What is Microsoft Defender for Cloud Apps?

At its core, MDCA is a Cloud Access Security Broker (CASB). It sits between your users and cloud applications (like Microsoft 365) to provide:

1. Visibility: Discover and identify cloud services and apps being used, including Shadow IT. For M365, it gives deep insights into activities within Exchange Online, SharePoint Online, OneDrive, Teams, etc.
   

2. Data Security: Identify and control sensitive information (DLP capabilities) within M365, preventing data leakage.
   

3. Threat Protection: Detect anomalous behavior, malware, and other threats targeting your M365 data and users.
   

4. Compliance: Assess if your cloud app usage, including M365 configurations, aligns with compliance requirements.

How MDCA Improves Microsoft 365 Security:

1. Enhanced Visibility & Activity Monitoring:

   • MDCA logs detailed activities within M365 (file shares, downloads, logins, admin changes, mail rule creations, etc.). This is far more granular than standard M365 audit logs alone and is presented in a way that’s easier to query and investigate.
     

   • You can see who is accessing what, from where, and what they’re doing with the data.

2. Advanced Threat Detection & Anomaly Detection:

   • MDCA uses User and Entity Behavior Analytics (UEBA) to learn normal user patterns. It can then flag suspicious activities like:
     
     • Impossible travel: Logins from geographically distant locations in a short time.
       

     • Mass downloads/deletions: A user suddenly downloading or deleting an unusual number of files.
       

     • Suspicious inbox rules: Creation of forwarding rules that might exfiltrate email.
       

     • Ransomware activity: Rapid encryption of files.
       

     • Compromised account activity: Unusual administrative actions.

3. Data Loss Prevention (DLP) and Information Protection:

   • Integration with Microsoft Purview Information Protection: MDCA can read sensitivity labels applied by Purview.
     

   • Content Inspection: It can scan files in SharePoint Online and OneDrive for sensitive data (credit card numbers, PII, custom keywords, etc.) even if they aren’t labeled.
     

   • Policies: You can create policies to automatically:
     
     • Apply sensitivity labels.
       

     • Restrict sharing (e.g., remove external sharing links for files containing PII).
       

     • Quarantine files.
       

     • Notify admins or users.

4. OAuth App Governance (Third-Party App Control):

   • Many users grant third-party apps access to their M365 data (e.g., “Login with Microsoft,” calendar sync apps). Some of these apps can be risky.
     

   • MDCA discovers these OAuth apps, assesses their permission levels and community trust, and allows you to:
     
     • Approve/Ban apps: Sanction safe apps and ban risky ones organization-wide.
       

     • Revoke app access: For specific users or for an entire app.
       

     • Get alerted on new, risky apps being authorized.

5. Conditional Access App Control (Session Control):

   • This is a powerful feature used in conjunction with Microsoft Entra Conditional Access.
     

   • When a user session to M365 apps (like SharePoint, Exchange Online) is routed through MDCA (as a reverse proxy), you can apply real-time controls:
     
     • Block downloads/uploads: Prevent users on unmanaged devices from downloading sensitive files.
       

     • Monitor sessions: Log all activities without blocking.
       

     • Block copy/paste: Prevent data exfiltration.
       

     • Apply labels on download: Ensure files downloaded to unmanaged devices are labeled and protected.
       

     • Block specific activities: e.g., prevent printing from an unmanaged device.

6. Security Configuration Assessment:

   • While more directly handled by Microsoft Defender for Cloud (for Azure resources) or Microsoft Secure Score, MDCA contributes by identifying misconfigurations or risky behaviors within the M365 app context that could indicate broader security posture weaknesses.

Configuration Examples to Provide Protection:

Here’s how you might configure MDCA (steps are generalized as the UI can evolve, but concepts remain):

Prerequisite: Connect Microsoft 365 to Defender for Cloud Apps.

• Go to the Microsoft Defender XDR portal (security.microsoft.com) -> Settings -> Cloud Apps -> Connected apps.
  

• Click “+Connect an app” and select Microsoft 365. Follow the wizard to authorize the connection.

Example 1: Alert on Suspicious Inbox Forwarding Rules

• Goal: Detect potential email exfiltration by compromised accounts.
  

• Configuration:
  1. In the Microsoft Defender XDR portal, go to Cloud Apps -> Policies -> Policy management.
     

  2. Click Create policy and select Activity policy.
     

  3. Name: “Suspicious Inbox Forwarding Rule Creation”
     

  4. Severity: High
     

  5. Category: Threat Detection
     

  6. Triggers (Activities matching all of the following):
     • Activity type: Create inbox rule (or similar, depending on the exact activity name for Exchange Online).
       

     • App: Microsoft Exchange Online
     • Rule details/parameters: (You might need to use advanced filters here) Look for rule actions like Forward to, Redirect to where the recipient domain is Not in your organization’s approved domains.
  7. Actions:
     • Send alert: Email security admins, create an incident in Microsoft Sentinel.
       

     • (Optional Governance Action): Suspend user in Microsoft Entra ID (use with extreme caution and after thorough testing).
  8. Save the policy.

Example 2: Block Download of “Highly Confidential” Files to Unmanaged Devices

• Goal: Prevent sensitive data from being downloaded to personal or untrusted devices.
  

• Prerequisites:
  • Microsoft Entra ID P1/P2 for Conditional Access.
    

  • Sensitivity labels (“Highly Confidential”) configured in Microsoft Purview Information Protection.
    

  • Unmanaged devices identified (e.g., via Intune compliance or Hybrid Azure AD Join status).
• Configuration:
  • Step A: Create a Conditional Access Policy in Entra ID:
    1. Go to portal.azure.com -> Microsoft Entra ID -> Security -> Conditional Access.
       

    2. Create a new policy.
       

    3. Name: “MDCA Session Control for SharePoint Unmanaged Devices”
       

    4. Users: All users (or a pilot group).
       

    5. Target resources (Cloud apps or actions): Select SharePoint Online.
       

    6. Conditions:
       • Device platforms: Any device.
         

       • Locations: Any location.
         

       • Client apps: Browser, Mobile apps and desktop clients.
         

       • Filter for devices: Exclude devices Marked as compliant (or Hybrid Azure AD Joined).
    7. Access controls -> Session: Select Use Conditional Access App Control and choose Block downloads (Preview) or Use custom policy... if you want more granular MDCA control.
       

    8. Enable policy.
  • Step B: (If “Use custom policy…” was chosen above) Create a Session Policy in MDCA:
    1. In the Microsoft Defender XDR portal, go to Cloud Apps -> Policies -> Policy management.
       

    2. Click Create policy and select Session policy.
       

    3. Name: “Block Highly Confidential Downloads to Unmanaged”
       

    4. Session control type: Control file download (with DLP).
       

    5. Triggers (Activities matching all of the following):
       • App: Microsoft SharePoint Online
       • Device Tag: Does not equal Intune Compliant (or your identifier for managed devices).
         

       • Sensitivity label (from Microsoft Purview Information Protection): Equals Highly Confidential.
         

       • Activity type: File download.
    6. Actions:
       • Select Block.
         

       • Customize block message for the user.
         

       • Send alert.
    7. Save the policy.

Example 3: Detect and Alert on Mass Downloads from OneDrive

• Goal: Identify potential data theft or compromised accounts.
  

• Configuration:
  1. In the Microsoft Defender XDR portal, go to Cloud Apps -> Policies -> Policy management.
     

  2. Many anomaly detection policies are built-in. Look for “Mass Download” or similar. If it exists, review its settings and enable it.
     

  3. If creating new, select Create policy -> Anomaly detection policy.
     

  4. Name: “Mass Download from OneDrive”
     

  5. Scope: You can scope it to specific users/groups, or all users.
     

  6. Conditions: MDCA’s UEBA engine will handle most of this. You’ll primarily enable the detection type for “Mass Download” and ensure it’s active for Microsoft OneDrive for Business.
     

  7. Risk factors/thresholds: Adjust sensitivity if needed (e.g., number of downloads, timeframe).
     

  8. Actions:
     • Send alert: Email security admins.
       

     • Create an alert in Microsoft Defender XDR.
  9. Save the policy.

Example 4: Govern Risky OAuth Apps

• Goal: Prevent risky third-party apps from accessing M365 data.
  

• Configuration:
  1. In the Microsoft Defender XDR portal, go to Cloud Apps -> OAuth apps.
     

  2. Review the list of apps. Filter by permissions (e.g., Mail.ReadWrite.All, Files.ReadWrite.All), community trust level, or last used.
     

  3. For a suspicious or overly permissive app:
     
     • Click on the app.
       

     • You can choose to Ban app. This prevents new users from authorizing it and revokes existing authorizations.
  4. Create a Policy for new OAuth apps:
     • Go to Cloud Apps -> Policies -> Policy management.
       

     • Click Create policy and select OAuth app policy.
       

     • Name: “Alert on New High-Permission OAuth Apps”
       

     • Severity: Medium/High
       

     • Triggers:
       • Permission level: High
       • Community use: Rare or Uncommon
       • (Optional) Specific permissions: e.g., Mail.Read.All
     • Actions:
       • Send alert.
       • (Optional Governance Action): Revoke app.
     • Save the policy.

Key Considerations:

• Licensing: MDCA is typically part of Microsoft 365 E5, EMS E5, or available as a standalone license.
  

• Alert Fatigue: Start with a few high-priority policies and tune them. Don’t enable everything at once.
  

• User Impact: Be mindful of policies that might block legitimate user activity. Communicate changes and have a process for exceptions if needed.
  

• Integration: MDCA works best when integrated with other Microsoft Defender XDR components and Microsoft Sentinel for a holistic security view and response capability.

By leveraging these capabilities and configurations, Defender for Cloud Apps significantly strengthens the security posture of your Microsoft 365 environment, providing deep visibility, data protection, and threat detection beyond the native capabilities of M365 itself.