Connect Office 365 to Microsoft Defender for Cloud Apps

Note

  • We've renamed Microsoft Cloud App Security. It's now called Microsoft Defender for Cloud Apps. In the coming weeks, we'll update the screenshots and instructions here and in related pages. For more information about the change, see this announcement. To learn more about the recent renaming of Microsoft security services, see the Microsoft Ignite Security blog.

  • Microsoft Defender for Cloud Apps is now part of Microsoft 365 Defender. The Microsoft 365 Defender portal allows security admins to perform their security tasks in one location. This will simplify workflows, and add the functionality of the other Microsoft 365 Defender services. Microsoft 365 Defender will be the home for monitoring and managing security across your Microsoft identities, data, devices, apps, and infrastructure. For more information about these changes, see Microsoft Defender for Cloud Apps in Microsoft 365 Defender.

This article provides instructions for connecting Microsoft Defender for Cloud Apps to your existing Office 365 account using the app connector API. This connection gives you visibility into and control over Office 365 use. For information about how Defender for Cloud Apps protects Office 365, see Protect Office 365.

Defender for Cloud Apps supports the legacy Office 365 Dedicated Platform as well as the latest offerings of Office 365 services (commonly referred to as the vNext release family of Office 365).

Note

In some cases, a vNext service release differs slightly at the administrative and management levels from the standard Office 365 offering.

Defender for Cloud Apps integrates directly with Office 365's audit logs and receives all audited events from all supported services. For a list of supported services, see Microsoft 365 services that support auditing.

How to connect Office 365 to Defender for Cloud Apps

Note

  • You must have at least one assigned Office 365 license to connect Office 365 to Defender for Cloud Apps.
  • To enable monitoring of Office 365 activities in Defender for Cloud Apps, you are required to enable auditing in the Microsoft Purview compliance portal.
  • Exchange administrator audit logging, which is enabled by default in Office 365, logs an event in the Office 365 audit log when an administrator (or a user who has been assigned administrative privileges) makes a change in your Exchange Online organization. Changes made using the Exchange admin center or by running a cmdlet in Windows PowerShell are logged in the Exchange admin audit log. For more detailed information about admin audit logging in Exchange, see Administrator audit logging.
  • Exchange Mailbox audit logging must be turned on for each user mailbox before user activity in Exchange Online is logged. For details, see Exchange Mailbox activities.
  • If Office apps are enabled, groups that are part of Office 365 are also imported to Defender for Cloud Apps from the specific Office apps. For example, if SharePoint is enabled, Office 365 groups are imported as SharePoint groups as well.
  • You must enable auditing in Power BI to get the logs from there. Once auditing is enabled, Defender for Cloud Apps starts getting the logs (with a delay of 24-72 hours).
  • You must enable auditing in Dynamics 365 to get the logs from there. Once auditing is enabled, Defender for Cloud Apps starts getting the logs (with a delay of 24-72 hours).
  • If your Azure Active Directory is set to automatically sync with the users in your Active Directory on-premises environment, the settings in the on-premises environment override the Azure AD settings and use of the Suspend user governance action is reverted.
  • For Azure AD sign-in activities, Defender for Cloud Apps only surfaces interactive sign-in activities and sign-in activities from legacy protocols such as ActiveSync. Noninteractive sign-in activities may be viewed in the Azure AD audit log.
  • Multi-geo deployments are only supported for OneDrive.
  • In SharePoint and OneDrive, Defender for Cloud Apps supports user quarantine only for files in Shared Documents libraries (SharePoint Online) and files in the Documents library (OneDrive for Business).
  • Events from Exchange, Power BI, and Teams will only appear after activities from those services are detected in the portal.

  1. In the Connected apps page, under App connectors, select +Connect an app and then select Office 365.


  2. In the Office 365 pop-up, click Connect Office 365.


  3. In the Office 365 components page, select the options you require, and then click Connect.

    Note

    • For best protection, we recommend selecting all Office 365 components.
    • The Office 365 files component requires the Office 365 activities component and Defender for Cloud Apps file monitoring (Settings > Files > Enable file monitoring).


  4. After Office 365 is displayed as successfully connected, click Close.

Note

After connecting Office 365, you will see data from a week back including any third-party applications connected to Office 365 that are pulling APIs. For third-party apps that weren't pulling APIs prior to connection, you see events from the moment you connect Office 365 because Defender for Cloud Apps turns on any APIs that had been off by default.

If you have any problems connecting the app, see Troubleshooting App Connectors.
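
The auditing prerequisites listed in the notes above can be checked from Exchange Online PowerShell before you connect or when expected activities don't appear. The following script is an added example, not part of the original article; it assumes the ExchangeOnlineManagement module is installed, and the sign-in name `admin@contoso.example` is a placeholder.

```powershell
# Added example: preflight check of the audit settings the Office 365 connector relies on.
# Assumption: ExchangeOnlineManagement module installed; placeholder admin UPN below.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName 'admin@contoso.example' -ShowBanner:$false

# 1. Unified audit log ingestion and Exchange admin audit logging.
#    Run this in Exchange Online PowerShell: in Security & Compliance PowerShell
#    UnifiedAuditLogIngestionEnabled always reports False.
$adminAudit = Get-AdminAuditLogConfig

# 2. Organization-wide mailbox auditing switch (AuditDisabled = True means it is off).
$orgConfig = Get-OrganizationConfig

# 3. User mailboxes whose per-mailbox AuditEnabled flag is off.
$unaudited = @(
    Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
        Where-Object { -not $_.AuditEnabled } |
        Select-Object -ExpandProperty UserPrincipalName
)

$report = [pscustomobject]@{
    UnifiedAuditLogIngestionEnabled = $adminAudit.UnifiedAuditLogIngestionEnabled
    AdminAuditLogEnabled            = $adminAudit.AdminAuditLogEnabled
    OrgMailboxAuditDisabled         = $orgConfig.AuditDisabled
    MailboxesWithAuditOff           = $unaudited.Count
}
$report | Format-List

# Flag each gap with the cmdlet that changes the setting (nothing is changed here).
if (-not $report.UnifiedAuditLogIngestionEnabled) {
    Write-Warning 'Unified audit log is off: Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true'
}
if ($report.OrgMailboxAuditDisabled) {
    Write-Warning 'Mailbox auditing is disabled org-wide: Set-OrganizationConfig -AuditDisabled $false'
}
if ($unaudited.Count -gt 0) {
    Write-Warning "AuditEnabled is off on $($unaudited.Count) user mailbox(es); first few:"
    $unaudited | Select-Object -First 10 | ForEach-Object { Write-Warning "  $_" }
    Write-Warning 'Enable per mailbox with: Set-Mailbox -Identity <UPN> -AuditEnabled $true'
}

Disconnect-ExchangeOnline -Confirm:$false
```

The script only reads settings. Power BI and Dynamics 365 auditing are configured in their own admin portals and are not covered by this check.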

Next steps

If you run into any problems, we're here to help. To get assistance or support for your product issue, please open a support ticket.