Defender for Cloud Apps Configuration and Discovery
Defender for Cloud Apps Configuration and Discovery is a critical component in managing workload identities within Microsoft's identity and access management ecosystem. It serves as a Cloud Access Security Broker (CASB) that provides visibility, control, and protection for cloud applications and services used across an organization.

**Configuration** involves setting up Defender for Cloud Apps to monitor and govern cloud application usage. Administrators begin by connecting cloud apps through API connectors, enabling real-time monitoring of activities, files, and user accounts. Configuration includes defining policies for access control, session management, threat detection, and data loss prevention. Administrators can configure app connectors for Microsoft 365, Azure, AWS, Google Workspace, and other third-party applications. Conditional Access App Control can be configured to enforce real-time session policies, restricting actions like downloads or uploads based on risk conditions.

**Discovery** refers to the process of identifying and analyzing all cloud applications being used within an organization, including shadow IT. Cloud Discovery analyzes traffic logs collected from firewalls and proxies to catalog cloud apps, assess their risk levels, and provide detailed reports. This helps administrators understand which applications are sanctioned, unsanctioned, or need further review. Discovery can be set up through automatic log upload using log collectors, integration with Microsoft Defender for Endpoint, or manual log uploads.
In the context of workload identities, Defender for Cloud Apps helps monitor service principals, managed identities, and application behaviors across cloud environments. It detects anomalous activities such as unusual OAuth app behavior, suspicious application permissions, and compromised workload identities. Administrators can create policies specifically targeting app governance to detect malicious application activity and overprivileged applications. Key benefits include comprehensive visibility into cloud app usage, risk assessment of discovered applications, real-time threat protection, governance actions to sanction or block applications, and integration with Microsoft Sentinel for advanced security analytics. This ensures organizations maintain robust security postures while managing workload identities effectively across multi-cloud environments.
Defender for Cloud Apps: Configuration and Discovery
Understanding Defender for Cloud Apps Discovery
Microsoft Defender for Cloud Apps (formerly Microsoft Cloud App Security) is a Cloud Access Security Broker (CASB) that provides rich visibility, control over data travel, and sophisticated analytics to identify and combat cyberthreats across all your cloud services. In the context of the SC-300 (Identity and Access Administrator) exam, understanding how to plan and implement workload identities with Defender for Cloud Apps discovery is essential.
Why Is Defender for Cloud Apps Discovery Important?
Organizations today use hundreds of cloud applications, many of which are adopted without IT approval — a phenomenon known as Shadow IT. Defender for Cloud Apps Discovery is critical because it:
• Identifies Shadow IT: Discovers all cloud apps being used in your organization, including unsanctioned apps that may pose security risks.
• Assesses Risk: Evaluates discovered apps against more than 90 risk factors, helping you understand which apps are compliant and which are risky.
• Protects Workload Identities: Helps secure non-human identities (service principals, managed identities, applications) that interact with cloud services.
• Supports Compliance: Ensures that cloud app usage aligns with organizational compliance and governance requirements.
• Enables Governance: Provides actionable controls to sanction or unsanction apps and enforce policies.
What Is Defender for Cloud Apps Discovery?
Cloud Discovery is a feature within Microsoft Defender for Cloud Apps that analyzes traffic logs to discover and identify cloud applications in use across your environment. It consists of several key components:
1. Cloud Discovery Dashboard: A centralized view showing discovered apps, risk levels, usage patterns, and top users.
2. Cloud App Catalog: A database of over 31,000 cloud apps ranked and scored based on more than 90 risk factors across categories like general, security, compliance, and legal.
3. Log Collectors: Infrastructure components that collect and forward traffic logs (from firewalls, proxies) to Defender for Cloud Apps for analysis.
4. Snapshot Reports: One-time reports generated from manually uploaded traffic logs for ad-hoc analysis.
5. Continuous Reports: Ongoing analysis of all logs forwarded from your network using automated log collectors or integration with Microsoft Defender for Endpoint.
6. App Connectors: API-level connections to specific cloud apps (like Microsoft 365, Google Workspace, Salesforce, etc.) for deeper visibility and control.
How Does Defender for Cloud Apps Discovery Work?
The discovery process follows these steps:
Step 1: Data Collection
Traffic data is collected through one of the following methods:
• Integration with Microsoft Defender for Endpoint (MDE): This is the recommended and easiest method. When Defender for Endpoint is deployed to your endpoints, cloud traffic is automatically analyzed without needing separate log collectors. This provides device-level discovery.
• Log Collectors: Docker-based containers deployed in your network that receive syslog or FTP log data from firewalls and proxies (e.g., Palo Alto, Zscaler, Check Point, Cisco ASA).
• Manual Log Upload: For snapshot reports, you manually upload traffic log files.
Step 2: Log Parsing and Analysis
Defender for Cloud Apps parses the collected logs using built-in parsers for supported firewalls and proxies. The parsed data is matched against the Cloud App Catalog.
Step 3: Discovery and Risk Assessment
Each discovered app is scored based on risk factors including:
• General information (domain registration, consumer popularity)
• Security (encryption, MFA support, audit trail)
• Compliance (certifications like SOC 2, HIPAA, ISO 27001)
• Legal (data ownership, GDPR compliance)
Step 4: Governance Actions
Based on discovery results, administrators can:
• Sanction apps (mark as approved)
• Unsanction apps (mark as blocked) — when integrated with MDE or network appliances, unsanctioned apps can be actively blocked
• Monitor apps with custom tags
• Create app discovery policies to generate alerts when new apps are discovered or usage thresholds are exceeded
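As an added illustration of the four-step flow above (not part of the original page, and not how Defender for Cloud Apps itself is implemented), the following Python model parses constructed proxy log lines, matches destinations against a constructed mini catalog scored in the four risk categories, aggregates usage per app, and evaluates a usage-threshold discovery policy. The log format, catalog entries, category weights, and policy thresholds are all assumptions made for the example.

```python
import re
from collections import defaultdict
CATEGORIES = ("general", "security", "compliance", "legal")  # the four risk categories
WEIGHTS = {"general": 1.0, "security": 1.0, "compliance": 1.0, "legal": 1.0}  # admin-tunable
# Constructed mini catalog (the real Cloud App Catalog covers 31,000+ apps): 0-10 per category
CATALOG = {
    "Microsoft 365": {"domains": {"outlook.office.com"}, "tag": "sanctioned", "scores": (10, 10, 10, 10)},
    "FileDropZ": {"domains": {"filedropz.example"}, "tag": "unsanctioned", "scores": (4, 2, 1, 3)},
    "NoteCloud": {"domains": {"notecloud.example"}, "tag": None, "scores": (7, 6, 5, 6)},
}
# Constructed proxy log format: "<ts> <proxy> user=<u> dst=<fqdn>[:port] bytes=<n>"
LOG_RE = re.compile(r"^\S+ \S+ user=(?P<user>\S+) dst=(?P<dst>[^:\s]+)(?::\d+)? bytes=(?P<bytes>\d+)$")
SAMPLE_LOG = [  # constructed traffic, including one line the parser cannot read
    "2024-05-01T09:00:01Z proxy01 user=alice dst=outlook.office.com:443 bytes=51200",
    "2024-05-01T09:00:05Z proxy01 user=bob dst=filedropz.example:443 bytes=8192000",
    "2024-05-01T09:01:10Z proxy01 user=carol dst=FileDropZ.example:443 bytes=4096",
    "2024-05-01T09:02:00Z proxy01 user=alice dst=notecloud.example:443 bytes=2048",
    "2024-05-01T09:03:00Z proxy01 user=dave dst=unknown-tool.example:443 bytes=100",
    "garbage line with no fields",
]

def parse_line(line):
    """Step 2: return (user, domain, bytes), or None when the line does not fit the parser."""
    m = LOG_RE.match(line.strip())
    return (m["user"], m["dst"].lower(), int(m["bytes"])) if m else None

def risk_score(scores, weights=WEIGHTS):
    """Step 3: weighted average of the category scores; re-weighting is the 'override' knob."""
    return round(sum(s * weights[c] for c, s in zip(CATEGORIES, scores)) / sum(weights.values()), 1)

def discover(lines, catalog=CATALOG):
    """Steps 1-3: match parsed traffic to the catalog and aggregate users and bytes per app."""
    by_domain = {d: app for app, meta in catalog.items() for d in meta["domains"]}
    report = defaultdict(lambda: {"users": set(), "bytes": 0, "tag": None, "risk": None})
    # Unparseable lines are silently dropped, which is why picking the right parser matters.
    for user, domain, nbytes in filter(None, map(parse_line, lines)):
        app = by_domain.get(domain, "unmatched:" + domain)  # keep unknown traffic visible
        report[app]["users"].add(user)
        report[app]["bytes"] += nbytes
        if app in catalog:
            report[app]["tag"], report[app]["risk"] = catalog[app]["tag"], risk_score(catalog[app]["scores"])
    return dict(report)

def discovery_alerts(report, min_users=2, low_risk=5.0):
    """Step 4: constructed discovery policy: unsanctioned or low-scoring app used by >= min_users."""
    return [f"{app}: risk {e['risk']}, tag {e['tag']}, {len(e['users'])} users"
            for app, e in sorted(report.items()) if e["risk"] is not None
            and len(e["users"]) >= min_users and (e["tag"] == "unsanctioned" or e["risk"] < low_risk)]
```

Running discovery_alerts(discover(SAMPLE_LOG)) flags only FileDropZ, since NoteCloud has a single user and the unmatched domain has no catalog score to evaluate.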
Key Configuration Steps for the SC-300 Exam:
1. Setting Up Cloud Discovery:
• Navigate to the Microsoft Defender portal → Cloud Apps → Cloud Discovery
• Choose between snapshot reports or continuous reports
• For continuous reports, configure log collectors or enable MDE integration
2. Configuring Automatic Log Upload:
• Deploy a log collector (Docker container) on a Linux host
• Configure your firewall/proxy to send logs via syslog or FTP to the collector
• Define data sources in the Defender for Cloud Apps portal
3. Microsoft Defender for Endpoint Integration:
• In the Defender portal, navigate to Settings → Cloud Apps → Cloud Discovery → Microsoft Defender for Endpoint
• Enable the integration to allow automatic discovery of cloud app traffic from managed devices
• This provides machine-based discovery, showing which devices access which cloud apps
4. Creating App Discovery Policies:
• Set policies to alert when a new app in a specific category is discovered
• Set usage-based alerts (e.g., alert when more than 100 users use an unsanctioned app)
• Configure governance actions like tagging or generating alerts
5. Working with the Cloud App Catalog:
• Override risk scores based on your organization's priorities
• Add custom apps that are not in the catalog
• Bulk-sanction or unsanction apps based on risk scores
Relationship to Workload Identities:
In the context of workload identities (service principals, managed identities, app registrations), Defender for Cloud Apps helps you:
• Discover OAuth apps connected to your environment via app connectors
• Identify overprivileged or suspicious OAuth applications
• Monitor app permissions and detect unusual app behavior
• Implement app governance (an add-on feature) to manage and govern OAuth apps accessing Microsoft 365 data
• Create policies to detect and remediate risky OAuth app permissions
Important Features to Remember for the Exam:
• Cloud Discovery vs. App Connectors: Cloud Discovery uses traffic logs to find apps; App Connectors use APIs for deep inspection of specific sanctioned apps.
• Conditional Access App Control: Uses reverse proxy architecture via Azure AD Conditional Access to provide real-time session controls (monitor, block downloads, protect uploads).
• OAuth App Policies: Detect when users grant permissions to third-party OAuth apps and allow governance actions.
• Defender for Endpoint Integration: The most seamless way to enable cloud discovery; works on Windows 10/11 and macOS devices managed by MDE.
• Roles: Global Administrator, Security Administrator, and Cloud App Security Administrator roles can manage Defender for Cloud Apps settings.
Exam Tips: Answering Questions on Defender for Cloud Apps Configuration and Discovery
1. Know the Discovery Methods: The exam frequently tests the differences between snapshot reports (manual upload, one-time), continuous reports (automated log collectors or MDE integration), and app connectors (API-based). If a question asks about the easiest or most efficient way to discover shadow IT, the answer is usually Microsoft Defender for Endpoint integration.
2. Understand Sanctioning vs. Unsanctioning: Sanctioned = approved, Unsanctioned = blocked. Remember that unsanctioning an app does NOT automatically block it unless you have integration with MDE or a supported network appliance configured to enforce blocking.
3. Log Collector Requirements: Know that log collectors are Docker-based and deployed on Linux machines. They receive logs via syslog or FTP from network appliances.
4. OAuth App Governance: For questions about managing workload identities and third-party app permissions, think about OAuth app policies and the App Governance add-on. These are specifically designed to manage non-human identities accessing your cloud environment.
5. Conditional Access App Control vs. Cloud Discovery: These are different features. Cloud Discovery is about finding apps. Conditional Access App Control is about controlling sessions in real-time. Don't confuse them.
6. Risk Score Factors: If asked what determines an app's risk score, remember the four categories: general, security, compliance, and legal. You can also customize risk scoring.
7. Licensing: Defender for Cloud Apps requires a specific license (included in Microsoft 365 E5, EMS E5, or as a standalone license). The exam may test whether a given scenario requires additional licensing.
8. Portal Navigation: Know that Defender for Cloud Apps is now integrated into the Microsoft Defender portal (security.microsoft.com) rather than the legacy standalone portal. Questions may reference navigation paths within the unified portal.
9. Integration Points: Remember the key integrations — Azure AD (now Entra ID) for Conditional Access, Microsoft Defender for Endpoint for discovery, Azure Sentinel (Microsoft Sentinel) for SIEM, and Information Protection for DLP.
10. Scenario-Based Questions Strategy: When presented with a scenario about discovering unauthorized cloud apps, look for keywords like shadow IT, unsanctioned apps, or cloud app usage visibility. These point to Cloud Discovery features. When the scenario involves controlling access or sessions in real-time, think Conditional Access App Control. When it involves managing app permissions and service principals, think OAuth app policies and app governance.
11. Elimination Technique: If you see answer choices mixing Azure AD features with Defender for Cloud Apps features, carefully determine whether the scenario requires identity governance (Azure AD/Entra ID) or cloud app security (Defender for Cloud Apps). The SC-300 exam tests both, and knowing the boundary between them is crucial.
12. Remember the Process Flow: Collect logs → Parse and analyze → Discover apps → Assess risk → Apply governance. This logical flow helps you answer questions about the correct order of configuration steps.