Microsoft Tech Community

Does Microsoft publish the full list of calls made to connected app APIs?


The MDCA App connector functionality uses the API from SaaS providers to give more visibility on activity in the application.

One of our clients is concerned about the level of access to their Workday environment, the exact API calls that are being made to Workday and therefore the potential data being brought into the portal.

Does Microsoft publish details of the calls being made to connected applications? Is there a way to access this information from the Defender portal?

2 Replies

Edit. Answered wrong post.

@GaryB_Reply No, Microsoft does not publish the full list of API calls made by the Microsoft Defender for Cloud Apps connector to connected applications like Workday.

The connectors use standard APIs provided by the connected SaaS applications to pull relevant activity audit logs and metadata to give visibility into potential security risks and suspicious behaviors. But the specifics of the API calls can vary across applications and may evolve over time as the connectors enhance functionality.

Microsoft focuses on only accessing the necessary data needed to power the Defender for Cloud Apps security detections, while respecting the privacy controls and data protection requirements of each connected application.

If you have concerns over the level of access or data types the Workday connector uses, I would recommend engaging directly with the Defender for Cloud Apps product team. They should be able to provide more details on the API permissions required for the connector to function properly and describe the data pipeline architecture, even if the exact API specification is not published publicly. This can help validate that the solution aligns with your organization's data policies.

The key is establishing trust and transparency with the product team on the data handling details, even when the full API technical specifics remain proprietary.