M07 · Defender for Cloud Apps

Course: Microsoft Defender — Security Operations Fundamentals
Module duration: 3.0 hours (including lab)
Format: Instructor-led, hands-on

Currency note (as of June 2026): MDCA (Cloud App Security) portal location, policy templates, and app-governance labels change frequently; much of MDCA now surfaces inside the unified Defender portal. Verify paths against current Microsoft Learn before relying on specifics.


Learning objectives

By the end of this module you will be able to:

  1. Explain how Defender for Cloud Apps (MDCA) discovers and assesses SaaS application usage.
  2. Describe OAuth app governance and the risks of over-permissioned apps.
  3. Explain session controls and conditional access app control (CAAC).
  4. Create a simple app policy and review policy matches.

1. What MDCA is and how it sees cloud apps

Microsoft Defender for Cloud Apps (MDCA) is a Cloud Access Security Broker (CASB) — it gives visibility and control over the SaaS applications your organization uses. It gathers signal through three mechanisms:

  • Traffic logs — uploaded from firewalls/proxies (or via integration) to discover which cloud apps are in use (the basis of Shadow IT discovery).
  • API connectors — connect directly to sanctioned apps (e.g., Microsoft 365, and third-party SaaS) to read activity, files, and settings for deeper monitoring and control.
  • Reverse proxy (Conditional Access App Control) — sits in the session path to monitor and enforce controls in real time during a user’s browser session.

  flowchart TD
    LOGS["Firewall/proxy traffic logs"] --> MDCA["Defender for Cloud Apps"]
    API["API connectors to sanctioned SaaS"] --> MDCA
    PROXY["Reverse proxy (CAAC) in session path"] --> MDCA
    MDCA --> OUT["Discovery, policies, alerts, session controls"]

Diagram alt text: Three input sources feed into Defender for Cloud Apps: firewall and proxy traffic logs, API connectors to sanctioned SaaS apps, and a reverse proxy providing conditional access app control in the session path. Defender for Cloud Apps then produces discovery, policies, alerts, and session controls.


2. Shadow IT discovery

Shadow IT is cloud-app usage that IT/security did not sanction. MDCA’s Cloud Discovery capability analyzes traffic logs to reveal it:

  • Cloud Discovery dashboard — shows discovered apps, users, traffic volume, and risk.
  • App risk scoring — each app gets a risk score based on security, compliance, and legal factors (e.g., encryption at rest, certifications, data-residency) from a large app catalog.
  • Sanctioned / unsanctioned tagging — you mark apps as sanctioned (approved) or unsanctioned (to be blocked or discouraged). Unsanctioning can feed block actions, either through a block script MDCA generates for supported firewalls/proxies or through the Defender for Endpoint integration, which blocks unsanctioned apps on managed devices.

In the lab you will review the Cloud Discovery dashboard, identify a high-risk app, and mark it unsanctioned.
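The discovery pipeline described above, reduced to its logic: parse proxy log lines, attribute each request to an app, aggregate users and upload volume per app, and surface the untagged low-scoring apps that a reviewer would mark unsanctioned. This is an added example for the handout, not MDCA's own parser or catalog; the log format, the hostnames and the four-entry CATALOG are constructed stand-ins (MDCA's real catalog scores apps 1 to 10 with 10 being safest, and the example keeps that convention).

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional

# Constructed proxy log excerpt (not real traffic). One request per line:
# <timestamp> <user> <destination host> <bytes uploaded>
SAMPLE_LOG = """\
2026-06-01T08:02:11Z alice@contoso.example sharepoint.contoso.example 58231
2026-06-01T08:05:40Z alice@contoso.example www.dropbox.example 913342
2026-06-01T08:07:02Z bob@contoso.example www.dropbox.example 2201123
2026-06-01T08:09:15Z carol@contoso.example pastebin.example 4410
2026-06-01T08:11:59Z bob@contoso.example teams.microsoft.example 120455
2026-06-01T08:12:30Z dave@contoso.example files.newsaas.example 7700
malformed line that the parser must skip
""".splitlines()

# Hypothetical stand-in for the MDCA app catalog: host -> (app name, risk score, tag).
# Risk score follows the MDCA convention of 1..10 where 10 is the *safest*.
# Tag is "sanctioned", "unsanctioned" or None (nobody has reviewed the app yet).
CATALOG = {
    "sharepoint.contoso.example": ("SharePoint Online", 10, "sanctioned"),
    "teams.microsoft.example": ("Microsoft Teams", 10, "sanctioned"),
    "www.dropbox.example": ("Dropbox (personal)", 6, "unsanctioned"),
    "pastebin.example": ("Pastebin", 2, None),
}

LINE_RE = re.compile(r"^(\S+Z) (\S+@\S+) (\S+) (\d+)$")


@dataclass
class AppSummary:
    name: str
    risk_score: Optional[int]        # None when the host is not in the catalog
    tag: Optional[str]
    users: set = field(default_factory=set)
    requests: int = 0
    bytes_uploaded: int = 0


def parse_line(line):
    """Return (user, host, bytes) for a well-formed line, or None for junk."""
    m = LINE_RE.match(line)
    if not m:
        return None
    _ts, user, host, nbytes = m.groups()
    return user, host, int(nbytes)


def discover(lines, catalog=CATALOG):
    """Aggregate per-app usage the way a Cloud Discovery report does."""
    summaries = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        user, host, nbytes = parsed
        name, score, tag = catalog.get(host, (f"Unknown ({host})", None, None))
        s = summaries.setdefault(name, AppSummary(name, score, tag))
        s.users.add(user)
        s.requests += 1
        s.bytes_uploaded += nbytes
    return summaries


def review_candidates(summaries, max_safe_score=3):
    """Untagged apps whose catalog score is poor enough to propose unsanctioning."""
    return sorted(
        s.name for s in summaries.values()
        if s.tag is None and s.risk_score is not None and s.risk_score <= max_safe_score
    )


def unknown_hosts(summaries):
    """Hosts the catalog could not classify; these need manual lookup, not a score."""
    return sorted(s.name for s in summaries.values() if s.risk_score is None)


if __name__ == "__main__":
    found = discover(SAMPLE_LOG)
    for s in sorted(found.values(), key=lambda x: -x.bytes_uploaded):
        print(f"{s.name:32} score={s.risk_score} tag={s.tag} "
              f"users={len(s.users)} bytes={s.bytes_uploaded}")
    print("unsanction candidates:", review_candidates(found))
    print("unclassified hosts:", unknown_hosts(found))
```

Two behaviours matter for the lab: an already-unsanctioned app (Dropbox here) is not re-proposed, and a host missing from the catalog is reported separately instead of being silently scored as safe, which is the failure mode that lets a genuinely new SaaS app hide in discovery output.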

SaaS Security Posture Management (SSPM)

Beyond discovery, MDCA assesses the security configuration of connected SaaS apps — surfacing misconfigurations (e.g., weak sharing or MFA settings) as posture recommendations, so you can harden apps, not just monitor them.


3. OAuth app governance

Modern SaaS lets users consent to third-party apps that request OAuth permissions to their data (e.g., “read your mail,” “manage your files”). This is powerful and risky:

  • Over-permissioned apps — an app may request far more access than it needs; if compromised or malicious, those permissions become an attack path that bypasses passwords and MFA. The app holds an access/refresh token issued after the user already satisfied MFA, so its subsequent calls never see a password prompt or an MFA challenge.
  • App governance surfaces, for each OAuth app: its permissions/consent grants, how many users consented, publisher verification status, and risk indicators (e.g., unused high privileges, suspicious consent patterns).
  • You can investigate and remediate — disable or revoke a risky app’s access.

In the lab you will examine an OAuth app’s permissions and reason about its risk. Consent phishing (the “illicit consent grant” attack) maps to ATT&CK technique T1528, Steal Application Access Token: the attacker lures a user into consenting to an attacker-controlled app and then operates on the granted token, never touching the user's password. Over-permissioned apps are exactly what this attack abuses.
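The reasoning the lab asks for, written down as triage rules: for each OAuth app, find the high-privilege scopes it holds, flag the ones it has not exercised (the least-privilege gap to revoke first), and raise severity when broad scopes sit with an unverified publisher or came from user rather than admin consent. This is an added example, not app governance's own scoring; the three apps in INVENTORY are constructed, the 90-day "unused" cutoff is a chosen threshold, and HIGH_PRIVILEGE is an illustrative subset of Microsoft Graph permission names that you would extend from your own tenant's consent grants.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional

# Microsoft Graph permission names that grant mailbox-, tenant- or file-store-wide
# access. Illustrative subset; extend it from the consent grants in your tenant.
HIGH_PRIVILEGE = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send",
    "Files.ReadWrite.All", "Sites.ReadWrite.All",
    "Directory.Read.All", "Directory.ReadWrite.All", "User.ReadWrite.All",
}
UNUSED_AFTER_DAYS = 90   # chosen threshold for "granted but not exercised"


@dataclass
class OAuthApp:
    name: str
    publisher_verified: bool
    consent_type: str                        # "admin" or "user"
    consenting_users: int
    permissions: Dict[str, Optional[date]]   # scope -> last exercised (None = never)


@dataclass
class Assessment:
    app: str
    severity: str                            # "high" | "medium" | "low"
    flags: List[str] = field(default_factory=list)
    scopes_to_revoke: List[str] = field(default_factory=list)


def assess_app(app: OAuthApp, today: date) -> Assessment:
    a = Assessment(app.name, "low")
    high = sorted(s for s in app.permissions if s in HIGH_PRIVILEGE)

    # Unused high-privilege scopes are pure attack surface: revoke them first.
    for scope in high:
        last = app.permissions[scope]
        if last is None or (today - last).days > UNUSED_AFTER_DAYS:
            a.flags.append(f"unused-high-privilege:{scope}")
            a.scopes_to_revoke.append(scope)

    if high and not app.publisher_verified:
        a.flags.append("unverified-publisher-with-high-privilege")
    if high and app.consent_type == "user":
        a.flags.append("user-consent-to-high-privilege")
    # A handful of consenting users plus an unverified publisher is the shape a
    # consent-phishing campaign has early on: one or two victims, broad scopes.
    if high and not app.publisher_verified and app.consenting_users <= 3:
        a.flags.append("consent-phishing-pattern")

    if "unverified-publisher-with-high-privilege" in a.flags:
        a.severity = "high"
    elif a.scopes_to_revoke or "user-consent-to-high-privilege" in a.flags:
        a.severity = "medium"
    return a


# Constructed inventory (not real apps, publishers or tenants).
TODAY = date(2026, 6, 15)
INVENTORY = [
    OAuthApp("Contoso HR Sync", True, "admin", 1,
             {"Directory.Read.All": date(2026, 6, 14), "User.Read": date(2026, 6, 14)}),
    OAuthApp("Mail Cleaner Pro", False, "user", 2,
             {"Mail.ReadWrite": date(2026, 6, 10), "Files.ReadWrite.All": None,
              "User.Read": date(2026, 6, 10)}),
    OAuthApp("Calendar Helper", True, "user", 120,
             {"Calendars.Read": date(2026, 6, 13), "Mail.Read": date(2026, 2, 1)}),
]


def triage(inventory, today=TODAY):
    """Assess every app and return the results worst-first."""
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted((assess_app(app, today) for app in inventory),
                  key=lambda r: order[r.severity])


if __name__ == "__main__":
    for r in triage(INVENTORY):
        print(f"{r.severity:6} {r.app:18} flags={r.flags} revoke={r.scopes_to_revoke}")
```

Note that "Contoso HR Sync" holds Directory.Read.All yet comes out low: it is admin-consented, publisher-verified and actively using the scope. Breadth of permission alone is not the signal; breadth without use, without verification, or without admin review is.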


4. Session controls and Conditional Access App Control (CAAC)

Conditional Access App Control (CAAC) routes a user’s app session through MDCA’s reverse proxy (integrated with Microsoft Entra Conditional Access), enabling real-time controls inside the session:

  • Monitor — log session activity for visibility.
  • Block — prevent specific actions (e.g., downloading a sensitive file to an unmanaged device).
  • Limit — allow the action but constrain it (e.g., view-only, block copy/print, apply a label).

This enforces Zero Trust at the session level: even after a user authenticates, what they can do depends on real-time conditions (device state, data sensitivity).


5. App policies

MDCA policies detect and respond to risky activity. Common types:

  • Activity policies — fire on specific user activities (e.g., mass download, admin action from a risky location).
  • File policies — detect sensitive files shared too broadly or stored where they should not be.
  • Anomaly detection policies — machine-learning baselines of normal behavior that flag deviations (e.g., impossible travel, unusual download volume) — many are on by default.

Each policy match raises an alert that you investigate in the MDCA/Defender alerts queue and act on. In the lab you will create a simple app policy, review the matches it generates, and take a remediation action on a policy-triggered alert.
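Two of the policy types above, implemented as detection logic over a constructed activity log: an activity policy for mass download (a sliding count of downloads per user inside a time window) and an anomaly policy for impossible travel (great-circle distance between successive logins divided by elapsed time). This is an added example for the handout, not MDCA's policy engine; the thresholds (20 downloads in 10 minutes, 900 km/h, a 100 km floor to ignore same-metro churn) are chosen for illustration, and the users and coordinates in build_sample_events are invented.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt
from typing import Optional


@dataclass
class Event:
    ts: datetime
    user: str
    action: str                      # "Login" or "FileDownloaded"
    lat: Optional[float] = None      # geo-IP of the client, present on Login only
    lon: Optional[float] = None


@dataclass
class Match:
    user: str
    policy: str
    detail: str


def mass_download_matches(events, threshold=20, window=timedelta(minutes=10)):
    """Activity policy: >= threshold downloads by one user inside a sliding window."""
    by_user = defaultdict(list)
    for e in events:
        if e.action == "FileDownloaded":
            by_user[e.user].append(e.ts)
    matches = []
    for user, times in by_user.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:      # slide the window's left edge
                start += 1
            count = end - start + 1
            if count >= threshold:
                matches.append(Match(user, "mass-download",
                                     f"{count} downloads within {window}"))
                break                             # one alert per user is enough
    return matches


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance on a 6371 km sphere."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi = p2 - p1
    dlmb = radians(lon2 - lon1)
    h = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def impossible_travel_matches(events, max_speed_kmh=900.0, min_distance_km=100.0):
    """Anomaly policy: successive logins that would need faster-than-airliner travel."""
    by_user = defaultdict(list)
    for e in events:
        if e.action == "Login" and e.lat is not None:
            by_user[e.user].append(e)
    matches = []
    for user, logins in by_user.items():
        logins.sort(key=lambda e: e.ts)
        for prev, cur in zip(logins, logins[1:]):
            km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            if km < min_distance_km:              # same metro / VPN egress churn
                continue
            hours = (cur.ts - prev.ts).total_seconds() / 3600
            # Two far-apart logins at the same instant are impossible by definition.
            if hours == 0 or km / hours > max_speed_kmh:
                matches.append(Match(user, "impossible-travel",
                                     f"{km:.0f} km in {hours:.2f} h"))
    return matches


def build_sample_events():
    """Constructed activity log (not real tenant data)."""
    t0 = datetime(2026, 6, 1, 9, 0, 0)
    ev = []
    # alice: 25 downloads twelve seconds apart -> mass download
    ev += [Event(t0 + timedelta(seconds=12 * i), "alice", "FileDownloaded") for i in range(25)]
    # bob: a normal trickle of three downloads over an hour
    ev += [Event(t0 + timedelta(minutes=20 * i), "bob", "FileDownloaded") for i in range(3)]
    # carol: Seattle, then Frankfurt ninety minutes later -> impossible travel
    ev.append(Event(t0, "carol", "Login", 47.6062, -122.3321))
    ev.append(Event(t0 + timedelta(minutes=90), "carol", "Login", 50.1109, 8.6821))
    # dave: Seattle, then Portland two hours later -> plausible
    ev.append(Event(t0, "dave", "Login", 47.6062, -122.3321))
    ev.append(Event(t0 + timedelta(hours=2), "dave", "Login", 45.5152, -122.6784))
    return ev


def run_policies(events):
    return mass_download_matches(events) + impossible_travel_matches(events)


if __name__ == "__main__":
    for m in run_policies(build_sample_events()):
        print(f"{m.policy:18} {m.user:6} {m.detail}")
```

The distance floor is the caveat a practitioner wants: without it, two logins a few kilometres apart with near-identical timestamps (the normal output of a load-balanced VPN or a mobile carrier NAT) produce an absurd speed and a false alert. MDCA's own anomaly policies apply a learning period and similar suppression before alerting; tune that rather than lowering the speed threshold.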


6. Module summary

  • MDCA is a CASB that sees cloud apps via traffic logs (discovery), API connectors (deep monitoring), and a reverse proxy (real-time session control).
  • Cloud Discovery reveals Shadow IT, scores app risk, and supports sanctioned/unsanctioned tagging; SSPM assesses connected apps’ configuration posture.
  • OAuth app governance exposes consent grants, permissions, and publisher verification — over-permissioned apps are a token-based attack path that bypasses passwords/MFA.
  • CAAC enforces monitor / block / limit controls inside a session.
  • Policies (activity, file, anomaly) detect risky behavior and raise alerts to investigate and remediate.

Glossary (first-use acronyms in this module)

  • CAAC — Conditional Access App Control.
  • CASB — Cloud Access Security Broker.
  • MDCA — Microsoft Defender for Cloud Apps.
  • MFA — Multifactor Authentication.
  • OAuth — open authorization standard for delegated app access via tokens.
  • SaaS — Software as a Service.
  • SSPM — SaaS Security Posture Management.

Sources

Citations recorded per CLAUDE.md. Living documents; “as of June 2026” stamps indicate currency.

  1. Microsoft Learn — “Microsoft Defender for Cloud Apps overview.” https://learn.microsoft.com/defender-cloud-apps/what-is-defender-for-cloud-apps
  2. Microsoft Learn — “Set up Cloud Discovery.” https://learn.microsoft.com/defender-cloud-apps/set-up-cloud-discovery
  3. Microsoft Learn — “App governance in Microsoft Defender for Cloud Apps.” https://learn.microsoft.com/defender-cloud-apps/app-governance-manage-app-governance
  4. Microsoft Learn — “Protect apps with Conditional Access App Control.” https://learn.microsoft.com/defender-cloud-apps/proxy-intro-aad
  5. Microsoft Learn — “Control cloud apps with policies.” https://learn.microsoft.com/defender-cloud-apps/control-cloud-apps-with-policies
  6. Microsoft Learn — “SaaS security posture management (SSPM).” https://learn.microsoft.com/defender-cloud-apps/security-saas
  7. MITRE ATT&CK — Cloud techniques, including consent/account abuse. https://attack.mitre.org/matrices/enterprise/cloud/

M07 of 10 · Microsoft Defender — Security Operations Fundamentals · maps to curriculum.md → M07 learning objectives 1–4. Student handout — distribute freely to learners. No answer keys contained.