Connect apps to get visibility and control - Microsoft Defender for Cloud Apps (original) (raw)
App connectors use the APIs of app providers to enable greater visibility and control by Microsoft Defender for Cloud Apps over the apps you connect to.
Microsoft Defender for Cloud Apps uses the APIs provided by the cloud provider. All communication between Defender for Cloud Apps and connected apps is encrypted using HTTPS. Each service has its own framework and API limitations such as throttling, API limits, dynamic time-shifting API windows, and others. Microsoft Defender for Cloud Apps works with the services to optimize the usage of the APIs and to provide the best performance. Taking into account different limitations that services impose on the APIs, the Microsoft Defender for Cloud Apps engines use the allowed capacity. Some operations, such as scanning all files in the tenant, require numerous APIs so they're spread over a longer period. Expect some policies to run for several hours or several days.
Multi-instance support
Defender for Cloud Apps supports multiple instances of the same connected app. For example, if you have more than one instance of Salesforce (one for sales, one for marketing) you can connect both to Defender for Cloud Apps. You can manage the different instances from the same console to create granular policies and deeper investigation. This support applies only to API connected apps, not to Cloud Discovered apps, or Proxy connected apps.
Note
Multi-instance isn't supported for Microsoft 365 and Azure.
How it works
Defender for Cloud Apps is deployed with system admin privileges to allow full access to all objects in your environment.
The App Connector flow is as follows:
- Defender for Cloud Apps scans and saves authentication permissions.
- Defender for Cloud Apps requests the user list. The first time it makes the request, it might take some time until the scan completes. After the user scan finishes, Defender for Cloud Apps moves on to activities and files. As soon as the scan starts, some activities are available in Defender for Cloud Apps.
- After completion of the user request, Defender for Cloud Apps periodically scans users, groups, activities, and files. All activities are available after the first full scan.
This connection might take some time depending on the size of the tenant, the number of users, and the size and number of files that need to be scanned.
Depending on the app to which you're connecting, API connection enables the following items:
- Account information - Visibility into users, accounts, profile information, status (suspended, active, disabled) groups, and privileges.
- Audit trail - Visibility into user activities, admin activities, sign-in activities.
- Account governance - Ability to suspend users, revoke passwords, and more.
- App permissions - Visibility into issued tokens and their permissions.
- App permission governance - Ability to remove tokens.
- Data scan - Scanning of unstructured data using two processes -periodically (every 12 hours) and in real-time scan (triggered each time a change is detected).
- Data governance - Ability to quarantine files, including files in trash, and overwrite files.
The following tables list, per cloud app, which abilities are supported with App connectors:
Note
Since not all app connectors support all abilities, some rows might be empty.
Users and activities
| App | List accounts | List groups | List privileges | Log on activity | User activity | Administrative activity |
|---|---|---|---|---|---|---|
| Asana | ✔ | ✔ | ✔ | |||
| Atlassian | ✔ | ✔ | ✔ | ✔ | ||
| AWS | ✔ | ✔ | Not applicable | ✔ | ||
| Azure | ✔ | ✔ | ✔ | ✔ | ||
| Box | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ |
| Citrix ShareFile | ||||||
| DocuSign | Supported with DocuSign Monitor | Supported with DocuSign Monitor | Supported with DocuSign Monitor | Supported with DocuSign Monitor | ||
| Dropbox | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ |
| Egnyte | ✔ | ✔ | ✔ | ✔ | ✔ | |
| GitHub | ✔ | ✔ | ✔ | ✔ | ||
| GCP | Subject Google Workspace connection | Subject Google Workspace connection | Subject Google Workspace connection | Subject Google Workspace connection | ✔ | ✔ |
| Google Workspace | ✔ | ✔ | ✔ | ✔ | ✔ - requires Google Business or Enterprise | ✔ |
| Microsoft 365 | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ |
| Miro | ✔ | ✔ | ✔ | |||
| Mural | ✔ | ✔ | ✔ | |||
| NetDocuments | ✔ | ✔ | ✔ | ✔ | ||
| Okta | ✔ | Not supported by provider | ✔ | ✔ | ✔ | |
| OneLogin | ✔ | ✔ | ✔ | ✔ | ✔ | |
| ServiceNow | ✔ | ✔ | ✔ | ✔ | Partial | Partial |
| Salesforce | Supported with Salesforce Shield | Supported with Salesforce Shield | Supported with Salesforce Shield | Supported with Salesforce Shield | Supported with Salesforce Shield | Supported with Salesforce Shield |
| Slack | ✔ | ✔ | ✔ | ✔ | ✔ | |
| Smartsheet | ✔ | ✔ | ✔ | ✔ | ||
| Webex | ✔ | ✔ | ✔ | Not supported by provider | ||
| Workday | ✔ | Not supported by provider | Not supported by provider | ✔ | ✔ | Not supported by provider |
| Workplace by Meta | ✔ | ✔ | ✔ | ✔ | ✔ | |
| Zendesk | ✔ | ✔ | ✔ | ✔ | ✔ | |
| Zoom |
User, app governance, and security configuration visibility
| App | User governance | View app permissions | Revoke app permissions | SaaS Security Posture Management (SSPM) |
|---|---|---|---|---|
| Asana | ||||
| Atlassian | ✔ | |||
| AWS | Not applicable | Not applicable | ||
| Azure | Not supported by provider | |||
| Box | ✔ | Not supported by provider | ||
| Citrix ShareFile | ✔ | |||
| DocuSign | ✔ | |||
| Dropbox | ✔ | |||
| Egnyte | ||||
| GitHub | ✔ | ✔ | ||
| GCP | Subject Google Workspace connection | Not applicable | Not applicable | |
| Google Workspace | ✔ | ✔ | ✔ | ✔ |
| Microsoft 365 | ✔ | ✔ | ✔ | ✔ |
| Miro | ||||
| Mural | ||||
| NetDocuments | Preview | |||
| Okta | Not applicable | Not applicable | ✔ | |
| OneLogin | ||||
| ServiceNow | ✔ | |||
| Salesforce | ✔ | ✔ | ✔ | |
| Slack | ||||
| Smartsheet | ||||
| Webex | Not applicable | Not applicable | ||
| Workday | Not supported by provider | Not applicable | Not applicable | |
| Workplace by Meta | Preview | |||
| Zendesk | ✔ | |||
| Zoom | Preview |
Information protection
| App | DLP - Periodic backlog scan | DLP - Near real-time scan | Sharing control | File governance | Apply sensitivity labels from Microsoft Purview Information Protection |
|---|---|---|---|---|---|
| Asana | |||||
| Atlassian | |||||
| AWS | ✔ - S3 Bucket discovery only | ✔ | ✔ | Not applicable | |
| Azure | |||||
| Box | ✔ | ✔ | ✔ | ✔ | ✔ |
| Citrix ShareFile | |||||
| DocuSign | |||||
| Dropbox | ✔ | ✔ | ✔ | ✔ | |
| Egnyte | |||||
| GitHub | |||||
| GCP | Not applicable | Not applicable | Not applicable | Not applicable | Not applicable |
| Google Workspace | ✔ | ✔ - requires Google Business Enterprise | ✔ | ✔ | ✔ |
| Okta | Not applicable | Not applicable | Not applicable | Not applicable | Not applicable |
| Miro | |||||
| Mural | |||||
| NetDocuments | |||||
| Okta | Not applicable | Not applicable | Not applicable | Not applicable | Not applicable |
| OneLogin | |||||
| ServiceNow | ✔ | ✔ | Not applicable | ||
| Salesforce | ✔ | ✔ | ✔ | ||
| Slack | |||||
| Smartsheet | |||||
| Webex | ✔ | ✔ | ✔ | ✔ | Not applicable |
| Workday | Not supported by provider | Not supported by provider | Not supported by provider | Not supported by provider | Not applicable |
| Workplace by Meta | |||||
| Zendesk | Preview | ||||
| Zoom |
Prerequisites
- When working with the Microsoft 365 connector, you'll need a license for each service where you want to view security recommendations. For example, to view recommendations for Microsoft Forms, you'll need a license that supports Forms.
- For some apps, you might need to allow list IP addresses to enable Defender for Cloud Apps to collect logs and provide access for the Defender for Cloud Apps console. For more information, see Network requirements.
Enable app connectors
To enable an app connector for the first time, configure an API connection for the specific cloud app you want to connect. See the individual connector guides for each app for detailed instructions.
- Sign in to the Microsoft Defender portal.
- Go to Cloud Apps > Connected apps.
- Select Connect an app or Add a new connector.
- Choose the cloud app you want to connect.
- Follow the instructions in the corresponding app-specific API connector guide. These instructions include the required permissions and authentication steps.
Each cloud app has its own enablement process based on the APIs it supports.
ExpressRoute
Defender for Cloud Apps is deployed in Azure and fully integrated with ExpressRoute. All interactions with the Defender for Cloud Apps apps and traffic sent to Defender for Cloud Apps, including upload of discovery logs, is routed via ExpressRoute for improved latency, performance, and security. For more information about Microsoft Peering, see ExpressRoute circuits and routing domains.
Disable app connectors
Note
- Before disabling an app connector, make sure you have the connection details available as you'll need them if you want to re-enable the connector.
- These steps can't be used to disable conditional access app control apps and security configuration apps.
To disable connected apps:
- Go to Connected apps.
- Select Disable App connector.
- Select Disable App connector instance to confirm the action.
Once disabled, the connector instance stops consuming data from the connector.
Re-enable app connectors
To re-enable connected apps:
- Go to Connected apps.
- Select Edit settings. This action starts the process to add a connector.
- Add the connector using the steps in the relevant API connector guide. For example, if you're re-enabling GitHub, use the steps in Connect GitHub Enterprise Cloud to Microsoft Defender for Cloud Apps.
Troubleshoot missing activities
If expected activities don't appear after you connect an app, see Troubleshoot missing activities after connecting an app.