Microsoft Defender for Cloud Apps

Being able to search for a particular application and simply just unsanction an application, knowing that it will block the IPs and hostnames associated with the service so that I don't have to manage a blocklist for these.

What I like most about Defender for Cloud Apps is how it brings all the elements of cloud security together into one place to make sense of them all. The visibility it provides into our company's SaaS usage, Shadow IT and risky OAuth applications is incredibly useful and the suggested insights are usually actionable immediately. Another great element is the integrations with EntraID, conditional access, Defender XDR and DLP modules. The policies work seamlessly across the board rather than the increasingly common disjointed feeling of working with multiple products in isolation. Features like real-time session control, user activity monitoring and automated app governance paired with Defender for Endpoint filtering make our day-to-day security tasks much easier, highlighting issues in our IT ecosystem we may have otherwise missed.

Visibility into possible Shadow IT issues thanks to the discovery and risk assessment performed by the Cloud App product Real-time access and controls due to real-time logs of user behaviour allowed us to track possible malicious user behaviour SaaS Security Posture Management, allowed us to assess the configuration of our SaaS apps and fix some misconfigurations

On the side of App Governance, I do wish that they would allow for better tools to search for users. Every now and again, I will see a user that gave consent to an application and I will have to clear it out and disable the app, and it can be difficult to just simply search for a user alone. It will show the top 100 users, but I would like a better search method for these. Also, many times, the Disable App button simply doesn't load and I will always have to open in a new browser. I have scripts to revoke all permissions and remove users from an application, but there currently doesn't seem to be a way to call on the API to disable the app as well, which would help with automation. The one other thing that is just slightly annoying is that when you unsanction an application, it sends the IPs and domains to your Indicator list. My worry in the future is that since this list is capped at 15k indicators, it might fill up. Even more importantly, if moving to Global Secure Access (Zero Trust), the indicator list becomes your main org blocklist on devices, which makes this 15k limit even more limited. I would love to see these applications fall into their own indicator list, or open it up to have more than 15k in your indicator list. Lastly, the alerts/incidents that we get from Defender for Cloud apps on the Defender portal are often lacking information and requires you to dig around to find the app that is part of the incident. I wish there was a way that I was able to see what the analytic rule was set up like on the backend, since it seems that it is just not bringing in the entities in a way that displays all of the information that one might need.

What I dislike the most about Defender for Cloud Apps is that the experience can feel quite fragmented at times, especially when switching between portals to configure policies, review alerts or investigate activity. Some features live in Defender XDR, others in EntraID, and a few still remain in the classic portal, which can make tasks feel like they take longer than they need to. The UI can often feel slow or inconsistent when working with large datasets, particularly in activity logs or governance actions. Whilst the platform is certainly powerful, some of the policy types could be more intuitive and easier to customise.

The product is not always integrated with API Connectors for some vendors. The platform might increase the number of false positive detections. The SOC team is required to perform fine tuning of alerts to reduce false positive.