Defender for Cloud Apps: The A.I. Response and the Human Element
In the first two parts of this series, we followed the path of an attack as it moved through different layers of the environment. We started at the front gate with Microsoft Defender for Office 365, where email threats are filtered and malicious messages are stopped before they ever reach the user. Then we shifted to the endpoint, where Microsoft Defender for Endpoint steps in when something manages to slip past the inbox and attempts to execute on a device.
But attackers rarely stop there. They keep trying. If one method doesn't work, they switch tactics. Now A.I. is playing a factor here as well. In my opinion, we need to protect it as an asset just the same.
Once an attacker gains access to a system or account, the next stop is often the cloud. That’s where the real prize usually lives — applications, identities, and most importantly, data.
And just like any good superhero story, when the fight moves to a new part of the city, another hero joins the team.
Enter Microsoft Defender for Cloud Apps. Sometimes you need something in the shadows to fight off the threats in the shadows. One of the many things Defender for Cloud Apps can assist with is control of Shadow IT. With Defender for Endpoint integrated with Defender for Cloud Apps, we have the ability to unsanction unwanted applications and block those apps via indicators in Defender for Endpoint.
If Defender for Office 365 protects the gates and Defender for Endpoint protects the streets, Defender for Cloud Apps is watching the skyscrapers where the organization’s data lives. It provides visibility into how cloud applications are being used, helps detect risky behavior, and gives security teams the ability to control how users interact with sensitive information inside those apps.
In this part of the series, we’ll take a closer look at how Defender for Cloud Apps works with Conditional Access to protect cloud applications, and how organizations can apply those same controls to emerging tools like AI platforms.
What is Defender for Cloud Apps?
Microsoft Defender for Cloud Apps is Microsoft’s Cloud Access Security Broker (CASB) that provides visibility into cloud application usage and allows organizations to monitor activity, detect threats, and apply real-time security controls to protect data within SaaS applications.
As more applications move to the cloud, protecting the data inside those services becomes critical, and one of the most powerful ways Defender for Cloud Apps does this is by working together with Conditional Access. Instead of simply allowing or blocking access to an application, Defender for Cloud Apps can apply real-time session controls that monitor what users are doing and step in when something risky happens.
Before we get any deeper into the origin story of Defender for Cloud Apps, let's take a look at the licensing.
Licensing for Defender for Cloud Apps
I have included a reference table below showing some of the licensing options available for Defender for Cloud Apps.
I recommend looking at the Security add-on if you are using Business Premium or Microsoft 365 E3 (A3). I feel like the security add-on is a really great value add, especially when comparing what is included in each add-on.
Conditional Access App Controls (CAAC)
One of the most powerful capabilities of Microsoft Defender for Cloud Apps is its ability to work alongside Microsoft Entra Conditional Access to enforce real-time access controls.
Rather than simply allowing or blocking access to an application, organizations can apply session-based policies that inspect user activity and protect data while a user is actively working inside a cloud application.
This approach allows security teams to apply protections such as:
• blocking downloads of sensitive data
• preventing copy and paste of confidential information
• watermarking documents viewed in the browser
• monitoring unusual user behavior
• restricting access based on device risk or location
These protections are made possible through Conditional Access App Control, which integrates Microsoft Defender for Cloud Apps directly into the authentication and session pipeline.
When a user signs in to an application, Conditional Access can route the session through Defender for Cloud Apps, allowing security teams to apply real-time monitoring and control.
In other words, Defender for Cloud Apps doesn’t just watch what happens in the cloud; it can actively intervene when risky behavior is detected.
Prerequisites for Conditional Access App Controls (CAAC)
This section has some critical information around applications and whether they can be onboarded into Defender for Cloud Apps. Not all applications are supported, and not all applications are created equal. Please also know that different applications may have limitations on which controls can be applied via Conditional Access. Whew, now that I have that out of the way, here is some additional information.
DISCLAIMER: I want to caution you to test this at a small scale if you are considering testing or piloting, if possible with scoped Conditional Access and scoped Cloud Apps policies if in use. Be careful how you write each policy; you could risk lockout or loss of access to data.
In order for supported applications to be connected to CAAC they need to meet the following criteria:
I discussed in a previous article how to onboard Microsoft 365 applications into CAAC via the Monitoring Conditional Access policy. I will also leave some references for onboarding applications into Conditional Access App Controls.
More about onboarding applications into CAAC here:
Connecting Applications to Defender for Cloud Apps (Connecting via API)
While I am talking about onboarding into CAAC, it is worth mentioning that Microsoft 365 and Entra applications are ready to connect fully for anomaly detection policies via Defender for Cloud Apps.
The following reference shows all of the currently supported applications. Please take into consideration that you may need licensing with the third-party vendor in order to access the cloud app's API. It is critical to check all of the applications you may be planning to connect and evaluate their compatibility.
Reference for Connecting Applications: Connect apps to get visibility and control - Microsoft Defender for Cloud Apps | Microsoft Learn
Top Three Potential Use Cases
If your organization allows access from unmanaged devices to Office 365, SharePoint, OneDrive for Business, etc., this is a recommended method to prevent data leaks to unmanaged devices. In my opinion, these are pretty good places to start.
Block Leakage of Sensitive Data Connected Apps
Connect Microsoft 365 applications and use content filtering to block downloads of sensitive data to unmanaged devices. Use session controls via Conditional Access together with content filtering to block exfiltration of sensitive data. Be sure to enable file monitoring after you connect the Microsoft 365 apps. This will allow you to block based on content inspection by filtering for sensitive information types and trainable classifiers from Purview.
Continuous Monitoring & Anomaly Detection Connected Apps
Logs can be ingested via multiple sources. This article references the integration between Defender for Endpoint and Defender for Cloud Apps. Applications connect via API; the applications must be compatible and have the correct licensing.
Detect Shadow IT on Managed Devices Only
Detection of Shadow IT within the organization. This will allow you to see any unauthorized applications, including any Generative A.I. or unwanted third-party applications. This assumes devices are either directly enrolled into Defender for Endpoint or enrolled via Microsoft Intune integration/Endpoint Detection and Response (EDR).
Unsanctioning an application within firewalls and secure web gateways requires a little more effort and configuration if those are in use. For now, Defender for Endpoint is the blocking mechanism.
Defender for Endpoint should be in active mode; you may have limited functionality within Microsoft Edge if Defender for Endpoint is in passive mode.
Some organizations can be shocked when they get insight into the applications that are in use. You can also review OAuth approvals for applications within your organization. (More on this in a future article.)
Here are some more prerequisites to be aware of around the solution for blocking applications via Defender for Endpoint and Defender for Cloud Apps.
2. Defender for Endpoint integration is enabled within the Defender for Cloud Apps Cloud Discovery settings. This allows app control: once you mark an application as unsanctioned in Defender for Cloud Apps, the indicator is created within Defender for Endpoint. (This is the integration.)
3. Defender for Endpoint should be in Active mode. This means you will be using network protection via the anti-virus policy. Network protection can only be used if there is no third-party anti-virus present on the endpoint. Network protection is what covers the third-party browsers (Opera, Brave, Chrome, Firefox).
When an application is marked unsanctioned within Defender for Cloud Apps, a Block indicator for that web application is created within Defender for Endpoint. This utilizes the back-end web content filtering mechanism to force a block on the endpoint via SmartScreen and network protection via the anti-virus policy.
The Human Element - Mobility, Flexibility, Unmanaged Devices
This is where you will need to meet the Conditional Access requirements for compatible applications. This is where you can police activity on unmanaged devices if your organization requires that flexibility. It is recommended that devices are fully Intune and Defender for Endpoint managed.
However, I understand that may not always be the case. If there are unmanaged devices accessing your resources and data in Microsoft 365, these are some of the capabilities you will have at the cloud app level via Entra SaaS integration.
When Conditional Access routes a session through Microsoft Defender for Cloud Apps, security teams can apply real-time controls to how users interact with SaaS applications. Some examples include:
Block downloads Prevent users from downloading files from applications like SharePoint or OneDrive when they are accessing the service from an unmanaged or risky device. This also applies to malware-type files. The Defender for Endpoint integration lends its engine, definitions, etc. to Defender for Cloud Apps to allow for content inspection scanning via Conditional Access (that's pretty cool if you ask me).
Monitor activity Track user actions within cloud applications to identify unusual behavior or potential insider threats.
Inspect uploads Analyze files being uploaded to cloud applications and detect sensitive data such as financial information, personal data, or confidential documents.
Watermark documents Apply dynamic watermarks to viewed documents to discourage screenshots or unauthorized sharing.
Block copy and paste Prevent users from copying sensitive information from protected applications and pasting it into external locations, helping reduce the risk of data exfiltration. This is important because you can tie this into scanning for sensitive information types and trainable classifiers. You saw an example above of an SSN and a credit card number being blocked. This was the alert that was generated as a result of those actions. See the screenshot below:
The A.I. Response - From Session Controls to Anomaly Detection
Microsoft Defender for Cloud Apps includes several built-in anomaly detection policies that use behavioral analytics and machine learning to detect suspicious activity across cloud applications. These detections are powered by both API integrations with Microsoft 365 and Entra ID and real-time session controls when Conditional Access routes a session through Defender for Cloud Apps.
Below are some of the most common anomaly detection policies and how they work. Please note that the policies below are only for Microsoft 365 and Entra applications. Anomaly detection will vary per supported application, licensing and requirements. Please reference: Connect apps to get visibility and control - Microsoft Defender for Cloud Apps | Microsoft Learn
Three things you will want to have deployed for use with Defender for Cloud Apps automated actions are:
Impossible Travel
This policy detects when a user signs in from two geographically distant locations within a timeframe that would be impossible for normal travel. For example, if a user signs in from New York and then appears to access resources from Europe shortly afterward, the system can flag this as suspicious activity.
This detection relies on telemetry from Microsoft Entra ID and Microsoft 365. It can remediate with Confirmed User Compromised (user risk), which forces all sessions to disconnect, suspends access, and forces the user to perform a self-service password reset based on the potential compromise. Please note that logging in from remote locations may trigger this, so you can add trusted IP addresses to Defender for Cloud Apps so those are excluded or added to the filter to avoid too many false positives.
Available through: Connected App (API monitoring)
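The impossible-travel logic described above, as an added example that is not the article's or Microsoft's code: consecutive sign-ins per user are compared by great-circle distance over elapsed time, and sign-ins from a trusted IP range are skipped, which is the false-positive exclusion the article suggests. The threshold, trusted range and sign-in events are all constructed assumptions.

```python
# Added example (not from the article): minimal impossible-travel check over
# constructed sign-in events, with a trusted-IP exclusion list.
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network
from math import asin, cos, radians, sin, sqrt

MAX_SPEED_KMH = 900.0  # hypothetical threshold: roughly airline cruising speed

# Constructed trusted egress ranges (office/VPN); sign-ins from these are skipped.
TRUSTED_NETWORKS = [ip_network("203.0.113.0/24")]

@dataclass
class SignIn:
    user: str
    ts: datetime
    ip: str
    lat: float
    lon: float

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two WGS84 points."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def is_trusted(ip):
    addr = ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)

def impossible_travel(events, max_speed_kmh=MAX_SPEED_KMH):
    """Return (user, prev, cur, speed_kmh) for consecutive non-trusted sign-ins
    per user that would require travelling faster than max_speed_kmh."""
    alerts = []
    last = {}  # user -> last non-trusted sign-in
    for e in sorted(events, key=lambda e: e.ts):
        if is_trusted(e.ip):
            continue  # trusted IPs are excluded from the comparison
        prev = last.get(e.user)
        if prev is not None:
            hours = (e.ts - prev.ts).total_seconds() / 3600
            dist = haversine_km(prev.lat, prev.lon, e.lat, e.lon)
            speed = dist / hours if hours > 0 else float("inf")
            if speed > max_speed_kmh:
                alerts.append((e.user, prev, e, round(speed)))
        last[e.user] = e
    return alerts

def demo():
    """Constructed sign-ins: alice hops New York -> Paris in 40 minutes;
    bob's second sign-in comes through the trusted VPN range and is skipped."""
    def t(h, m):
        return datetime(2024, 5, 1, h, m, tzinfo=timezone.utc)
    events = [
        SignIn("alice", t(9, 0), "198.51.100.10", 40.71, -74.01),  # New York
        SignIn("alice", t(9, 40), "192.0.2.25", 48.86, 2.35),      # Paris
        SignIn("bob", t(9, 0), "198.51.100.11", 40.71, -74.01),    # New York
        SignIn("bob", t(9, 30), "203.0.113.7", 51.51, -0.13),      # trusted egress
    ]
    return impossible_travel(events)
```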
Activity from Suspicious IP Address
Defender for Cloud Apps continuously evaluates activity against threat intelligence feeds. If user activity originates from an IP address known to be associated with malicious activity, bot networks, or compromised infrastructure, an alert can be generated.
This detection is particularly useful for identifying compromised accounts. These IP addresses can come from the allow/block list within Defender XDR and/or be known to the A.I. as malicious. Defender for Cloud Apps tags malicious IP addresses as such, and access will be blocked at the app level and at the endpoint level, assuming the Defender for Endpoint and Cloud Apps integration is in place.
Available through: Connected App (API monitoring)
Anomalous Behavior Detection
Using user and entity behavior analytics (UEBA), Defender for Cloud Apps builds a baseline of normal activity patterns for each user. When the system detects behavior that significantly deviates from that baseline, such as unusual file access, login patterns, or data movement, it generates an alert.
This machine learning model continuously improves as more activity is observed. There are default triggers here that you can loosen or tighten based on organizational need or compliance requirements. Some of these anomaly detection policy settings and triggers are determined by A.I.; some policies have tunable thresholds.
Available through: Connected App (API monitoring)
Mass Download Detection
This policy detects when a user downloads an unusually large number of files in a short period of time. This type of activity can indicate potential data exfiltration or an attacker attempting to extract sensitive information from cloud storage.
In Microsoft 365 environments, this detection is commonly associated with SharePoint and OneDrive activity. This is a typical behavior of a leaver-type employee downloading their entire OneDrive before exiting the organization. It could also be a compromised-account data exfiltration event. Access to files and sites can be revoked via automation. Data that is missing a sensitivity label or has a weak label can be scanned and auto-labeled (vetoing the user-assigned label) if obfuscation is being attempted.
Available through: Connected App (API monitoring); Limited support: Session control
Mass Deletion Detection
Mass deletion detection identifies when large numbers of files are deleted from cloud storage in a short timeframe. This behavior is sometimes associated with ransomware activity or malicious insiders attempting to destroy evidence. This is a typical behavior of a leaver-type employee deleting their entire OneDrive before exiting the organization. It could also be a compromised-account event (scorched earth).
This detection relies on activity monitoring through API connections to Microsoft 365 services.
Available through: Connected App (API monitoring)
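Mass download and mass deletion share one detection shape: count operations of a kind per user inside a sliding time window and alert when a threshold is crossed. As an added example (not the article's or Microsoft's code) the block below implements that general algorithm over constructed audit-style records; the thresholds, windows, operation names and sample users are all assumptions.

```python
# Added example (not from the article): sliding-window counter over constructed
# audit records that flags mass download and mass deletion per user.
from collections import deque
from datetime import datetime, timedelta, timezone

# Hypothetical thresholds: N operations of one kind within the window.
RULES = {
    "FileDownloaded": {"count": 50, "window": timedelta(minutes=5), "alert": "Mass download"},
    "FileDeleted":    {"count": 30, "window": timedelta(minutes=5), "alert": "Mass deletion"},
}

def detect_mass_activity(records, rules=RULES):
    """records: iterable of dicts with 'user', 'op', 'ts' (UTC datetime).
    Returns one alert per (user, op) the first time its threshold is crossed."""
    windows = {}   # (user, op) -> deque of timestamps still inside the window
    alerted = set()
    alerts = []
    for r in sorted(records, key=lambda r: r["ts"]):
        rule = rules.get(r["op"])
        if rule is None:
            continue  # operation type not covered by a rule
        key = (r["user"], r["op"])
        q = windows.setdefault(key, deque())
        q.append(r["ts"])
        while q and r["ts"] - q[0] > rule["window"]:
            q.popleft()  # drop events that fell out of the window
        if len(q) >= rule["count"] and key not in alerted:
            alerted.add(key)
            alerts.append({"user": r["user"], "alert": rule["alert"],
                           "count": len(q), "first": q[0], "last": r["ts"]})
    return alerts

def demo():
    """Constructed records: a leaver bulk-downloads, a normal user downloads
    slowly, and a compromised account bulk-deletes."""
    t0 = datetime(2024, 5, 1, 17, 0, tzinfo=timezone.utc)
    recs = []
    # leaver pulls 60 files in three minutes
    recs += [{"user": "leaver", "op": "FileDownloaded",
              "ts": t0 + timedelta(seconds=3 * i)} for i in range(60)]
    # normal user downloads 20 files spread over an hour (never crosses threshold)
    recs += [{"user": "normal", "op": "FileDownloaded",
              "ts": t0 + timedelta(minutes=3 * i)} for i in range(20)]
    # compromised account deletes 40 files in two minutes
    recs += [{"user": "victim", "op": "FileDeleted",
              "ts": t0 + timedelta(seconds=3 * i)} for i in range(40)]
    return detect_mass_activity(recs)
```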
Suspicious Inbox Rule Detection
Attackers who compromise accounts often create inbox rules to hide malicious emails or redirect messages to external accounts. Defender for Cloud Apps monitors mailbox configuration changes and can generate alerts when suspicious rules are created.
This policy helps detect business email compromise scenarios. This is an event that would be triggered by inbox rule creation after account compromise. The A.I. response will utilize the same Confirmed User Compromised remediation.
Available through: Connected App (API monitoring)
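The traits the article calls out for suspicious inbox rules (redirecting mail to external accounts, hiding messages) can be checked mechanically. The block below is an added example, not the article's or Microsoft's detection logic; the rule objects, the tenant domain and the folder list are constructed assumptions shaped loosely like Exchange inbox rules.

```python
# Added example (not from the article): flag inbox rules that forward externally,
# delete matching mail, or move it to folders users rarely look at.
INTERNAL_DOMAINS = {"contoso.example"}  # constructed tenant domain

# Folders commonly used to hide mail from the owner (constructed list).
HIDEAWAY_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                    "junk email", "archive"}

def external(addr):
    """True if the address's domain is not one of the tenant's own domains."""
    return addr.split("@")[-1].lower() not in INTERNAL_DOMAINS

def assess_rule(rule):
    """Return the list of reasons a rule looks suspicious (empty if none)."""
    reasons = []
    if rule["name"].strip(".,- ") == "":
        reasons.append("name is only punctuation")
    for field in ("forward_to", "redirect_to"):
        ext = [a for a in rule.get(field, []) if external(a)]
        if ext:
            reasons.append(f"{field} external: {', '.join(ext)}")
    if rule.get("delete_message"):
        reasons.append("deletes matching messages")
    dest = (rule.get("move_to_folder") or "").lower()
    if dest in HIDEAWAY_FOLDERS:
        reasons.append(f"moves messages to seldom-viewed folder '{rule['move_to_folder']}'")
    if rule.get("mark_as_read") and reasons:
        reasons.append("also marks messages as read")
    return reasons

def suspicious_rules(rules):
    """Map rule name -> reasons for every rule with at least one reason."""
    found = {}
    for r in rules:
        reasons = assess_rule(r)
        if reasons:
            found[r["name"]] = reasons
    return found

SAMPLE_RULES = [  # constructed
    {"name": "..", "forward_to": ["attacker@mail.example"],
     "delete_message": True, "mark_as_read": True},
    {"name": "Invoices", "move_to_folder": "RSS Feeds",
     "subject_contains": ["invoice", "payment"]},
    {"name": "Team", "move_to_folder": "Team",
     "forward_to": ["lead@contoso.example"]},
]
```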
OAuth App Anomaly Detection
This policy identifies risky or suspicious OAuth applications that users grant access to within Microsoft 365. Attackers sometimes leverage malicious OAuth apps to maintain persistence or access sensitive data without needing a password.
Defender for Cloud Apps monitors these app permissions and can alert security teams when risky authorization patterns are detected. This will detect if a new application or potential malicious application has access to your environment and can automatically revoke that access.
Available through: Connected App (API monitoring)
Activity from Anonymous Proxy or TOR
This detection identifies access attempts originating from anonymization services such as TOR networks or proxy infrastructure. These services are frequently used by attackers attempting to hide their true location.
Alerts generated from this policy can indicate potential account compromise.
Available through: Connected App (API monitoring)
Malware Detection in Files
Defender for Cloud Apps can inspect files uploaded to cloud applications and scan them for malware. This capability helps prevent malicious files from being introduced into collaboration environments such as SharePoint or OneDrive.
When sessions are routed through Conditional Access App Control, files can be inspected in real time.
Available through: Connected App (API monitoring); Session Control (real-time inspection)
Sensitive Data Exposure Detection
This policy identifies files containing sensitive information such as personally identifiable information (PII), financial data, or internal documents. Defender for Cloud Apps can alert security teams or enforce policies to protect that data.
When used with Conditional Access App Control, uploads and downloads can be inspected during active sessions.
Available through: Connected App (API monitoring); Session Control (real-time inspection)
The Wrap Up
There is so much possibility with Defender for Cloud Apps and the XDR. We have now taken a look at three Defenders, the part they play individually, and how they can work as a team. The next piece of the XDR to explore is Microsoft Purview. We will want to visit Data Protection and Sensitivity Labels. These are important for keeping sensitive data out of Microsoft 365 Copilot and Copilot Chat. Purview adds protection to the data layer of the XDR and also ties into Defender for Endpoint for Endpoint Data Loss Prevention.
So, stay tuned for the next hero and the next spotlight. We are getting closer to Security Copilot and keeping sensitive data out of Microsoft 365 Copilot.
I appreciate you taking the time to read my content and I appreciate you! Stay safe Defenders!
You're about to get a call from DC Comics lol