Connect Microsoft 365 to Microsoft Defender for Cloud Apps
Microsoft Defender for Cloud Apps is now part of Microsoft 365 Defender, which correlates signals from across the Microsoft Defender suite and provides incident-level detection, investigation, and powerful response capabilities. For more information, see Microsoft Defender for Cloud Apps in Microsoft 365 Defender.
This article provides instructions for connecting Microsoft Defender for Cloud Apps to your existing Microsoft 365 account using the app connector API. This connection gives you visibility into and control over Microsoft 365 use. For information about how Defender for Cloud Apps protects Microsoft 365, see Protect Microsoft 365.
Use this app connector to access SaaS Security Posture Management (SSPM) features, via security controls reflected in Microsoft Secure Score. Learn more.
Defender for Cloud Apps integration with Microsoft 365
Defender for Cloud Apps supports the legacy Microsoft 365 Dedicated Platform as well as the latest offerings of Microsoft 365 services, commonly referred as the vNext release family of Microsoft 365.
In some cases, a vNext service release differs slightly at the administrative and management levels from the standard Microsoft 365 offering.
Defender for Cloud Apps integrates directly with Microsoft 365's audit logs and receives all audited events from all supported services. For a list of supported services, see Microsoft 365 services that support auditing.
Exchange administrator audit logging, which is enabled by default in Microsoft 365, logs an event in the Microsoft 365 audit log when an administrator (or a user who has been assigned administrative privileges) makes a change in your Exchange Online organization. Changes made using the Exchange admin center or by running a cmdlet in Windows PowerShell are logged in the Exchange admin audit log. For more detailed information about admin audit logging in Exchange, see Administrator audit logging.
Events from Exchange, Power BI, and Teams will only appear after activities from those services are detected in the portal.
Multi-geo deployments are only supported for OneDrive
Azure Active Directory integration
If your Azure Active Directory is set to automatically sync with the users in your Active Directory on-premises environment the settings in the on-premises environment override the Azure AD settings and use of the Suspend user governance action is reverted.
For Azure AD sign-in activities, Defender for Cloud Apps only surfaces interactive sign-in activities and sign-in activities from legacy protocols such as ActiveSync. Non-interactive sign-in activities may be viewed in the Azure AD audit log.
If Office apps are enabled, groups that are part of Microsoft 365 are also imported to Defender for Cloud Apps from the specific Office apps, for example, if SharePoint is enabled, Microsoft 365 groups are imported as SharePoint groups as well.
In SharePoint and OneDrive, Defender for Cloud Apps supports user quarantine only for files in Shared Documents libraries (SharePoint Online) and files in the Documents library (OneDrive for Business).
In SharePoint, Defender for Cloud Apps supports quarantine tasks only for files with Shared Documents in path in English.
You must have at least one assigned Microsoft 365 license to connect Microsoft 365 to Defender for Cloud Apps.
To enable monitoring of Microsoft 365 activities in Defender for Cloud Apps, you are required to enable auditing in the Microsoft Purview compliance portal.
Exchange Mailbox audit logging must be turned on for each user mailbox before user activity in Exchange Online is logged, see Exchange Mailbox activities.
You must enable auditing in Power BI to get the logs from there. Once auditing is enabled, Defender for Cloud Apps starts getting the logs (with a delay of 24-72 hours).
You must enable auditing in Dynamics 365 to get the logs from there. Once auditing is enabled, Defender for Cloud Apps starts getting the logs (with a delay of 24-72 hours).
How to connect Microsoft 365 to Defender for Cloud Apps
In the Microsoft 365 Defender portal, select Settings. Then choose Cloud Apps. Under Connected apps, select App Connectors.
In the App connectors page, select +Connect an app, and then select Microsoft 365.
In the Select Microsoft 365 components page, select the options you require, and then select Connect.
- For best protection, we recommend selecting all Microsoft 365 components.
- The Azure AD files component, requires the Azure AD activities component and Defender for Cloud Apps file monitoring (Settings > Cloud Apps > Files > Enable file monitoring).
On the Follow the link page, select Connect Microsoft 365.
After Microsoft 365 is displayed as successfully connected, select Done.
In the Microsoft 365 Defender portal, select Settings. Then choose Cloud Apps. Under Connected apps, select App Connectors. Make sure the status of the connected App Connector is Connected.
SaaS Security Posture Management (SSPM) data is shown in the Microsoft 365 Defender portal on the Secure Score page. For more information, see Security posture management for SaaS apps.
After connecting Microsoft 365, you will see data from a week back including any third-party applications connected to Microsoft 365 that are pulling APIs. For third-party apps that weren't pulling APIs prior to connection, you see events from the moment you connect Microsoft 365 because Defender for Cloud Apps turns on any APIs that had been off by default.
If you have any problems connecting the app, see Troubleshooting App Connectors.
If you run into any problems, we're here to help. To get assistance or support for your product issue, please open a support ticket.