This chapter covers Microsoft Defender for Cloud Apps, a Cloud Access Security Broker (CASB) solution that protects your organization's cloud applications. For the SC-900 exam, this topic appears in Domain 3: Security Solutions, Objective 3.2, and typically accounts for 5-10% of exam questions. You must understand its architecture, core capabilities (discovery, protection, detection, and governance), and how it integrates with other Microsoft security products like Defender for Endpoint and Azure AD. This chapter provides the depth needed to answer scenario-based questions and differentiate Defender for Cloud Apps from other Microsoft security tools.
Imagine a large corporate office building with multiple entrances, thousands of employees, and hundreds of third-party vendors. The building has a security guard at the main entrance who checks IDs (authentication) and logs who enters. But that guard only sees people coming through the front door. What if employees use side doors, or vendors access the building through a separate contractor entrance? What if an employee brings in a guest without logging them? The single guard cannot monitor all activity across the entire building. Now imagine a centralized security operations center (SOC) that receives feeds from every door sensor, badge reader, camera, and Wi-Fi access point in the building. The SOC correlates all this data to detect anomalies: an employee swiping into a restricted area at 3 AM, a vendor badge used in two different floors simultaneously, or a contractor who never left. The SOC can also set policies—for example, if someone tries to enter a floor they don't have clearance for, the SOC automatically locks that door and alerts security. This SOC is Microsoft Defender for Cloud Apps. It doesn't replace the front-door guard (Azure AD authentication) but aggregates logs from all cloud apps (the doors), analyzes user behavior (the badge swipes), and enforces policies (lock doors, alert guards). It can even act as a proxy (like a security checkpoint inside the lobby) to inspect all traffic to and from cloud apps in real time. Without this SOC, you would have blind spots—users accessing shadow IT apps, compromised accounts exfiltrating data, or unusual activity that a single guard could never catch.
What is Microsoft Defender for Cloud Apps?
Microsoft Defender for Cloud Apps is a Cloud Access Security Broker (CASB) that provides visibility into cloud app usage, data protection controls, threat detection, and compliance assessment for SaaS, PaaS, and IaaS applications. It sits between your users and cloud apps, enforcing policies and monitoring activity. It can be deployed in three modes, which complement rather than replace one another:
Log collection mode (passive): Integrates with firewall and proxy logs to discover shadow IT.
API-based mode (active): Connects directly to cloud app APIs (e.g., Microsoft 365, Salesforce, Box) for deeper visibility and control.
Proxy-based mode (real-time): Uses a reverse proxy to inspect traffic in real time for session-level controls.
Core Capabilities
Shadow IT Discovery – Identifies cloud apps in use by analyzing traffic logs from network appliances (e.g., Zscaler, Palo Alto) or from Microsoft Defender for Endpoint. The Cloud App Catalog contains over 31,000 apps, each risk-scored from 1 to 10 (10 = most secure) based on factors like encryption, data residency, and compliance certifications.
App Governance – Once apps are discovered, admins can sanction (allow), unsanction (block), or monitor them. Sanctioned apps can be connected via API for deeper control.
Information Protection – Integrates with Microsoft Information Protection (MIP) to apply sensitivity labels to files in cloud apps, enforce DLP policies, and control sharing.
Threat Detection – Uses behavioral analytics (UEBA) and machine learning to detect anomalous user behavior, such as impossible travel, mass download, or unusual admin activity. Alerts are generated with severity levels (low, medium, high).
Access Control – Real-time session controls via the proxy allow admins to block downloads, restrict access from unmanaged devices, or require step-up authentication.
Compliance – Provides dashboards for regulatory compliance (GDPR, HIPAA, etc.) and generates reports on data exposure.
How It Works Internally
#### Log Collection for Discovery
Defender for Cloud Apps can consume logs from a wide range of firewalls, proxies and secure web gateways. Typical sources:
Syslog from network appliances (e.g., Cisco, Juniper, Fortinet), forwarded by a log collector
FTP/SFTP batch uploads to a log collector, or one-off manual uploads that produce a snapshot report
Microsoft Defender for Endpoint (formerly Windows Defender Advanced Threat Protection), which reports cloud app traffic observed on onboarded devices with no network appliance involved
Integrated third-party secure web gateways that forward discovery data directly to the service
Uploaded logs are stored and processed by the Defender for Cloud Apps service. The parser extracts source IP (and user name, where the appliance logs it), destination host, timestamps, and bytes transferred in each direction. Destination hosts are then matched against the Cloud App Catalog to identify which apps are in use and how much data flows to each. Results appear in the Cloud Discovery report within hours of upload; allow up to 24 hours for a fresh upload to be fully analyzed before concluding that data is missing.
Key Defaults: - Log upload limits: 100 MB per file and about 1 GB per day per tenant as stated on this page; confirm current service limits before sizing a log collector. - Data retention: 90 days for discovery data. - Supported log formats: vendor formats handled by built-in parsers (CEF, W3C and others); a custom parser for formats not covered.
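As an added illustration, not Microsoft's parser, the following Python reproduces the discovery step on a handful of constructed W3C-style firewall lines: parse each record, match the destination host to a small stand-in catalog by walking up the domain labels, aggregate users and bytes per app, and surface unsanctioned low-scoring apps that carry upload volume. The field order, the catalog entries and their risk scores are assumptions for this example; the real catalog has 31,000+ entries and vendor-specific parsers.

```python
"""Toy Cloud Discovery: parse firewall log lines, aggregate per destination,
and match hosts against a small constructed app catalog.

Added illustration, not Microsoft code. The log lines, the catalog and its
risk scores are constructed for this example."""

# Constructed W3C-style extended log lines (space separated). The field order
# is an assumption for this example, not a specific vendor's format:
# date time c-ip cs-username cs-host sc-bytes cs-bytes
SAMPLE_LOG = """\
2024-03-01 09:02:11 10.1.4.22 alice contoso-my.sharepoint.com 52000 1200
2024-03-01 09:03:45 10.1.4.22 alice www.dropbox.com 800 4100000
2024-03-01 09:04:02 10.1.5.31 bob dl.dropboxusercontent.com 3100000 600
2024-03-01 09:05:19 10.1.5.31 bob wetransfer.com 700 9800000
2024-03-01 09:06:00 10.1.7.9 carol api.example-unknown.net 300 300
malformed line that should be skipped
"""

# Constructed catalog: registrable domain -> (app name, risk score 1-10, where
# 10 is most secure, the same convention as the real Cloud App Catalog).
CATALOG = {
    "sharepoint.com": ("Microsoft SharePoint Online", 10),
    "dropbox.com": ("Dropbox", 8),
    "dropboxusercontent.com": ("Dropbox", 8),
    "wetransfer.com": ("WeTransfer", 5),
}
SANCTIONED = {"Microsoft SharePoint Online"}


def parse_line(line):
    """Return (user, host, bytes_down, bytes_up), or None for unparsable lines."""
    parts = line.split()
    if len(parts) != 7:
        return None
    _date, _time, _ip, user, host, sc_bytes, cs_bytes = parts
    try:
        return user, host.lower(), int(sc_bytes), int(cs_bytes)
    except ValueError:
        return None


def lookup_app(host):
    """Match a hostname to a catalog entry by walking up its domain labels."""
    labels = host.split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in CATALOG:
            return CATALOG[candidate]
    return None


def discover(log_text):
    """Aggregate traffic per discovered app; returns {app: summary dict}."""
    report = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unparsable records are dropped, as a real parser would
        user, host, down, up = rec
        app = lookup_app(host)
        name, score = app if app else (f"unknown:{host}", None)
        entry = report.setdefault(name, {"risk_score": score, "users": set(),
                                         "bytes_uploaded": 0, "bytes_downloaded": 0})
        entry["users"].add(user)
        entry["bytes_uploaded"] += up
        entry["bytes_downloaded"] += down
    for name, entry in report.items():
        entry["sanctioned"] = name in SANCTIONED
        entry["users"] = sorted(entry["users"])
    return report


def risky_unsanctioned(report, min_score=6, min_upload_bytes=1_000_000):
    """Apps an admin would triage first: unsanctioned, low-scoring (or not in
    the catalog at all) and carrying meaningful upload volume."""
    return sorted(name for name, e in report.items()
                  if not e["sanctioned"]
                  and (e["risk_score"] is None or e["risk_score"] < min_score)
                  and e["bytes_uploaded"] >= min_upload_bytes)
```

Unknown hosts are kept in the report under an `unknown:` prefix rather than dropped; in practice those are the entries worth a second look, since a destination the catalog cannot name is invisible to risk scoring.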
#### API Integration
For sanctioned apps, you can connect Defender for Cloud Apps using the app's API. This enables:
Real-time monitoring of user activities (e.g., file downloads, permission changes)
DLP policy enforcement (e.g., block sharing of files labeled 'Confidential')
Malware detection (e.g., scan files uploaded to Box for known hashes)
Connecting an app requires an administrator of that app to grant consent (an OAuth grant or app-specific API credentials). Once connected, Defender for Cloud Apps pulls activity logs and file metadata through the app's API on a schedule. The 15-minute polling interval used throughout this page is a representative default; the actual cadence varies by app and by data type (activity feeds for most connectors arrive near real time, while file scans run on a longer interval).
#### Proxy-Based Session Controls
When you configure Conditional Access App Control (CAAC), Defender for Cloud Apps acts as a reverse proxy. Traffic is routed through the Microsoft-managed proxy. The flow:
1. The user authenticates with Azure AD.
2. Azure AD evaluates Conditional Access policies. If the matching policy requires session control, Azure AD redirects the user to the Defender for Cloud Apps proxy.
3. The proxy inspects the request, applies session policies (block, monitor, or allow with restrictions), and forwards it to the cloud app.
4. The response is also inspected before it is returned to the user.
This allows real-time actions like:
Blocking downloads of sensitive files.
Blocking copy, cut, paste, and print within the session (for example, on unmanaged devices).
Protecting files on download by applying a sensitivity label or encryption.
Requiring step-up authentication (MFA) before accessing certain apps.
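To make the decision path concrete, the following added example (not Microsoft code) models the two stages: a Conditional Access step that decides whether the session is proxied at all, and a session-policy step that decides per activity once it is. The upload rule uses a regex plus a Luhn checksum so that an arbitrary run of digits does not count as a card number, which is how a content-inspection DLP rule avoids false positives. The policy shape, field names and sample requests are constructed for this example.

```python
"""Toy model of the Conditional Access -> session control decision path.

Added illustration, not Microsoft code. The policy shape, field names and
the sample requests are constructed; the real evaluation happens in Azure AD
(Conditional Access) and in the Defender for Cloud Apps reverse proxy."""
import re
from dataclasses import dataclass

# 13-19 digits, optionally separated by spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def luhn_ok(digits):
    """Luhn checksum: rejects most random digit runs that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def contains_card_number(text):
    """True if the text holds a digit run of card length that passes Luhn."""
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            return True
    return False


@dataclass
class SessionRequest:
    user: str
    app: str
    device_compliant: bool      # device state as reported to Azure AD
    authenticated: bool
    activity: str               # "view", "download", "upload", "paste"
    file_label: str = ""        # sensitivity label on the target file, if any
    content: str = ""           # body for uploads and pastes


def conditional_access(req, apps_with_session_control):
    """Steps 1-2 of the flow: authenticate, then decide whether the session is
    routed through the proxy. Returns 'deny', 'allow', or 'proxy'."""
    if not req.authenticated:
        return "deny"
    if req.app in apps_with_session_control:
        return "proxy"
    return "allow"


def session_policy(req):
    """Step 3 of the flow: the proxy's per-activity decision."""
    if (req.activity == "download" and not req.device_compliant
            and req.file_label in ("Confidential", "Highly Confidential")):
        return "block_download"
    if req.activity in ("upload", "paste") and contains_card_number(req.content):
        return "block_upload"
    if req.activity == "paste" and not req.device_compliant:
        return "block_paste"
    return "allow"


def evaluate(req, apps_with_session_control=frozenset({"Salesforce"})):
    """End-to-end decision for one request."""
    outcome = conditional_access(req, apps_with_session_control)
    if outcome != "proxy":
        return outcome
    return session_policy(req)
```

Note the ordering: an app that is not targeted by a session-control policy never reaches `session_policy`, which is exactly the "session controls are not automatic" point the exam tests.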
Configuration and Verification Commands
Defender for Cloud Apps is managed via the Microsoft 365 Defender portal (https://security.microsoft.com). There is no PowerShell or CLI for core configuration, but you can use the following:
Advanced hunting: query the CloudAppEvents table in the Microsoft 365 Defender portal with KQL to search and export activity from connected apps. There is no dedicated PowerShell module for Defender for Cloud Apps configuration.
API: Use the Defender for Cloud Apps REST API, reached at your tenant-specific URL (https://<tenant>.<region>.portal.cloudappsecurity.com/api/v1/, shown under Settings > About in the portal), to query activities, alerts, files and discovery data and to manage some settings programmatically.
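As an added example (not Microsoft sample code), here is how a script would assemble an alerts query against that REST API, page through the results and summarize them. The tenant URL is a placeholder, the bearer token is assumed to have been obtained already, and the request and reply field names (filters, skip, limit, data, hasNext, severity codes 0/1/2, the entities list) follow the API reference as understood at the time of writing; verify them against the current documentation before relying on them. The network call is replaced by an in-memory fake so the block runs offline.

```python
"""Assemble and page through a Defender for Cloud Apps alert query.

Added illustration, not Microsoft sample code. Assumptions: a placeholder
tenant-specific portal URL, an OAuth bearer token already obtained, and the
alerts endpoint's filter/paging shape (filters, skip, limit in the POST body;
data and hasNext in the reply). Severity codes 0/1/2 = low/medium/high."""
import json
import urllib.request

SEVERITY_NAMES = {0: "low", 1: "medium", 2: "high"}


def build_alert_request(portal_url, token, min_severity=1, skip=0, limit=100):
    """Return a urllib Request for POST /api/v1/alerts/ with a severity filter."""
    body = {
        "filters": {
            "severity": {"gte": min_severity},
            "resolutionStatus": {"eq": 0},   # 0 = open (assumed code)
        },
        "skip": skip,
        "limit": limit,
    }
    req = urllib.request.Request(
        portal_url.rstrip("/") + "/api/v1/alerts/",
        data=json.dumps(body).encode(),
        method="POST",
    )
    # Legacy API tokens use "Token <key>" instead of a bearer token.
    req.add_header("Authorization", "Bearer " + token)
    req.add_header("Content-Type", "application/json")
    return req


def fetch_all_alerts(fetch_page, page_size=100):
    """Follow hasNext paging until the service reports no more results.
    fetch_page(skip, limit) returns one decoded JSON page; in production it
    would urlopen(build_alert_request(...)) and handle HTTP 429 throttling."""
    alerts, skip = [], 0
    while True:
        page = fetch_page(skip, page_size)
        alerts.extend(page.get("data", []))
        if not page.get("hasNext") or not page.get("data"):
            break
        skip += page_size
    return alerts


def summarize(alerts):
    """Count open alerts by severity name and list the distinct affected users."""
    by_sev, users = {}, set()
    for a in alerts:
        sev = SEVERITY_NAMES.get(a.get("severity"), "unknown")
        by_sev[sev] = by_sev.get(sev, 0) + 1
        for ent in a.get("entities", []):
            if ent.get("type") == "user":
                users.add(ent.get("id"))
    return {"by_severity": by_sev, "users": sorted(users)}


# Constructed pages standing in for two API replies (not real tenant data).
SAMPLE_PAGES = [
    {"data": [
        {"_id": "a1", "severity": 2, "title": "Impossible travel activity",
         "entities": [{"type": "user", "id": "alice@contoso.com"}]},
        {"_id": "a2", "severity": 1, "title": "Mass download by a single user",
         "entities": [{"type": "user", "id": "bob@contoso.com"}]},
    ], "hasNext": True},
    {"data": [
        {"_id": "a3", "severity": 2, "title": "Unusual administrative activity",
         "entities": [{"type": "user", "id": "alice@contoso.com"}]},
    ], "hasNext": False},
]


def fake_fetch_page(skip, limit):
    """Serve SAMPLE_PAGES in place of the network, honouring skip/limit."""
    index = skip // limit
    if index < len(SAMPLE_PAGES):
        return SAMPLE_PAGES[index]
    return {"data": [], "hasNext": False}
```

Paging matters because the API is throttled per tenant; pulling alerts in pages of 100 and stopping on hasNext keeps a polling integration well under the limit.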
Example to list open alerts via the API (placeholder tenant URL; the alerts endpoint takes its filters and paging in the POST body):
POST https://<tenant>.<region>.portal.cloudappsecurity.com/api/v1/alerts/
Authorization: Bearer <token>
Content-Type: application/json

{"filters": {"resolutionStatus": {"eq": 0}}, "skip": 0, "limit": 100}

Integration with Other Microsoft Products
Azure AD: Defender for Cloud Apps uses Azure AD identities for user context. Conditional Access policies can trigger session controls.
Microsoft 365 Defender: Alerts from Defender for Cloud Apps appear in the unified alerts queue.
Microsoft Defender for Endpoint: Endpoint data enriches discovery (e.g., user device info).
Microsoft Sentinel: Can ingest Defender for Cloud Apps logs for SIEM correlation.
Microsoft Information Protection: Sensitivity labels are applied to files in cloud apps.
Licensing and Limits
Standalone: available as a per-user subscription.
Included with: Microsoft 365 E5, Microsoft 365 E5 Security, and Enterprise Mobility + Security E5. Azure AD Premium P1/P2 include only the Cloud App Discovery subset (shadow IT discovery), not the full CASB.
API rate limits: the REST API is throttled per tenant (about 30 requests per minute at the time of writing); page your queries and back off on HTTP 429.
Connected apps: API connectors exist for a few dozen popular SaaS platforms, and the number of instances you can connect per app and per tenant is published in the service limits; check those before planning a rollout.
1. Discover Shadow IT Apps
The first step is to enable Cloud Discovery by configuring log collection. You can either deploy the Cloud Discovery log collector (a Docker container running on a Windows or Linux host) or connect Defender for Endpoint. The log collector forwards firewall and proxy logs to Defender for Cloud Apps. Once logs are uploaded, the service parses them and identifies cloud app usage. The Cloud Discovery dashboard shows a list of discovered apps, each with a risk score from 1 to 10, where 10 is the most secure and 1 the riskiest. Admins can then sanction or unsanction apps. Sanctioned apps can be connected via API for deeper control. This step is critical for gaining visibility into shadow IT: apps used without IT approval. The default data retention for discovery data is 90 days.
2. Connect Sanctioned Apps via API
After sanctioning an app, you connect it using the app's API. For example, to connect Salesforce, an administrator of the Salesforce tenant grants Defender for Cloud Apps consent. Defender for Cloud Apps then pulls activity logs and file metadata from the Salesforce API on a schedule (this page uses 15 minutes as the representative interval; the actual cadence varies by app and data type). This enables visibility into user actions (e.g., export reports, modify permissions) and file-level DLP. The connection requires app-specific permissions, typically read access to activity and file metadata plus whatever is needed for governance actions. Once connected, you can create policies that trigger on specific activities. For instance, a policy can alert when a user downloads more than 100 files in 10 minutes. The API integration also allows Defender for Cloud Apps to apply sensitivity labels to files directly.
3. Create Data Protection Policies
With API connectivity, you can create policies to protect data. For example, a DLP policy can block sharing of files labeled 'Highly Confidential' with external users. Policies are based on conditions like file label, user group, app, and activity type. When a policy is triggered, it can take governance actions such as 'Block sharing', 'Remove external user', or 'Send alert'. Policies are evaluated in real time for API-connected apps. For proxy-based sessions, policies are enforced during the session. For example, a session policy can block upload of files containing credit card numbers. Policies can also trigger automated responses like applying a label or quarantining a file.
4. Deploy Conditional Access App Control
To enforce real-time session controls, you must configure Conditional Access App Control (CAAC). First, create a Conditional Access policy in Azure AD that targets specific cloud apps (e.g., Salesforce) and requires a session control. The policy redirects the user to Defender for Cloud Apps proxy. In Defender for Cloud Apps, you create session policies that define actions like block download, protect file (apply label), or monitor. For example, a session policy can block download of files from unmanaged devices. The proxy intercepts the user's request, applies the policy, and forwards it. This works for any SAML or OIDC app. Note: CAAC requires Azure AD P1 and Defender for Cloud Apps licenses.
5. Investigate and Respond to Alerts
Defender for Cloud Apps generates alerts for suspicious activities. Alerts have severity levels: Low, Medium, High. For example, an impossible travel alert (user logs in from New York and then from London within 1 hour) triggers a high-severity alert. Admins can investigate by reviewing the user's activity timeline, which shows all connected app activities. From the alert, you can take actions like suspend user, revoke sessions, or require MFA. Alerts are also sent to Microsoft 365 Defender unified alerts. You can create custom alert policies based on user groups, IP ranges, or specific activities. The investigation experience includes a built-in UEBA dashboard that shows user risk scores.
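The two detections this page leans on most, impossible travel (step 5) and the mass-download threshold policy (step 2), are easy to reason about in code. The following added example, not Microsoft's detection logic, implements both over constructed sign-in and activity events, with a stand-in GeoIP table and assumed thresholds (1000 km/h as the plausibility limit; more than 100 downloads in a 10-minute sliding window). Sign-ins from IPs with no geolocation are skipped rather than alerted on, which is the edge case that otherwise floods a SOC with noise.

```python
"""Two detections of the kind Defender for Cloud Apps runs over connected-app
activity: impossible travel between successive sign-ins, and a mass-download
threshold (more than N downloads by one user inside a sliding window).

Added illustration, not Microsoft's detection code; the geolocation table,
thresholds and events are constructed for this example."""
from collections import deque
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

# Constructed IP -> (city, lat, lon) table standing in for a GeoIP lookup.
GEO = {
    "198.51.100.7": ("New York", 40.71, -74.01),
    "203.0.113.9": ("London", 51.51, -0.13),
    "198.51.100.8": ("Newark", 40.73, -74.17),
}
MAX_SPEED_KMH = 1000.0    # faster than a commercial flight counts as impossible


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def impossible_travel(logins, max_speed_kmh=MAX_SPEED_KMH):
    """logins: iterable of (user, iso_timestamp, ip). Alerts on any consecutive
    pair of sign-ins per user whose implied speed exceeds max_speed_kmh."""
    last, alerts = {}, []
    for user, ts, ip in sorted(logins, key=lambda e: e[1]):
        if ip not in GEO:
            continue  # unknown location: cannot compute a speed, so no alert
        city, lat, lon = GEO[ip]
        when = datetime.fromisoformat(ts)
        if user in last:
            p_city, p_lat, p_lon, p_when = last[user]
            km = haversine_km(p_lat, p_lon, lat, lon)
            hours = max((when - p_when).total_seconds() / 3600.0, 1e-6)
            if km / hours > max_speed_kmh:
                alerts.append({"user": user, "from": p_city, "to": city,
                               "km": round(km), "hours": round(hours, 2),
                               "severity": "high"})
        last[user] = (city, lat, lon, when)
    return alerts


def mass_download(events, threshold=100, window=timedelta(minutes=10)):
    """events: iterable of (user, iso_timestamp, activity). Fires once per user,
    the first time more than `threshold` downloads fall inside `window`."""
    recent, fired, alerts = {}, set(), []
    for user, ts, activity in sorted(events, key=lambda e: e[1]):
        if activity != "download" or user in fired:
            continue
        q = recent.setdefault(user, deque())
        when = datetime.fromisoformat(ts)
        q.append(when)
        while q and when - q[0] > window:
            q.popleft()          # drop downloads that fell out of the window
        if len(q) > threshold:
            fired.add(user)
            alerts.append({"user": user, "downloads": len(q),
                           "window_minutes": window.seconds // 60,
                           "severity": "medium"})
    return alerts


# Constructed sample data.
SAMPLE_LOGINS = [
    ("alice", "2024-03-01T09:00:00", "198.51.100.7"),   # New York
    ("alice", "2024-03-01T09:45:00", "203.0.113.9"),    # London, 45 minutes later
    ("bob", "2024-03-01T09:00:00", "198.51.100.7"),     # New York
    ("bob", "2024-03-01T10:30:00", "198.51.100.8"),     # Newark, a short drive
    ("carol", "2024-03-01T09:00:00", "192.0.2.1"),      # no geolocation: skipped
]
# dave: 120 downloads, one every 5 seconds; erin: 20 downloads in 20 seconds.
SAMPLE_EVENTS = (
    [("dave", f"2024-03-01T10:{(i * 5) // 60:02d}:{(i * 5) % 60:02d}", "download") for i in range(120)]
    + [("erin", f"2024-03-01T10:00:{i:02d}", "download") for i in range(20)]
)
```

Tuning, as the Common Misconfigurations section below recommends, is a matter of the two parameters: raise `threshold` for roles that legitimately bulk-download, and exclude known corporate egress IPs before they reach `impossible_travel`.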
Enterprise Scenario 1: Shadow IT Discovery
A global financial services firm with 10,000 employees suspects employees are using unapproved cloud apps to share sensitive client data. They deploy Defender for Cloud Apps log collectors on their perimeter firewalls (Cisco ASA). Over 30 days, they discover 1,500 distinct cloud apps in use, including file-sharing apps like Dropbox and WeTransfer. The risk scores reveal that 200 apps have poor security (no encryption, no SOC 2). The firm sanctions only Microsoft OneDrive and Box, and blocks all others via firewall policies. They also create a policy to alert when any user uploads more than 50 MB of data to an unsanctioned app. This reduces data leakage incidents by 40% within three months.
Enterprise Scenario 2: Real-Time Session Control for Sensitive Apps
A healthcare organization uses Salesforce to manage patient records. They need to ensure that clinicians accessing Salesforce from personal devices cannot download patient data. They deploy Conditional Access App Control. When a clinician on a personal device tries to access Salesforce, Azure AD evaluates a Conditional Access policy that requires session control. The user is redirected to the Defender for Cloud Apps proxy. A session policy blocks all downloads and blocks copy, cut, paste and print for those sessions. If the clinician tries to upload a file containing PHI, it is blocked. This supports the organization's HIPAA controls without requiring management of the personal devices.
Common Misconfigurations
Not connecting apps via API: Some admins rely solely on log discovery and never connect sanctioned apps. This means no DLP or threat detection for those apps.
Overly broad session policies: Blocking all downloads from all apps can disrupt legitimate work. Best practice is to scope policies to specific user groups (e.g., external contractors) and specific apps.
Ignoring alert fatigue: Default policies generate many low-severity alerts. Tune policies by excluding known safe IP ranges or raising thresholds (e.g., 100 downloads instead of 10).
What SC-900 Tests on Defender for Cloud Apps
The SC-900 exam focuses on understanding the purpose and capabilities of Defender for Cloud Apps, not deep configuration. Key objective codes: - 3.2.1 Describe the capabilities of Microsoft Defender for Cloud Apps (shadow IT, information protection, threat detection, governance). - 3.2.2 Describe how Defender for Cloud Apps integrates with other Microsoft security solutions.
Common Wrong Answers and Why Candidates Choose Them
'Defender for Cloud Apps is an antivirus solution.' – Wrong. Candidates confuse it with Microsoft Defender for Endpoint. Defender for Cloud Apps is a CASB, not endpoint protection.
'It only works with Microsoft 365 apps.' – Wrong. The Cloud App Catalog covers over 31,000 apps for discovery and risk scoring, and API connectors and the proxy extend protection to third-party SaaS such as Salesforce, Box and Dropbox.
'It replaces Azure AD Conditional Access.' – Wrong. It complements Conditional Access by providing session-level controls, but Conditional Access is still required for authentication policies.
'Discovery requires API connection to each app.' – Wrong. Discovery works via log collection from firewalls, no API needed. API is for deeper control after sanctioning.
Specific Numbers and Terms to Memorize
31,000+ apps in the Cloud App Catalog.
90 days retention for discovery data.
15 minutes default API polling interval.
Risk scores from 1 to 10, where 10 is the most secure and 1 the riskiest.
Deployment modes: Log collection, API, proxy.
Key features: Shadow IT discovery, DLP, UEBA, session controls, compliance.
Edge Cases and Exceptions
Proxy mode only works for SAML/OIDC apps. If an app uses legacy authentication, session controls are not supported.
API connections require admin consent. If admin credentials change, the connection breaks and must be re-established.
Log collection does not require TLS decryption. Discovery matches the destination host name or IP and the byte counts that firewalls and proxies record for HTTPS connections anyway; decrypting traffic only adds full URL paths and is not needed to identify apps or measure volume.
How to Eliminate Wrong Answers
If a question mentions 'blocking downloads in real time', the answer is 'session control via proxy' (not API, which is near real-time).
If a question asks about 'discovering which cloud apps are being used', the answer involves 'log collection from firewalls' or 'Cloud Discovery'.
If a question mentions 'applying sensitivity labels', think 'Microsoft Information Protection integration'.
Microsoft Defender for Cloud Apps is a CASB that provides shadow IT discovery, DLP, threat detection, and session controls for cloud apps.
Discovery uses log collection from firewalls or Defender for Endpoint; no API needed for discovery.
API integration is required for deeper visibility and governance on sanctioned apps, with a default 15-minute polling interval.
Session controls require Conditional Access policies and work only with SAML/OIDC apps via a cloud proxy.
The Cloud App Catalog contains over 31,000 apps, each with a risk score from 1 to 10 (higher is more secure).
Defender for Cloud Apps integrates with Microsoft Information Protection to apply sensitivity labels to files in cloud apps.
Alerts are generated with severity levels (low, medium, high) and can be investigated in the activity timeline.
These come up on the exam all the time. Here's how to tell them apart.
| | Microsoft Defender for Cloud Apps | Microsoft Defender for Endpoint |
|---|---|---|
| Role | CASB for cloud app visibility and control | Endpoint detection and response (EDR) |
| Protects | Data in cloud apps (SaaS, PaaS, IaaS) | Devices (Windows, macOS, Linux, mobile) |
| Deployment | Log collection, API connectors, or reverse proxy | Agent/sensor on endpoints |
| Focus | User behavior and app-level threats | Malware, exploits, and device-level threats |
| Integration | Azure AD Conditional Access for session controls | Microsoft 365 Defender for cross-domain hunting |
Mistake: Defender for Cloud Apps only protects Microsoft 365 apps.
Correct: The Cloud App Catalog covers over 31,000 apps for discovery and risk scoring, and API connectors and the proxy extend protection to third-party SaaS such as Salesforce, Box, and Dropbox.
Mistake: Shadow IT discovery requires installing software on every endpoint.
Correct: Discovery works by collecting logs from existing network appliances (firewalls, proxies) or by using Defender for Endpoint data from devices already onboarded to it; the log collector runs on a single host, not on each endpoint.
Mistake: Session controls are applied automatically to all cloud apps.
Correct: Session controls require Conditional Access policies in Azure AD that route the session through the Defender for Cloud Apps proxy, and the app must federate through SAML or OIDC.
Mistake: Defender for Cloud Apps can block malware from being uploaded to cloud apps.
Correct: For API-connected apps it detects malware in stored files using Microsoft threat intelligence and can quarantine them, but that happens after the upload completes; it is not inline scanning at upload time. For mail and Office 365 attachments, Microsoft Defender for Office 365 provides that layer.
Mistake: You need to deploy a separate proxy server for session controls.
Correct: The proxy is cloud-based and managed by Microsoft. No on-premises proxy is required; Conditional Access redirects the session to it.
Azure AD Conditional Access controls access based on user, device, location, and risk at authentication time. Defender for Cloud Apps provides session-level controls after authentication, such as blocking downloads or applying watermarks. They work together: Conditional Access redirects users to Defender for Cloud Apps proxy for session policies. For the exam, remember that Conditional Access is about 'who can access' while Defender for Cloud Apps is about 'what they can do during the session'.
Shadow IT discovery works by collecting traffic logs from network appliances (firewalls, proxies) or using Microsoft Defender for Endpoint. The logs are uploaded to Defender for Cloud Apps, which parses them and matches destination hosts against the Cloud App Catalog. The catalog assigns a risk score to each app. Results appear in the Cloud Discovery dashboard within hours; allow up to 24 hours for a new upload to be fully analyzed. No API connection is needed for discovery; API connectors are for sanctioned apps.
Yes, through session controls using the proxy mode. When a user accesses a cloud app via the proxy, Defender for Cloud Apps can inspect the request and block download actions based on policy (e.g., file sensitivity label, user group, device compliance). This requires Conditional Access policies to route traffic through the proxy. API-based controls are not real-time; they can block sharing after the fact.
API-based protection connects directly to the cloud app's API, providing near real-time visibility into activities and file metadata (this page uses a 15-minute polling interval as the representative figure; the actual cadence varies by app). It can enforce DLP policies (e.g., block sharing, quarantine a file) as governance actions after the activity has happened, but not real-time session controls. Proxy-based protection intercepts user traffic in real time, allowing actions like blocking downloads, blocking copy/paste and print, protecting files on download, or requiring step-up authentication. Proxy requires Conditional Access policies and works only with SAML/OIDC apps.
Yes, Defender for Cloud Apps is licensed per user. It is included in Microsoft 365 E5, Microsoft 365 E5 Security, and Enterprise Mobility + Security E5, and can also be purchased as a standalone subscription. Azure AD Premium P1/P2 include only the Cloud App Discovery subset, not the full product. Every user whose activity the service monitors needs a license, regardless of how many connected apps that user touches.
Defender for Cloud Apps uses UEBA (User and Entity Behavior Analytics) to detect impossible travel. It compares the geographic location of successive logins from the same user. If two logins occur from locations that are geographically impossible to travel between within the time difference (e.g., New York and London within 1 hour), it generates an alert. The alert severity is typically high. This detection works for any connected app via API or proxy.
The Cloud App Catalog is a database of over 31,000 cloud apps, each with a risk score from 1 to 10 (10 = most secure) based on factors like encryption, data residency, compliance certifications, and security practices. It is used during shadow IT discovery to identify and assess apps. Admins can use the catalog to sanction or unsanction apps. The catalog is updated regularly by Microsoft.