Microsoft Defender for Cloud Apps best practices


Microsoft Defender for Cloud Apps can protect your organization, but it is important to follow the best practices listed in this unit.

Discover and assess cloud apps

You can integrate Microsoft Defender for Cloud Apps with Microsoft Defender for Cloud to use Cloud Discovery outside of your corporate network. This approach enables you to identify risky users and devices and track their actions.

Consider enabling App Discovery to identify risky apps.

Also monitor the permissions that users are giving to OAuth apps.

Apply cloud governance policies

Apply Sanctioned or Unsanctioned tags to apps and monitor unsanctioned apps.

Sanctioned apps are apps that are approved for use. Unsanctioned apps are not approved. Tagging an app as unsanctioned does not block its use, but you can suggest alternative apps to users and monitor the use of unsanctioned apps.

Limit exposure of shared data and enforce collaboration policies

Connect Office 365 to Microsoft Defender for Cloud Apps to give visibility to users' actions in Office 365, SharePoint, OneDrive, Teams, Power BI, Exchange, and Dynamics.

Connect third-party apps to Microsoft Defender for Cloud Apps to improve insights into users' activities in third-party apps.

View file exposure reports to understand how users are sharing files with cloud apps.

Create policies to prevent users from sharing files with their personal accounts.

Discover, classify, label, and protect regulated and sensitive data stored in the cloud

Connect Azure Information Protection to Microsoft Defender for Cloud Apps to automatically apply classification labels to files and apply encryption, where necessary.

Create file policies to detect confidential data or unauthorized sharing.

Connect Software as a Service (SaaS) apps to Microsoft Defender for Cloud Apps to be able to investigate the data stored by these apps.

Enforce DLP and compliance policies for data stored in the cloud

Create a file policy to prevent users from sharing confidential information.

Block and protect download of sensitive data to unmanaged or risky devices

Use Conditional App Access Control to block downloads of sensitive data to unmanaged devices.

Secure collaboration with external users by enforcing real-time session controls

Use Conditional App Access Control to monitor internal users' interactions with external users. Internal users can be notified that they are being monitored and specific activities can be limited.

Detect cloud threats, compromised accounts, malicious insiders, and ransomware

Use anomaly detection policies to apply user and entity behavioral analytics (UEBA) and machine learning to detect unusual activity across your cloud environment.

Create an activity policy to detect activity from unexpected locations.

Create an OAuth app policy to be notified if an OAuth app meets specific criteria, such as requiring high permissions.

Use the audit trail of activities for forensic investigations

Investigate alerts and view the audit trail of the alert to view activities from the same user, same IP address, same location, or of the same type.

Secure IaaS services and custom apps

Connect Microsoft Azure, Amazon Web Services (AWS), and Google Cloud Platform (GCP) to Microsoft Defender for Cloud Apps to monitor administrative or sign-in activities for these services.

Use the security configuration recommendations of Azure, AWS, and GCP to ensure that you meet the best practices of those services.

Onboard custom apps to Microsoft Defender for Cloud Apps to gain extra insights into actions performed with or by these apps.