Microsoft Defender for Cloud Apps

Being able to search for a particular application and simply just unsanction an application, knowing that it will block the IPs and hostnames associated with the service so that I don't have to manage a blocklist for these.

All the features and abilities to control Shadow IT, Inventories and security controls are fantastic.

What i like most about Microsoft Defender for Cloud Apps is that it doesn't miss a bit. It offers robust shadow IT discovery, which help uncover unsanctioned apps before they become unseen risks and offer realtime monitoring that give me full visibility into everything happening across our cloud environment. The built in data loss protection features help in identifying sensitive information and protecting proprietary product formulations and customer data from unauthorized access and exfiltration. Defender for Cloud isnot just your ordinary tool, but it provides us with a multilayered solution that combines CASB, DLP, SSPM, threat detection and app control into one platform, which is ideal for keeping our SaaS environment secure and compliant. I also appreciate that it integrates seamlessly with our other Microsoft security products and manufacturing infrastructure, allowing us to consolidate alerts from cloud apps and signals from emails, endpoints and identities into a comprehensive view of security threats. Lastly the automated threat detection and remediation function is impeccable. It uses machine learning to detect anomalies across our systems and automatically revokes access, require authentication or trigger alerts for our IT team .

On the side of App Governance, I do wish that they would allow for better tools to search for users. Every now and again, I will see a user that gave consent to an application and I will have to clear it out and disable the app, and it can be difficult to just simply search for a user alone. It will show the top 100 users, but I would like a better search method for these. Also, many times, the Disable App button simply doesn't load and I will always have to open in a new browser. I have scripts to revoke all permissions and remove users from an application, but there currently doesn't seem to be a way to call on the API to disable the app as well, which would help with automation. The one other thing that is just slightly annoying is that when you unsanction an application, it sends the IPs and domains to your Indicator list. My worry in the future is that since this list is capped at 15k indicators, it might fill up. Even more importantly, if moving to Global Secure Access (Zero Trust), the indicator list becomes your main org blocklist on devices, which makes this 15k limit even more limited. I would love to see these applications fall into their own indicator list, or open it up to have more than 15k in your indicator list. Lastly, the alerts/incidents that we get from Defender for Cloud apps on the Defender portal are often lacking information and requires you to dig around to find the app that is part of the incident. I wish there was a way that I was able to see what the analytic rule was set up like on the backend, since it seems that it is just not bringing in the entities in a way that displays all of the information that one might need.

Portal is not always 100% accurate - would appreciate more support in the configuration and best practice guidance tailored to my organisation

Microsoft Defender for Cloud Apps is complex to integrate since it doesn't plugin effortlessly to specialized manufacturing tools. There is also a steep learning curve on the onset due to its wide range of powerful features that requires time to fully understand and configure to fit the unique needs of manufacturing operations.