Two CAS's? -- confused about discovery through agents on windows clients vs firewall log


There seems to be two Cloud Access Discovery products that have two different "discovery" methods.

One seems to be released in late 2015 and seems to get data collection by deploying agents to windows clients. A newer discovery tool seems to collect data by processing Proxy/Firewall logs.


Are they really two different products?


I would like to have cloud app discovery using agents for roaming clients and locations that don't have a firewall/proxy that works with the log parsing. Of course firewall log parsing has Zero impact on client performance vs. agent based which would have some impact CPU/Disk/Memory and network on the clients as well as agent management (deploy/update/remove). So being able to use both would be preferable.


The current docs are confusing:

Example - this MSDN link links to this article which seems to imply that agent based discovery is current (
But this same section of documents provides no information on how to perform setup - instead linking to a portal despite the description of: "Check out the improvements to Cloud App Discovery in Azure Active Directory (Azure AD), which are enhanced by integration with Microsoft Cloud App Security."


Clicking on that "check out" link takes you to a portal page for the service - not a description or information page. So now you land on *  and there is nothing there for agent based data collection.


So for grins I go to and go to Marketplace -> "Security + Identity" and add "Azure AD Cloud app discovery"

After 2 hours of provisioning where the pinned tile just indicates its still loading I manually navigate to the Azure Cloud App discovery blade where the unhelpful message:

"Discover your cloud apps using the new and enhanced Cloud App Discovery before March 5th, 2018 to avoid disruption of service." floats at the top. 

This blade has, once I click "quickstart", information on downloading agents and agent based data collection -- but has that worrisome message at the top.


If I click on that message it takes me to ""   ... so a bad/not helpful link.


Now I am left to wonder if the message "Discover your cloud apps using the new and enhanced Cloud App Discovery before March 5th, 2018 to avoid disruption of service" mean that the agent based Cloud app discovery is being phased out 3/5/2018? Is that why the quickstart doesn't display by default? Clicking on the 3/5/2018 message should take me where?



Q1: What is the status of Azure AD Cloud app discovery using Windows agents?

Q2: What is the status of Azure AD Cloud app discovery using firewall log analysis?

Q3: Which of these products is licensed with Microsoft 365 Enterprise E5?

Q4: Can I use agent-based discovery and filewall log parsing based discovery at the same time?

Q5: If there is a transition/phase out of the agent only data collection system - will agent based discovery be available in the new system - or some other way for roaming users to have their cloud apps "discovered"

Q6: Is there someone who owns the doc's for this product - if so would you like more detailed feedback?






8 Replies
best response confirmed by Neil Goldstein (Contributor)

Hi Neil,


Thanks for writing in. Sorry about the confusion around the guidance on how to move to the new and enhanced experience for Azure Active Directory Cloud App Discovery. The link from the Azure portal banner has been corrected to point to - which has the right guidance on how to get started with the new and enhanced experience. 


Regarding the agent-based discovery(current) experience - it will stay live until March 5th, 2018, after which the UI will be disabled. Shortly after, the agents and data will be deleted as well and hence our recommendation for Azure AD Cloud App Discovery is that customers move to the new and enhanced experience and set up the necessary snapshot reports before March 5th to avoid disruption of service. After March 5th, when customers access Cloud App Discovery, they will automatically be directed to and the new experience will be the default.


Communication regarding this was sent out to currently active customers in early December and the portal notification was intended to help serve as a reminder of upcoming deadlines. Hope this clarifies. 


That is what I was worried about when I saw that 3/5/2018 message.



So I can see why, the new service with log/proxy log consumption is "better" for 80% of enterprise use (no agent to maintain, no performance impact on windows computers, gets data about all network devices not just those that have the agent), but ....


Q) What is the solution to monitor roaming corporate devices that rarely if ever return to the corporate environment? 







This page explains the difference very well and should help you on your way.


Best regards





Unfortunately that link doesn't deal with my question/concern:.


As the prior MS respondant (Suni I think) on 3/5/2018 the agent based discovery service will be phased out.


My follow up to Suni was specifically if there are plans to re-introduce a cloud-app-discovery service that would work for users who are 100% roaming - never behind a corporate firewall. The new cloud app discovery doesn't have a way to collect information for roaming users because there is no "LOG" to be parsed.


With they "old" cloud app security I could deploy an agent to roaming user laptops. That won't work after 3/5/2018.


So what will be the story for detecting shadowIT for roaming users such as sale person laptops? 



Hi Neil


I believe they are currently working on a solution that will cover your needs.  Normally you will have the option of using an agent on the roaming device or enforcing the usage of an Azure proxy service. 


If you need to accomplish this today you can check for 3rd party solutions, such as Z-scaler.   But I'm fairly sure something is heading our way from Microsoft as well soon.  ;)


Have a look at this session where they demo Z-scaler integration.



I am glad there is some plan in place for Cloud Security to collect data from a few devices not just from logs such as the corporate firewall or proxy.



It's work in progress but we're all excited and waiting with high expectations.    ;)

They should work with the Windows Defender ATP team and use that data, when available (M365-E5 license), for windows devices not behind a firewall.