8.4 Defender for Cloud Apps
Key Takeaways
- Defender for Cloud Apps (formerly Microsoft Cloud App Security / MCAS) is Microsoft's Cloud Access Security Broker (CASB).
- Its four CASB pillars are visibility (Shadow IT discovery), data security, threat protection (UEBA/anomaly detection), and compliance.
- Cloud Discovery analyzes traffic logs to reveal unsanctioned 'Shadow IT' apps and rate their risk.
- Do NOT confuse Defender for Cloud Apps (SaaS app usage/CASB) with Defender for Cloud (cloud resource posture and workload protection).
- App connectors and Conditional Access App Control extend real-time session controls over sanctioned apps.
CASB and the Four Pillars
Microsoft Defender for Cloud Apps (formerly Microsoft Cloud App Security / MCAS) is Microsoft's Cloud Access Security Broker (CASB). A CASB sits between users and the cloud apps they use to give an organization visibility and control over SaaS application usage — both the apps IT sanctioned and the ones employees adopted on their own. This is one of the most important name-traps on SC-900: it is Cloud Apps (SaaS app usage), not Cloud (resources).
Defender for Cloud Apps is built on the four standard CASB pillars:
| Pillar | What it delivers |
|---|---|
| Visibility | Discover all cloud apps in use, including unsanctioned Shadow IT; assess each app's risk |
| Data security | Find and protect sensitive data in SaaS apps (integrates with Purview information protection / DLP) |
| Threat protection | Detect compromised accounts, insider threats, and anomalies via UEBA and anomaly detection |
| Compliance | Assess apps against regulatory and internal governance requirements |
Shadow IT Discovery (Cloud Discovery)
The most distinctive Defender for Cloud Apps capability is Cloud Discovery / Shadow IT discovery. It analyzes traffic logs (from firewalls, proxies, or Defender for Endpoint) to reveal which cloud apps users are actually accessing — including apps IT never approved. Each discovered app gets a risk score drawn from a cloud app catalog of thousands of apps, so the organization can sanction, unsanction, or block apps. "An employee uploaded company data to an unapproved file-sharing site — how do we even know it's happening?" is a textbook Shadow IT / Defender for Cloud Apps scenario.
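To make the Cloud Discovery idea concrete, here is an added toy example (not Microsoft's code) that runs a Shadow IT pass over a few constructed proxy log lines: it resolves each destination against a small stand-in for the cloud app catalog, aggregates users and upload volume per app, and reports everything that is not sanctioned. The log format, the catalog entries and the risk scores are all constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample proxy log (one request per line): user, URL, bytes uploaded.
SAMPLE_LOG = """\
alice@contoso.example https://contoso.sharepoint.com/sites/finance/report.xlsx 120000
bob@contoso.example https://files.quickshare.example/upload 48000000
carol@contoso.example https://app.salesforce.com/opportunities 2000
bob@contoso.example https://files.quickshare.example/upload 31000000
dave@contoso.example https://paste.anonstash.example/new 900000
"""

# Constructed stand-in for the cloud app catalog:
# hostname -> (app name, risk score where 10 = lowest risk, sanction state).
APP_CATALOG = {
    "contoso.sharepoint.com": ("SharePoint Online", 9, "sanctioned"),
    "app.salesforce.com": ("Salesforce", 8, "sanctioned"),
    "files.quickshare.example": ("QuickShare", 3, "unsanctioned"),
}

def discover_apps(log_text, catalog):
    """Aggregate traffic per cloud app; hosts missing from the catalog are 'unknown'."""
    apps = {}
    for line in log_text.splitlines():
        user, url, uploaded = line.split()
        host = urlsplit(url).hostname
        name, score, state = catalog.get(host, (host, None, "unknown"))
        entry = apps.setdefault(name, {"users": set(), "upload_bytes": 0,
                                       "risk_score": score, "state": state})
        entry["users"].add(user)
        entry["upload_bytes"] += int(uploaded)
    return apps

def shadow_it_report(apps):
    """Names of apps that are not sanctioned, riskiest first, then by upload volume.
    Uncatalogued hosts (risk_score None) sort first: they need an admin review."""
    flagged = [(name, e) for name, e in apps.items() if e["state"] != "sanctioned"]
    flagged.sort(key=lambda item: (-1 if item[1]["risk_score"] is None
                                   else item[1]["risk_score"],
                                   -item[1]["upload_bytes"]))
    return [name for name, _ in flagged]

if __name__ == "__main__":
    found = discover_apps(SAMPLE_LOG, APP_CATALOG)
    for name in shadow_it_report(found):
        e = found[name]
        print(f"{name}: state={e['state']} risk={e['risk_score']} "
              f"users={sorted(e['users'])} uploaded={e['upload_bytes']} bytes")
```

The real product parses vendor-specific firewall and proxy formats and scores apps from a catalog of thousands, but the decision an admin makes on the output (sanction, unsanction, or block) is the same.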
App Connectors and Session Control
Beyond discovery, Defender for Cloud Apps governs sanctioned apps using API app connectors (deep visibility into apps like Microsoft 365, Salesforce, Box, ServiceNow) and Conditional Access App Control — a reverse-proxy integration with Microsoft Entra Conditional Access that enforces real-time session controls (for example, block download of sensitive files to unmanaged devices, or monitor risky in-session actions).
The Cloud Apps vs. Cloud Trap
The near-identical names trip up candidates. Read the noun after "cloud":
| Product | Protects | Cue words |
|---|---|---|
| Defender for Cloud Apps | SaaS app usage (CASB) | Shadow IT, app discovery, sanction/unsanction apps, session control, UEBA on SaaS |
| Defender for Cloud | Cloud resources & workloads | Secure score, CSPM, recommendations, regulatory compliance dashboard, VM/container/SQL workload protection |
If the scenario is about which cloud applications employees use and controlling that usage, choose Defender for Cloud Apps. If it is about the security posture of your Azure/AWS/GCP resources and protecting workloads, choose Defender for Cloud (covered in Chapter 6).
Also keep it separate from:
- Defender for Office 365 — protects email/collaboration content, not general SaaS-app discovery.
- Microsoft Purview — Purview classifies and governs data; Defender for Cloud Apps is a CASB security service that can apply Purview labels to protect data inside SaaS apps, but it does not itself classify or govern that data.
Quick cues
- "Discover unsanctioned cloud apps from traffic logs" → Defender for Cloud Apps (Shadow IT).
- "Block downloads to unmanaged devices in a SaaS session in real time" → Conditional Access App Control in Defender for Cloud Apps.
- "Improve the secure score / posture of cloud resources" → Defender for Cloud (not Cloud Apps).
How Defender for Cloud Apps Gains Visibility
Defender for Cloud Apps gets its visibility in three complementary ways, and recognizing them helps on scenario questions:
- Cloud Discovery (log-based) — ingests traffic logs from firewalls, proxies, or the natively integrated Defender for Endpoint to map which cloud apps users touch, how much data flows, and how risky each app is. This is the Shadow IT engine.
- App connectors (API-based) — connect via vendor APIs to sanctioned apps (Microsoft 365, Salesforce, ServiceNow, Box, Google Workspace, AWS, and more) for deep visibility into activities, files, and accounts, and to apply governance actions.
- Conditional Access App Control (proxy-based) — integrates with Microsoft Entra Conditional Access as a reverse proxy to enforce real-time session controls, such as blocking downloads of sensitive files to unmanaged devices or requiring extra verification mid-session.
These map cleanly onto the four CASB pillars. Visibility comes from Cloud Discovery and connectors. Data security comes from connectors plus integration with Purview sensitive-information types and labels to find and protect data inside SaaS apps. Threat protection comes from UEBA and anomaly-detection policies that flag impossible-travel sign-ins, mass downloads, or unusual admin activity that suggest a compromised account or malicious insider. Compliance comes from assessing discovered apps against regulatory and internal standards.
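As an added illustration of the threat-protection pillar (not Microsoft's code), the following toy detector applies the impossible-travel rule mentioned above to a constructed sign-in feed: for each user it takes consecutive sign-ins, computes the great-circle distance between their resolved locations, and flags any pair whose implied speed no traveller could achieve. The sign-in records, coordinates and the 900 km/h threshold are assumptions chosen for the example.

```python
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed sample sign-in activity: user, UTC time, and the latitude/longitude
# already resolved from the client IP (approximate city centres).
SAMPLE_SIGNINS = [
    ("bob@contoso.example", "2024-03-01T09:00:00", 47.61, -122.33),    # Seattle
    ("bob@contoso.example", "2024-03-01T10:30:00", 52.52, 13.40),      # Berlin
    ("alice@contoso.example", "2024-03-01T08:00:00", 47.61, -122.33),  # Seattle
    ("alice@contoso.example", "2024-03-01T17:00:00", 37.77, -122.42),  # San Francisco
]

MAX_PLAUSIBLE_KMH = 900  # Constructed threshold, roughly airliner cruising speed.

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    earth_radius_km = 6371.0
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * earth_radius_km * asin(sqrt(a))

def impossible_travel(signins, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return (user, km, hours) for consecutive sign-ins implying travel faster than max_kmh."""
    by_user = {}
    for user, ts, lat, lon in signins:
        by_user.setdefault(user, []).append((datetime.fromisoformat(ts), lat, lon))
    alerts = []
    for user, events in by_user.items():
        events.sort()  # chronological order per user
        for (t1, la1, lo1), (t2, la2, lo2) in zip(events, events[1:]):
            km = haversine_km(la1, lo1, la2, lo2)
            hours = (t2 - t1).total_seconds() / 3600
            # Same place is never suspicious; a different place with no elapsed time always is.
            if km > 0 and (hours == 0 or km / hours > max_kmh):
                alerts.append((user, round(km), round(hours, 2)))
    return alerts

if __name__ == "__main__":
    for user, km, hours in impossible_travel(SAMPLE_SIGNINS):
        print(f"impossible travel: {user} moved {km} km in {hours} h")
```

A production UEBA engine also baselines each user's normal locations and devices and weighs the alert against other signals, so a single rule like this is a starting point, not the whole detection.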
Worked Selection Scenario
Discovering unsanctioned apps from logs is Cloud Discovery / Shadow IT; scoring and blocking risky apps is core CASB governance; and preventing sensitive downloads to unmanaged devices in real time is Conditional Access App Control — all delivered by Defender for Cloud Apps. The wrong-but-tempting answer is Defender for Cloud; reread and you will see the scenario is about app usage, not resource posture.
A frequently tested distinction: Microsoft Defender for Cloud Apps is the Cloud Access Security Broker (CASB) that discovers and governs SaaS application use, whereas Microsoft Defender for Cloud protects the security posture of your Azure, AWS, and GCP infrastructure and workloads — the two sound alike but solve completely different problems.
Which Microsoft product is the Cloud Access Security Broker (CASB) that discovers and controls SaaS app usage, formerly called Microsoft Cloud App Security?
Cloud Discovery in Defender for Cloud Apps primarily helps an organization do what?
A scenario asks about improving the secure score and security posture of Azure and AWS resources. Which product fits — and which name-trap should you avoid?