Microsoft Defender for Cloud Apps

Being able to search for a particular application and simply just unsanction an application, knowing that it will block the IPs and hostnames associated with the service so that I don't have to manage a blocklist for these.

All the features and abilities to control Shadow IT, Inventories and security controls are fantastic.

Conditional Access (CA) policy engine integration. This is a huge benefit as it helps to cover some gaps in CA (e.g. Some apps are not supported by CA, but supported by MDCA). It can also help to address separate needs for more granular controls which are not possible in CA.

On the side of App Governance, I do wish that they would allow for better tools to search for users. Every now and again, I will see a user that gave consent to an application and I will have to clear it out and disable the app, and it can be difficult to just simply search for a user alone. It will show the top 100 users, but I would like a better search method for these. Also, many times, the Disable App button simply doesn't load and I will always have to open in a new browser. I have scripts to revoke all permissions and remove users from an application, but there currently doesn't seem to be a way to call on the API to disable the app as well, which would help with automation. The one other thing that is just slightly annoying is that when you unsanction an application, it sends the IPs and domains to your Indicator list. My worry in the future is that since this list is capped at 15k indicators, it might fill up. Even more importantly, if moving to Global Secure Access (Zero Trust), the indicator list becomes your main org blocklist on devices, which makes this 15k limit even more limited. I would love to see these applications fall into their own indicator list, or open it up to have more than 15k in your indicator list. Lastly, the alerts/incidents that we get from Defender for Cloud apps on the Defender portal are often lacking information and requires you to dig around to find the app that is part of the incident. I wish there was a way that I was able to see what the analytic rule was set up like on the backend, since it seems that it is just not bringing in the entities in a way that displays all of the information that one might need.

Portal is not always 100% accurate - would appreciate more support in the configuration and best practice guidance tailored to my organisation

1) Integration has a lot of room for improvement. Initially, MDCA was a 3rd party product that was acquired by Microsoft some years ago, and unfortunately, it seems that integration is still not fully done. Good example here - Entra ID groups cannot be used directly, but must be synced into MDCA. This makes policy configuration very difficult, because you cannot rely on user group membership as it can be out of sync. 2) MDCA uses connectors to get insights and be able to take actions in other SaaS applications. Problem here is that some very popular SaaS applications still don't have connectors. There is no clear road-map - what is planned, which connectors are on the way, which will be improved, which are not planned. It is difficult to make long-term plans. 3) Integration with Microsoft Purview solution could be improved. Purview is a main data protection solution from Microsoft, it uses sensitivity labels to provide data protection (including encryption) capabilities. Support for such labelling in MDCA policy is limited. For example, it is not possible to make some simple policies that can track actions users do against labelled content (those could be done in a different way, but it is expected to see more things like that in MDCA).