Microsoft Defender for Cloud Apps

Being able to search for a particular application and simply just unsanction an application, knowing that it will block the IPs and hostnames associated with the service so that I don't have to manage a blocklist for these.

What I like most about Defender for Cloud Apps is how it brings all the elements of cloud security together into one place to make sense of them all. The visibility it provides into our company's SaaS usage, Shadow IT and risky OAuth applications is incredibly useful and the suggested insights are usually actionable immediately. Another great element is the integrations with EntraID, conditional access, Defender XDR and DLP modules. The policies work seamlessly across the board rather than the increasingly common disjointed feeling of working with multiple products in isolation. Features like real-time session control, user activity monitoring and automated app governance paired with Defender for Endpoint filtering make our day-to-day security tasks much easier, highlighting issues in our IT ecosystem we may have otherwise missed.

Conditional Access (CA) policy engine integration. This is a huge benefit as it helps to cover some gaps in CA (e.g. Some apps are not supported by CA, but supported by MDCA). It can also help to address separate needs for more granular controls which are not possible in CA.

On the side of App Governance, I do wish that they would allow for better tools to search for users. Every now and again, I will see a user that gave consent to an application and I will have to clear it out and disable the app, and it can be difficult to just simply search for a user alone. It will show the top 100 users, but I would like a better search method for these. Also, many times, the Disable App button simply doesn't load and I will always have to open in a new browser. I have scripts to revoke all permissions and remove users from an application, but there currently doesn't seem to be a way to call on the API to disable the app as well, which would help with automation. The one other thing that is just slightly annoying is that when you unsanction an application, it sends the IPs and domains to your Indicator list. My worry in the future is that since this list is capped at 15k indicators, it might fill up. Even more importantly, if moving to Global Secure Access (Zero Trust), the indicator list becomes your main org blocklist on devices, which makes this 15k limit even more limited. I would love to see these applications fall into their own indicator list, or open it up to have more than 15k in your indicator list. Lastly, the alerts/incidents that we get from Defender for Cloud apps on the Defender portal are often lacking information and requires you to dig around to find the app that is part of the incident. I wish there was a way that I was able to see what the analytic rule was set up like on the backend, since it seems that it is just not bringing in the entities in a way that displays all of the information that one might need.

What I dislike the most about Defender for Cloud Apps is that the experience can feel quite fragmented at times, especially when switching between portals to configure policies, review alerts or investigate activity. Some features live in Defender XDR, others in EntraID, and a few still remain in the classic portal, which can make tasks feel like they take longer than they need to. The UI can often feel slow or inconsistent when working with large datasets, particularly in activity logs or governance actions. Whilst the platform is certainly powerful, some of the policy types could be more intuitive and easier to customise.

1) Integration has a lot of room for improvement. Initially, MDCA was a 3rd party product that was acquired by Microsoft some years ago, and unfortunately, it seems that integration is still not fully done. Good example here - Entra ID groups cannot be used directly, but must be synced into MDCA. This makes policy configuration very difficult, because you cannot rely on user group membership as it can be out of sync. 2) MDCA uses connectors to get insights and be able to take actions in other SaaS applications. Problem here is that some very popular SaaS applications still don't have connectors. There is no clear road-map - what is planned, which connectors are on the way, which will be improved, which are not planned. It is difficult to make long-term plans. 3) Integration with Microsoft Purview solution could be improved. Purview is a main data protection solution from Microsoft, it uses sensitivity labels to provide data protection (including encryption) capabilities. Support for such labelling in MDCA policy is limited. For example, it is not possible to make some simple policies that can track actions users do against labelled content (those could be done in a different way, but it is expected to see more things like that in MDCA).