Govern discovered apps using Microsoft Defender for Endpoint

Note

We've renamed Microsoft Cloud App Security. It's now called Microsoft Defender for Cloud Apps. In the coming weeks, we'll update the screenshots and instructions here and in related pages. For more information about the change, see this announcement. To learn more about the recent renaming of Microsoft security services, see the Microsoft Ignite Security blog.

The Microsoft Defender for Cloud Apps integration with Microsoft Defender for Endpoint provides a seamless Shadow IT visibility and control solution. The integration lets Defender for Cloud Apps administrators block end users' access to cloud apps by natively integrating Defender for Cloud Apps app governance controls with Microsoft Defender for Endpoint's network protection. Alternatively, administrators can take a gentler approach and warn users when they access risky cloud apps.

Prerequisites

Block access to unsanctioned cloud apps

Defender for Cloud Apps uses the built-in Unsanctioned app tag to mark cloud apps as prohibited for use, available in both the Cloud Discovery and Cloud app catalog pages. By enabling the integration with Defender for Endpoint, you can seamlessly block access to unsanctioned apps with a single click in the Defender for Cloud Apps portal.

How blocking works

Apps marked as Unsanctioned in Defender for Cloud Apps are automatically synced to Defender for Endpoint, usually within a few minutes. More specifically, the domains used by these unsanctioned apps are propagated to endpoint devices to be blocked by Microsoft Defender Antivirus within the Network Protection SLA.

How to enable cloud app blocking with Defender for Endpoint

Use the following steps to enable access control for cloud apps:

  1. In Defender for Cloud Apps, under the settings cog, select Settings, under Cloud Discovery select Microsoft Defender for Endpoint, and then select Block unsanctioned apps.

    Screenshot showing how to enable blocking with Defender for Endpoint

  2. In Microsoft 365 Defender, go to Settings > Endpoints > Advanced features, and then select Custom network indicators. For information about network indicators, see Create indicators for IPs and URLs/domains.

    This allows you to leverage Microsoft Defender Antivirus network protection capabilities to block access to a predefined set of URLs using Defender for Cloud Apps, either by manually assigning app tags to specific apps or automatically using an app discovery policy.

    Screenshot showing how to enable custom network indicators in Defender for Endpoint

Educate users when accessing risky apps

Note

Prerequisite: Opt in to the public preview feature in Microsoft Defender for Endpoint. For more information, see Microsoft Defender for Endpoint preview features.

Admins have the option to warn users when they access risky apps. Rather than blocking users, they're prompted with a message providing a custom redirect link to a company page listing apps approved for use. The prompt provides options for users to bypass the warning and continue to the app. Admins are also able to monitor the number of users that bypass the warning message.

How it works

Defender for Cloud Apps uses the built-in Monitored app tag to mark cloud apps as risky for use. The tag is available on both the Cloud Discovery and Cloud App Catalog pages. By enabling the integration with Defender for Endpoint, you can seamlessly warn users on access to monitored apps with a single click in the Defender for Cloud Apps portal.

Apps marked as Monitored are automatically synced to Defender for Endpoint's custom URL indicators, usually within a few minutes. More specifically, the domains used by monitored apps are propagated to endpoint devices to provide a warning message by Microsoft Defender Antivirus within the Network Protection SLA.

Setting up the custom redirect URL for the warn message

Use the following steps to configure a custom URL pointing to a company web page where you can educate employees on why they've been warned and provide a list of alternative approved apps that adhere to your organization's risk acceptance or are already managed by the organization.

  1. In Defender for Cloud Apps, under the settings cog, select Settings, and under Cloud Discovery select Microsoft Defender for Endpoint.

  2. In the Notification URL box, enter your URL.

    Screenshot showing how to configure notification URL

Setting up user bypass duration

Since users can bypass the warning message, you can use the following steps to configure how long a bypass applies. Once the duration has elapsed, users are prompted with the warning message the next time they access the monitored app.

  1. In Defender for Cloud Apps, under the settings cog, select Settings, and under Cloud Discovery select Microsoft Defender for Endpoint.

  2. In the Bypass duration box, enter the bypass duration, in hours.

    Screenshot showing how to configure bypass duration

Monitor applied app controls

Once controls are applied, you can monitor app usage patterns by the applied controls (access, block, bypass) using the following steps.

  1. In Defender for Cloud Apps, under Discovery > Discovered apps, use the filters to find the relevant monitored app.

  2. Select the app's name to view applied app controls on the app's overview page.

    Screenshot showing how to monitor applied controls
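To make the tag semantics from the "Educate users", "Setting up user bypass duration" and "Monitor applied app controls" sections concrete, here is an added model (not Microsoft code, and not the real Defender for Endpoint API) of how an Unsanctioned app domain is blocked, how a Monitored app domain warns until the user bypasses, how that bypass expires after the configured hours, and how the access/block/bypass outcomes accumulate per app. The app names, domains, notification URL and timestamps are constructed sample values.

```python
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Hypothetical model of the tag semantics described on this page; not a Microsoft API.
ACTION = {"Unsanctioned": "block", "Monitored": "warn"}  # tag -> synced indicator action


@dataclass
class AppControlModel:
    bypass_hours: int                     # the "Bypass duration" setting, in hours
    notification_url: str                 # the "Notification URL" shown in the warn prompt
    apps: dict                            # app name -> (tag or None, list of domains)
    bypasses: dict = field(default_factory=dict)     # (user, app) -> time of last bypass
    stats: Counter = field(default_factory=Counter)  # (app, outcome) -> count

    def indicators(self) -> dict:
        """Domain -> action, as the sync to Defender for Endpoint custom URL indicators would produce."""
        return {d: ACTION[tag] for app, (tag, doms) in self.apps.items() if tag in ACTION for d in doms}

    def evaluate(self, user: str, domain: str, now: datetime, bypass: bool = False) -> str:
        """Outcome for one request: 'allow', 'block', or 'warn:<url>'."""
        app = next((a for a, (_, doms) in self.apps.items() if domain in doms), None)
        action = self.indicators().get(domain)
        if action is None:                          # sanctioned or untagged: no control applied
            return "allow"
        if action == "block":                       # Unsanctioned: network protection blocks outright
            self.stats[(app, "block")] += 1
            return "block"
        last = self.bypasses.get((user, app))       # Monitored: honour a bypass still within duration
        if last is not None and now - last < timedelta(hours=self.bypass_hours):
            self.stats[(app, "access")] += 1
            return "allow"
        if bypass:                                  # user chose to continue past the warning
            self.bypasses[(user, app)] = now
            self.stats[(app, "bypass")] += 1
            return "allow"
        self.stats[(app, "warn")] += 1
        return f"warn:{self.notification_url}"


def demo() -> AppControlModel:
    # Constructed sample: one Monitored app, one Unsanctioned app, a 24-hour bypass.
    m = AppControlModel(24, "https://intranet.example/approved-apps",
                        {"RiskyShare": ("Monitored", ["riskyshare.example"]),
                         "BannedDrive": ("Unsanctioned", ["banneddrive.example"])})
    t0 = datetime(2022, 1, 1, 9, 0)
    m.evaluate("alice", "riskyshare.example", t0)                        # warned
    m.evaluate("alice", "riskyshare.example", t0, bypass=True)           # bypass recorded
    m.evaluate("alice", "riskyshare.example", t0 + timedelta(hours=1))   # still within bypass
    m.evaluate("alice", "riskyshare.example", t0 + timedelta(hours=25))  # bypass expired: warned again
    m.evaluate("alice", "banneddrive.example", t0)                       # blocked
    return m
```

After `demo()` runs, `m.stats` holds the per-app counts that the app overview page summarises as applied controls.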

Next steps

If you run into any problems, we're here to help. To get assistance or support for your product issue, please open a support ticket.