Microsoft Defender for Cloud Apps topics

MCAS logcollector docker image : 0 logs received

Lenshir — Wed, 10 Dec 2025 17:19:11 GMT

I followed that documentation : Configure automatic log upload using on-premises Docker on Linux - Microsoft Defender for Cloud Apps | Microsoft Learn

My Collector is displaying a connected status in the console :

But as you can see, no data was received, and if I do a collector_status -P on my docker :

I checked all possible logs files, nothing helped me

So if someone can help about that..

Thank you !

Problem Automatic Log Upload - Defender for Cloud Apps

GuidoImpe — Fri, 05 Sep 2025 08:26:10 GMT

Hello Community,

I have a strange problem with the activity in the Title.

I have create Data Sources from Fortinet

And a Log collector

With the correct documentation that is linked Configure automatic log upload using Docker in Azure - Microsoft Defender for Cloud Apps | Microsoft Learn

So i have a Fortinet Firewall that send by SYSLOG log to the VM Ubuntu in Azure, i have deploy docker, Ubuntu receive log from firewall, i see traffic is correct.

But from Cloud Apps connector remains into "Connected" state.

Regards,

Guido

Restricting access to non SSO apps

Derr1ck — Wed, 13 Aug 2025 13:09:59 GMT

I have multiple non SSO apps that my users need to access. I am looking to permit access but limit what actions users can take when visiting these apps/sites such as: blocking file uploads, blocking data download, restricting logins, etc to limit shadow IT.

Is there a way to do this within MDCA? Session control policies, activity policies and access policies require the apps be onboarded or SSO configured which is not feasible for the numerous apps in scope. If not MDCA, what other services have you used to accomplish this?

General Risk Factor - Logon URL - Null

RavTin — Tue, 24 Jun 2025 18:42:32 GMT

I'm trying to create a policy that maps "Logon URL" field in the app details and if its empty/blank, it approves/sanction the application. My only challenge is that I'm not able to set an identifier that reads blank field. I tried ASCII null character but it doesn't work. Wondering if this use case is even possible.

Playbooks with MDCA

AhmedSHMK — Wed, 11 Jun 2025 08:43:55 GMT

I am attempting to integrate MDCA alerts with freshdesk as per the e.g. https://learn.microsoft.com/en-us/defender-cloud-apps/flow-integration

I have E5 without teams licenses.

I created the flow, Once from playbooks in MDCA portal and once in power automate directly and went to create a policy to test it out but the option "Sent to power automate" from the policy is always greyed out.

Alerts are not automatically detected in the flow unless the action in the policy is set to send to power automate which again is greyed as option in the policies.

Also playbooks tab in the MDCA portal does not show the flows I created before, It shows empty, Seems link is broken between MDCA and PowerAutomate.

Any reason for this, Any Idea about this? Thanks in advance.

Problem with MDCA Session Control and Google Workspace

Ramon_Pastor_Garcia — Wed, 23 Apr 2025 16:27:00 GMT

We have implemented MDCA Session Control with Google Workspace in a Customer. Almost all Google apps work and they are protected by Session Control, but we have found problems with Gemini, Analytics and Google Search. These apps don´t open under session control and it seems some kind of problems with SSO. Do anyone knows any fix for the problem?

Filter out BYOD devices from blocking unsanctioned apps

PavIT5 — Mon, 21 Apr 2025 02:42:51 GMT

Hi there,

I've encountered an issue. When I tag a cloud app as unsanctioned, it gets blocked as expected. However, we use BYOD mobile devices that are Entra registered along with app protection policies, and the unsanctioned apps are being blocked outside the managed apps. For example, an unsanctioned app gets blocked in unmanaged safari browser on BYOD iOS device. I can't find information on how to limit the enforcement scope to only managed apps on BYODs or how to limit the enforcement scope to company-managed devices. Please help.

Using Microsoft Defender for Cloud Apps to block apps on managed devices.

CrestonV — Thu, 16 Jan 2025 15:29:21 GMT

Greetings,

I have been tasked to work with Microsoft Defender for cloud apps and to block the usage of the Firefox browser on all endpoints within my estate apart from a few users who require it.

I have tried to unsanctioned app feature. This only displays a warning prompt but users can still proceed with using and interacting with the application.

We have already configured web content filtering and works fine. I already looked up other articles relating to downloading a block script but that applies to other security appliances such as firewalls which we don't want to get into.

Is there a convenient way to block certain apps usage by solely using Microsoft Defender for Cloud Apps or is this platform only used for monitoring purposes and cannot really block the app by unsanctioning it?

Cloud Discovery policy - Governance action - Scoped profile missing

MatheoBt — Wed, 11 Dec 2024 14:23:07 GMT

Hi everyone,

I wanted to create a Cloud Discovery policy that automatically tags as unsanctioned some applications but only for a scoped profiles.

When tagging cloud applications manually, it's possible to scope it to a profile:

However, this option doesn't exist in the governance actions section:

Are there any other way to create policies that can tag but only for a device group/scoped profile?

Cheers,

MCAS Log collector supported for Ubuntu 22.04 LTS and Ubuntu 24.04 LTS

benjamino-21 — Tue, 26 Nov 2024 15:57:51 GMT

Hi all,

is collector supported for these 2 versions? In official documentation does not appear.

Thank you!

Block Sensitive Data Upload to External SharePoint Online Tenants

Sochito — Wed, 06 Nov 2024 16:12:13 GMT

We need to block the ability of Users, who are serving the notice period, to upload any Confidential labelled documents to external SharePoint Online Tenants. What is the best way to do this please?

Teams cloud app policy template not showing

MichelA__ — Fri, 01 Nov 2024 14:33:29 GMT

Below should be available since last year, but i dont see them in my list.

Access level change (Teams): Alerts when a team's access level is changed from private to public.
External user added (Teams): Alerts when an external user is added to a team.
Mass deletion (Teams): Alerts when a user deletes a large number of teams

We have the Microsoft 365 E5-security license. Do we need another license for that ?

MCAS Log on Event

JeffR_CNY — Fri, 25 Oct 2024 13:14:31 GMT

Last night I had a Sentinel alert for logon from IP address associated with password spray. Alert was triggered from threat indicator matching IP address. OK no big deal, wasn't a password spray. In tracking this down I see the user is external in MCAS. I find no files shared with the user, no teams message activity, no email to the user.... nothing. My question is, what could the logon event be from?

MCAS requirements for Log Collector

benjamino-21 — Fri, 25 Oct 2024 06:38:53 GMT

Hi all,

this is my first question in the Microsoft Community. I have been reviewing the requisites for MCAS log collector and I wanted to understand why does the machine hosting the log collector needs at least 250 GB disk, as this appliance sends every 40KB to MCAS and stores up to 20 backup files.

Thanks in advance,

Benjamin

Admin Quarantine Location on Defender for Cloud Apps keeps going blank

AbhinavK1660 — Fri, 04 Oct 2024 18:13:34 GMT

Hi,

I am facing an issue where when I select a file location for admin quarantine on Defender for Cloud Apps, that file path just vanishes away the next day and it comes up as a blank location. I tried changing the SharePoint site multiple times but it still goes blank after a day. Has anybody encountered this lately ?

Conditional access policy not recognised

HidMov — Wed, 02 Oct 2024 10:10:38 GMT

Hello everyone,

We're evaulating Cloud Apps session/conditional access/session policies but have hit a weird snag.

We have created a conditional access policy in EntraID with session control of Use Conditional Access App Control. This was initially set to Monitor Only (Preview)

I then signed in with the test user and logged into the various 365 services, and confirmed these apps were onboarded into the Conditional Access App Control apps page.

So far so good. However when I've attempted to create either a Access or Session Policy in the Cloud Apps Policy Management section, there is an error saying that there are no conditional access policies set up.

I changed the conditional access policies in Entra ID to "Custom Policy" and waited a few hours, but still getting the error. I have created additional conditional access policies in EntraID from scratch and waited over night, but it still seems that EntraID and the Cloud Apps parts aren't talking with each other.

When I create a policy, I get a warning that there isn't a corresponding CA policy. The Access/Session policy is reated, but has [Entra ID Policy Missing] in the title.

I'm not sure where I'm going wrong with this. I've followed various guides and checked various forums but aside from the obvious I'm at a loss. Has anyone else come up against this before, or should I raise a ticket with MS to look at the back end?

Thanks in advance,

Mark

New Blog | Introducing the new File Integrity Monitoring with Defender for Endpoint integration

DavidFernandes — Fri, 27 Sep 2024 18:29:30 GMT

By Gal Fenigshtein

As part of the Log Analytics agent deprecation, Defender for Servers has introduced a new simplification strategy aiming at significantly simplifying the onboarding process and requirements needed to protect servers in the cloud, while enhancing existing capabilities and adding new ones.

According to this strategy, all Defender for Servers capabilities are provided over Defender for Endpoint or cloud-native capabilities and agentless scanning for VMs, without relying on either Log Analytics Agent (MMA) or Azure Monitor Agent (AMA).

This hybrid approach combines the strengths of agent-based and agentless protection, offers multi-layered security for servers. While the agent provides in-depth security and real-time detection and response, agentless and cloud-native capabilities deliver enhanced coverage, full visibility within hours, with no performance impact on machines. Security findings from both, agent-based and agentless approaches, are seamlessly integrated in Defender for Cloud, tailored to protect servers in multicloud environments.

Read the full post here: Introducing the new File Integrity Monitoring with Defender for Endpoint integration

block Unsanction app in cloud

Palash_Shukla — Tue, 24 Sep 2024 17:05:10 GMT

Similar queries as previously mentioned from one of the User;

I'm just getting started with Microsoft Defender for Cloud Apps but have already worked a bit with it when it was still named Cloud App Security. Right now, I'm looking into the Cloud Discovery features. While trying out the Unsanctioned feature for some apps, I ran into the problem that they only get blocked if the user is using Microsoft Edge. If the user uses Chrome or Firefox, the app doesn't get blocked. I integrated MDCA with Microsoft Defender for Endpoint. What am I missing?

Does anyonce from Microsoft; kindly jump into and give guidance

thanks

palash

Cloud Discovery Dashboard not updating

Sochito — Fri, 13 Sep 2024 15:20:27 GMT

We successfully integrated the MDCA with Zscaler on 10th Sep 10 AM. From that Time until 11th Sep 9:08 PM, data was getting updated in the console but after that it is showing Updated on Sep 11, 2024, 9:08 PM.

Under Governance log - last parse Cloud discovery log shows success at 11/9/2024, 21:07:51. There is nothing in pending or failed state.

Automatic log upload (under settings) shows 362 uploaded logs, last data received 11 Sep 2024, Modified date 13 Sep 2024.

Please suggest why Dashboard is not updating.

Access Policies not blocking existing Office app connections

Cameron_Stephens — Thu, 12 Sep 2024 06:29:44 GMT

I'm testing blocking the Office apps on unmanaged devices so users cannot use them to download sensitive data. While I have had success with preventing users from licensing their Office apps or setting up OneDrive syncing, unfortunately it isn't blocking apps that are already setup. So licensed Office apps can still browse to Sharepoint, and open a file, email is still delivered in Outlook and file changes in OneDrive still sync in both directions. I want to stop all existing connections in their tracks with this policy.

The Access policy is setup with the following:

Device not equal to Hybrid Entra Joined...
User account equal to mine
App equals Microsoft 365
Client app equals Mobile and desktop
Device equals PC
Block and display a customised message

I have a separate Session policy that is blocking cut,copy,print,& download activities in a web browser.

Can anyone explain why it isnt working as I would expect?

Thanks for any help.