Microsoft Defender for Cloud Apps in Microsoft Defender XDR

Note

Want to experience Microsoft Defender XDR? Learn more about how you can evaluate and pilot Microsoft Defender XDR.

Applies to:

Microsoft Defender for Cloud Apps is now part of Microsoft Defender XDR. The Microsoft Defender portal allows security admins to perform their security tasks in one location. This simplifies workflows, and adds the functionality of the other Microsoft Defender XDR services. Microsoft Defender XDR will be the home for monitoring and managing security across your Microsoft identities, data, devices, apps, and infrastructure.

SOC analysts will be able to triage, investigate and hunt across all Microsoft Defender XDR workloads, including cloud apps.

Defender for Cloud Apps alerts will continue to appear in Microsoft Defender XDR's incidents queue and alerts queue, but now with relevant content inside the alert pages available in the Microsoft Defender portal, in a unified format with the proper adaptations to each alerts type. For more information, see Investigate incidents in Microsoft Defender XDR.

Take a look in Microsoft Defender XDR at https://security.microsoft.com.

Learn more about the benefits: Overview of Microsoft Defender XDR.

Quick reference

The images and the tables below list the changes in navigation between Microsoft Defender for Cloud Apps and Microsoft Defender XDR.

Discover

Defender for Cloud Apps Microsoft Defender XDR
Cloud Discover dashboard Cloud apps -> Cloud discovery
Discovered Apps tab on Cloud Discovery page
Discovered resources tab on Cloud Discovery page
IP addresses tab on Cloud Discovery page
Users tab on Cloud Discovery page
Devices tab on Cloud Discovery page
Cloud app catalog Cloud apps -> Cloud app catalog
Create Cloud Discovery snapshot report On the Cloud Discovery page, under Actions

Investigate

Defender for Cloud Apps Microsoft Defender XDR
Activity log Cloud apps -> Activity log
Files Cloud apps -> Files
Users and accounts Assets -> Identities
Security configuration available in Microsoft Defender for Cloud
Identity security posture Microsoft Defender for Identity's identity security posture assessments
OAuth apps Cloud apps -> OAuth apps
Connected apps Settings -> Cloud apps -> Connected apps

Control

Defender for Cloud Apps Microsoft Defender XDR
Policies Cloud apps -> Policy management. Note: Microsoft Entra ID Protection policies will be removed gradually from the Cloud apps policies list. To configure alerts from these policies, see Configure Microsoft Entra IP alert service
Templates Cloud apps -> Policy templates

Settings

Defender for Cloud Apps Microsoft Defender XDR
Settings Settings -> Cloud apps
Settings/Governance log Cloud apps -> Governance log
Security extensions -> Playbooks Settings -> Cloud apps
Security extensions -> SIEM agents Settings -> Cloud apps
Security extensions -> External DLP Settings -> Cloud apps
Security extensions -> API tokens Settings -> Cloud apps
Manage admin access -> Admin roles Permissions-> Cloud apps-> Roles
Manage admin access -> Activity privacy permissions Permissions-> Cloud apps-> Activity privacy permissions
Exported reports Reports -> Cloud apps -> Exported reports
Scoped deployment and privacy Settings -> Cloud Apps -> Scoped deployment and privacy
Connected Apps / App connectors Settings -> Cloud Apps -> Connected apps -> App Connectors
Conditional Access App Control Settings -> Cloud apps -> Connected apps -> Conditional Access App Control apps
IP address ranges Settings -> Cloud apps
User groups Settings -> Cloud apps

The capabilities on the following pages are fully integrated into Microsoft Defender XDR, and therefore don't have their own standalone experience in Microsoft Defender XDR:

What's changed

Learn about the changes that have come with the integration of Defender for Cloud Apps and Microsoft Defender XDR.

Global search in Microsoft Defender XDR (using the search bar at the top of the page) now includes an additional searchable entity: it allows you to search for connected apps in Defender for Cloud Apps.

Search for connected apps.

Assets and identities

As part of the creation of a dedicated Assets section that spans the entire Microsoft Defender XDR experience, the Users and Accounts section of Defender for Cloud Apps is rebranded as the Identities section. No changes to functionality are expected.

Preview features in Defender for Cloud Apps

Turn on the preview experience setting to be among the first to try upcoming features.

Note

This feature is now available in public preview.

  1. Sign into Microsoft Defender XDR as a Global administrator, Security administrator, or Security Operator.

  2. Select Settings > Cloud apps > Preview features > Enable preview features.

  3. Select Save to save your changes.

You'll know you have preview features turned on when you see that the Enable preview features check box is selected. For example:

Screenshot that shows how to enable preview features.

For more information, see Microsoft Defender for Cloud Apps preview features.

Redirection from the classic Microsoft Defender for Cloud Apps portal to Microsoft Defender XDR

Customers still using the classic Microsoft Defender for Cloud Apps portal are all automatically redirected to Microsoft 365, and customers using preview features with the classic portal now have no option to switch back. If you're not using preview features, admins can still update the redirect setting as needed to continue using the classic Defender for Cloud Apps portal.

Note

If something isn't working for you or if there's anything you're unable to complete through Microsoft Defender XDR, we want to hear about it. If you've encountered any issues with redirection, we encourage you to let us know by using the Give feedback submission form.

To revert to the former Microsoft Defender for Cloud Apps portal:

  1. Sign in to Microsoft Defender XDR as a Global administrator, Security administrator, or Cloud App Security administrator in Azure Active directory, or a local global admin in Microsoft Defender for Cloud Apps.

  2. Make sure that you don't have Preview features turned on for your tenant. For more information, see Preview features in Microsoft Defender for Cloud Apps.

  3. Navigate to Settings > Cloud Apps > System > Redirection to Microsoft Defender XDR or go directly to the Redirection setting.

  4. Toggle the Automatic redirection setting to Off.

Once toggled off, accounts are no longer routed to security.microsoft.com. Active user sessions are not terminated, and the updates are applied only after the user ends their current session or opens a new tab.

The update might take effect almost immediately in some accounts, but may take longer to propagate to every account in your organization. This setting can be turned back on again at any time.

Learn how to protect your cloud apps in Microsoft Defender XDR:

Protecting cloud apps in Microsoft Defender XDR:


Defender for Cloud Apps in Microsoft Defender XDR for customers migrating from the classic portal

Tip

Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender XDR Tech Community.