Microsoft Defender for Cloud Apps explained
Defender for Cloud Apps is Microsoft's CASB — discovering, monitoring, and controlling SaaS app usage.
Microsoft Defender for Cloud Apps (MDA) — formerly Microsoft Cloud App Security — is Microsoft's Cloud Access Security Broker (CASB). It discovers what SaaS apps your users are using, monitors what they're doing in those apps, and provides controls to limit risk.
The three jobs of MDA
MDA fits the classic CASB model:
1. Discovery (Shadow IT)
By analysing traffic logs from firewalls and proxies — or signals from Defender for Endpoint on managed devices — MDA identifies which cloud apps are being used. It rates each app on dozens of risk factors (compliance certifications, hosting region, security features, data ownership). The result is a cloud discovery dashboard that tells you which apps you didn't know about and how risky they are.
2. SaaS Security Posture Management (SSPM)
For sanctioned apps, MDA evaluates the security configuration: whether MFA settings are correct, admin permissions are reasonable, and integrations are safe. App connectors plug MDA into Microsoft 365, Salesforce, ServiceNow, Box, Google Workspace, Dropbox, AWS, GCP, and many more. SSPM is becoming the centre of MDA's value — it tells you where misconfiguration creates risk.
3. Real-time controls (Conditional Access App Control)
For apps integrated with Entra ID for SSO, MDA can proxy session traffic via Conditional Access App Control: route the user's session through MDA after sign-in, then enforce session controls — block download, prevent copy/paste, require step-up auth on sensitive actions, monitor and log.
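To make the discovery job (item 1 above) concrete, the following added example shows the general idea of log-based shadow IT discovery; it is not MDA's code, log format, or scoring model. The app catalog, domains, factor names, log layout, and the 0-10 score are all assumptions constructed for illustration.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed app catalog: domain -> (app name, sanctioned?, risk factors passed).
# Factor names loosely follow the categories in the text; all values are invented.
CATALOG = {
    "corpdrive.example": ("CorpDrive", True,
        {"compliance_cert": True, "region_ok": True, "mfa": True, "owns_data": True}),
    "filedrop.example": ("FileDrop", False,
        {"compliance_cert": False, "region_ok": True, "mfa": False, "owns_data": False}),
}

# Constructed proxy log: timestamp user method url bytes_uploaded
SAMPLE_LOG = """\
2024-05-01T09:00:01Z alice GET https://app.corpdrive.example/files 1200
2024-05-01T09:02:10Z bob POST https://upload.filedrop.example/put 52000000
2024-05-01T09:03:44Z carol POST https://upload.filedrop.example/put 8000000
2024-05-01T09:05:00Z bob POST https://paste.unknown.example/new 4000
malformed line here
"""

def lookup(host):
    """Match a hostname to the catalog on label boundaries, longest suffix first."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        entry = CATALOG.get(".".join(labels[i:]))
        if entry:
            return entry
    return None  # e.g. notcorpdrive.example must not match corpdrive.example

def discover(log_text):
    """Aggregate users and upload volume per app; riskiest unsanctioned apps first.
    Hosts missing from the catalog are reported under their own name with score 0."""
    apps = defaultdict(lambda: {"users": set(), "bytes_up": 0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[4].isdigit():
            continue  # skip malformed lines rather than abort the run
        _, user, _, url, size = parts
        host = urlsplit(url).hostname or "(unparsed)"
        name, sanctioned, factors = lookup(host) or (host, False, {})
        rec = apps[name]
        rec["users"].add(user)
        rec["bytes_up"] += int(size)
        rec["sanctioned"] = sanctioned
        rec["score"] = 10 * sum(factors.values()) // len(factors) if factors else 0
    report = [{"app": n, **r, "users": sorted(r["users"])} for n, r in apps.items()]
    return sorted(report, key=lambda r: (r["sanctioned"], r["score"], -r["bytes_up"]))

if __name__ == "__main__":
    print(*discover(SAMPLE_LOG), sep="\n")
```

The uncatalogued host sorts first because an app nobody has rated is the one a reviewer knows least about; the sanctioned app sorts last.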
File scanning and DLP
MDA also scans content in connected SaaS apps and applies Purview Information Protection labels and DLP policies. If a confidential document lands in Box or Dropbox, MDA detects it and can quarantine, remove sharing, or alert.
Integration with Defender XDR
MDA's alerts flow into Defender XDR, correlating SaaS-side anomalies (impossible travel, suspicious download volume, OAuth app risk) with endpoint, identity, and email signals.
Licensing
MDA is included in Microsoft 365 E5, Microsoft 365 E5 Security, and Enterprise Mobility + Security E5. Some discovery features are available in lower tiers via Defender for Endpoint's Cloud Discovery.
What good looks like
A typical mature deployment:
- Cloud Discovery integrated with the corporate proxy / firewall and MDE.
- App connectors for every sanctioned SaaS app.
- SSPM recommendations tracked in the patching backlog.
- Conditional Access App Control for high-risk apps on unmanaged devices.
- OAuth app governance restricting which third-party apps users can consent to.
For organisations with significant SaaS sprawl, MDA is the only Microsoft product that gives a coherent view across the lot.