Pilot and deploy Microsoft Defender for Cloud Apps
Applies to:
- Microsoft Defender XDR
This article provides a workflow for piloting and deploying Microsoft Defender for Cloud Apps in your organization. You can use these recommendations to onboard Microsoft Defender for Cloud Apps as an individual cybersecurity tool or as part of an end-to-end solution with Microsoft Defender XDR.
This article assumes you have a production Microsoft 365 tenant and are piloting and deploying Microsoft Defender for Cloud Apps in this environment. This practice will maintain any settings and customizations you configure during your pilot for your full deployment.
Defender for Office 365 contributes to a Zero Trust architecture by helping to prevent or reduce business damage from a breach. For more information, see the Prevent or reduce business damage from a breach business scenario in the Microsoft Zero Trust adoption framework.
End-to-end deployment for Microsoft Defender XDR
This is article 5 of 6 in a series to help you deploy the components of Microsoft Defender XDR, including investigating and responding to incidents.
The articles in this series correspond to the following phases of end-to-end deployment:
Phase | Link |
---|---|
A. Start the pilot | Start the pilot |
B. Pilot and deploy Microsoft Defender XDR components | - Pilot and deploy Defender for Identity - Pilot and deploy Defender for Office 365 - Pilot and deploy Defender for Endpoint - Pilot and deploy Microsoft Defender for Cloud Apps (this article) |
C. Investigate and respond to threats | Practice incident investigation and response |
Pilot and deploy workflow for Defender for Cloud Apps
The following diagram illustrates a common process to deploy a product or service in an IT environment.
You start by evaluating the product or service and how it will work within your organization. Then, you pilot the product or service with a suitably small subset of your production infrastructure for testing, learning, and customization. Then, gradually increase the scope of the deployment until your entire infrastructure or organization is covered.
Here is the workflow for piloting and deploying Defender for Cloud Apps in your production environment.
Follow these steps:
- Connect to the Defender for Cloud Apps portal
- Integrate with Microsoft Defender for Endpoint
- Deploy the log collector on your firewalls and other proxies
- Create a pilot group
- Discover and manage cloud apps
- Configure Conditional Access App Control
- Apply session policies to cloud apps
- Try out additional capabilities
Here are the recommended steps for each deployment stage.
Deployment stage | Description |
---|---|
Evaluate | Perform product evaluation for Defender for Cloud Apps. |
Pilot | Perform Steps 1-4 and then 5-8 for a suitable subset of cloud apps in your production environment. |
Full deployment | Perform Steps 5-8 for your remaining cloud apps, adjusting the scoping for pilot user groups or adding user groups to expand beyond the pilot and include all of your user accounts. |
Protecting your organization from hackers
Defender for Cloud Apps provides powerful protection on its own. However, when combined with the other capabilities of Microsoft Defender XDR, Defender for Cloud Apps provides data into the shared signals which together help stop attacks.
Here's an example of a cyber-attack and how the components of Microsoft Defender XDR help detect and mitigate it.
Defender for Cloud Apps detects anomalous behavior like impossible-travel, credential access, and unusual download, file share, or mail forwarding activity and displays these behaviors in the Defender for Cloud Apps portal. Defender for Cloud Apps also helps prevent lateral movement by hackers and exfiltration of sensitive data.
Microsoft Defender XDR correlates the signals from all the Microsoft Defender components to provide the full attack story.
Defender for Cloud Apps role as a CASB
A cloud access security broker (CASB) acts as a gatekeeper to broker access in real time between your enterprise users and cloud resources they use, wherever your users are located and regardless of the device they are using. Defender for Cloud Apps is a CASB for your organization's cloud apps. Defender for Cloud Apps natively integrates with Microsoft security capabilities, including Microsoft Defender XDR.
Without Defender for Cloud Apps, cloud apps that are used by your organization are unmanaged and unprotected.
In the illustration:
- The use of cloud apps by an organization is unmonitored and unprotected.
- This use falls outside the protections achieved within a managed organization.
To discover cloud apps used in your environment, you can implement one or both of the following methods:
- Get up and running quickly with Cloud Discovery by integrating with Microsoft Defender for Endpoint. This native integration enables you to immediately start collecting data on cloud traffic across your Windows 10 and Windows 11 devices, on and off your network.
- To discover all cloud apps accessed by all devices connected to your network, deploy the Defender for Cloud Apps log collector on your firewalls and other proxies. This deployment helps collect data from your endpoints and sends it to Defender for Cloud Apps for analysis. Defender for Cloud Apps natively integrates with some third-party proxies for even more capabilities.
This article includes guidance for both methods.
Step 1. Connect to the Defender for Cloud Apps portal
To verify licensing and to connect to the Defender for Cloud Apps portal, see Quickstart: Get started with Microsoft Defender for Cloud Apps.
If you're not immediately able to connect to the portal, you might need to add the IP address to the allow list of your firewall. See Basic setup for Defender for Cloud Apps.
If you're still having trouble, review Network requirements.
Step 2: Integrate with Microsoft Defender for Endpoint
Microsoft Defender for Cloud Apps integrates with Microsoft Defender for Endpoint natively. The integration simplifies roll out of Cloud Discovery, extends Cloud Discovery capabilities beyond your corporate network and enables device-based investigation. This integration reveals cloud apps and services being accessed from IT-managed Windows 10 and Windows 11 devices.
If you've already set up Microsoft Defender for Endpoint, configuring integration with Defender for Cloud Apps is a toggle in Microsoft Defender XDR. After integration is turned on, you can return to the Defender for Cloud Apps portal and view rich data in the Cloud Discovery Dashboard.
To accomplish these tasks, see Microsoft Defender for Endpoint integration with Microsoft Defender for Cloud Apps.
Step 3: Deploy the Defender for Cloud Apps log collector on your firewalls and other proxies
For coverage on all devices connected to your network, deploy the Defender for Cloud Apps log collector on your firewalls and other proxies to collect data from your endpoints and send it to Defender for Cloud Apps for analysis.
If you're using one of the following Secure Web Gateways (SWG), Defender for Cloud Apps provides seamless deployment and integration:
- Zscaler
- iboss
- Corrata
- Menlo Security
For more information on integrating with these network devices, see Set up Cloud Discovery.
Step 4. Create a pilot group — Scope your pilot deployment to certain user groups
Microsoft Defender for Cloud Apps enables you to scope your deployment. Scoping allows you to select certain user groups to be monitored for apps or excluded from monitoring. You can include or exclude user groups. To scope your pilot deployment, see Scoped Deployment.
Step 5. Discover and manage cloud apps
For Defender for Cloud Apps to provide the maximum amount of protection, you must discover all the cloud apps in your organization and manage how they are used.
Discover cloud apps
The first step to managing the use of cloud apps is to discover which cloud apps are used by your organization. This next diagram illustrates how cloud discovery works with Defender for Cloud Apps.
In this illustration, there are two methods that can be used to monitor network traffic and discover cloud apps that are being used by your organization.
Cloud App Discovery integrates with Microsoft Defender for Endpoint natively. Defender for Endpoint reports cloud apps and services being accessed from IT-managed Windows 10 and Windows 11 devices.
For coverage on all devices connected to a network, you install the Defender for Cloud Apps log collector on firewalls and other proxies to collect data from endpoints. The collector sends this data to Defender for Cloud Apps for analysis.
View the Cloud Discovery dashboard to see what apps are being used in your organization
The Cloud Discovery dashboard is designed to give you more insight into how cloud apps are being used in your organization. It provides an at-a-glance overview of what kinds of apps are being used, your open alerts, and the risk levels of apps in your organization.
To get started using the Cloud Discovery dashboard, see Working with discovered apps.
Manage cloud apps
After you discover cloud apps and analyze how these apps are used by your organization, you can begin managing cloud apps that you choose.
In this illustration:
- Some apps are sanctioned for use. Sanctioning is a simple way of beginning to manage apps.
- You can enable greater visibility and control by connecting apps with app connectors. App connectors use the APIs of app providers.
You can begin managing apps by sanctioning, unsanctioning, or outright blocking apps. To begin managing apps, see Govern discovered apps.
Step 6. Configure Conditional Access App Control
One of the most powerful protections you can configure is Conditional Access App Control. This protection requires integration with Microsoft Entra ID. It allows you to apply Conditional Access policies, including related policies (like requiring healthy devices), to cloud apps you've sanctioned.
You might already have SaaS apps added to your Microsoft Entra tenant to enforce multi-factor authentication and other conditional access policies. Microsoft Defender for Cloud Apps natively integrates with Microsoft Entra ID. All you must do is configure a policy in Microsoft Entra ID to use Conditional Access App Control in Defender for Cloud Apps. This routes network traffic for these managed SaaS apps through Defender for Cloud Apps as a proxy, which allows Defender for Cloud Apps to monitor this traffic and to apply session controls.
In this illustration:
- SaaS apps are integrated with the Microsoft Entra tenant. This integration allows Microsoft Entra ID to enforce conditional access policies, including multi-factor authentication.
- A policy is added to Microsoft Entra ID to direct traffic for SaaS apps to Defender for Cloud Apps. The policy specifies which SaaS apps to apply this policy to. After Microsoft Entra ID enforces any conditional access policies that apply to these SaaS apps, Microsoft Entra ID then directs (proxies) the session traffic through Defender for Cloud Apps.
- Defender for Cloud Apps monitors this traffic and applies any session control policies that have been configured by administrators.
You might have discovered and sanctioned cloud apps using Defender for Cloud Apps that have not been added to Microsoft Entra ID. You can take advantage of Conditional Access App Control by adding these cloud apps to your Microsoft Entra tenant and the scope of your conditional access rules.
The first step in using Microsoft Defender for Cloud Apps to manage SaaS apps is to discover these apps and then add them to your Microsoft Entra tenant. If you need help with discovery, see Discover and manage SaaS apps in your network. After you've discovered apps, add these apps to your Microsoft Entra tenant.
You can begin to manage these apps with the following tasks:
- In Microsoft Entra ID, create a new conditional access policy and configure it to "Use Conditional Access App Control." This configuration helps to redirect the request to Defender for Cloud Apps. You can create one policy and add all SaaS apps to this policy.
- Next, in Defender for Cloud Apps, create session policies. Create one policy for each control you want to apply.
For more information, including supported apps and clients, see Protect apps with Microsoft Defender for Cloud Apps Conditional Access App Control.
For example policies, see Recommended Microsoft Defender for Cloud Apps policies for SaaS apps. These policies build on a set of common identity and device access policies that are recommended as a starting point for all customers.
Step 7. Apply session policies to cloud apps
Microsoft Defender for Cloud Apps serves as a reverse proxy, providing proxy access to sanctioned cloud apps. This provision allows Defender for Cloud Apps to apply session policies that you configure.
In the illustration:
- Access to sanctioned cloud apps from users and devices in your organization is routed through Defender for Cloud Apps.
- This proxy access allows session policies to be applied.
- Cloud apps that you have not sanctioned or explicitly unsanctioned are not affected.
Session policies allow you to apply parameters to how cloud apps are used by your organization. For example, if your organization is using Salesforce, you can configure a session policy that allows only managed devices to access your organization's data at Salesforce. A simpler example could be configuring a policy to monitor traffic from unmanaged devices so you can analyze the risk of this traffic before applying stricter policies.
For more information, see Create session policies.
Step 8. Try out additional capabilities
Use these Defender for Cloud Apps tutorials to help you discover risk and protect your environment:
- Detect suspicious user activity
- Investigate risky users
- Investigate risky OAuth apps
- Discover and protect sensitive information
- Protect any app in your organization in real time
- Block downloads of sensitive information
- Protect your files with admin quarantine
- Require step-up authentication upon risky action
For more information on advanced hunting in Microsoft Defender for Cloud Apps data, see this video.
SIEM integration
You can integrate Defender for Cloud Apps with Microsoft Sentinel or a generic security information and event management (SIEM) service to enable centralized monitoring of alerts and activities from connected apps. With Microsoft Sentinel, you can more comprehensively analyze security events across your organization and build playbooks for effective and immediate response.
Microsoft Sentinel includes a Defender for Cloud Apps connector. This allows you to not only gain visibility into your cloud apps but to also get sophisticated analytics to identify and combat cyberthreats and to control how your data travels. For more information, see Microsoft Sentinel integration and Stream alerts and Cloud Discovery logs from Defender for Cloud Apps into Microsoft Sentinel.
For information about integration with third-party SIEM systems, see Generic SIEM integration.
Next step
Perform lifecycle management for Defender for Cloud Apps.
Next step for the end-to-end deployment of Microsoft Defender XDR
Continue your end-to-end deployment of Microsoft Defender XDR with Investigate and respond using Microsoft Defender XDR.
Tip
Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender XDR Tech Community.