โ˜๏ธ

Microsoft Defender for Cloud Apps

Cloud Access Security Broker: visibility, control and protection for SaaS

What is MDA?

Microsoft Defender for Cloud Apps (formerly Microsoft Cloud App Security) is a comprehensive Cloud Access Security Broker (CASB) that provides multifunction visibility, control over data travel, and sophisticated analytics to identify and combat cyberthreats across all your cloud services, both Microsoft and third-party.

Core Capabilities

Defender for Cloud Apps Labs

Practical SaaS security labs: discover shadow IT, enforce session controls, investigate risky apps, and implement cloud DLP across your organization.

01 · Beginner · 60 min · 8 steps

Set Up Cloud Discovery & Shadow IT Analysis

Configure Cloud Discovery with firewall and proxy log uploads, analyze shadow IT findings across your enterprise, risk-score unsanctioned SaaS applications, and create app governance policies to block high-risk cloud services.

02 · Intermediate · 90 min · 12 steps

Deploy App Connectors & Session Controls

Connect enterprise SaaS apps (Microsoft 365, Salesforce, Box) via API connectors, configure Conditional Access App Control with Azure AD, create session policies that block downloads of sensitive files in real time, and test enforcement end-to-end.

03 · Intermediate · 100 min · 14 steps

Investigate Risky OAuth Apps & Service Accounts

Audit OAuth app permissions across your tenant, identify over-privileged third-party applications, create policies to detect high-risk OAuth consent grants, revoke suspicious app access, and remediate compromised service accounts in a production environment.

04 · Advanced · 150 min · 18 steps

Implement Cloud DLP Across SaaS Applications

Create file policies with DLP content inspection for credit card numbers and PII, configure automatic sensitivity labeling for documents in cloud storage, set up alert workflows and incident reports for policy violations, and generate compliance reports for auditors.

05 · Advanced · 120 min · 15 steps

AI App Discovery and Governance

Discover shadow AI and LLM applications across the organization, assess AI app risk scores, configure session policies for AI tools, monitor sensitive data shared with AI services, and build an enterprise AI governance framework.

MDA Scripts

Ready-to-run PowerShell scripts for lab simulations.

Script                      | Description                                                          | Level        | Parameters
Invoke-MDADiscovery.ps1     | Cloud app discovery via Graph API: apps, OAuth registrations, alerts | Intermediate | -InstallModules
Invoke-MDASessionPolicy.ps1 | CA App Control session policies for monitoring or blocking           | Intermediate | -TargetAppName, -PolicyMode

MDA Resources

Defender for Cloud Apps FAQ

What is Cloud Discovery and how does it find shadow IT?

Cloud Discovery analyses traffic data to identify all cloud applications in use across your organisation, including those not sanctioned by IT:

  • Log-based discovery: Upload firewall/proxy logs (Palo Alto, Zscaler, Fortinet, Cisco, etc.) to generate a snapshot report of all cloud apps accessed
  • Continuous discovery: Deploy Docker-based log collectors that automatically upload logs for real-time, continuous monitoring
  • MDE integration: The most seamless approach. If devices are onboarded to Microsoft Defender for Endpoint, cloud discovery data is collected automatically from endpoint traffic; no log collectors or proxy configuration are needed.
  • App catalogue: Each discovered app is scored against 90+ risk factors: security controls, compliance certifications, legal terms, and industry reputation. Apps are categorised as Sanctioned, Unsanctioned, or Under Review.

Typical findings: organisations discover 400–1000+ cloud apps in use, with 60–70% being unsanctioned. Cloud Discovery provides the visibility foundation for cloud governance.
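To make the log-based discovery step concrete, here is an added PowerShell example (not code from this page, its lab scripts, or Microsoft) that does offline what a snapshot report does at scale: it parses proxy log lines, groups traffic by cloud app, counts distinct users and uploaded bytes per app, and marks each app as sanctioned or unsanctioned. The log lines, the host-to-app map (a stand-in for the app catalogue) and the sanctioned list are all constructed for this example.

```powershell
# Added example: a simplified, offline discovery snapshot. Everything below is
# constructed sample data; a real deployment uploads the raw logs to Cloud
# Discovery, which matches destinations against the app catalogue for you.

# Constructed proxy log lines: timestamp,user,destination host,bytes sent
$logLines = @(
    '2024-05-01T09:01:12Z,alice@contoso.example,contoso.sharepoint.com,120443',
    '2024-05-01T09:02:40Z,alice@contoso.example,api.dropbox.com,8831002',
    '2024-05-01T09:03:05Z,bob@contoso.example,api.dropbox.com,512000',
    '2024-05-01T09:05:19Z,carol@contoso.example,files.wetransfer.com,60211004',
    '2024-05-01T09:06:01Z,bob@contoso.example,outlook.office365.com,30011',
    '2024-05-01T09:07:44Z,dave@contoso.example,chat.openai.com,2048'
)

# Constructed host -> app mapping (stand-in for the Cloud App Catalogue)
$appCatalogue = @{
    'contoso.sharepoint.com' = 'Microsoft SharePoint Online'
    'outlook.office365.com'  = 'Microsoft Exchange Online'
    'api.dropbox.com'        = 'Dropbox'
    'files.wetransfer.com'   = 'WeTransfer'
    'chat.openai.com'        = 'ChatGPT'
}
# Apps IT has explicitly approved; everything else is reported as unsanctioned
$sanctioned = @('Microsoft SharePoint Online', 'Microsoft Exchange Online')

function Get-DiscoverySnapshot([string[]]$Lines, [hashtable]$Catalogue, [string[]]$Sanctioned) {
    $byApp = @{}
    foreach ($line in $Lines) {
        $ts, $user, $dest, $bytes = $line -split ','
        # Unknown hosts are kept visible rather than dropped: they are the shadow IT candidates
        $app = if ($Catalogue.ContainsKey($dest)) { $Catalogue[$dest] } else { "Unknown ($dest)" }
        if (-not $byApp.ContainsKey($app)) {
            $byApp[$app] = @{
                Users    = [System.Collections.Generic.HashSet[string]]::new()
                Bytes    = 0L
                Requests = 0
            }
        }
        [void]$byApp[$app].Users.Add($user)
        $byApp[$app].Bytes += [long]$bytes
        $byApp[$app].Requests++
    }
    foreach ($app in $byApp.Keys) {
        [pscustomobject]@{
            App        = $app
            Users      = $byApp[$app].Users.Count
            Requests   = $byApp[$app].Requests
            MBUploaded = [math]::Round($byApp[$app].Bytes / 1MB, 2)
            Status     = if ($Sanctioned -contains $app) { 'Sanctioned' } else { 'Unsanctioned' }
        }
    }
}

Get-DiscoverySnapshot $logLines $appCatalogue $sanctioned |
    Sort-Object Status, MBUploaded -Descending |
    Format-Table -AutoSize
```

Sorting unsanctioned apps by upload volume is the usual first triage view: the sample data puts WeTransfer (one user, 57 MB out) at the top, which is the pattern a reviewer would want to check against the app's risk score before deciding to sanction, block, or investigate.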


What is Conditional Access App Control?

Conditional Access App Control uses a reverse-proxy architecture to intercept and control user sessions in cloud applications in real time:

  • How it works: An Entra ID Conditional Access policy routes user sessions through the MDA proxy. The proxy inspects every request and response, applying policies in real time.
  • Session policies: Block downloads of sensitive files from unmanaged devices, apply sensitivity labels to uploaded files, block copy/paste of sensitive content, watermark displayed content, and monitor all session activity
  • Access policies: Block access entirely from untrusted locations, require specific device conditions (Intune compliant, domain-joined), or restrict app access based on user risk level
  • Supported apps: All SAML 2.0 and OIDC apps integrated with Entra ID. Featured apps (M365, Salesforce, Box, etc.) are pre-configured; custom apps require manual onboarding.

This provides zero-trust enforcement at the session level: allow users to access the app but control what they can do based on real-time conditions.
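The Entra ID side of this setup is a Conditional Access policy whose session control hands the browser session to the Defender for Cloud Apps proxy. The following added PowerShell example (not this page's Invoke-MDASessionPolicy.ps1 and not Microsoft's code) creates such a policy in report-only mode with the Microsoft Graph PowerShell SDK. It assumes the Microsoft.Graph.Applications and Microsoft.Graph.Identity.SignIns modules are installed and that the signed-in admin holds Policy.ReadWrite.ConditionalAccess and Application.Read.All; the app display name and pilot group id are placeholders.

```powershell
# Added example: route one app's browser sessions through the Defender for
# Cloud Apps proxy via an Entra ID Conditional Access policy (report-only).
param(
    [string]$AppDisplayName = 'Salesforce',                             # placeholder, any featured app
    [string]$PilotGroupId   = '00000000-0000-0000-0000-000000000000',   # placeholder group object id
    # monitorOnly / blockDownloads are built-in behaviours; mcasConfigured defers
    # to the session policies defined in the Defender for Cloud Apps portal.
    [ValidateSet('mcasConfigured', 'monitorOnly', 'blockDownloads')]
    [string]$SessionControl = 'monitorOnly'
)

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Application.Read.All' -NoWelcome

# Conditional Access targets apps by appId, so resolve the service principal first
$sp = @(Get-MgServicePrincipal -Filter "displayName eq '$AppDisplayName'" -Property appId,displayName)
if ($sp.Count -ne 1) { throw "Expected exactly one service principal named '$AppDisplayName', found $($sp.Count)" }

$body = @{
    displayName = "MDA session control - $AppDisplayName ($SessionControl)"
    # Report-only: sign-in logs show what the policy would have done, nothing is enforced yet
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users          = @{ includeGroups = @($PilotGroupId) }
        applications   = @{ includeApplications = @($sp[0].AppId) }
        clientAppTypes = @('browser')   # the reverse proxy only handles browser sessions
    }
    sessionControls = @{
        cloudAppSecurity = @{
            isEnabled            = $true
            cloudAppSecurityType = $SessionControl
        }
    }
}

$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter $body
Write-Host "Created policy $($policy.Id) ('$($policy.DisplayName)') in state $($policy.State)"
```

Start with a pilot group and report-only state, confirm in the sign-in logs that the expected sessions show the policy as applied, then switch the state to enabled. Once the session control is in place, the download-blocking, labeling and watermarking rules described above are authored as session policies in the Defender for Cloud Apps portal (the mcasConfigured mode).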


How does MDA detect risky OAuth applications?

MDA provides a comprehensive OAuth app inventory that monitors every third-party application with access to your M365 data:

  • Permission analysis: Shows exactly what permissions each app holds (e.g., Mail.ReadWrite, Files.ReadWrite.All) and whether they are delegated (user-level) or application (tenant-level)
  • Publisher verification: Highlights apps from unverified publishers who have not attested their identity through the Microsoft Partner Network
  • Data access patterns: Monitors how much data each app accesses, from which mailboxes/sites, and whether access patterns are normal or anomalous
  • Community usage: Indicates whether the app is commonly used across Microsoft tenants or is rare/targeted
  • Automated policies: Create OAuth app policies that automatically alert, revoke, or ban apps matching specific criteria (e.g., "unverified publisher + high permissions + low community usage")

In a typical M365 tenant, 40–60% of OAuth apps have permissions exceeding their legitimate need. MDA identifies these for review and remediation.
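The permission, consent and publisher signals listed above can also be pulled directly from Entra ID for a first-pass inventory. The following added PowerShell example (not this page's Invoke-MDADiscovery.ps1 and not Microsoft's code) enumerates third-party OAuth apps with the Microsoft Graph PowerShell SDK, separates delegated from application permissions, flags tenant-wide admin consent and unverified publishers, and ranks apps with a simple additive score. It assumes Microsoft.Graph.Applications is installed and the admin holds Application.Read.All and Directory.Read.All; the high-impact permission list and the score weights are this example's own choices, not Defender for Cloud Apps' risk model.

```powershell
# Added example: rank third-party OAuth apps by consented permissions,
# consent type and publisher verification. Not the page's own script.

# Permissions that give broad access to mail, files or the directory (example's own list)
$highImpact = @(
    'Mail.Read', 'Mail.ReadWrite', 'Mail.Send', 'MailboxSettings.ReadWrite',
    'Files.Read.All', 'Files.ReadWrite.All', 'Sites.ReadWrite.All',
    'Directory.ReadWrite.All', 'User.ReadWrite.All', 'RoleManagement.ReadWrite.Directory'
)
# Well-known owner tenant of first-party Microsoft apps; those are skipped below
$microsoftOwnerTenant = 'f8cdef31-a31e-4b4a-93e4-5f571e91255a'

Connect-MgGraph -Scopes 'Application.Read.All', 'Directory.Read.All' -NoWelcome

# Application permissions are stored as app role ids; resolve them via the resource service principal
$resourceCache = @{}
function Resolve-AppRoleName([string]$ResourceId, [string]$AppRoleId) {
    if (-not $resourceCache.ContainsKey($ResourceId)) {
        $resourceCache[$ResourceId] = Get-MgServicePrincipal -ServicePrincipalId $ResourceId -Property appRoles
    }
    $role = $resourceCache[$ResourceId].AppRoles | Where-Object { $_.Id -eq $AppRoleId }
    if ($role) { $role.Value } else { $AppRoleId }
}

$clients = Get-MgServicePrincipal -All -Filter "servicePrincipalType eq 'Application'" `
    -Property id,appId,displayName,appOwnerOrganizationId,verifiedPublisher

$report = foreach ($sp in $clients) {
    if ($sp.AppOwnerOrganizationId -eq $microsoftOwnerTenant) { continue }

    # Delegated (user-level) permissions: one grant per resource, scopes space-separated.
    # ConsentType 'AllPrincipals' means an admin consented for the whole tenant.
    $grants     = @(Get-MgServicePrincipalOauth2PermissionGrant -ServicePrincipalId $sp.Id -All)
    $delegated  = @($grants | ForEach-Object { $_.Scope -split ' ' } | Where-Object { $_ } | Sort-Object -Unique)
    $tenantWide = @($grants | Where-Object { $_.ConsentType -eq 'AllPrincipals' }).Count -gt 0

    # Application (tenant-level) permissions: app role assignments held by this service principal
    $appPerms = @(Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All |
        ForEach-Object { Resolve-AppRoleName $_.ResourceId $_.AppRoleId } | Sort-Object -Unique)

    $risky      = @($delegated + $appPerms | Where-Object { $highImpact -contains $_ })
    $unverified = [string]::IsNullOrEmpty($sp.VerifiedPublisher.DisplayName)

    # Simple additive score (example's own weights): tune to your environment
    $score = 2 * $risky.Count
    if ($appPerms.Count -gt 0) { $score += 3 }   # app permissions run without any user present
    if ($tenantWide)           { $score += 2 }
    if ($unverified)           { $score += 2 }

    [pscustomobject]@{
        App              = $sp.DisplayName
        AppId            = $sp.AppId
        Unverified       = $unverified
        AdminConsented   = $tenantWide
        AppPermissions   = ($appPerms -join ' ')
        RiskyPermissions = ($risky -join ' ')
        Score            = $score
    }
}

$report | Sort-Object Score -Descending | Format-Table -AutoSize
```

The combination the FAQ names ("unverified publisher + high permissions + low community usage") maps onto the Unverified and RiskyPermissions columns here; community usage is a Defender for Cloud Apps signal with no Entra ID equivalent, so the portal's OAuth app policy remains the place to act on it. Use the ranked list to decide which apps to review and, where warranted, revoke from the portal, rather than revoking from a script.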


What licensing is required for MDA?

MDA licensing options:

  • Microsoft 365 E5 / E5 Security: Full MDA capabilities including Cloud Discovery, API connectors, Conditional Access App Control, session policies, OAuth governance, file policies with DLP, and anomaly detection
  • EMS E5: Includes MDA as part of Enterprise Mobility + Security
  • Standalone licence: Microsoft Defender for Cloud Apps can be purchased as a standalone per-user licence
  • Microsoft 365 E3: Does not include MDA. Requires E5 upgrade or standalone add-on.

Conditional Access App Control (session policies) additionally requires Entra ID P1 for the Conditional Access policy, which is included in M365 E3/E5.


How many SaaS apps does MDA support?

MDA supports the cloud app ecosystem at multiple levels:

  • Cloud App Catalogue: 31,000+ apps catalogued with risk scoring based on security, compliance, and legal factors. Covers virtually every SaaS app in use.
  • API connectors (deep integration): 15+ connectors for major apps: Microsoft 365, Azure, AWS, GCP, Salesforce, Box, Dropbox, Google Workspace, ServiceNow, Okta, GitHub, Atlassian, and more. These provide activity logs, file scanning, user accounts, and governance actions.
  • Conditional Access App Control: Any SAML 2.0 or OIDC app integrated with Entra ID can be proxied for session-level controls. Featured apps are pre-configured; custom apps can be manually onboarded.

The distinction matters: all 31,000+ apps can be discovered and risk-scored, apps with API connectors provide deep visibility and governance, and apps onboarded to CA App Control get real-time session enforcement.


Does MDA provide DLP for cloud apps?

Yes. MDA extends data protection to files stored in and shared from connected cloud applications:

  • File policies: Scan files across all connected apps for sensitive content using built-in DLP (300+ sensitive info types), Purview Data Classification Service, or custom regex patterns
  • Content inspection: Supports documents, spreadsheets, presentations, PDFs, and text files up to 50 MB
  • Governance actions per app: SharePoint (remove sharing, apply label, quarantine), Box (quarantine, remove collaborators), Salesforce (remove sharing), Google Drive (remove collaborators, revoke access)
  • Auto-labeling: Automatically apply Microsoft Purview sensitivity labels to files matched by DLP policies, regardless of which cloud app hosts them
  • External sharing detection: Identify files shared externally or publicly that contain sensitive data, and automatically remediate by removing sharing links

MDA DLP complements Purview DLP by extending protection to third-party SaaS apps beyond the Microsoft 365 ecosystem.
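The "custom regex patterns" option above is easy to get wrong: a bare digit pattern matches order numbers and phone numbers as readily as card numbers. The following added PowerShell example (not code from this page or from Microsoft) shows the approach a file-policy author wants for credit card numbers: a regex finds candidates, a Luhn checksum confirms them, and only a masked form of each hit is reported. The sample "files" are constructed, and the card numbers in them are standard test numbers rather than real ones.

```powershell
# Added example: regex + Luhn content inspection for card numbers, run offline
# over constructed sample text. Not part of Defender for Cloud Apps itself.

function Test-Luhn([string]$Digits) {
    # Luhn mod-10 checksum: double every second digit from the right, subtract 9 if > 9
    $sum = 0
    $double = $false
    for ($i = $Digits.Length - 1; $i -ge 0; $i--) {
        $d = [int][string]$Digits[$i]          # cast via string: [int][char] would give the code point
        if ($double) { $d *= 2; if ($d -gt 9) { $d -= 9 } }
        $sum += $d
        $double = -not $double
    }
    return ($sum % 10) -eq 0
}

function Find-CardNumbers([string]$Text) {
    # 13-19 digits, optionally separated by single spaces or hyphens, not embedded in a longer digit run
    $pattern = '(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)'
    foreach ($m in [regex]::Matches($Text, $pattern)) {
        $digits = $m.Value -replace '[ -]', ''
        if ($digits.Length -lt 13 -or $digits.Length -gt 19) { continue }
        if (-not (Test-Luhn $digits)) { continue }   # drops order numbers, phone numbers, timestamps
        [pscustomobject]@{
            Offset = $m.Index
            # Never log the full PAN: keep only the last four digits
            Masked = ('*' * ($digits.Length - 4)) + $digits.Substring($digits.Length - 4)
        }
    }
}

# Constructed sample files as they might be pulled from a connected cloud app
$samples = [ordered]@{
    'invoice.txt' = 'Card on file: 4111 1111 1111 1111, expires 12/27. Order ref 1234567890123.'
    'notes.txt'   = 'Ticket 5500 0000 0000 0004 raised for customer; phone 0123 4567 8901 2345.'
    'readme.txt'  = 'Nothing sensitive here, build 20240101 v2.'
}

foreach ($name in $samples.Keys) {
    $hits = @(Find-CardNumbers $samples[$name])
    if ($hits.Count -gt 0) {
        Write-Host "$name : $($hits.Count) card number(s) -> $($hits.Masked -join ', ')"
    } else {
        Write-Host "$name : clean"
    }
}
```

In the sample data the 13-digit order reference and the 16-digit phone number both match the regex but fail the Luhn check, while the two test card numbers pass; invoice.txt and notes.txt each report one masked hit and readme.txt is clean. Built-in sensitive info types apply the same kind of validation, which is why they should be preferred over a hand-written pattern wherever one exists.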


โ† Back to Defender XDR