Integrate with Microsoft Power Automate for custom alert automation

Note

Microsoft Defender for Cloud Apps is now part of Microsoft 365 Defender, which correlates signals from across the Microsoft Defender suite and provides incident-level detection, investigation, and powerful response capabilities. For more information, see Microsoft Defender for Cloud Apps in Microsoft 365 Defender.

Defender for Cloud Apps integrates with Microsoft Power Automate to provide custom alert automation and orchestration playbooks. By using the connectors available in Power Automate, you can automate the triggering of playbooks when Defender for Cloud Apps generates alerts. For example, automatically create an issue in ticketing systems using ServiceNow connector or send an approval email to execute a custom governance action when an alert is triggered in Defender for Cloud Apps.

Prerequisites

How it works

On its own, Defender for Cloud Apps provides predefined governance options such as suspend a user or make a file private when defining policies. By creating a playbook in Power Automate using a Defender for Cloud Apps connector, you can create workflows to enable customized governance options for your policies. After the playbook is created in Power Automate, it will be automatically synchronized to Defender for Cloud Apps. Then associate it with a policy in Defender for Cloud Apps to send alerts to Power Automate. Microsoft Power Automate offers several connectors and conditions to create a customized workflow for your organization.

The Defender for Cloud Apps connector in Power Automate supports automated triggers and actions. Power Automate is triggered automatically when Defender for Cloud Apps generates an alert. Actions include changing the alert status in Defender for Cloud Apps.

Create Power Automate playbooks for Defender for Cloud Apps

  1. Create an API token in Defender for Cloud Apps.

  2. Navigate to the Power Automate portal, select My flows, select New flow, and in the drop-down, under Build your own from blank, select Automated cloud flow.

    Power Automate create new flow.

  3. Provide a name for the flow, and in Choose your flow's trigger, type Defender for Cloud Apps and select When an alert is generated.

    Power Automate when an alert is generated.

  4. Under Authentication settings, paste the API token from step 1. Give your connection a name and select Create.

    Power Automate add token.

  5. Now create the playbook according to your requirements. Select +New step to define the workflow that should be triggered when a policy in Defender for Cloud Apps generates an alert. You can add an action, logical condition, switch case conditions, or loops and save the playbook. In this example, we'll be adding a ServiceNow connector.

    Power Automate workflow.

  6. Continue to configure your playbook. The playbook will be automatically synchronized with Defender for Cloud Apps. For more information about creating playbooks in Power Automate, see Create a cloud flow in Power Automate.

  7. In the Microsoft 365 Defender portal, under Cloud Apps, go to Policies -> Policy management. In the row of the policy whose alerts you want to forward to Power Automate, select the three dots and then select Edit Policy.

  8. Under Alerts, select Send Alerts to Power Automate and choose the name of the playbook you created earlier from the drop-down menu.

    Enable Power Automate in policy.

  9. Defender for Cloud Apps playbooks that you've authored or are granted access to can be seen by in the Microsoft 365 Defender portal, by going to Settings, then choosing Cloud Apps, and under System selecting Playbooks.

    view playbooks in Defender for Cloud Apps.

Note

The maximum supported number of Power Platform environments is 180, but there is no limit to the number of playbooks that can be used within each environment.

Next steps

If you run into any problems, we're here to help. To get assistance or support for your product issue, please open a support ticket.

Learn more