Back to Blog

Microsoft Defender for Cloud Apps

Image of Nathan O'Bryan MCSM
Nathan O'Bryan MCSM
Microsoft Defender for Cloud Apps listing image

Formerly known as “Cloud App Security”, Microsoft Defender for Cloud Apps is a Cloud Access Security Broker (CASB) that is part of the Microsoft 365 Defender suite of products. Defender for Cloud Apps (DCA) is built to help IT departments control the data that their organizations have hosted in multiple cloud services including but not limited to Office 365.

In this blog post, I’m going to look at DCA and what it does. I’ll explore how to use it, and what it can do to help make your organization more secure.


Ugh!! I hate this part. I am by no means a Microsoft 365 licensing specialist, and I don’t want to be. So, this section is going to be short and very high level.

DCA is one of the higher tier EM+S security solutions available in Microsoft 365. The easiest way to get access to DCA is with a Microsoft 365 E5 license. Those licenses are pricey (close to $60/month list price), so it’s unlikely many organizations are going to be buying a bunch of those licenses.

DCA is also available as part of the EM+S E5 license, which go for about $17/month. While that is a much more palatable price, you need to remember that it is going to be in addition to your standard Office 365 licenses.

I don’t see any licensing for just DCA, but again I’m no authority on licensing. However you slice it, DCA is a high-end and expensive product to get into. I do think it brings great value, and it can be of great benefit to many organizations, but the price tag is going to be keep it out of reach for a lot of organizations.

“Shadow IT”

When you start reviewing the documentation for DCA, one of the first things that really stands out is that Microsoft is clearly positioning this product to help in the fight against “Shadow IT”.

“Shadow IT” is users buying their own software or services for use at work, with company-owned data. This can be a major problem for many organizations as it can easily become a way for employees to remove company-owned intellectual property from the control of the company. Typically, this would include something like a user storing company documents in their own DropBox account so that they have access to those documents after ending their employment with the organization. Clearly this is an issue for many organizations. Of course the difference between “Shadow IT” and “Self-service Licenses” seems to be mostly a matter of to whom the check is being written.

What is a “CASB”?

DCA works as a Cloud Access Security Broker (CASB). This means that it’s designed to sit in between your users and the data they store in multiple cloud applications. This means that DCA can help you figure out where your users are storing your organization's data, and how that data is being accessed and used.

In short, a CASB serves three main functions: Log collection, API-connector, and Reverse Proxy.

So, a CASB in general, and DCA specifically, are meant to help organizations manage their data across a variety of cloud applications from different vendors. Simply put, DCA sits between your organization’s users and the variety of (known or unknown) cloud applications that hold your organization’s data.

How does DCA protect my data?

Our job, as IT professionals, is not to prevent our user bases from using the applications they like, but to help them use those applications securely. That’s where Defender for Cloud Apps comes in.

DCA’s main functions are:

  • Cloud Discovery – DCA helps IT departments discover what cloud applications are being used across the enterprise. DCA has a database of over 16,000 applications that is used to assign a “security & compliance” score to applications that have been discovered in your environment.
  • Data protection – With integrations into Azure Information Protection, Defender for Endpoint and Conditional Access, DCA can gain insights into how your organization’s data is being accessed and used.
  • Threat Protection – By analyzing user behavior, DCA can detect changes in usage patterns that may indicate a data breach, compromised accounts, or ransomware attacks.
  • Compliance assessments – When DCA becomes aware of an application being used in your environment, a compliance score for that application is maintained. This allows IT departments to make decisions on their overall compliance stance, and what applications should or should not be used.

Getting started with DCA

A huge benefit of DCA for organizations that are using Microsoft/Office 365 is the ease with which an organization can start using it. There really is very little required to get DCA up and running. The DCA portal can be found at Ensure you have the proper licensing and navigate there to check it out.

The DCA portal has three major sections: Discover, Investigate, and Control. There is also a dashboard and an alerts section.

If you have an existing reverse proxy setup, the first thing to do is to create a discovery report from the dashboard.


This wizard will reach into the logs for many of the most popular firewalls and proxies to give you visibility into what cloud applications are being used in your environment. You just tell DCA what type of device it is connecting to and give it credentials. It will then download the logs and parse them so you can see what cloud apps are being used in your organization.

Next, I recommend you look at the templates under the Control tab. Microsoft has preconfigured many templates built to cover common risk scenarios. Templates like “New popular app”, or “Mass download by a single user” can automatically warn you of potentially dangerous behavior in your organization. These templates are very easy to implement, and a great place to get started.

Wrap up

Cloud App Security has been renamed and branded into the Microsoft Defender EM+S stack. It always was part of that security stack, but Microsoft loves to change the names of things.

DCA is a cloud tool that helps organizations identify and control users’ access to cloud applications and ensure that data stored in those applications is secure. DCA can help you identify what cloud apps are in use in your organization, and help you better protect the data stored in them.



With email being one of the most mission-critical tools for organizations today, how do you ensure vital business communication stays up and running? How do you demonstrate to senior management that additional resources are needed to meet growing demand or that service levels are being met?

Developed by Exchange architects with direct product input from Exchange MVPs, ENow's Mailscape makes your job easier by putting everything you need into a single, concise OneLook dashboard, instead of forcing you to use fragmented and complicated tools for monitoring and reporting. Easy to deploy and intuitive to use, get started with Mailscape in minutes rather than days.

ACCESS YOUR FREE 14-DAY TRIAL and combine all key elements for your Exchange monitoring and reporting to keep your messaging infrastructure up and running like a pro!


  • Consolidated dashboard view of messaging environments health
  • Automatically verify external Mail flow, OWA, ActiveSync, Outlook Anywhere
  • Mail flow queue monitoring
  • DAG configuration and failover monitoring
  • Microsoft Security Patch verification
  • 200+ built-in, customizable reports, including: Mailbox size, Mail Traffic, Quota, Storage, Distribution Lists, Public Folders, Database size, OWA, Outlook version, permissions, SLA and mobile device reports

Access Free 14-Day Trial

Exchange Y2K22 Bug banner image

Date Bug in Exchange Causes Headaches

Image of Jaap Wesselius
Jaap Wesselius

Happy New Year! With the recent change to the new year, a nasty bug similar to the Y2K bug (Y2K22?)...

Read more
Security Updates for Microsoft Exchange

November 2022 Security Updates for Exchange

Image of Jaap Wesselius
Jaap Wesselius

This week Microsoft released new security updates for the following Exchange versions:

  • Exchange...
Read more