Ever walked into a café, looked at the menu, and realised your team’s been ordering “secret shots” behind your back? That’s what shadow IT feels like: dozens of unsanctioned SaaS apps sneaking into your environment without an invite.

Microsoft Defender for Cloud Apps (formerly MCAS) is the tool that helps identify, govern, and secure those unauthorised lattes—sorry, apps—before they spill risk across your environment. Let’s break down how to get from discovery to enforcement in less time than it’d take to finish an espresso.

What is Defender for Cloud Apps?

Defender for Cloud Apps (MDCA) is Microsoft’s Cloud Access Security Broker (CASB). In plain terms:

• It discovers SaaS applications in use (authorised and unauthorised)
• It assesses the risk of those apps
• It enforces access and session policies to keep data secure

Think of it as the bouncer at your cloud bar. Staff might try to sneak in through side doors (shadow IT), but MDCA checks who’s allowed in, and how they behave once they’re inside.

How it Works

At its core, Defender for Cloud Apps integrates with Entra ID and your network traffic sources (firewalls, proxies, etc.) to provide app discovery and control. Once connected, it can apply session controls and block risky behaviours in real-time.

Here’s a simple integration flow:

• Log collector: Ingests traffic data from firewalls/proxies for Shadow IT discovery
• App connectors: Integrate directly with sanctioned apps like Office 365, Salesforce
• Conditional Access App Control: Session-level enforcement handled via Entra ID policies
• Defender XDR integration: Brings cloud app alerts into your broader security ecosystem

Real-World Impact

Why it matters:

• Shadow IT visibility: Identify hundreds of unsanctioned apps your IT team never approved
• Session control: Stop sensitive data from walking out the door (e.g., block downloads, enforce read-only web sessions)
• OAuth app governance: Track and block dodgy third-party integrations into productivity suites
• Unified defence: Tie into Defender XDR for incident correlation

In production, this translates to less guesswork and more enforceable guardrails.

Implementation Examples

Here’s how to get Defender for Cloud Apps moving in your first 30 minutes.

Portal Steps

1. Download the Log Collector: In the Defender for Cloud Apps portal, go to Cloud Discovery > Settings > Log collectors. Click + Add log collector.

2. Give it a name and download the Docker image and configuration file.

3. Deploy the Docker Container: on a server (Linux or Windows with Docker), run the Log Collector using the provided command and config file.

   1	docker run -d -v /path/to/config:/config -p 514:514/udp mcr.microsoft.com/azure-cas/logcollector:latest

   Replace /path/to/config with the actual path to your config file.

4. Configure Your Firewall/Proxy: Forward logs to the Log Collector’s IP and port (usually UDP 514 for Syslog).

5. Verify Log Collection: In the Defender for Cloud Apps portal, check the status of your Log Collector under Cloud Discovery > Settings > Log collectors.

6. Review Continuous Reports: Go to Cloud Discovery > Continuous reports. Select your Log Collector to view discovered apps, users, and traffic.

Bicep Snippet Example

Here’s a simple Bicep snippet to create a Conditional Access policy wired to Defender for Cloud Apps:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47

resource conditionalAccessPolicy 'Microsoft.Authorization/policyAssignments@2020-09-01' = {
  name: 'CA-Policy-O365-MCAS'
  location: 'global'
  properties: {
    displayName: 'Block downloads of sensitive files from unmanaged devices'
    policyDefinitionId: '/providers/Microsoft.Authorization/policyDefinitions/ConditionalAccessPolicy'
    parameters: {
      policyName: {
        value: 'O365-MCAS-SessionControl'
      }
      state: {
        value: 'enabled'
      }
      conditions: {
        users: {
          includeUsers: [
            'All'
          ]
        }
        applications: {
          includeApplications: [
            'Office365'
          ]
        }
        clientAppTypes: [
          'browser'
        ]
        platforms: {
          includePlatforms: [
            'all'
          ]
        }
      }
      grantControls: {
        operator: 'OR'
        builtInControls: [
          'mcasSession'
        ]
      }
      sessionControls: {
        cloudAppSecurity: {
          cloudAppSecurityType: 'monitorOnly' // or 'blockDownloads'
        }
      }
    }
  }
}

Gotchas & Edge Cases

• Log collector placement matters: If your traffic doesn’t flow through the collector, Shadow IT data will be incomplete.
• Not all apps support session control: Conditional Access App Control targets specific web apps (check the official list).
• Monitor mode first: Always start in “monitor only” mode before flipping to block—otherwise you risk employee revolts.
• OAuth consent sprawl: Pay attention to risky OAuth apps bypassing controls via user consent.

Best Practices

• Deploy log collectors in strategic choke points (central firewalls, VPN gateways)
• Always configure app connectors for sanctioned SaaS, not just rely on discovery logs
• Use Conditional Access policies with session controls for high-risk use cases (downloads, personal device access)
• Regularly review OAuth app usage for suspicious integrations into Microsoft 365
• Integrate alerts into Defender XDR or your SIEM for unified security monitoring

Learn More

• Microsoft Defender for Cloud Apps documentation
• App discovery in Defender for Cloud Apps
• Set up Conditional Access App Control
• OAuth app governance overview