Defender for Cloud Apps
Unlock the complete study guide + 1,040 practice questions across 16 full exams.
Bundled into the existing Microsoft Certified: Identity and Access Administrator Associate premium course — no separate purchase.
Included in this chapter:
- What Defender for Cloud Apps does, and how it connects
- Cloud discovery and the cloud app catalog
- Connected apps: API connectors
- App-enforced restrictions vs Conditional Access app control
- Access policies vs session policies
- OAuth app governance and the cloud app catalog
Three ways to control a cloud-app session
| Control | App-enforced restrictions | Conditional Access app control | API-connected app governance |
|---|---|---|---|
| How it reaches the app | Conditional Access tells the app to self-limit | Reverse proxy inline in the session | App provider's API (connector) |
| When it acts | At sign-in (limited web access) | Live, during the browser session | After the activity, periodically or near real time |
| Where it is configured | Entra Conditional Access (Session grant) | Entra CA 'Use Conditional Access App Control' + DfCA access/session policies | Connected apps + file/activity policies |
| Typical action | Browser-only, no download/print on unmanaged device | Block download, protect on download, block upload | Suspend user, quarantine file, revoke tokens |
| Needs agent on device | No | No (works on unmanaged devices) | No |
| Supported apps | Exchange Online, SharePoint Online, Office | Browser SAML 2.0 / OIDC apps in the catalog | Apps with a Defender for Cloud Apps connector |
Decision tree
Cheat sheet
Unlock with Premium — includes all practice exams and the complete study guide.