It’s storm season here in Texas, so I figured I would talk a bit about Cloud Apps (see what I did there?). I work with a lot of customers, and I feel that one of the most under-utilized features is the integration between Defender for Cloud Apps and Defender for Endpoint. With an E5 license, users are licensed for both Cloud Apps and Defender for Endpoint. Defender for Cloud Apps ingests device telemetry from Defender for Endpoint, identifies risky cloud services, and tags them as Unsanctioned. We all know Shadow IT keeps many security teams up at night. Fortunately, Microsoft 365 E5 already ships with two heavyweight solutions, Defender for Cloud Apps (MDCA) and Defender for Endpoint (MDE), that, when integrated, shine a bright light on risky cloud usage and stop it at the network level.
License & Prerequisites
Because nothing moves without a license key.
| Requirement | Details |
| --- | --- |
| Licensing | Microsoft 365 E5 (or equivalent MDCA + MDE licenses). |
| Endpoint onboarding | Devices must already report into Microsoft Defender for Endpoint. |
| Defender AV configuration | Real-time protection, cloud-delivered protection, and, critically, Network Protection in block mode. A full list can be found here. Audit mode is fine for a pilot, but it’s like hiring a bouncer who only writes poetry about the troublemakers. |
Flip the Integration Switches
Enabling the integration is a straightforward process performed in the Microsoft 365 Defender portal. The integration will allow Defender for Cloud Apps to ingest endpoint cloud usage logs and also enforce blocking of unsanctioned apps on those endpoints. Follow these steps to turn on the integration and app blocking:
1. Microsoft 365 Defender portal – Settings > Endpoints > General > Advanced Features
- Enable Microsoft Defender for Cloud Apps (it may take up to two hours after enabling for the initial data to appear in the Cloud Apps portal)

- Enable Custom network indicators

2. Click Save Preferences. (It’s hidden towards the bottom and easy to overlook.)
3. Settings > Cloud Apps > Cloud Discovery > Microsoft Defender for Endpoint
- Toggle Enforce app access to On.

4. Verify policy propagation: Once the above settings are enabled, any cloud applications you tag as Unsanctioned (more on this here in a second) in Defender for Cloud Apps will sync to Defender for Endpoint automatically. The integration works by taking the domains associated with an unsanctioned cloud app and adding them to Defender for Endpoint’s custom indicators list as blocked URLs/domains.
5. Ensure that Microsoft Defender Antivirus’s Network Protection is active in block mode on your endpoints (through Intune policy or Group Policy) so that the custom indicator blocks will actually be enforced.
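Before tagging anything, it helps to confirm that a given endpoint actually meets the prerequisites above. The following is an added example (not from the original post or Microsoft) that reads the local Defender AV settings and the MDE onboarding state on a Windows device; it assumes the built-in Defender cmdlets are available and is run from an elevated prompt.

```powershell
# Added example: prerequisite check for the MDCA/MDE unsanctioned-app block.
# Run elevated on a Windows endpoint that should honor the blocks.

function Test-UnsanctionedAppBlockPrereqs {
    [CmdletBinding()]
    param()

    $pref   = Get-MpPreference
    $status = Get-MpComputerStatus

    # EnableNetworkProtection: 0 = Disabled, 1 = Enabled (block), 2 = Audit mode
    $npMode = switch ($pref.EnableNetworkProtection) {
        1       { 'Block' }
        2       { 'Audit' }
        default { 'Disabled' }
    }

    # MDE writes its onboarding state to the registry once the Sense agent is onboarded
    $atpKey    = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
    $onboarded = (Get-ItemProperty -Path $atpKey -ErrorAction SilentlyContinue).OnboardingState -eq 1
    $sense     = Get-Service -Name Sense -ErrorAction SilentlyContinue

    [PSCustomObject]@{
        RealTimeProtection    = $status.RealTimeProtectionEnabled
        CloudProtection       = $pref.MAPSReporting -ne 0   # 0 = Disabled, 1 = Basic, 2 = Advanced
        NetworkProtectionMode = $npMode
        MdeOnboarded          = $onboarded
        SenseServiceRunning   = ($sense.Status -eq 'Running')
    }
}

$result = Test-UnsanctionedAppBlockPrereqs
$result | Format-List

# The custom indicators MDCA pushes to MDE are only enforced in block mode.
if ($result.NetworkProtectionMode -ne 'Block') {
    Write-Warning "Network Protection is '$($result.NetworkProtectionMode)'; unsanctioned-app blocks will not be enforced here."
}
if (-not $result.RealTimeProtection -or -not $result.CloudProtection) {
    Write-Warning 'Real-time and/or cloud-delivered protection is off; fix the Defender AV configuration first.'
}
if (-not $result.MdeOnboarded -or -not $result.SenseServiceRunning) {
    Write-Warning 'This device is not reporting into Defender for Endpoint, so it will never receive the indicators.'
}
```

For a pilot machine you can switch Network Protection locally with `Set-MpPreference -EnableNetworkProtection Enabled`, but production settings should come from the Intune or Group Policy baseline so they do not drift.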

Unsanctioning an Application
Where “No” actually means “Network packets denied.”
For my demo I will use an application named iLovePDF. No reason really other than I like the name.
1. Navigate to Cloud Apps > Cloud App Catalog.
2. Search for the app you wish to block (iLovePDF).

3. Open the app profile and choose Unsanction.
If we drill down into this application, we can see a ton of beneficial information including the risk score for the application. We’ll cover this in a lot more detail in a later blog post, but for now we’re simply going to “Unsanction” the application.

Consequently, MDCA creates URL/IP indicators and hands them to MDE. Within minutes, endpoints will treat that service like it’s emitting pop-ups from 2005.

What Happens at the Endpoint
- User experience – A browser block page (or Windows toast) states the site is prohibited and nudges the user toward corporate-approved options.
URL:

Application Launch:

The notification can be customized by administrators. Defender for Cloud Apps allows you to define a custom “block page” URL (e.g. a SharePoint page or help desk article) that users can click for more information when they encounter a blocked app. Expect a ticket or two; nobody loves losing their favorite novelty GIF site.
- Administrator Experience – MDE raises an alert each time a device even attempts to reach an unsanctioned domain. Analysts keep everything on a single pane of glass rather than a hall of mirrors.

It’s worth noting that even in cases where a block cannot be enforced, the system will still inform administrators. For example, if an endpoint is not yet configured correctly or the policy hasn’t propagated in time, a user might momentarily access an unsanctioned app. Defender for Endpoint will detect that and send an alert indicating an unsanctioned app was accessed without being blocked. This gives admins visibility into policy gaps: you might see an alert and realize a certain device isn’t honoring the block, prompting you to check whether that machine’s network protection is enabled or whether it hasn’t yet received the latest policy.
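When one of those “accessed without being blocked” alerts lands, the quickest way to confirm the gap on the device itself is the Defender operational log. The following is an added example (not from the original post or Microsoft) that pulls recent Network Protection events on the local machine; it assumes the default log name and an elevated prompt.

```powershell
# Added example: list recent Network Protection hits on the local device.
# Event ID 1126 = the match was blocked (block mode); Event ID 1125 = the match was
# only audited (audit mode), which is exactly the "accessed without being blocked" gap.

function Get-NetworkProtectionHits {
    param([int]$Hours = 24)

    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1125, 1126
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        [PSCustomObject]@{
            Time    = $_.TimeCreated
            Mode    = if ($_.Id -eq 1126) { 'Blocked' } else { 'AuditOnly' }
            # The message text carries the URL/domain that matched the indicator
            Message = $_.Message
        }
    }
}

$hits = Get-NetworkProtectionHits -Hours 24
$hits | Sort-Object Time -Descending | Format-Table -AutoSize

# Any AuditOnly rows mean the device saw the unsanctioned domain but did not enforce the block.
if ($hits | Where-Object Mode -eq 'AuditOnly') {
    Write-Warning 'Audit-only Network Protection events found; this device is not enforcing blocks.'
}
```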
Wrapping Up
By connecting MDCA and MDE you:
- Discover unsanctioned cloud usage in near real time.
- Enforce risk-based blocking without extra agents or firewall twists.
- Centralize alerts and investigations under Microsoft 365 Defender.
Accordingly, you’ve taken a sizeable step toward corralling shadow IT; cape optional, but recommended for dramatic effect in team meetings.
In Part 2 of this blog, we will cover how to automate the unsanction process as well as additional troubleshooting.