Domain 3 of 4 · Chapter 4 of 4

Defender for Cloud Apps

Unlock the complete study guide + 1,040 practice questions across 16 full exams.

Bundled into the existing Microsoft Certified: Identity and Access Administrator Associate premium course — no separate purchase.

Included in this chapter:

  • What Defender for Cloud Apps does, and how it connects
  • Cloud discovery and the cloud app catalog
  • Connected apps: API connectors
  • App-enforced restrictions vs Conditional Access app control
  • Access policies vs session policies
  • OAuth app governance and the cloud app catalog

Three ways to control a cloud-app session

ControlApp-enforced restrictionsConditional Access app controlAPI-connected app governance
How it reaches the appConditional Access tells the app to self-limitReverse proxy inline in the sessionApp provider's API (connector)
When it actsAt sign-in (limited web access)Live, during the browser sessionAfter the activity, periodically or near real time
Where it is configuredEntra Conditional Access (Session grant)Entra CA 'Use Conditional Access App Control' + DfCA access/session policiesConnected apps + file/activity policies
Typical actionBrowser-only, no download/print on unmanaged deviceBlock download, protect on download, block uploadSuspend user, quarantine file, revoke tokens
Needs agent on deviceNoNo (works on unmanaged devices)No
Supported appsExchange Online, SharePoint Online, OfficeBrowser SAML 2.0 / OIDC apps in the catalogApps with a Defender for Cloud Apps connector

Decision tree

What is the goal?pick the connection methodCloud discoveryscore apps, sanctionFind shadow ITAPI connectorgovern users / filesGovern a connected appOAuth app policyban / revoke consentRisky 3rd-party consentControl a livebrowser session?Limit in-app actionsApp-enforced restrictionsOffice: browser-onlyOffice app, lightCA app control: in or inside?route to reverse proxyAny app, real timeAccess policyblock the sessionKeep it outSession policyblock / protectdownload, block uploadControl inside

Cheat sheet

  • Match the Defender for Cloud Apps job to its connection method
  • Cloud discovery scores apps against a 31,000+ app catalog on 90+ risk factors
  • Snapshot reports are manual uploads; continuous reports are auto-forwarded
  • Feed continuous discovery via Defender for Endpoint, a log collector, an SWG, or the API
  • Discovery data refreshes four times a day, so it is near-current, not live
  • Unsanctioning an app generates a block script, not just a label
  • App connectors govern an app through its provider API, after the fact
  • Connector data scans run every 12 hours plus near real time on change
  • Multi-instance connectors work for Salesforce but not Microsoft 365 or Azure
  • App-enforced restrictions make the app self-limit, with no proxy
  • Conditional Access app control is a reverse proxy for real-time browser control
  • Deploy Conditional Access app control from a Conditional Access policy, not from the proxy console
  • A proxied session shows a .mcas.ms URL suffix
  • Access policy blocks the session at sign-in; session policy controls activity inside it
  • Session policies block download, protect on download, or block upload
  • Session controls cover browsers only, not desktop or native clients
  • Conditional Access app control policies act at the app level, not per file
  • OAuth app governance surveys delegated consent, scored High, Medium, or Low
  • Banning an OAuth app disables its enterprise application and revokes access
  • OAuth app policies automate revoke or alert on consent criteria
  • Built-in OAuth anomaly policies catch misleading names and malicious consent
  • Pick app-enforced restrictions, CA app control, or the API connector by where enforcement must happen

Unlock with Premium — includes all practice exams and the complete study guide.

Also tested in

References

  1. Enable instant visibility, protection, and governance actions for your apps
  2. Protect apps with Microsoft Defender for Cloud Apps Conditional Access app control
  3. Manage OAuth apps
  4. Set up Cloud Discovery
  5. OAuth app policies