions
Log collector fails to upload: Check firewall ports (syslog: 514, 601; FTP: 21; HTTPS: 443). Also ensure the collector's clock is synchronized.
Session control not working: Verify Azure AD Conditional Access policy is configured with session control, and the user's browser is compatible.
File policy not scanning: Ensure the app connector is healthy and the policy filters are correct; scanning can take up to 24 hours for initial sync.
How to Eliminate Wrong Answers
If a question mentions "discovery" and "logs from firewalls", the answer involves log collectors.
If a question mentions "real-time control" and "block download", think session control via Conditional Access.
If a question mentions "DLP" and "Office 365", think API connector and file policy.
If a question mentions "third-party app permissions", think OAuth app policies.
MDCA is a CASB that provides visibility, data security, and threat protection for cloud apps.
Two deployment modes: Log Collector (for discovery) and API Connector (for sanctioned apps).
Conditional Access App Control uses reverse proxy to enforce real-time session policies.
Risk scores range from 1 (safe) to 10 (risky), based on 80+ factors.
Cloud Discovery data retention is 90 days; log collector upload interval is 5 minutes.
File policies are not real-time; activity policies are real-time.
Supported browsers for session control: Edge, Chrome, Firefox.
OAuth app policies monitor third-party app permissions.
Integration with Azure AD, Microsoft 365 Defender, and Sentinel is key for exam questions.
Governance actions depend on app API capabilities; common actions include suspend user, revoke permissions, quarantine file.
These come up on the exam all the time. Here's how to tell them apart.
Log Collector
Used for discovery of shadow IT from firewall/proxy logs.
Requires on-premises or cloud VM to install collector.
Provides metadata only (app usage, users, IPs).
No ability to apply DLP or governance actions.
Supports syslog, FTP, and cloud storage sources.
API Connector
Used for sanctioned apps to gain deep visibility and control.
No infrastructure needed; direct API integration.
Provides full content access (files, emails, activities).
Can apply DLP policies, governance actions (quarantine, suspend user).
Requires admin credentials for each app; supports Office 365, Salesforce, etc.
Mistake
MDCA only works with Microsoft cloud apps.
Correct
MDCA supports over 20,000 cloud apps via discovery and provides API connectors for major non-Microsoft apps like Salesforce, Box, Dropbox, Google Workspace, and AWS.
Mistake
Log collectors are required for MDCA to work.
Correct
Log collectors are optional for discovery. You can get visibility into sanctioned apps directly via API connectors without log collectors. Log collectors are only needed for shadow IT discovery from network logs.
Mistake
Conditional Access App Control works with any browser.
Correct
Session control requires a modern browser that supports cookies and JavaScript. Officially supported browsers are Microsoft Edge, Google Chrome, and Mozilla Firefox. Internet Explorer and Safari may have limited support.
Mistake
File policies in MDCA scan files in real-time.
Correct
File policies scan files based on a schedule (typically every few hours) or when a file is created/modified, but there is a delay. For real-time blocking of file uploads, use session controls instead.
Mistake
MDCA can block all cloud app access without integration.
Correct
To block access to unsanctioned apps, MDCA needs either Conditional Access App Control (for supported apps) or integration with a proxy/firewall. Without these, MDCA can only alert, not block.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
A log collector is used for discovering shadow IT by analyzing firewall and proxy logs; it provides metadata only and cannot apply governance. An API connector integrates directly with a cloud app's API, allowing full content access and governance actions like DLP and user suspension. For the exam, remember: log collectors = discovery; API connectors = control.
Conditional Access App Control uses Azure AD Conditional Access policies to route user traffic through MDCA's reverse proxy. When a user accesses a configured cloud app, the proxy intercepts the session and enforces policies (e.g., block download, read-only). This requires a supported browser and the user to be authenticated via Azure AD. The exam may ask about prerequisites: Azure AD P1 license, supported apps, and browser compatibility.
The default impossible travel policy triggers when a user logs in from two locations that are geographically impossible to reach within 1 hour. For example, a login from New York and then from London within 30 minutes would trigger an alert. The threshold can be customized. The exam may test the default time window (1 hour) and that it uses geographic distance, not just time.
Yes, if you use Conditional Access App Control with Azure AD, you can block access to unsanctioned apps by creating a session policy that blocks the app entirely. However, this only works for apps that support session control (SAML-based apps). For non-SAML apps, you need to block at the firewall level using the discovered IP addresses. The exam may ask about blocking mechanisms.
You can connect MDCA to Sentinel using the Microsoft 365 Defender connector (recommended) or the Cloud Apps API connector. Once connected, MDCA alerts and logs appear in Sentinel for advanced hunting and correlation. This integration is tested in the exam as part of the Defender XDR domain. Know that the connector requires appropriate permissions and can be configured in Sentinel's data connectors blade.
Cloud Discovery data is retained for 90 days by default. This includes logs from log collectors and API connectors. After 90 days, the data is purged. The exam may ask this exact number. You can export data for long-term storage.
OAuth app policies monitor third-party applications that have been granted permissions to access your organization's data via OAuth (e.g., a calendar app that reads your emails). MDCA can detect risky OAuth apps (e.g., with high permissions) and revoke their access. The exam may include scenarios where you need to create an OAuth app policy to block a malicious app.
You've just covered Microsoft Defender for Cloud Apps — now see how well it sticks with free SC-200 practice questions. Full explanations included, no account needed.
Done with this chapter?