Connect apps to get visibility and control with Microsoft Defender for Cloud Apps
Microsoft Defender for Cloud Apps is now part of Microsoft 365 Defender, which correlates signals from across the Microsoft Defender suite and provides incident-level detection, investigation, and powerful response capabilities. For more information, see Microsoft Defender for Cloud Apps in Microsoft 365 Defender.
App connectors use the APIs of app providers to enable greater visibility and control by Microsoft Defender for Cloud Apps over the apps you connect to.
Microsoft Defender for Cloud Apps leverages the APIs provided by the cloud provider. All communication between Defender for Cloud Apps and connected apps is encrypted using HTTPS. Each service has its own framework and API limitations such as throttling, API limits, dynamic time-shifting API windows, and others. Microsoft Defender for Cloud Apps worked with the services to optimize the usage of the APIs and to provide the best performance. Taking into account the different limitations that services impose on their APIs, the Defender for Cloud Apps engines use the allowed capacity. Some operations, such as scanning all files in the tenant, require numerous API calls, so they're spread over a longer period. Expect some policies to run for several hours or several days.
Defender for Cloud Apps supports multiple instances of the same connected app. For example, if you have more than one instance of Salesforce (one for sales, one for marketing) you can connect both to Defender for Cloud Apps. You can manage the different instances from the same console to create granular policies and deeper investigation. This support applies only to API connected apps, not to Cloud Discovered apps or Proxy connected apps.
Multi-instance is not supported for Microsoft 365 and Azure.
How it works
Defender for Cloud Apps is deployed with system admin privileges to allow full access to all objects in your environment.
The App Connector flow is as follows:
- Defender for Cloud Apps scans and saves authentication permissions.
- Defender for Cloud Apps requests the user list. The first time the request is done, it may take some time until the scan completes. After the user scan is over, Defender for Cloud Apps moves on to activities and files. As soon as the scan starts, some activities will be available in Defender for Cloud Apps.
- After completion of the user request, Defender for Cloud Apps periodically scans users, groups, activities, and files. All activities will be available after the first full scan.
This connection may take some time depending on the size of the tenant, the number of users, and the size and number of files that need to be scanned.
Depending on the app to which you're connecting, API connection enables the following items:
- Account information - Visibility into users, accounts, profile information, status (suspended, active, disabled), groups, and privileges.
- Audit trail - Visibility into user activities, admin activities, sign-in activities.
- Account governance - Ability to suspend users, revoke passwords, etc.
- App permissions - Visibility into issued tokens and their permissions.
- App permission governance - Ability to remove tokens.
- Data scan - Scanning of unstructured data using two processes: periodically (every 12 hours) and in real time (triggered each time a change is detected).
- Data governance - Ability to quarantine files, including files in trash, and overwrite files.
The following tables list, per cloud app, which abilities are supported with App connectors:
Since not all app connectors support all abilities, some rows may be empty.
Users and activities
|App||List accounts||List groups||List privileges||Log on activity||User activity||Administrative activity|
|Citrix ShareFile|
|DocuSign||Supported with DocuSign Monitor||Supported with DocuSign Monitor||Supported with DocuSign Monitor||Supported with DocuSign Monitor|
|GCP||Subject Google Workspace connection||Subject Google Workspace connection||Subject Google Workspace connection||Subject Google Workspace connection||✔||✔|
|Google Workspace||✔||✔||✔||✔||✔ - requires Google Business or Enterprise||✔|
|Okta||✔||Not supported by provider||✔||✔||✔|
|Salesforce||Supported with Salesforce Shield||Supported with Salesforce Shield||Supported with Salesforce Shield||Supported with Salesforce Shield||Supported with Salesforce Shield||Supported with Salesforce Shield|
|Webex||✔||✔||✔||Not supported by provider|
|Workday||✔||Not supported by provider||Not supported by provider||✔||✔||Not supported by provider|
|Workplace by Meta||✔||✔||✔||✔||✔|
User, app governance, and security configuration visibility
|App||User governance||View app permissions||Revoke app permissions||SaaS Security Posture Management (SSPM)|
|AWS||Not applicable||Not applicable|
|Azure||Not supported by provider|
|Box||✔||Not supported by provider|
|Citrix ShareFile||✔|
|GCP||Subject Google Workspace connection||Not applicable||Not applicable|
|Okta||Not applicable||Not applicable||✔|
|Webex||Not applicable||Not applicable|
|Workday||Not supported by provider||Not applicable||Not applicable|
|Workplace by Meta|
|App||DLP - Periodic backlog scan||DLP - Near real-time scan||Sharing control||File governance||Apply sensitivity labels from Microsoft Purview Information Protection|
|AWS||✔ - S3 Bucket discovery only||✔||✔||Not applicable|
|Citrix ShareFile|
|GCP||Not applicable||Not applicable||Not applicable||Not applicable||Not applicable|
|Google Workspace||✔||✔ - requires Google Business Enterprise||✔||✔||✔|
|Okta||Not applicable||Not applicable||Not applicable||Not applicable||Not applicable|
|ServiceNow||✔||✔||Not applicable|
|Workday||Not supported by provider||Not supported by provider||Not supported by provider||Not supported by provider||Not applicable|
|Workplace by Meta|
When working with the Microsoft 365 connector, you'll need a license for each service where you want to view security recommendations. For example, to view recommendations for Microsoft Forms, you'll need a license that supports Forms.
For some apps, it may be necessary to add IP addresses to an allow list to enable Defender for Cloud Apps to collect logs and provide access for the Defender for Cloud Apps console. For more information, see Network requirements.
To get updates when URLs and IP addresses are changed, subscribe to the RSS feed as explained in Microsoft 365 URLs and IP address ranges.
Defender for Cloud Apps is deployed in Azure and fully integrated with ExpressRoute. All interactions with the Defender for Cloud Apps apps and traffic sent to Defender for Cloud Apps, including upload of discovery logs, are routed via ExpressRoute for improved latency, performance, and security. For more information about Microsoft Peering, see ExpressRoute circuits and routing domains.
Disable app connectors
- Before disabling an app connector, make sure you have the connection details available as you will need them if you want to re-enable the connector.
- These steps cannot be used to disable Conditional Access App Control apps and Security configuration apps.
To disable connected apps:
- In the Connected apps page, in the relevant row, select the three dots and choose Disable App connector.
- In the pop-up, click Disable App connector instance to confirm the action.
Once disabled, the connector instance will stop consuming data from the connector.
Re-enable app connectors
To re-enable connected apps:
- In the Connected apps page, in the relevant row, select the three dots and choose Edit settings. This starts the process to add a connector.
- Add the connector using the steps in the relevant API connector guide. For example, if you are re-enabling GitHub, use the steps in Connect GitHub Enterprise Cloud to Defender for Cloud Apps.