Lifecycle management strategy in Defender for Cloud Apps
Note: Microsoft Defender for Cloud Apps is now part of Microsoft 365 Defender and can be accessed through its portal at https://security.microsoft.com. Microsoft 365 Defender correlates signals from the Microsoft Defender suite across endpoints, identities, email, and SaaS apps to provide incident-level detection, investigation, and powerful response capabilities. It improves your operational efficiency with better prioritization and shorter response times, which protect your organization more effectively. For more information about these changes, see Microsoft Defender for Cloud Apps in Microsoft 365 Defender.
By using a lifecycle management strategy, you can ensure your configurations, exclusions, and policies for Microsoft Defender for Cloud Apps remain up to date and are reviewed on an established cadence.
Note: Remember to also check What's New in Defender for Cloud Apps to stay current with new features and releases.
To maintain your Defender for Cloud Apps posture, regularly follow the recommendations below:
Role-based access controls
- Review all users who have access to the Defender for Cloud Apps portal and verify that each still needs the assigned role
- Inventory external users with access to your environment and determine whether that access is still valid
Real-time controls
- Add applications for additional control and visibility
- Remove old user/group exclusions from Conditional Access policy
- Update SAML certificate for third-party identity provider annually
- Verify app onboarding members
Policy management
- Remove unneeded custom policies
- Review new policy templates
- Enhance policy strategy to determine what can be a saved query versus what requires an alert
- Ensure labeling strategy is in line with current Security and Compliance configuration
Discovery
Settings
- Review managed domains
- Verify current IP ranges for Corporate and VPN
- Verify App Tag strategy and add/remove as needed
- Check rights on admin quarantine folder
- Adjust score metrics based on industry best practices
- Review members allowed to view private activities
- Verify integrations are enabled:
Next steps
If you run into any problems, we're here to help. To get assistance or support for your product issue, please open a support ticket.