Microsoft Cloud App Security and Windows Defender ATP - better together

Published Sep 27 2018 05:30 AM 40.2K Views

Based on our findings, enterprises today have an average of 1,100 cloud applications in their organization, with IT unaware of 61% of the cloud services that users access.


Sourcing from a cloud app catalog of more than 16,000 applications, Discovery in Microsoft Cloud App Security (MCAS), Microsoft's Cloud Access Security Broker (CASB) solution, identifies the cloud apps that are being used in your organization and provides risk assessments, ongoing analytics and lifecycle management capabilities to control their use.


Microsoft Cloud App Security now uniquely integrates with Windows Defender Advanced Threat Protection (ATP) to enhance the Discovery of Shadow IT in your organization and extend it beyond your corporate network. Our CASB can now leverage the traffic information collected by Windows Defender ATP, no matter which network users access cloud apps from. This seamless integration does not require any additional deployment and gives admins a more complete view of cloud app and service usage in their organization.


Integration Highlights

  • Discovery of cloud apps beyond the corporate network from any Windows 10 machine
  • Single-click enablement
  • Machine-based Discovery
  • Deep dive investigation in Windows Defender ATP




How it works

Windows Defender ATP is an integrated part of Windows 10 Enterprise E5. To leverage the existing sensors and send traffic information to Microsoft Cloud App Security, you need to enable this integration via a simple toggle in the Windows Defender Security Center. Windows Defender ATP will then continuously log resource usage from all Windows 10 machines that are onboarded to the service, and report it back to Microsoft Cloud App Security, with signals shared via the Microsoft Intelligent Security Graph.

To get started, admins can go to the Advanced settings page in the Windows Defender Security Center. All you need to do is activate a single toggle to enable the connection, and MCAS will start pulling the information immediately.


Image 1: Activate Microsoft Cloud App Security in the Windows Defender Security Center


Microsoft Cloud App Security will then leverage the traffic information from Windows Defender ATP’s log store to surface all relevant details in the Discovery Dashboard and provide relevant insights for discovered apps, users, IP addresses and a new, machine-centric view.

Admins now have visibility into the cloud apps that are being accessed, no matter which network the devices are logged into. Furthermore, admins will be able to see how many and which devices are accessing each one of the apps that are discovered.
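To make concrete what the Discovery step computes from endpoint traffic, here is an added example that is not Microsoft's code and does not use any MCAS or Windows Defender ATP API. It models the aggregation the post describes: per-endpoint network records are matched against an app catalog and rolled up into the apps, users, IP addresses and machine-centric view an admin sees. The log records, the catalog entries and the risk scores are all constructed for illustration.

```python
"""Toy cloud-app Discovery over endpoint traffic records (added example).

Models the aggregation the post describes: endpoint traffic from any
network -> discovered apps, users, IPs and a machine-centric view.
Everything below (events, catalog, risk scores) is constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed catalog: destination domain -> (app name, category, risk score 1-10).
# A real catalog (the post cites more than 16,000 apps) is far larger.
CATALOG = {
    "dropbox.com": ("Dropbox", "Cloud storage", 6),
    "api.dropboxapi.com": ("Dropbox", "Cloud storage", 6),
    "github.com": ("GitHub", "Development", 3),
    "pastebin.com": ("Pastebin", "Content sharing", 9),
}

# Constructed endpoint events: (device, user, client IP, destination host, bytes sent).
# LAPTOP-02 has a public client IP: it is off the corporate network, which is
# exactly the traffic a network-based Discovery would miss.
EVENTS = [
    ("LAPTOP-01", "alice", "10.1.2.3", "dropbox.com", 50_000),
    ("LAPTOP-01", "alice", "10.1.2.3", "api.dropboxapi.com", 900_000),
    ("LAPTOP-02", "bob", "203.0.113.7", "dropbox.com", 120_000),
    ("LAPTOP-02", "bob", "203.0.113.7", "github.com", 30_000),
    ("LAPTOP-03", "carol", "10.1.2.9", "pastebin.com", 2_500_000),
    ("LAPTOP-03", "carol", "10.1.2.9", "intranet.corp.example", 4_000),  # not a catalogued app
]


@dataclass
class AppUsage:
    """What Discovery shows for one app: who, from where, on which machines."""
    name: str
    category: str
    risk: int
    users: set = field(default_factory=set)
    machines: set = field(default_factory=set)
    ips: set = field(default_factory=set)
    bytes_by_machine: dict = field(default_factory=lambda: defaultdict(int))

    @property
    def total_bytes(self):
        return sum(self.bytes_by_machine.values())


def match_app(host, catalog):
    """Map a destination host to a catalog entry, walking up parent domains."""
    labels = host.lower().split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in catalog:
            return catalog[candidate]
    return None


def discover(events, catalog=CATALOG):
    """Aggregate endpoint events into per-app usage plus hosts no app matched."""
    apps = {}
    unmatched = set()
    for device, user, ip, host, nbytes in events:
        entry = match_app(host, catalog)
        if entry is None:
            unmatched.add(host)   # worth a look: not in the catalog at all
            continue
        name, category, risk = entry
        usage = apps.setdefault(name, AppUsage(name, category, risk))
        usage.users.add(user)
        usage.machines.add(device)
        usage.ips.add(ip)
        usage.bytes_by_machine[device] += nbytes
    return apps, unmatched


def top_machines(apps, app_name, limit=3):
    """Machine-centric view: which devices drive the most traffic to one app."""
    usage = apps[app_name]
    ranked = sorted(usage.bytes_by_machine.items(), key=lambda kv: kv[1], reverse=True)
    return ranked[:limit]


def risky_apps(apps, threshold=7):
    """Apps at or above a risk score, for the admin to review."""
    return sorted(a.name for a in apps.values() if a.risk >= threshold)


if __name__ == "__main__":
    apps, unmatched = discover(EVENTS)
    for app in apps.values():
        print(f"{app.name:<9} risk={app.risk} users={len(app.users)} "
              f"machines={len(app.machines)} bytes={app.total_bytes}")
    print("top Dropbox machines:", top_machines(apps, "Dropbox"))
    print("risky:", risky_apps(apps), "unmatched hosts:", sorted(unmatched))
```

The `top_machines` view is the pivot the post describes: once an admin sees which device accounts for most of an app's traffic, the next step is the per-machine investigation in Windows Defender ATP. Hosts that match nothing in the catalog are returned separately rather than dropped, since unrecognised destinations are as much a Shadow IT signal as recognised ones.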

Image 2: The data source is Windows 10 endpoints, and the new tab allows for a machine-centric view of cloud app Discovery


Given the native integration of these products, admins can easily pivot between the two portals. In Image 3 the admin is investigating the usage details of a cloud storage app. To investigate an individual machine with particularly high traffic for this app in more detail, admins can leverage the Windows Defender ATP deep-link within MCAS to navigate directly to the machine investigation in Windows Defender ATP and continue there. 


Image 3: Machine-centric deep dive into the usage for an individual cloud app and portal integration with WDATP


Enabling this seamless Cloud App Discovery experience in Microsoft Cloud App Security is the first step in creating a sophisticated lifecycle management approach to help ensure that your organization securely accesses cloud apps and services. Leverage the breadth of capabilities to identify which apps are being used in your organization, assess their potential risk and enable continuous monitoring to take immediate action when new cloud apps are discovered.

In the near future we will be adding more capabilities to this powerful and unique CASB integration that will allow admins to manage and block unsanctioned applications.


More info and feedback

Learn how to get started with Microsoft Cloud App Security with our detailed technical documentation. Don’t have Microsoft Cloud App Security? Start a free trial today!

New to Windows Defender Advanced Threat Protection? Learn more.

As always, we want to hear from you! If you have any suggestions, questions, or comments, please visit us on our Tech Community page.



Occasional Contributor

@Kim Kischel That's a nice addition to the Discovery capabilities. Good to give admins the ability to leverage the intelligence you have and share it for enhanced security.

Occasional Contributor

@Kim Kischel With the integration to MCAS being via the Intelligent Security Graph, and with MCAS being fed that information with personally identifiable information (machine + person / user), how are you protecting the personal information when the Intelligent Security Graph information is used for purposes other than discovery in MCAS (e.g., the "6.5 trillion signals" number)? All of those signals, with personal information associated, would give a pretty complete picture of someone's behaviour if compromised.


@Kim Kischel We enabled this, but so far we are only getting telemetry in CAS from Win 10 machines that have upgraded to 1809. Is this normal?


@Dustin Adam Yes, that’s expected. The requirement for the integration is RS5 at the moment. We’ll have our documentation updated soon that will outline this type of detail.


@Michael Sampson the graph is just our means of connecting the two services. For specific details on the graph, please reference the website.

Hello Kim,

First, this is an awesome feature. I have a question w.r.t. data processing. How long will it take on average until the data is visible in CAS? In Windows Defender ATP the data shows up pretty fast within the console; however, I assume that in CAS the data needs to be assessed etc. So let's assume a user accesses Dropbox or GitHub: after how many minutes/hours/days should the data become visible in the CAS App Discovery console? I have run a few tests myself, but I don't seem to find a pattern.




@Alex Verboon It takes up to 2 hours for data to arrive into MCAS. For large tenants with large amounts of data it will take much less. You can also find those details in our technical documentation.


Additionally, our Cloud Discovery dashboard shows aggregated data across overall apps, categories etc., the data in it is analyzed every 4-6 hours.

Occasional Visitor

@Kim Kischel

Hi Kim, everything is adding up in the right direction with this integration. Can one expect more preventive controls on the endpoints from a DLP perspective?

I.e. rule-based policy from MCAS to (monitor/block) exfiltration of data via web-based/storage cloud apps, based on a unified label or dynamically detected by MDATP? O365 DLP is taking good care of that within O365 apps, but through a web proxy with HTTPS with a malicious insider, is there any mitigation for this scenario?

Fully aware that MSDATP is EDR at its core, just hoping that this integration with MCAS can be unleashed. I see a possibility.




Version history: last update May 11 2021 02:08 PM