Microsoft Defender for Cloud Apps Reviews

For security purposes, we use Microsoft Defender for Cloud Apps for container scanning, specifically AKS scanning. We use it for vulnerability management and assessment. We use it for storage account scanning for malware and unauthorized access and IP address whitelisting for our VMs.

We use it for compliance to ensure that all our VMs and storage accounts follow the SOC 2 Type 2 attestation framework, ISO 27000 framework, and IST/CSF frameworks, PCI DSS, HIPAA, and similar compliance requirements. The compliance capabilities of Microsoft Defender for Cloud Apps are quite extensive. It can also scan for cloud discovery and SaaS-based applications.

The implementation was very straightforward and helped us significantly. We did not need any external experts to implement it. Within our DevOps team, my team can manage it and easily integrate new features.

We are on public cloud, and Microsoft Defender for Cloud Apps is quite capable. As long as everything is integrated and seamless with uniformity, it works flawlessly. Users get notifications when they are set up, and everything works really efficiently.

Cloud Discovery is particularly valuable. We utilize it extensively. We have policies set up to ensure that cloud apps and SaaS-based applications are monitored. This feature is particularly handy for security teams such as mine.

Licensing cost is a significant concern. With Defender Plan 1, Microsoft Defender for Cloud Apps comes with a pay-per-use model. Each feature has its own pricing when activated on VMs. For example, the vulnerability assessment has separate pricing, the base model including encryptions has separate pricing, and the compliance features have separate pricing. This applies to each VM and Azure resource individually.

It is not straightforward where you can take one license and apply it to everything. Each feature has its own pricing model which can be tedious, as the costs keep accumulating.

The only lacking feature currently is XDR (extended detection and response). Apart from that, I have only positive experiences with the whole Microsoft suite, except for the pricing structure.

I have been using this solution since 2020, and I personally have been using it since 2022.

The deployment was straightforward since it is on Azure. Microsoft Defender for Cloud Apps is a SaaS-based Microsoft application, so everything was seamless, and we did not need any external help.

We have not experienced any issues or incidents so far. We monitor the system daily and perform regular checks. It is a stable product.

The customer service is really good and straightforward.

Positive

Since I came with prior experience, the setup was quite simple for me.

The return on investment has been quite extensive.

At the time of implementation, when the size of our organization was small, it was a more affordable product. Since all our productivity applications were on O365, Microsoft Defender for Cloud Apps made sense for our organization.

Our choice was influenced by our use of public cloud, specifically Azure, so Microsoft Defender for Cloud Apps was a logical choice.

Implementation requires some knowledge base reading and research, but it is not overly difficult. It does not require a specialized person to set everything up because Microsoft's knowledge base is extensive. You can find all necessary information in Microsoft's KB documents.

The solution's goodwill is noteworthy because Microsoft invests one billion dollars annually in security. Daily improvements and changes can be observed in the portal itself, which is highly beneficial.

We can control costs through our cloud management by disabling unused resources. There are different strategies available for cost management.

The implementation typically takes about an hour.

I rate Microsoft Defender for Cloud Apps a 9 out of 10.

Microsoft Defender for Cloud Apps is used for enforcing policies like bulk file download and bulk file upload. It is being used on risky apps to examine what people are accessing, and it is used to block categorically certain things such as disallowed file shares, torrenting sites, and artificial intelligence services that the organization does not want people accessing or loading company information into those publicly available AI models.

The favorite feature of Microsoft Defender for Cloud Apps is the categorical blocking capability. This feature appears to be fed from Microsoft Security Intelligence feeds, which seem to be better than other solutions that would need to be subscribed to separately. The product recommends things that need to be blocked and allows for dynamic configuration, which cuts down on potential issues that might arise from going through lists and understanding what needs to be blocked.

The organization was also looking at Microsoft Defender for Cloud Apps to help apply labels to data so that it can be protected from internal operations and customers.

The fidelity of the signal in Microsoft Defender for Cloud Apps has been a challenge in some areas. There have been instances where the alerts generated have been false positives. A lot of work has to go into scoping and tuning the policies so that actual value can be achieved, especially when not doing outright blocks. When monitoring is the approach, it can be overwhelming for security teams to review all of the alerts and determine which ones require action. When a legitimate alert is found that requires action, the tools are available to take that direction, but it can take considerable time to determine if an alert is real or not, and that represents a problem.

There is uncertainty about how well Microsoft is keeping up with the changing landscape of threats, as new artificial intelligence services and software as a service applications appear every day.

Microsoft Defender for Cloud Apps has been used since it first came in as part of the EMS capability when the company was acquired. It was previously called MCAS, or Microsoft Cloud Access Security. This represents approximately eight to nine years of usage.

Because the organization has to go to many different places to get a full view of security of the environment and the technologies being rolled out, Microsoft Defender for Cloud Apps is effective for its pane of glass. However, to get the bigger picture, it remains a problem to be able to see across the different panes.

The initial setup was straightforward. Since the organization is cloud-born and the few managed workloads still in use are run in Azure, it was easy to connect Microsoft Defender for Cloud Apps and start seeing the signal immediately. The biggest effort involved rolling out all the desired policies and then scoping and tuning them appropriately so that the fidelity of signal could be relied upon if there was an issue.

The organization had looked at some other Cloud Access Security Brokers, but given the direction the organization and most of its customers were going, and the fact that Microsoft Defender for Cloud Apps was already cloud-based, other solutions that had agents on the endpoints in addition to Microsoft Defender for Endpoint did not seem appropriate. Those alternatives represented additional cost. Microsoft Defender for Cloud Apps is included in the E5 licensing. After evaluating the models and capabilities, the organization saw the long-term strategy that Microsoft had regarding integration of all the Defenders and the ability to look across all the different points of the kill chain, and determined that eventually Microsoft would win this battle.

Our usual use case for Microsoft Defender for Cloud Apps involves looking at data flows outside of the company and how it's classified, how it's labeled, and then making sure that confidential information is not sent to cloud solutions which we do not control. That's the way we use it.

The features of Microsoft Defender for Cloud Apps that I have found most valuable include the overall portal view, with bubble graphs which give us insight into what goes where in the categorization, nowadays with Generative AI but all kinds of categorization, collaboration, etc. That central view of the portal is very useful for us.

The impact of Microsoft Defender for Cloud Apps on our organization's ability to assess and manage app related risks has been significant because we have more visibility. Therefore, we can add more control, and we have already done so. This was not possible in the old solution, in the old CASB solution with Netskope. We now can see on the spot, and we do that almost weekly, what the end users are utilizing, which cloud providers or cloud apps they're using.

The visibility into OAuth apps provided by Microsoft Defender for Cloud Apps is very good. The visibility into risk and risk management of our organization's Generative AI apps is very nice, as you can choose the category Generative AI and then see exactly what traffic has been going to and from Generative AI in the cloud. This makes us very insightful on what is used within the company.

We have some policies on blocking specific Generative AI, and we use within our company one particular AI part, which is CoPilot of Microsoft. In this way, we can see what the end users are using other than CoPilot, and that makes us more in control.

The effectiveness of the integration of Microsoft Defender for Cloud Apps with Defender XDR and defending against SaaS attacks is very intuitive. It works immediately if we create a new policy or in Purview or in Microsoft Defender for Cloud Apps, or when we make an app unsanctioned by blocking it, then it is almost immediately, or at least within a couple of hours, effective on all the endpoints where the EDR is running. This gives us much better control over things than before.

An area of Microsoft Defender for Cloud Apps that needs to be improved or enhanced is the reporting function. In the beginning, there was a good reporting function which gave us a sort of monthly overview report. But that has gone away. Unfortunately, I loved that because I don't need to create a report myself, which we do now. We do that weekly, but it was very handy when it was available to us. Microsoft withdrew that capability. Nevertheless, overall, I am very satisfied with the solution.

We are using that now for six months.

My experience with the deployment of Microsoft Defender for Cloud Apps had no challenges because it actually is part of the Defender suite. If you have the E5 license of Microsoft, it's just a matter of turning it on and using it. Then thinking about the policies you need to define, but it's already in the solution. It's completely integrated in all the Defender solutions, including EDR, Defender, and that's the good thing of Microsoft solutions.

My impression on the stability and reliability of Microsoft Defender for Cloud Apps is that it is very stable. I have no complaints; it's never out. I have no problems with Microsoft Defender for Cloud Apps. It always works.

As for the scalability, I am satisfied with how Microsoft Defender for Cloud Apps scales up or down. I'm very satisfied with that.

We started using Microsoft Defender for Cloud Apps immediately on all the endpoints and all the end users. I think we're pretty stable with a couple of thousand end users, and that will remain. That is pretty stable. I'm foreseeing no increase in employees for the next couple of years, so it's a stable environment.

I would rate the technical support for Microsoft Defender for Cloud Apps an eight.

Positive

Prior to adopting Microsoft Defender for Cloud Apps, we were using another solution called Netskope to address similar needs.

We decided to switch from Netskope because of the integration; we were a full-blown Microsoft company. The integration within Netskope had some technical difficulties with the break out of Netskope, which were related to the network and agents. On the endpoints, we want to have as fewer agents as possible to minimize the number of agents. We had the EDR agents, which was Defender, and the Netskope agents together on the endpoint. Now we got rid of the Netskope agents. Going from two to one is always better than having several agents. It was about network limitations, definitions, and agents on the endpoint.

My impression on the pricing, setup costs, and licensing of Microsoft Defender for Cloud Apps is that it's fair. I don't know by heart the exact pricing, but it's part of the E5 license which we already have for years. It was just a matter of turning it on and going forward and configuring it. The CASB solution of Netskope was pretty costly. We actually got money back because we didn't use Netskope anymore.

We have at least saved the costs we had from the Netskope solution this year. That immediately gives us the return on investments. It was very costly, the Netskope solution.

My impression on the pricing, setup costs, and licensing of Microsoft Defender for Cloud Apps is that it's fair. I don't know by heart the exact pricing, but it's part of the E5 license which we already have for years. It was just a matter of turning it on and going forward and configuring it.

I'm the Cyber Analyst within the company and I'm using Microsoft Defender for Cloud Apps as an end user, but also changing the settings and policies within that environment. It works closely together with Purview of Microsoft, labeling, and setting all kinds of labels to files.

We decided to switch from Netskope because of the integration; we were a full-blown Microsoft company. The integration within Netskope had some technical difficulties with the break out of Netskope, which were related to the network and agents. On the endpoints, we want to have as fewer agents as possible to minimize the number of agents. We had the EDR agents, which was Defender, and the Netskope agents together on the endpoint. Now we got rid of the Netskope agents. Going from two to one is always better than having several agents. It was about network limitations, definitions, and agents on the endpoint.

I would rate Microsoft Defender for Cloud Apps an eight out of ten, leaving some space for improvement.

My use case for Microsoft Defender for Cloud Apps is mostly to check SharePoint-related activities, the OneDrive file access, and any Teams operations, including creation and access level-related use cases, as well as adding and deleting users from Teams groups.

The raw logs that come directly from Microsoft Defender for Cloud Apps contain all the data I need. I check from there, and the ability to track activities happening on cloud applications and the alerts provided is an interesting aspect.

Microsoft Defender for Cloud Apps provides benefits of tracking multiple actions happening across the Microsoft Defender for Cloud ecosystem. The benefits vary client to client depending on their configuration and desired level of security posture. It provides excellent suggestions and options for configuration; for example, it can track suspicious files getting uploaded to cloud resources on Azure based on their signatures, generating alerts for those files. Additionally, it can track login activities, which I find beneficial.

Microsoft could improve Microsoft Defender for Cloud Apps by adjusting the logs that are flowing, as they seem to be excessive. They are direct raw logs, so if the logs were coming in a bifurcated way with different columns to help create new use cases, that would be better instead of manually parsing the logs to extract the needed data.

Additionally, the graph displayed in the Defender portal mostly doesn't capture the full picture as we see in endpoint-related or identity-related alerts; we can see a complete graph of what is happening there, but Microsoft Defender for Cloud Apps still falls short in capturing that whole aspect in the graph.

Microsoft Defender for Cloud Apps would benefit if Microsoft allows users to fine-tune false positives, enabling us to dismiss alerts or make adjustments so that such things don't trigger multiple times in the future.

I have been working with Microsoft Defender for Cloud Apps for around two years.

I would rate the stability of Microsoft Defender for Cloud Apps as a six.

When it comes to scalability, Microsoft Defender for Cloud Apps is already covering most of the necessary aspects, so I would rate it an eight or nine.

I am unable to suggest alternatives to Microsoft Defender for Cloud Apps, as I have been part of Microsoft solutions since the beginning of my career for close to five years, which limits my ability to provide alternative suggestions.

The visibility into all apps provided by Microsoft Defender for Cloud Apps is basic. I am not working with the risk management or generative AI features because AI doesn't get involved here. We have it for Microsoft Defender for Cloud, but not for Cloud Apps. We have the Purview option, which gives additional supporting evidence while investigating alerts, but I have not seen the AI capabilities in Cloud Apps recently.

I work with a company that provides Microsoft solutions to clients. If Microsoft were to offer the option to fine-tune alerts on the Azure platform, allowing for more precise adjustments to use cases, that would be a very good enhancement.

I rate Microsoft Defender for Cloud Apps an eight out of ten as it is already performing everything nicely.

The usual use cases that I work with for cloud apps using Microsoft Defender for Cloud Apps involve checking MFA for portal access and special applications. For database access, we verify different levels of access control.

We also consider network security, specifically how output requests are going out from the cloud.

The most valuable feature of Microsoft Defender for Cloud Apps is that we are primarily using only the Defender for Cloud on the Azure Cloud. We do not have any other CSPM tools.

We explored other clients for demos, but due to budget constraints, we are not looking for any CSPM tools. The default tool is Defender, though its feature usage depends on a case-by-case basis. Defender itself is not a simple tool as it has numerous features that require payment.

Microsoft Defender for Cloud Apps has benefited our organization by providing routine security assessments, as Defender is one part of our security solution, not the complete solution.

We have an Azure policy set up for the cloud, and based on that policy, we have Defender findings. Our operating group assesses whether a change control is needed and mitigates those risks, making use of Defender.

However, Defender is not the sole tool; we also have a firewall, Qualys solution, and CrowdStrike solution among other things.

The areas of Microsoft Defender for Cloud Apps that need improvement are related to IAM, as they do not provide much support for local users.

Defender typically connects to Entra ID, but we have local users on the cloud for database access, SSH, or RDS, and there is nothing produced by Defender regarding those local IAM users.

Defender largely integrates with Entra ID, leaving a gap for local IAM users.

We have been using Microsoft Defender for Cloud Apps for 3 years.

I did not experience the deployment of Microsoft Defender for Cloud Apps myself, as I'm part of security and we do not handle the deployment or remediation.

I would assess the stability and reliability of Microsoft Defender for Cloud Apps as stable, and we have not experienced much downtime or performance issues so far. While there might be localized issues, they typically resolve quickly.

Microsoft Defender for Cloud Apps scales effectively, but I do not know how the licensing and expansion of usage are managed.

If we need to add users, there is no issue, but for subscriptions, we must extend Defender's coverage to those new subscriptions.

We have support for Microsoft Defender for Cloud Apps through a TAM, or Microsoft support for Microsoft tools, and we do not have issues with that.

If we need something new to understand or have questions, we have support available.

Positive

We did not use another solution before adopting Microsoft Defender for Cloud Apps because we started using Defender as soon as we started using Azure.

Regarding the pricing setup cost and licensing of Microsoft Defender for Cloud Apps, we do not deal with pricing.

We have a FinOps team for that. We are part of security, so we don't look into FinOps; it is divided into operations, FinOps, SecOps, and other departments.

I do not have experience with other solutions because we exclusively use Microsoft Defender for Cloud Apps.

We use it to review the security posture of the cloud.

When considering Microsoft Defender for Cloud Apps separately, it is only for Microsoft Defender for Azure Cloud, and we do not have the same solution for all cloud architectures. For AWS, we use Security Hub. Defender is where we get all the security findings, and we have all the configurations enabled to get those findings.

The visibility into apps provided by Microsoft Defender for Cloud Apps is a service that you enable based on chosen features. It is a good tool with most needed features available. It is a pay-as-you-go service. For Azure, it works fine, but it is not a viable solution for AWS.

The visibility has impacted our organization's ability to assess and manage app-related risks, as we actively monitor the security score from Defender. We do not get a perfect score of 100%, but we receive around 75-80% depending upon the patching status of the applications.

We actively try to mitigate Defender incidents and findings to maintain the score closer to 80%.

The deployment of Microsoft Defender for Cloud Apps in our organization is exclusively on Azure cloud. It is a good tool that provides visibility into applications, showing how policy is being used and identifying resources with open ports.

On a scale of 1-10, I rate Microsoft Defender for Cloud Apps an 8.

Positive

We have been using Microsoft Defender for Cloud Apps primarily for discovery. We have locked down our consent apps, so users can no longer create apps in our environment without approval. We are looking to retroactively fix a lot of that and build out a governance program going forward.

Defender for Cloud Apps has given us good visibility regarding what we've allowed into our environment until now. It helps us to know our inventory, understand what our customers are using, and steer them toward safer practices.

We have also locked down our consent apps, so users can no longer consent on their own behalf to create apps in our environment. Primarily, we are using it for discovery at this point and are looking to retroactively fix past actions.

We are having trouble with our continuous reporting configuration and struggling with configuring the collector properly with our log parsing. We've also faced difficulties getting support for this issue. It's taken us months to figure this out after going through a couple of different support channels.

We have been using Defender for Cloud for about eight months. 

It's too early to tell. We haven't really had any issues with what we've seen so far. Like any other Microsoft product, the uptime is good.

For what I know about the log collector and how much data it can take in, it is super scalable and capable of handling high workloads.

I rate Microsoft support seven out of 10. Their customer service is pretty good, but it's frustrating to go through three or four channels before reaching the right person. Ultimately, problems get solved, but it takes a while.

Neutral

This is the first one of its kind. We did not use a solution before this.

We are talking with Infolock, who provides us assistance with Purview. We have relationships with Microsoft directly. Infolock is a good consultant; we talk with them weekly and they provide solid answers.

The biggest return on investment so far has been visibility, knowing what we have in our environment. That's the most important part for us.

I'm familiar with the licensing requirements to get our job done, but not from a pricing standpoint. That is not my job.

We didn't evaluate other solutions before making this choice. We are really doing the evaluation now on them.

I'll give Microsoft Defender for Cloud Apps an eight out of 10. It has a lot of potential and needs to stay around so I can continue my work.

For Microsoft Defender for Cloud Apps, I used it in cloud applications. It helped me identify if someone was attempting to access applications without the correct credentials. It provided me with information on where access attempts were made and what type of information was being sought.

The most valuable features of Microsoft Defender for Cloud Apps include live, up-to-date information, which provided real-time alerts, and the ability to delve into detailed metadata information. This capability was particularly useful for me in determining unauthorized access attempts. The anomaly detection features were also beneficial, as they learned how the system operated and provided useful information. However, further investigation was sometimes necessary for me to determine if alerts were false positives.

A significant improvement I would like to see is the integration into a single pane of glass, which would allow me to view everything in one place rather than having to switch between different areas.

I have been using Microsoft Defender for Cloud Apps for over three years.

The stability was generally very good for me. However, there were a few incidents where issues arose, affecting users globally until they were resolved.

In my experience, Microsoft Defender for Cloud Apps is good enough for small to medium businesses. The scalability may require additional resources for larger business operations.

My experience with customer service was hit or miss. There were instances where the engineers were knowledgeable and helpful, but at other times it felt like a ping pong game, with unnecessary transfers until the right person was found.

Neutral

The initial setup was not simple for me. Assistance from consultants was necessary to guide me through the setup process due to the complex nature of the solution.

Only one person was required, but they needed to have experience with the solution. My organization had assistance from a third-party consultant in the UK, but I do not remember the specific company.

As a small team, Microsoft Defender for Cloud Apps allowed us to manage systems with just one or two people. With a growing company, managing the solution may require more resources, like a managed SOC.

My organization is currently revisiting pricing, but previously, the cost was a bit expensive, yet comparable to other solutions with similar functionalities and features.

The evaluation my organization did included solutions providing similar functionalities.

The overall rating I would give for Microsoft Defender for Cloud Apps is eight out of ten. The support experience and features like the single pane of glass are areas that could see further improvement. If these enhancements were made, the rating could increase to nine.

My use of CloudApp in this scenario is to manage the usage of secure cloud applications. I assist the customer in deciding and integrating only secure cloud apps into their environment, using Defender for Cloud Apps discovery and alerting scenarios to identify which cloud apps should not be available. 

I particularly alert for new applications, implementing those alerting routes so that the customer is aware when new apps are added to the Cloud Discovery catalog, especially those using legacy authentication protocols.

The discovery function and the discovery catalog are really valuable. The ability to sanction unsanctioned apps using Secure Score benchmarking, included in Cloud, is also beneficial. These features enhance the organization by helping to manage and control cloud app usage effectively.

The insights could be improved, especially in reporting. While it is possible for me to see the usage from different cloud apps, determining if critical data has been uploaded or if it is just normal transport data is difficult. 

Previously, I could drill down into data uploaded by specific users or IP addresses from a cloud app, however, this is no longer available. For data loss prevention, it would be useful to be able to drill down into the kind of data being transferred over CloudApp. 

Additionally, the info boxes are sometimes misleading. Guided assistance would be helpful.

I have worked with this solution for four or five years.

I would rate it a ten because I have not experienced any stability issues so far with Defender for Cloud Apps. The solutions run very stably. 

Occasionally, some tenants experience a bit of latency, however, it is mostly a network issue, not related to the solution itself.

I would say it is in the middle since you need some deep knowledge to get those reports and everything running properly.

I am usually not doing this alone and am not really the one implementing those infrastructures. I did it in cooperation with my colleague.

I would recommend users of enterprise licenses to focus quickly on the solution because you can then control your web app usage from the beginning. Most environments have collected thousands of cloud apps in their catalog because they do not sanction any apps. Starting from scratch will help you control and mitigate the risk of attacks through low-security cloud apps. Overall product rating: nine out of ten.

We use Microsoft Defender for Cloud Apps for discovery, data exfiltration, and sensitive data exposure.

Some organizations with E5 or E3 licenses enable Microsoft Defender for Cloud Apps for their users, often with default settings. These organizations typically use OneDrive and SharePoint. With Defender for Cloud Apps, especially when integrated with Defender for Endpoint, they want to monitor which SaaS applications their users are accessing. The primary goal is to discover and track the types of SaaS apps their users use.

Microsoft makes setting up discovery and visibility into cloud app usage easy. I also appreciate its full integration with other Defender and XDR products, such as Defender for Identity, Defender for Office 365, and Defender for Endpoint. You can ingest data from all these endpoints. I especially like the feature that allows you to discover which SaaS applications users access.

Microsoft has been high on implementing Copilot. If it is already integrated for using Copilot for security, that would be great.

I have been using Microsoft Defender for Cloud Apps for three years.

It's pretty stable.

 It has been reliable. I haven't seen it fail. There can be some confusing configuration issues sometimes, but it's quite dependable overall.

It is used by small, large, and government entities.

Improved communication and follow-up would be helpful. Sometimes, we don’t hear back after creating a ticket for a day or two. Even when an engineer is assigned, responding can still take a while despite providing all the necessary logs and information upfront.

Neutral

The deployment process is quick, taking two to three days. The implementation and customization require more time. We need to adjust the setup to fit the client's needs, which involves fine-tuning notifications and alerts to avoid overwhelming them.

First, you need the appropriate licensing. Once you have that, go to security.microsoft.com and integrate with Defender for Endpoints to receive information. While you can ingest logs from different firewalls, such as Palo Alto or Cisco, we usually implement them with Defender for Endpoints. Once a laptop or desktop is set up in Defender for Endpoints, integrating Cloud Apps with the endpoints allows us to collect the data easily.

I rate the initial setup a nine out of ten, where one is difficult and ten is easy.

Taking a proactive approach to keeping your environment secure and informed is key. Microsoft Defender for Cloud Apps helps you monitor what applications your users use and ensures they aren't using any sanctioned by your organization. This proactive control is a significant return on investment.

It's relatively low-cost, especially since it's often bundled with Microsoft 365.

It is also tied to data management. Since it's integrated, it can notify us of potential data exfiltration, like when large amounts of data are leaving the system or the Microsoft Cloud. This feature helps protect intellectual property and sensitive information subject to regulations and compliance standards, such as SOX or NIST. It plays a key role in ensuring data compliance and security.

It's fully integrated with other Microsoft security features. You can even connect it to Microsoft Sentinel, their SIEM product. The integration makes everything work better together, with less deployment effort and a single portal for managing your applications, eliminating the need to switch between different platforms.

Overall, I rate the solution a nine-point out of ten.