Hanna Korotka

Mastering Cloud Security: The Essential Integration of Microsoft Defender for Cloud Apps with Microsoft Defender for Endpoint

Updated: Oct 16


As businesses increasingly embrace cloud-based applications and services, the need to secure these environments becomes paramount. Integrating Microsoft Defender for Cloud Apps with Microsoft Defender for Endpoint offers a comprehensive solution to safeguard your data and defend against potential threats. This integration provides seamless visibility and control over shadow IT, ensuring that your organization can operate securely and efficiently.


Why should you integrate Microsoft Defender for Cloud Apps with Microsoft Defender for Endpoint?


Defender for Cloud Apps uses a built-in Unsanctioned app tag to identify cloud applications that are prohibited for use. This tagging is available in both the Cloud Discovery and Cloud App Catalog pages. By enabling integration with Defender for Endpoint, administrators can block access to these unsanctioned apps with just a single click.


Apps marked as Unsanctioned in Defender for Cloud Apps are automatically synchronized with Defender for Endpoint. The domains associated with these apps are propagated to endpoint devices, where Microsoft Defender Antivirus blocks them within the Network Protection Service Level Agreement (SLA).


Prerequisites


  • Microsoft Defender for Cloud Apps license

  • One of the following:

    • Microsoft Defender for Endpoint with Plan 2

    • Microsoft Defender for Business with a premium or standalone license

  • Microsoft Defender Antivirus:

    • Real-time protection enabled

    • Cloud-delivered protection enabled

    • Network protection enabled and configured to block mode

  • One of the following supported operating systems:

    • Windows: Windows versions 10 18.09 (RS5) OS Build 1776.3, 11, and higher

    • Android: minimum version 8.0

    • iOS: minimum version 14.0

    • macOS: minimum version 11

  • Administrator access to make changes in Defender for Cloud Apps.
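
The three Microsoft Defender Antivirus prerequisites above can be checked on a Windows endpoint before the integration is switched on. The following is an added example, not part of the original post; it assumes a Windows device with the built-in Defender PowerShell module, and the function name `Test-CloudAppBlockingPrereqs` is hypothetical.

```powershell
# Added example (not from the original post). Run on a Windows endpoint
# where the built-in Defender module (Get-MpPreference) is available.
function Test-CloudAppBlockingPrereqs {   # hypothetical helper name
    [CmdletBinding()]
    param()

    $pref   = Get-MpPreference
    $status = Get-MpComputerStatus

    # EnableNetworkProtection: 0 = Disabled, 1 = Enabled (block), 2 = Audit
    $npMode  = [int]$pref.EnableNetworkProtection
    $npNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit' }

    # MAPSReporting: 0 = Disabled, 1 = Basic, 2 = Advanced
    $maps      = [int]$pref.MAPSReporting
    $mapsNames = @{ 0 = 'Disabled'; 1 = 'Basic'; 2 = 'Advanced' }

    $checks = @(
        [pscustomobject]@{
            Prerequisite = 'Real-time protection enabled'
            Observed     = [bool]$status.RealTimeProtectionEnabled
            Pass         = [bool]$status.RealTimeProtectionEnabled
        }
        [pscustomobject]@{
            Prerequisite = 'Cloud-delivered protection enabled'
            Observed     = $mapsNames[$maps]
            Pass         = ($maps -ne 0)
        }
        [pscustomobject]@{
            Prerequisite = 'Network protection in block mode'
            Observed     = $npNames[$npMode]
            # Audit mode only logs the connection; the app stays reachable.
            Pass         = ($npMode -eq 1)
        }
    )
    $checks
}

$results = Test-CloudAppBlockingPrereqs
$results | Format-Table -AutoSize
if ($results.Pass -contains $false) {
    Write-Warning 'One or more prerequisites are not met on this device.'
}
```

Where network protection is disabled or in audit mode on a device that is not managed by policy, `Set-MpPreference -EnableNetworkProtection Enabled` switches it to block mode.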


Configure Integration and Manage Discovered Apps


Step 1: Integrate Microsoft Defender for Endpoint with Defender for Cloud Apps


  1. In the Microsoft Defender portal, navigate to Settings > Endpoints > General > Advanced features.

  2. Toggle Microsoft Defender for Cloud Apps to On.

  3. Select Save preferences.


Step 2: Enable Cloud App Blocking


In the Microsoft Defender portal, select Settings, then choose Cloud Apps. Under Cloud Discovery, select Microsoft Defender for Endpoint, and then select Enforce app access.


In the Microsoft Defender portal, go to Settings > Endpoints > Advanced features, and then select Custom network indicators.


This allows you to leverage Microsoft Defender Antivirus network protection capabilities to block access to a predefined set of URLs using Defender for Cloud Apps.


(Optional) Step 3: Configure scoped profiles to block usage for specific device groups


  1. In the Microsoft Defender portal, select Settings, then choose Cloud Apps. Under Cloud discovery, select Apps tags and go to the Scoped profiles tab.

  2. Select Add profile. The profile sets the entities scoped for blocking/unblocking apps.

  3. Provide a descriptive profile name and description.

  4. Choose whether the profile should be an Include or Exclude profile.

    • Include: only the included set of entities will be affected by the access enforcement. For example, the profile myContoso has Include for device groups A and B. Blocking app Y with the profile myContoso will block app access only for groups A and B.

    • Exclude: The excluded set of entities won't be affected by the access enforcement. For example, the profile myContoso has Exclude for device groups A and B. Blocking app Y with the profile myContoso will block app access for the entire organization except for groups A and B.

  5. Select the relevant device groups for the profile. The device groups listed are pulled from Microsoft Defender for Endpoint. To create a device group, see Create a device group.

  6. Select Save.


Step 4: Block apps


Once traffic information is collected, we can view the discovered device data in the Cloud Discovery dashboard. In the Microsoft Defender portal, under Cloud Apps, select Cloud discovery. The dashboard should now be populated with data on discovered apps, resources, devices, users, and so on. To block apps:

  1. Go to the Discovered apps tab.

  2. Select the app that should be blocked.

  3. Tag the app as Unsanctioned.

  • To block all the devices in your organization, in the Tag as unsanctioned? dialog, select Save.

  • To block specific device groups in your organization, select Select a profile to include or exclude groups from being blocked. Then choose the profile for which the app will be blocked, and select Save.

    The app now appears as Unsanctioned.


When users attempt to access an app that has been marked as unsanctioned, they will be redirected to the block page.


Integrating Microsoft Defender for Cloud Apps with Microsoft Defender for Endpoint is not just about enhancing security; it’s about establishing a proactive stance against potential threats in your cloud environment. By effectively managing discovered applications and blocking unsanctioned ones, you can significantly reduce your organization's risk profile.


Don’t wait for a security breach to act. Schedule a meeting with our experts and discover how we can assist you in protecting your business from evolving cyber threats while optimizing your security infrastructure.
