Microsoft Defender for Cloud Apps in Microsoft Defender XDR
Note
Want to experience Microsoft Defender XDR? Learn more about how you can evaluate and pilot Microsoft Defender XDR.
Applies to:
Microsoft Defender for Cloud Apps is now part of Microsoft Defender XDR. The Microsoft Defender portal allows security admins to perform their security tasks in one location. This simplifies workflows, and adds the functionality of the other Microsoft Defender XDR services. Microsoft Defender XDR will be the home for monitoring and managing security across your Microsoft identities, data, devices, apps, and infrastructure.
SOC analysts will be able to triage, investigate and hunt across all Microsoft Defender XDR workloads, including cloud apps.
Defender for Cloud Apps alerts will continue to appear in Microsoft Defender XDR's incidents queue and alerts queue, but now with relevant content inside the alert pages available in the Microsoft Defender portal, in a unified format with the proper adaptations to each alerts type. For more information, see Investigate incidents in Microsoft Defender XDR.
Take a look in Microsoft Defender XDR at https://security.microsoft.com.
Learn more about the benefits: Overview of Microsoft Defender XDR.
Quick reference
The images and the tables below list the changes in navigation between Microsoft Defender for Cloud Apps and Microsoft Defender XDR.
Discover
| Defender for Cloud Apps | Microsoft Defender XDR |
|---|---|
| Cloud Discover dashboard | Cloud apps -> Cloud discovery |
| Discovered Apps | tab on Cloud Discovery page |
| Discovered resources | tab on Cloud Discovery page |
| IP addresses | tab on Cloud Discovery page |
| Users | tab on Cloud Discovery page |
| Devices | tab on Cloud Discovery page |
| Cloud app catalog | Cloud apps -> Cloud app catalog |
| Create Cloud Discovery snapshot report | On the Cloud Discovery page, under Actions |
Investigate
| Defender for Cloud Apps | Microsoft Defender XDR |
|---|---|
| Activity log | Cloud apps -> Activity log |
| Files | Cloud apps -> Files |
| Users and accounts | Assets -> Identities |
| Security configuration | available in Microsoft Defender for Cloud |
| Identity security posture | Microsoft Defender for Identity's identity security posture assessments |
| OAuth apps | Cloud apps -> OAuth apps |
| Connected apps | Settings -> Cloud apps -> Connected apps |
Control
| Defender for Cloud Apps | Microsoft Defender XDR |
|---|---|
| Policies | Cloud apps -> Policy management. Note: Microsoft Entra ID Protection policies will be removed gradually from the Cloud apps policies list. To configure alerts from these policies, see Configure Microsoft Entra IP alert service |
| Templates | Cloud apps -> Policy templates |
Settings
| Defender for Cloud Apps | Microsoft Defender XDR |
|---|---|
| Settings | Settings -> Cloud apps |
| Settings/Governance log | Cloud apps -> Governance log |
| Security extensions -> Playbooks | Settings -> Cloud apps |
| Security extensions -> SIEM agents | Settings -> Cloud apps |
| Security extensions -> External DLP | Settings -> Cloud apps |
| Security extensions -> API tokens | Settings -> Cloud apps |
| Manage admin access -> Admin roles | Permissions-> Cloud apps-> Roles |
| Manage admin access -> Activity privacy permissions | Permissions-> Cloud apps-> Activity privacy permissions |
| Exported reports | Reports -> Cloud apps -> Exported reports |
| Scoped deployment and privacy | Settings -> Cloud Apps -> Scoped deployment and privacy |
| Connected Apps / App connectors | Settings -> Cloud Apps -> Connected apps -> App Connectors |
| Conditional Access App Control | Settings -> Cloud apps -> Connected apps -> Conditional Access App Control apps |
| IP address ranges | Settings -> Cloud apps |
| User groups | Settings -> Cloud apps |
The capabilities on the following pages are fully integrated into Microsoft Defender XDR, and therefore don't have their own standalone experience in Microsoft Defender XDR:
- Settings > Microsoft Entra ID Protection
- Settings > App Governance
- Settings > Microsoft Defender for Identity
Limitations
- The new Defender for Cloud Apps experience in the Microsoft Defender portal is currently available for all users detailed in Manage admin access, except for:
- App/Instance admin, User group admin, Cloud Discovery global admin, and Cloud Discovery report admin, as defined in Built-in admin roles in Defender for Cloud Apps.
What's changed
Learn about the changes that have come with the integration of Defender for Cloud Apps and Microsoft Defender XDR.
Global search
Global search in Microsoft Defender XDR (using the search bar at the top of the page) now includes an additional searchable entity: it allows you to search for connected apps in Defender for Cloud Apps.
Assets and identities
As part of the creation of a dedicated Assets section that spans the entire Microsoft Defender XDR experience, the Users and Accounts section of Defender for Cloud Apps is rebranded as the Identities section. No changes to functionality are expected.
Redirection from the classic Microsoft Defender for Cloud Apps portal to Microsoft Defender XDR
Customers still using the classic Microsoft Defender for Cloud Apps portal are now all automatically redirected to Microsoft 365. Admins can still update the redirect setting as needed to continue using the classic Defender for Cloud Apps portal.
Note
If something isn't working for you or if there's anything you're unable to complete through Microsoft Defender XDR, we want to hear about it. If you've encountered any issues with redirection, we encourage you to let us know by using the Give feedback submission form.
To revert to the former Microsoft Defender for Cloud Apps portal:
Sign in to Microsoft Defender XDR as a Global administrator, Security administrator, or Cloud App Security administrator in Azure Active directory, or a local global admin in Microsoft Defender for Cloud Apps.
Navigate to Settings > Cloud Apps > System > Redirection to Microsoft 365 Defender or go directly to the Redirection setting.
Toggle the Automatic redirection setting to Off.
Once toggled off, accounts are no longer routed to security.microsoft.com. Active user sessions are not terminated, and the updates are applied only after the user ends their current session or opens a new tab.
The update might take effect almost immediately in some accounts, but may take longer to propagate to every account in your organization. This setting can be turned back on again at any time.
Preview features in Defender for Cloud Apps
Turn on the preview experience setting to be among the first to try upcoming features.
Note
This feature is now available in public preview.
Sign into Microsoft Defender XDR as a Global administrator, Security administrator, or Security Operator.
Select Settings > Cloud apps > Preview features > Enable preview features.
Select Save to save your changes.
You'll know you have preview features turned on when you see that the Enable preview features check box is selected. For example:
For more information, see Microsoft Defender for Cloud Apps preview features.
Related videos
Learn how to protect your cloud apps in Microsoft Defender XDR:
Protecting cloud apps in Microsoft 365 Defender:
Defender for Cloud Apps in Microsoft 365 Defender for customers migrating from the classic portal
Related information
Tip
Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender XDR Tech Community.
Feedback
Submit and view feedback for