1. Cloud Discovery & Shadow IT

  • Discovery Logs: Ingest traffic logs from network firewalls, proxies, or Defender for Endpoint (continuous, agent-based reporting from onboarded devices) to identify which cloud apps are actually in use across the organization, by whom, and how much data flows to each.
  • Risk Score: Each discovered app is assigned a score (1–10) based on over 90 risk factors grouped into general, security, compliance, and legal categories (e.g., regulatory compliance like GDPR/HIPAA, data encryption at rest, and legal terms). The weighting of each factor is configurable, so the score reflects your organization's priorities rather than a fixed vendor rating.
  • Sanctioning vs. Unsanctioning:
    • Sanctioned: Apps approved for corporate use; often connected via API for deeper visibility into the data and activity inside the app.
    • Unsanctioned: Apps explicitly blocked. With the Defender for Endpoint integration, the URLs of unsanctioned apps are pushed to managed devices as custom network indicators, so the block is enforced at the endpoint even off the corporate network (this relies on Network Protection being enabled on those devices).

2. Conditional Access App Control (Session Controls)

  • The Reverse Proxy: Routes user traffic through Defender for Cloud Apps in real time when a user accesses a web application. This is triggered by a Microsoft Entra Conditional Access policy that uses the “Use Conditional Access App Control” session control; the application must be federated with Entra ID (SAML or OpenID Connect) so that sign-in can be redirected through the proxy. Only browser sessions are proxied; native desktop and mobile clients bypass session controls and must be governed by other means (e.g., app protection or device compliance policies).
  • Real-Time Actions:
    • Block Download: Allow users to view sensitive data in the browser but prevent them from downloading it. Device state (managed vs. unmanaged) comes from the Conditional Access policy, so the same user can download on a compliant device and be blocked on an unmanaged one.
    • Protect on Download: Automatically apply a Purview sensitivity label (with encryption) to a file as it is downloaded from a cloud app, so the copy that leaves the app is protected even if the original was unlabeled.
    • Monitor Activity: Log every action taken within a third-party app (e.g., Salesforce, AWS, or Slack) for audit purposes; these session events surface in the activity log and in the CloudAppEvents advanced hunting table.

3. App Governance & OAuth Permissions

  • OAuth App Inventory: Tracks which third-party applications have been granted permissions to access M365 data (e.g., “Read your mail” or “Access your files”), who consented (an individual user versus an administrator consenting on behalf of the whole tenant), and which permission level they hold.
  • Permission Triage: Identify “high-privilege” apps (mail, files, or directory write access) that have not been used in 90 days, apps from unverified publishers, and apps with tenant-wide admin consent. Unused high-privilege grants are pure attack surface: a compromised publisher or stolen refresh token can use them without any interactive sign-in.
  • App Governance: A capability historically licensed as a separate add-on that applies machine learning to detect anomalous app behavior, such as an app suddenly downloading a massive volume of data or sending thousands of emails, and can disable the offending app automatically.
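  • Worked example (added here; not code from the page or from Microsoft): the permission triage above expressed as a reusable PowerShell function. Names such as Find-RiskyOAuthApp, the high-privilege scope list and the 90-day threshold are assumptions to tune for your tenant. The objects at the bottom are constructed sample data shaped like Microsoft Graph output so the logic runs offline; the comments show which Microsoft.Graph cmdlets would feed it live.

```powershell
# Added example: OAuth permission triage (not part of the original page).
# Live data sources (Microsoft.Graph SDK, scopes Application.Read.All + Directory.Read.All):
#   $sps    = Get-MgServicePrincipal -All -Property Id,AppId,DisplayName,VerifiedPublisher
#   $grants = Get-MgOauth2PermissionGrant -All            # delegated consents (Scope is space-separated)
#   $roles  = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id   # application permissions;
#             resolve each AppRoleId to its value via the resource SP's AppRoles before passing it in.
# Last sign-in for service principals is only exposed by the beta reports endpoint (assumption:
# Get-MgBetaReportServicePrincipalSignInActivity), so LastSignIn is treated as an input here.

# Assumption: permissions considered high-privilege for this tenant.
$HighPrivilegeScopes = @(
    'Mail.Read', 'Mail.ReadWrite', 'Mail.Send', 'Files.Read.All', 'Files.ReadWrite.All',
    'Sites.ReadWrite.All', 'User.ReadWrite.All', 'Directory.ReadWrite.All',
    'RoleManagement.ReadWrite.Directory'
)

function Find-RiskyOAuthApp {
    param(
        [Parameter(Mandatory)] [object[]] $ServicePrincipals,  # Id, AppId, DisplayName, VerifiedPublisher, LastSignIn
        [Parameter(Mandatory)] [object[]] $Grants,             # ClientId, ConsentType, Scope (delegated)
        [Parameter(Mandatory)] [object[]] $AppRoleAssignments, # PrincipalId, RoleValue (application)
        [int] $StaleDays = 90
    )
    $cutoff = (Get-Date).AddDays(-$StaleDays)
    foreach ($sp in $ServicePrincipals) {
        $spGrants = @($Grants | Where-Object { $_.ClientId -eq $sp.Id })
        # Delegated scopes arrive as one space-separated string per grant; split and drop empties.
        $delegated   = @($spGrants | ForEach-Object { $_.Scope -split ' ' } | Where-Object { $_ })
        $application = @($AppRoleAssignments | Where-Object { $_.PrincipalId -eq $sp.Id } |
                         ForEach-Object { $_.RoleValue })
        $allPerms    = @($delegated + $application | Sort-Object -Unique)

        $highPriv   = @($allPerms | Where-Object { $HighPrivilegeScopes -contains $_ })
        $tenantWide = @($spGrants | Where-Object { $_.ConsentType -eq 'AllPrincipals' }).Count -gt 0
        $unverified = [string]::IsNullOrEmpty($sp.VerifiedPublisher)
        $stale      = ($null -eq $sp.LastSignIn) -or ($sp.LastSignIn -lt $cutoff)

        $reasons = @()
        if ($highPriv.Count -gt 0) { $reasons += "high-privilege: $($highPriv -join ',')" }
        if ($tenantWide)           { $reasons += 'admin consent for all users' }
        if ($unverified)           { $reasons += 'unverified publisher' }
        if ($stale)                { $reasons += "no sign-in in $StaleDays days" }

        # Triage rule from the notes: high-privilege AND unused, OR any app from an unverified publisher.
        if (($highPriv.Count -gt 0 -and $stale) -or $unverified) {
            [pscustomobject]@{
                App     = $sp.DisplayName
                AppId   = $sp.AppId
                Reasons = ($reasons -join '; ')
            }
        }
    }
}

# Constructed sample data (made-up apps and IDs, shaped like Graph output).
$sps = @(
    [pscustomobject]@{ Id='sp-1'; AppId='11111111-1111-1111-1111-111111111111'; DisplayName='Contoso Mail Sync'
                       VerifiedPublisher='Contoso Ltd'; LastSignIn=(Get-Date).AddDays(-120) }
    [pscustomobject]@{ Id='sp-2'; AppId='22222222-2222-2222-2222-222222222222'; DisplayName='Quick PDF Tool'
                       VerifiedPublisher=$null;          LastSignIn=(Get-Date).AddDays(-2) }
    [pscustomobject]@{ Id='sp-3'; AppId='33333333-3333-3333-3333-333333333333'; DisplayName='HR Dashboard'
                       VerifiedPublisher='Fabrikam Inc'; LastSignIn=(Get-Date).AddDays(-5) }
)
$grants = @(
    [pscustomobject]@{ ClientId='sp-1'; ConsentType='AllPrincipals'; Scope='Mail.Read offline_access' }
    [pscustomobject]@{ ClientId='sp-2'; ConsentType='Principal';     Scope='User.Read Files.Read' }
    [pscustomobject]@{ ClientId='sp-3'; ConsentType='AllPrincipals'; Scope='User.Read' }
)
$roles = @(
    [pscustomobject]@{ PrincipalId='sp-1'; RoleValue='Files.ReadWrite.All' }
)

# Expected: Contoso Mail Sync (high-privilege, tenant-wide, unused 120 days) and Quick PDF Tool
# (unverified publisher) are reported; HR Dashboard is not.
Find-RiskyOAuthApp -ServicePrincipals $sps -Grants $grants -AppRoleAssignments $roles | Format-Table -AutoSize
```

  Note that a delegated grant only ever acts as the consenting user, whereas an application permission (app role assignment) acts tenant-wide with no user in the loop; the function merges both into one list for scoring but a real review should weight application permissions more heavily.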

4. Information Protection & DLP Integration

  • API Connectors: Connect Defender for Cloud Apps directly to third-party clouds (Google Workspace, Box, Dropbox, Salesforce, and others) using the provider's own APIs to scan files and sharing settings at rest, with no proxy or agent involved. Connector coverage differs per provider, so verify which activities and file operations a given connector actually reports before relying on it for detection.
  • File Policies: Create policies to automatically apply sensitivity labels, quarantine a file, or remove public sharing links when a file containing PII (matched by built-in sensitive information types or a Purview DLP policy) is detected in a non-Microsoft cloud environment.
  • Unified Labels: Defender for Cloud Apps natively reads and applies Microsoft Purview sensitivity labels, ensuring a consistent data protection policy regardless of where the file is stored. Caveat: a label-applied encryption protects the file wherever it travels, but the third-party app can no longer index or preview the encrypted content, which is usually the intended trade-off.

5. Threat Detection & Anomaly Policies

  • Impossible Travel: Detects when a user authenticates from two geographically distant locations within a timeframe in which physical travel between them is impossible. The detection has a learning period to profile normal locations, and known corporate VPN or proxy egress addresses should be tagged as such, otherwise split-tunnel VPNs and mobile carriers generate constant false positives.
  • Ransomware Detection: Identifies patterns of high-volume file deletions, renames, or uploads of files with known ransomware extensions within connected cloud storage, and can respond automatically (e.g., suspend the user) through the policy's governance actions.
  • Activity Policies: Custom alerts for specific activities observed through API connectors or session controls, such as “Multiple failed login attempts to a sanctioned app” or “Creation of a new admin role assignment in a third-party cloud.” Each policy can be scoped to users or groups and can trigger governance actions (notify, suspend user, require re-sign-in) rather than only alerting.
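  • Worked example (added here; not the product's own detection code): the impossible-travel logic from this section run over a handful of constructed sign-in events. Defender for Cloud Apps geolocates the source IP itself; this example embeds latitude/longitude directly and uses a 900 km/h threshold plus an allow-list of known VPN egress IPs, all of which are assumptions chosen for illustration. Function names (Get-DistanceKm, Find-ImpossibleTravel) are invented for the example.

```powershell
# Added example: impossible-travel detection over sample sign-in events (not from the original page).

function Get-DistanceKm {
    # Great-circle (haversine) distance between two coordinates, in kilometres.
    param([double]$Lat1, [double]$Lon1, [double]$Lat2, [double]$Lon2)
    $earthRadiusKm = 6371.0
    $toRad = [math]::PI / 180
    $dLat = ($Lat2 - $Lat1) * $toRad
    $dLon = ($Lon2 - $Lon1) * $toRad
    $a = [math]::Sin($dLat / 2) * [math]::Sin($dLat / 2) +
         [math]::Cos($Lat1 * $toRad) * [math]::Cos($Lat2 * $toRad) *
         [math]::Sin($dLon / 2) * [math]::Sin($dLon / 2)
    return 2 * $earthRadiusKm * [math]::Asin([math]::Sqrt($a))
}

function Find-ImpossibleTravel {
    param(
        [Parameter(Mandatory)] [object[]] $Events,     # User, Time (DateTime), Ip, Lat, Lon
        [double]   $MaxSpeedKmh    = 900,               # assumption: faster than airline travel = impossible
        [string[]] $KnownVpnEgress = @()                # assumption: corporate VPN/proxy egress IPs to ignore
    )
    # Drop events from tagged egress IPs first; they carry no real location information.
    $Events | Where-Object { $KnownVpnEgress -notcontains $_.Ip } |
        Group-Object User | ForEach-Object {
            $user = $_.Name
            $seq  = @($_.Group | Sort-Object Time)
            # Compare each sign-in with the previous one for the same user.
            for ($i = 1; $i -lt $seq.Count; $i++) {
                $prev = $seq[$i - 1]; $cur = $seq[$i]
                $km    = Get-DistanceKm $prev.Lat $prev.Lon $cur.Lat $cur.Lon
                $hours = ($cur.Time - $prev.Time).TotalHours
                if ($hours -le 0) { $hours = 1 / 3600 }   # same-second events: treat as one second apart
                $speed = $km / $hours
                if ($speed -gt $MaxSpeedKmh) {
                    [pscustomobject]@{
                        User       = $user
                        FromIp     = $prev.Ip
                        ToIp       = $cur.Ip
                        DistanceKm = [math]::Round($km)
                        Minutes    = [math]::Round($hours * 60)
                        SpeedKmh   = [math]::Round($speed)
                    }
                }
            }
        }
}

# Constructed sample sign-ins (made-up users and IPs; coordinates are approximate city centres).
$t = Get-Date '2024-05-01T09:00:00Z'
$signIns = @(
    [pscustomobject]@{ User='alice'; Time=$t;                   Ip='203.0.113.10'; Lat=51.5074;  Lon=-0.1278  } # London
    [pscustomobject]@{ User='alice'; Time=$t.AddMinutes(45);    Ip='198.51.100.7'; Lat=-33.8688; Lon=151.2093 } # Sydney
    [pscustomobject]@{ User='bob';   Time=$t;                   Ip='192.0.2.21';   Ip2=$null;    Lat=47.6062;  Lon=-122.3321 } # Seattle
    [pscustomobject]@{ User='bob';   Time=$t.AddHours(2);       Ip='192.0.2.88';   Lat=45.5152;  Lon=-122.6784 } # Portland
    [pscustomobject]@{ User='carol'; Time=$t;                   Ip='203.0.113.55'; Lat=40.7128;  Lon=-74.0060  } # New York
    [pscustomobject]@{ User='carol'; Time=$t.AddHours(7);       Ip='203.0.113.60'; Lat=51.5074;  Lon=-0.1278   } # London, 7 h later
    [pscustomobject]@{ User='dave';  Time=$t;                   Ip='192.0.2.30';   Lat=48.8566;  Lon=2.3522    } # Paris office
    [pscustomobject]@{ User='dave';  Time=$t.AddMinutes(5);     Ip='198.51.100.1'; Lat=37.7749;  Lon=-122.4194 } # known VPN egress
)

# Expected: only alice is flagged (about 17,000 km in 45 minutes). bob's drive is slow, carol's
# New York to London hop at ~800 km/h is a plausible flight, and dave's jump is suppressed by the egress list.
Find-ImpossibleTravel -Events $signIns -KnownVpnEgress @('198.51.100.1') | Format-Table -AutoSize
```

  The egress allow-list is the important operational detail: without it, the same logic fires on every split-tunnel VPN reconnect, which is exactly the noise the product's IP address tags (corporate, VPN, risky) are there to remove.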

6. Essential PowerShell Cmdlets (Microsoft Graph & API)

  • Note: Most CASB management is performed via the portal or the Defender for Cloud Apps REST API (discovery data, file and session policies, and governance actions are only reachable there). The Microsoft Graph PowerShell SDK is the modern standard for the parts that Microsoft 365 Defender exposes through Graph: alerts, advanced hunting, and the OAuth app inventory in Entra ID. There is no “CloudAppSecurity.*” Graph permission; use the scopes for the specific Graph resources below.

  • Connection: Connect-MgGraph -Scopes "SecurityAlert.Read.All","ThreatHunting.Read.All","Application.Read.All","Directory.Read.All"

  • Discovery & Alerts:

    • Get-MgSecurityAlertV2 -Filter "serviceSource eq 'microsoftDefenderForCloudApps'" (the alerts_v2 resource; Defender for Cloud Apps is identified by the serviceSource enum, and app-governance alerts by 'microsoftAppGovernance')
    • The legacy Get-MgSecurityAlert (alerts v1) exposes the originating product under vendorInformation/provider instead; there is no “vendorSymbols” property on either resource.
  • OAuth App Management:

    • Get-MgServicePrincipal (inventory of apps with a service principal in the tenant, including verifiedPublisher)
    • Get-MgOauth2PermissionGrant (delegated consents; consentType 'AllPrincipals' means an admin consented for every user)
    • Get-MgServicePrincipalAppRoleAssignment (application permissions held by a service principal; the appRoleId resolves to a permission name via the resource service principal's appRoles)
  • Advanced Hunting (KQL):

    • Most cross-service investigations are done via Kusto Query Language in the Defender portal, or through Graph with Start-MgSecurityHuntingQuery. External users downloading files from a connected app:
      CloudAppEvents
      | where ActionType == "FileDownloaded"
      | where IsExternalUser == true
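  • Worked example (added here; not from the page or from Microsoft's documentation): a script that pulls the Defender for Cloud Apps alerts from the last seven days and runs this section's hunting query through Microsoft Graph. Cmdlet names and scopes are those of the Microsoft.Graph.Security module; the seven-day window, the projected columns, and the handling of the hunting result rows via AdditionalProperties are assumptions about the SDK's output shape that you should confirm against your installed module version.

```powershell
# Added example: Defender for Cloud Apps alerts and advanced hunting via Microsoft Graph (not from the page).
# Requires the Microsoft.Graph.Security module (Install-Module Microsoft.Graph.Security).

Connect-MgGraph -Scopes 'SecurityAlert.Read.All', 'ThreatHunting.Read.All' -NoWelcome

# 1. Alerts raised by Defender for Cloud Apps in the last 7 days (alerts_v2, filtered on serviceSource).
#    OData datetime literals in Graph filters are unquoted ISO 8601 in UTC.
$since  = (Get-Date).ToUniversalTime().AddDays(-7).ToString('yyyy-MM-ddTHH:mm:ssZ')
$alerts = Get-MgSecurityAlertV2 -All `
    -Filter "serviceSource eq 'microsoftDefenderForCloudApps' and createdDateTime ge $since"

$alerts |
    Select-Object CreatedDateTime, Severity, Status, Title, Category |
    Sort-Object CreatedDateTime -Descending |
    Format-Table -AutoSize

# 2. The hunting query from the notes, bounded in time and projected so the output is reviewable.
$kql = @'
CloudAppEvents
| where Timestamp > ago(7d)
| where ActionType == "FileDownloaded"
| where IsExternalUser == true
| project Timestamp, AccountDisplayName, Application, ObjectName, IPAddress, CountryCode
| take 100
'@

$result = Start-MgSecurityHuntingQuery -Query $kql

# Assumption about the SDK's shape: each row is a huntingRowResult whose column values live in
# AdditionalProperties; casting that dictionary to pscustomobject gives a normal tabular object.
$rows = $result.Results | ForEach-Object { [pscustomobject]$_.AdditionalProperties }
$rows | Format-Table -AutoSize

# 3. Quick pivot: which external accounts downloaded the most files? Useful triage before opening alerts.
$rows | Group-Object AccountDisplayName |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

  Keep the time window and the take limit in the query rather than filtering client-side; the hunting endpoint is quota-limited per tenant, and an unbounded CloudAppEvents scan is the fastest way to exhaust it.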