Microsoft Entra Suite Tech Accelerator
Aug 14 2024, 07:00 AM - 09:30 AM (PDT)
Microsoft Tech Community
Microsoft Defender for Cloud Apps’ Shadow IT Discovery Capabilities Now Support MacOS
Published Jun 10 2024 12:31 PM 4,867 Views

The rapid growth of SaaS apps makes it challenging to gain visibility across the apps used in an organization’s environment. SaaS apps are often used without the awareness of IT departments, a phenomenon known as Shadow IT. Moreover, the swift adoption of generative AI apps introduces an additional layer of security complexity and risks. Organizations need effective app security solutions more than ever to ensure that employees only access approved and safe apps.


A key aspect of combating Shadow IT is ensuring comprehensive visibility into all the apps used in an organization’s environment, which includes the identification of all SaaS apps used by employees, regardless of the operating system. This broad scope of app discovery is essential in providing a holistic view of your SaaS landscape to help security teams discover and control Shadow IT effectively.


Gain full visibility into your SaaS apps with Microsoft Defender for Cloud Apps
Microsoft Defender for Cloud Apps offers powerful discovery capabilities to help you gain visibility into all SaaS apps, including AI apps, in your organization, assess their risk, and leverage sophisticated analytics to enhance the overall SaaS security. Previously, cloud discovery discovered SaaS apps in Windows devices through the network logs via defender for endpoint integration. To continuously improve our product experience and deliver a broader scope of app discovery, today we are thrilled to announce the public preview of our new comprehensive discovery capabilities within Microsoft Defender for Cloud Apps to help customers:

  • Discover Shadow IT SaaS apps on macOS devices in addition to windows
  • Detect and remediate risky/unusual behaviors on SaaS apps on macOS devices


This discovery capabilities on macOS work seamlessly with the native Microsoft Defender for Endpoint. This enhancement not only bolsters the discovery process but also improves the overall discovery comprehensiveness for security administrators, facilitating effective management of SaaS security risks.

For customers who do not use the native Microsoft Defender for Endpoint integration with Defender for Cloud Apps, we have ensured comprehensive discovery coverage by introducing the highly requested enhancements to our log collector. Specifically, we have added two new capabilities to the Defender for Cloud Apps log collector, enabling it to operate on popular container runtimes such as Podman and AKS. With these capabilities, customers can leverage the log collector to thoroughly discover shadow IT apps on other popular distros like RedHat and AKS.


Discovery on macOS via Microsoft Defender for Endpoint

Customers need to enable the network protection component in Defender for Endpoint in order to discover shadow IT on macOS. Here is a quick guide on how to enable network protection.


Once you have the network protection enabled, to access the discovery of shadow IT SaaS apps, navigate to the Cloud discovery tab in the Microsoft Defender portal. Once there, you’ll find Defender - managed endpoints listed under the stream as shown in Figure 1. Selecting this stream presents you with a comprehensive view of discovered applications, resources, IP addresses, users, and devices information for both Windows and macOS devices within your tenant. This unified view facilitates a more complete understanding of Shadow IT across different operating systems.

Figure 1: The navigation path in the Microsoft Defender portal, under the Defender - managed endpoints stream.Figure 1: The navigation path in the Microsoft Defender portal, under the Defender - managed endpoints stream.


Podman support for the Defender for Cloud Apps log collector

The log collector, a container image that traditionally operates on Docker runtime, now extends its support to Podman, the container runtime and orchestrator endorsed by Red Hat Enterprise Linux (RHEL) 8 and subsequent versions. This expansion ensures that the Defender for Cloud Apps log collector is compatible with Podman’s runtime, accommodating customers who use RHEL versions 8 or higher.


The Defender for Cloud Apps log collector is extremely useful for organizations not using the integration with Defender for Endpoint, or a direct integration with a built-in network device isn’t available. It helps to integrate logs from various network appliances, such as firewalls, to generate a discovery report that is pivotal for administrators to pinpoint Shadow IT apps and gather usage telemetry.


Log collector in Azure Kubernetes (AKS)

The log collector feature in AKS enhances Defender for Cloud Apps by enabling the collection of logs from network devices that lack built-in integration. This feature is particularly beneficial for customers who prioritize disaster recovery and resilience for their services hosted on AKS.


With the introduction of log collector support for AKS, Defender for Cloud Apps has expanded its capabilities to include support for Syslog-tls receiver types. Once the log collector deploys log collector on AKS, Customers can configure log sources on AKS and get insights into Shadow IT on AKS workloads.


Our latest enhancements to the shadow IT discovery capabilities in Defender for Cloud Apps empower security administrators with comprehensive app discovery across both Windows and macOS and offer better compatibility and flexibility in deployment. Furthermore, Defender for Cloud Apps is a core component of Microsoft Defender XDR, and these new advancements contribute to delivering a more streamlined and easier to deployable XDR platform that enables security teams to more efficiently protect organizations from today’s advanced cyberthreats.


Getting started

Version history
Last update:
‎Jul 02 2024 11:04 AM
Updated by: