In a modern workplace where the average enterprise is using over 1,500 different cloud apps, and more than 80 gigabytes of data is being uploaded monthly to risky apps from business endpoint devices, the ability of IT and compliance administrators to manage and monitor shadow IT becomes an (almost) impossible mission. It is not only about the ability to assess the potential risk that cloud apps pose to the company, but also about the tools IT has (or doesn’t have) to control and manage access to these apps.


Complex network security solutions, time-consuming workflows for creating custom blocking rules, and a lot of manual work that needs to be done, make a simple process such as taking a list of cloud apps to be blocked and pushing these to web filtering rules a significant undertaking! When administrators have to manage too many personas and components in this process, it will dramatically slow them down when it comes to applying cloud app access policies in their organization.

In the last two years, Microsoft Defender Advanced Threat Protection (ATP) and Microsoft Cloud App Security have worked to build a full shadow IT discovery solution that analyzes organization’s traffic data against the Cloud App Security cloud app catalog. Apps are carefully curated to be included in this catalog and ranked and scored based on more than 90 risk factors to provide your organization with ongoing visibility into cloud app usage, existing shadow IT, and the risk shadow IT poses into your organization.


reporting of existing shadow IT, and to allow organizations to proactively take action on the high risk posed by use of these unsanctioned applications – thereby removing any further risk and usage across your business. This new feature, now in public preview, leverages Microsoft Defender ATP network protection in block mode ensuring the protections are in place wherever the device travels – in distributed offices, at airports, or at the local coffee shop. 

By tagging apps in Cloud App Security as unsanctioned based on the comprehensive usage and risk assessment of each app that we provide, those risky app domains are then pushed to Microsoft Defender ATP as custom network indicators in near real-time.

This is a single-click control that can significantly improve security posture and save time.



Figure 1: Configure a cloud app as unsanctioned in one click


The process can also be completed manually, by reviewing discovered apps in your tenant and marking them as unsanctioned, or automatically by creating a cloud app control policy to block cloud apps that meet predefined conditions. For instance, in the Cloud App Security portal, you can now create a policy to automatically block access to non-compliant cloud storage apps, for example apps that do not comply with HIPAA and SOC 2 AND that are not Microsoft OneDrive for Business or Dropbox. Alternatively, you might want to block end users from accessing specific social networks in case there was a high volume of data upload identified. This can also be done manually or by creating a simple policy to handle blocking those network connections automatically.

The corresponding URL/Domains Indicators will appear in the “Microsoft Defender ATP Indicators” setting page under URLs/Domains tab.



Figure 2: URL and Domain Indicators


When the user next attempts to access the unsanctioned app, they will be blocked by Windows Defender SmartScreen, and will not able to access the requested cloud resource.



Figure 3: Example user experience when attempting to access an unsanctioned app


Every instance of an endpoint trying to access a blocked cloud app will result in an informational alert in Microsoft Defender Security Center allowing you to drill down into the full machine timeline to see whether the endpoint was trying to access additional risky resources and to eliminate any concern of malicious behavior or data exfiltration attempts.

Microsoft Defender ATP and Cloud App Security together deliver this simple, powerful and unique outcome to ensure your modern workplace allows high end user productivity without neglecting your security principles, and to also allow you as an administrator to be more productive by setting automated policy-based flows to protect against user access to risky cloud resources. This enables you to put your limited resources on managing your security strategy, while we take care of operating and configurating your environment.

The Microsoft Defender ATP and Cloud App Security product teams would love to get your feedback on your overall experience with this feature, use this form to fill in your feedback.


Get Started in 3 quick steps

After you have verified that you have all the integration prerequisites listed in this article, follow the steps below to start blocking access to unsanctioned apps with Cloud App Security and Microsoft Defender ATP –


Step 1

In Microsoft Defender Security Center under Settings > Advanced features, enable Microsoft Cloud App Security integration:



Step 2

In Microsoft Defender Security Center under Settings > Advanced features, enable Custom network indicators:



Step 3

In the Microsoft Cloud App Security portal under Settings > Microsoft Defender ATP integration, mark the checkbox to enable blocking of endpoint access to cloud apps marked as unsanctioned in Cloud App Security:




More info and feedback


Please let @Efrat Kliger and @Danny Kadyshevitch know any questions you have!


Thank you

@Danny Kadyshevitch on behalf of Microsoft Defender ATP and Cloud App Security teams.


Occasional Contributor
Does this feature make solutions like Zscaler useless?

@MatAitAzzouzene that is correct, Microsoft Defender ATP can be now used to block access to these domains and URLs which were blocked with Zscaler until today.

Regular Visitor

Isn’t there a step missing.

windows defender atp client also needs to have network protection enabled on block mode. Or has this requirement changed. 




i would like to see functionality to be able to block types of sites like gambling etc. 

any ideas when the redirect url feature that was shown at ignite is coming out. So we can redirect users to a more friendly screen. 

Frequent Visitor

Can this feature be used to block access to other corporate o365 tenants, using tenant ID restrictions?

@Dale Hayter network protection is listed as part of the integration prerequisites, to which there's a link provided under the "Get started" section.

Re the redirect URL - we will be able to provide a committed timeline for that shortly.

@Tony-1085 we are still looking into having the O365 tenant restrictions feature supported, stay tuned for more updates to come down the line.

Senior Member

@Danny Kadyshevitch 

Thanks for putting this together. There were a few things that I noticed in testing that don't quite look primetime. With Network Protection enabled I was able to block and MCAS unsanctioned app and another Custom indicator domain. The experience that I saw across browser is where the problems are.

  • Edge - The smart screen filter came up for both sites. Which was probably the most optimal experience.
  • Chrome - The MCAS Unsanctioned App gave a ERR_TUNNEL_CONNECTION_FAILED. The custom indicator domain returned a 403 error.
  • Firefox - The MCAS Unsanctioned App gave a blank white screen. The custom indicator domain never left the landing screen.

For all 3 browsers I never received the toast message at the bottom of the screen.

What about Edge Chromium support?

Regular Visitor

@Marius Sandbu , Edge Chromium comes up with the red screen. No toast notification for me in the stable build.

Senior Member

Also what is the current state of this in a macOS version of MDATP?


@Bill Brennan cross-platform support is important to our customers and this product roadmap. As of today, this feature is not yet supported on macOS.


Regarding browsers:

Edge and Chromium Edge are going to have the best user experience due to SmartScreen integration.

3rd party browsers and other client applications leverage Network Protection to enforce the policy. As of today, Network Protection block notifications are done through the Windows Toast user interface. Feedback is clear on improving this end user experience.


Please check your Focus Assist settings if you aren't receiving notifications for Chrome/Firefox. You should not see a toast notification for Edge or Chromium Edge blocks. You can also view the notification history in Action Center.

Frequent Contributor

Hi Danny, Step 3 is slightly inaccurate:



In the Microsoft Cloud App Security portal under Settings > Microsoft Defender ATP integration, mark the checkbox


Should read:

Use the following steps to enable access control for cloud apps:

  1. In Cloud App Security, go to Settings > Cloud app control, and then select Block unsanctioned apps. (should now be) Cloud app control with Microsoft Defender Advanced Threat Protection.



@David Caddick we made some wording changes that might have not propagated to all environments yet.

Please let me know if you're still seeing these texts in your Cloud App Security tenant in the next 24 hours.

Frequent Contributor

**bleep** - how can we hope to keep up ;)

Thanks - seeing this now

New Contributor

I can confirm that I didn't receive toast notifications either, on build 1909. Nothing in notification history either. Same experience as @Bill Brennan - with Firefox showing a Secure Connection Failed error (SSL_ERROR_NO_CYPHER_OVERLAP).


Focus Assist is disabled, is there something else we're missing here?

Senior Member

For what it is worth, last week the Defender ATP Web Content Filtering went into Public Preview. I haven't kicked the tires on it yet, but it certainly appears that the solution is getting closer to be able to replace a lot of other systems...


@glappin In your Virus and Threat Protection settings -> Notification settings  -> Do you have the box check for "Files or activities are blocked?"

Senior Member

@NickWelton… I have all of the notifications checked off, including that one. I just never receive any notifications.

New Contributor

@NickWelton- Same as Bill, all notifications are on. No notifications received.

I got a toast notification the first time I blocked the URL. All subsequent blocks as I was testing with the same URL returned no notification.