reviewer1710705 - PeerSpot reviewer
Solutions Architect at a university with 51-200 employees
Reseller
Top 10
Mar 4, 2025
Offers comprehensive application monitoring and security alerts with beneficial response support
Pros and Cons
  • "Microsoft Defender for Cloud Apps is very comprehensive, providing a complete 360-degree view of applications within an organization."
  • "The documentation could be improved as it is not updated immediately when Microsoft makes changes. Users must wait a few weeks for the changes to be reflected in the documentation."

What is our primary use case?

I work with Microsoft Defender for Cloud Apps by monitoring issues users have with applications, creating policies, reviewing incidents notified by Microsoft Defender, and taking measures to mitigate these issues.

What is most valuable?

Microsoft Defender for Cloud Apps is very comprehensive, providing a complete 360-degree view of applications within an organization. The tool offers a scoring system that helps track progress in securing the network and endpoints, and it alerts users to security issues in applications.

What needs improvement?

The documentation could be improved as it is not updated immediately when Microsoft makes changes. Users must wait a few weeks for the changes to be reflected in the documentation.

For how long have I used the solution?

I have been using Microsoft Defender for Cloud Apps for maybe three years.
Buyer's Guide
Microsoft Defender for Cloud Apps
January 2026
Learn what your peers think about Microsoft Defender for Cloud Apps. Get advice and tips from experienced pros sharing their opinions. Updated: January 2026.
881,082 professionals have used our research since 2012.

What was my experience with deployment of the solution?

Deploying Microsoft Defender for Cloud Apps was easy for me, as long as there is an organized approach and a good technology partner to assist during deployment.

What do I think about the stability of the solution?

Microsoft Defender for Cloud Apps works very well and I have not experienced issues with stability.

What do I think about the scalability of the solution?

Microsoft Defender for Cloud Apps is very scalable, provided you have the right subscription. Without the appropriate license, scalability is limited.

How are customer service and support?

The support is excellent, and the speed of response is commendable.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

I used Sophos before, and although it's a good tool, I prefer Microsoft Defender for its comprehensive integration with endpoints and firewalls.

How was the initial setup?

The initial setup of Microsoft Defender for Cloud Apps was easy, especially with support from a technology partner.

What about the implementation team?

We had assistance from a Microsoft partner and other companies during the implementation.

What's my experience with pricing, setup cost, and licensing?

The pricing for Microsoft Defender for Cloud Apps is acceptable. If a product is of high quality, it justifies the expense.

Which other solutions did I evaluate?

I evaluated Sophos as an alternative solution.

What other advice do I have?

No further improvements are needed for now because the suite is very complete. I give Microsoft Defender for Cloud Apps an overall rating of eight out of ten.

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Other
Disclosure: My company has a business relationship with this vendor other than being a customer. Reseller
PeerSpot user
reviewer2638737 - PeerSpot reviewer
Head of Security Operations at a computer software company with 51-200 employees
Real User
Top 20
Jan 12, 2025
Discovery catalog enhances app control while insights require deeper clarity
Pros and Cons
  • "The ability to sanction unsanctioned apps using Secure Score benchmarking, included in Cloud, is also beneficial."
  • "I would rate it a ten because I have not experienced any stability issues so far with Defender for Cloud Apps."
  • "The insights could be improved, especially in reporting."
  • "The insights could be improved, especially in reporting. While it is possible for me to see the usage from different cloud apps, determining if critical data has been uploaded or if it is just normal transport data is difficult."

What is our primary use case?

My use of CloudApp in this scenario is to manage the usage of secure cloud applications. I assist the customer in deciding and integrating only secure cloud apps into their environment, using Defender for Cloud Apps discovery and alerting scenarios to identify which cloud apps should not be available. 

I particularly alert for new applications, implementing those alerting routes so that the customer is aware when new apps are added to the Cloud Discovery catalog, especially those using legacy authentication protocols.

What is most valuable?

The discovery function and the discovery catalog are really valuable. The ability to sanction unsanctioned apps using Secure Score benchmarking, included in Cloud, is also beneficial. These features enhance the organization by helping to manage and control cloud app usage effectively.

What needs improvement?

The insights could be improved, especially in reporting. While it is possible for me to see the usage from different cloud apps, determining if critical data has been uploaded or if it is just normal transport data is difficult. 

Previously, I could drill down into data uploaded by specific users or IP addresses from a cloud app; however, this is no longer available. For data loss prevention, it would be useful to be able to drill down into the kind of data being transferred over CloudApp.

Additionally, the info boxes are sometimes misleading. Guided assistance would be helpful.

For how long have I used the solution?

I have worked with this solution for four or five years.

What do I think about the stability of the solution?

I would rate it a ten because I have not experienced any stability issues so far with Defender for Cloud Apps. The solutions run very stably. 

Occasionally, some tenants experience a bit of latency; however, it is mostly a network issue, not related to the solution itself.

How was the initial setup?

I would say it is in the middle since you need some deep knowledge to get those reports and everything running properly.

What about the implementation team?

I am usually not doing this alone and am not really the one implementing those infrastructures. I did it in cooperation with my colleague.

What other advice do I have?

I would recommend users of enterprise licenses to focus quickly on the solution because you can then control your web app usage from the beginning. Most environments have collected thousands of cloud apps in their catalog because they do not sanction any apps. Starting from scratch will help you control and mitigate the risk of attacks through low-security cloud apps. Overall product rating: nine out of ten.

Disclosure: My company has a business relationship with this vendor other than being a customer. msp
PeerSpot user
Anthony Alvarico - PeerSpot reviewer
Deliver Practice Director at a computer software company with 201-500 employees
MSP
Top 10
Leaderboard
Sep 15, 2024
Provides discovery, data exfiltration, and sensitive data exposure at low cost

What is our primary use case?

We use Microsoft Defender for Cloud Apps for discovery, data exfiltration, and sensitive data exposure.

How has it helped my organization?

Some organizations with E5 or E3 licenses enable Microsoft Defender for Cloud Apps for their users, often with default settings. These organizations typically use OneDrive and SharePoint. With Defender for Cloud Apps, especially when integrated with Defender for Endpoint, they want to monitor which SaaS applications their users are accessing. The primary goal is to discover and track the types of SaaS apps their users use.

What is most valuable?

Microsoft makes setting up discovery and visibility into cloud app usage easy. I also appreciate its full integration with other Defender and XDR products, such as Defender for Identity, Defender for Office 365, and Defender for Endpoint. You can ingest data from all these endpoints. I especially like the feature that allows you to discover which SaaS applications users access.

What needs improvement?

Microsoft has been high on implementing Copilot. If it is already integrated for using Copilot for security, that would be great.

For how long have I used the solution?

I have been using Microsoft Defender for Cloud Apps for three years.

What do I think about the stability of the solution?

It's pretty stable.

What do I think about the scalability of the solution?

It has been reliable. I haven't seen it fail. There can be some confusing configuration issues sometimes, but it's quite dependable overall.

It is used by small, large, and government entities.

How are customer service and support?

Improved communication and follow-up would be helpful. Sometimes, we don’t hear back after creating a ticket for a day or two. Even when an engineer is assigned, responding can still take a while despite providing all the necessary logs and information upfront.

How would you rate customer service and support?

Neutral

How was the initial setup?

The deployment process is quick, taking two to three days. The implementation and customization require more time. We need to adjust the setup to fit the client's needs, which involves fine-tuning notifications and alerts to avoid overwhelming them.

First, you need the appropriate licensing. Once you have that, go to security.microsoft.com and integrate with Defender for Endpoints to receive information. While you can ingest logs from different firewalls, such as Palo Alto or Cisco, we usually implement them with Defender for Endpoints. Once a laptop or desktop is set up in Defender for Endpoints, integrating Cloud Apps with the endpoints allows us to collect the data easily.

I rate the initial setup a nine out of ten, where one is difficult and ten is easy.

What was our ROI?

Taking a proactive approach to keeping your environment secure and informed is key. Microsoft Defender for Cloud Apps helps you monitor what applications your users use and ensures they aren't using any sanctioned by your organization. This proactive control is a significant return on investment.

What's my experience with pricing, setup cost, and licensing?

It's relatively low-cost, especially since it's often bundled with Microsoft 365.

What other advice do I have?

It is also tied to data management. Since it's integrated, it can notify us of potential data exfiltration, like when large amounts of data are leaving the system or the Microsoft Cloud. This feature helps protect intellectual property and sensitive information subject to regulations and compliance standards, such as SOX or NIST. It plays a key role in ensuring data compliance and security.

It's fully integrated with other Microsoft security features. You can even connect it to Microsoft Sentinel, their SIEM product. The integration makes everything work better together, with less deployment effort and a single portal for managing your applications, eliminating the need to switch between different platforms.

Overall, I rate the solution a nine-point out of ten.

Which deployment model are you using for this solution?

Public Cloud
Disclosure: My company has a business relationship with this vendor other than being a customer. Partner
PeerSpot user
Jagadeesh Gunasekaran - PeerSpot reviewer
Cyber security engineer at a tech services company with 10,001+ employees
Real User
Oct 2, 2023
Saves us time, has good visibility, and a single dashboard
Pros and Cons
  • "The most valuable feature is the alerting system."
  • "The technical support team has room for improvement."

What is our primary use case?

We were looking for protection for cloud applications, specifically for the SharePoint directory. One of the use cases is to monitor employees who are leaving the organization in the next month. We do this by placing them in a separate Active Directory container and monitoring their activity. 

For example, we would monitor if they download a large number of files from cloud applications, delete something, or engage in other abnormal activities. This is one use case for Microsoft Defender for Cloud Apps.

How has it helped my organization?

The solution is user-friendly and provides great visibility into threats. There are easy options available for specific workflow inspections. We can also get support by going through the Microsoft documentation, which is straightforward.

Microsoft Defender for Cloud Apps helps us prioritize threats across our enterprise. It covers us from a compliance perspective and protects our organization's data. Data protection is a very important aspect of any new organization, as we need to protect our data from both external attacks and insider threats. Microsoft Defender for Cloud Apps helps us monitor for abnormal activity by insiders, which is one of the most important access points for attackers today. Additionally, the different cloud apps that Defender for Cloud Apps supports provide us with much more visibility into potential threats and activities on the internet.

We have integrated Microsoft Defender for Cloud Apps alerts with Sentinel. The integration is straightforward. We can find the configuration details on Microsoft's official documentation website. If we are familiar with how Microsoft products work, we will be able to follow the instructions clearly.

Microsoft Defender for Cloud Apps and Sentinel work natively together to deliver coordinated detection and response across our environment.

Our integrated Microsoft solutions provide comprehensive threat protection, covering most of the tactics and techniques relevant to the MITRE ATT&CK framework.

Sentinel allows us to ingest data from our entire ecosystem. When implementing an SIEM solution, there are always prerequisites such as Active Directory logs, security logs, firewall logs, and DNS logs. These are important logs that need to be ingested into the environment. Sentinel has many third-party connectors available that make integrations straightforward. Microsoft provides the configuration details in the Sentinel platform. It is important to integrate all relevant log sources into the SIEM solution so that we can detect and be alerted to any type of threat factor, whether it is from an internal or external source.

Integrating third-party solutions into the platform requires a separate configuration, but Microsoft provides the necessary information. However, we need to have the appropriate permissions to execute these setups.

Sentinel provides a centralized dashboard that covers threat management and configuration. It gives us complete insight into what entities are accessing, as well as full details for investigation. We can see how the alerts and threats are relevant to suspicious activities, whether they are related to malicious IP addresses, suspicious ASHAs, or any other indicators of compromise. All of this relevant data can be seen in a single pane. Recently, Microsoft introduced a new investigation experience in a single pane. This means that we can now get a lot of details in a single pane, without having to go there and execute a query. There are a lot of new insights being developed in the Sentinel platform these days.

It has software intelligence. They recently introduced Microsoft Defender Threat Intelligence, which covers almost all IOCs. This protects organizational assets from threats and suspicious traffic associated with IOCs. If a match is found, alerts are generated. This is a very interesting feature. Another great feature is automation and logic apps. We can create a number of operations, such as posting in a team's channel if a severe incident occurs or sending an email notification. There are many operations available, so we can automate a lot of tasks.

Microsoft Defender for Cloud Apps helps us stay compliant. It has predefined mechanisms in place to prevent attacks. For example, if an external user tries to access our SharePoint folders or files, an attack will be blocked. This is why it is important to give appropriate access to guest users. Microsoft Defender for Cloud Apps has many features and benefits. It provides a number of policies that can be configured to meet the specific needs of our security team. These policies can be used to customize cloud applications so that only authorized users can access them and perform operations that benefit the organization. In terms of safety and security, Microsoft Defender for Cloud Apps is top-notch.

Using the solution's automation features, we can suppress false positive alerts. We can also close alerts, lower their severity from "high" to "low" or "informational," or close them immediately with the appropriate commands. This will depend on the configuration automation rule and the perspective from which we are testing.

Microsoft Defender for Cloud Apps provides a single console. We are also provided with Microsoft templates to enable workbooks instantly. Alternatively, we can build our own customized workbooks to provide better insights and improve our SOC efficiency and overall performance.

Consolidating all of our security data into one dashboard has saved our security operations team a significant amount of time. From an analyst's perspective, it is now much easier to correlate events, investigate alerts, and visualize specific entities. For example, an analyst can quickly see all of the alerts associated with a particular IP address, or they can view all of the activity for a specific entity over the past 24 hours or 7 days. This level of detail and insight would not be possible if our data were siloed in multiple dashboards.

The single dashboard saves our operations approximately 20 hours per week by eliminating the need to access multiple consoles and tabs.

Microsoft Defender for Cloud Apps threat intelligence can help us prepare for potential threats before they happen. However, it depends on how we develop the policies for the database to block or ignore things in our environment.

What is most valuable?

The most valuable feature is the alerting system.

Microsoft Defender for Cloud Apps covers all relevant cloud applications, such as OneDrive, shared drives, and specific directories. If we want to monitor a specific SharePoint directory, specific folder permissions, or specific VIP groups, all inherent features are available.

What needs improvement?

The technical support team has room for improvement. Their response time is slow.

For how long have I used the solution?

I have been using Microsoft Defender for Cloud Apps for two and a half years.

What do I think about the stability of the solution?

Microsoft Defender for Cloud Apps' stability is good because it is cloud-based. We don't face any disruptions.

What do I think about the scalability of the solution?

I would rate the scalability of Microsoft Defender for Cloud Apps a nine out of ten.

How are customer service and support?

The technical support team takes a long time to respond to our tickets.

How would you rate customer service and support?

Positive

What's my experience with pricing, setup cost, and licensing?

Microsoft offers bundle discounts and a pay-as-you-go option. We can also get an additional discount of 30 to 40 percent if we commit to a certain number of GB per day.

What other advice do I have?

I would rate Microsoft Defender for Cloud Apps a nine out of ten.

Compared to other stand-alone SIEM and SOAR solutions, Sentinel is superior. It covers on-premises applications as well as cloud applications. Therefore, it is efficient, fast, reliable, and user-friendly. We do not experience any lag in performance, regardless of the number of queries we run. If we prepare 30 to 40 lines of query to search for data from the past 30 or 90 days, it will return the results in a reasonable time.

Microsoft Defender for Cloud Apps offers a longer retention period of up to 90 days for compliance purposes, compared to other solutions that only offer 30 days. The logs are also available for one year. This means that if an auditor needs to see data from the past six months, such as what critical operations were performed or which sensitive applications were accessed, we can easily access the logs and provide the evidence. This is beneficial from a compliance perspective. In addition, Defender for Cloud Apps is user-friendly and offers automation capabilities, as does Sentinel. This automation can help customers get more value from the solutions by quickly processing alerts and reducing MTTR. The price of Defender for Cloud Apps and Sentinel is also competitive.

No maintenance is required from our end.

I recommend a single vendor security suite over a best-of-breed strategy because of the better support and cost benefits.

Microsoft Defender for Cloud Apps is user-friendly and it is easy to configure the security policies based on the organization's industry standards and framework. 

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Microsoft Azure
Disclosure: My company has a business relationship with this vendor other than being a customer. Partner
PeerSpot user
Security Principal at a security firm with 1-10 employees
Real User
Apr 13, 2023
It helps us control which applications are used and gain more security insight into remote and hybrid users based on user identity and login location
Pros and Cons
  • "Defender helps us control which applications are being used and gain more security insight into remote and hybrid users based on user identity and login location. You can also integrate Defender for Cloud Apps with Defender for Endpoint to extend its capabilities."
  • "Defender for Cloud Apps could come with more configured policies out of the box. Also, integration could be easier. Integration is moderately difficult because Microsoft hasn't developed a solution that unifies device onboarding and management. You have to use Intune to manage devices and Defender for Endpoint to enforce policies. They need to fix their integration, but I believe they will straighten it out by the end of the year."

What is our primary use case?

We use Defender for governance, discovery, and application awareness. It's also useful for detecting shadow IT and anomalous user behavior. 

How has it helped my organization?

Defender helps us control which applications are being used and gain more security insight into remote and hybrid users based on user identity and login location. You can also integrate Defender for Cloud Apps with Defender for Endpoint to extend its capabilities.  

Defender saves us time. I can't quantify that because I never track it, but it has helped me quickly discover issues and get a sense of the users' applications, locations, etc. Defender saves money because I've eliminated some tools and tasks that I previously completed manually. I can do some tasks in one hour that used to take me three. 

What is most valuable?

Defender integrates with MDE, and there's no agent, so everything happening on the endpoint is reported back to Defender. Defender for Cloud Apps is tightly integrated with Defender for Identity.

The solution provides excellent visibility into threats. I rate Defender for Cloud Apps an eight and a half out of ten for visibility. 

I use all of Microsoft's security products, and they work together natively to deliver coordinated detection and response. Each solution is outstanding by itself, and I can coordinate between them by pumping the alerts and incidents into my SIEM. 

Bidirectional sync is crucial because I'm a consultant, and I have yet to find a customer who uses only one cloud. 

We use Defender with Microsoft Sentinel, which ingests data from our entire ecosystem. This functionality is essential because I can investigate threats and respond from one place. I can respond directly from Sentinel about 50-60 percent of the time using its SOAR capabilities. 

Sentinel's built-in UEBA and threat intelligence are excellent and getting better every day. In terms of cost and ease of use, Sentinel is the best cloud SIEM and better than 90 percent of on-premise solutions. Even Google products can't compete. 

What needs improvement?

Defender for Cloud Apps could come with more configured policies out of the box. Also, integration could be easier. Integration is moderately difficult because Microsoft hasn't developed a solution that unifies device onboarding and management. You have to use Intune to manage devices and Defender for Endpoint to enforce policies. They need to fix their integration, but I believe they will straighten it out by the end of the year.

What do I think about the stability of the solution?

Defender has become more stable over the last year.

What do I think about the scalability of the solution?

I've never faced any limits on scalability. 

How are customer service and support?

I rate Defender's support a seven out of ten for responsiveness, but a ten out of ten for their knowledge of the product. Once you finally get someone, they're an expert. 

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

We switched to an all-Microsoft shop because they're integrated.

How was the initial setup?

Deploying Defender is easy. You subscribe to it and enable it within your cloud tenant. I got it deployed in one day. Defender requires no maintenance because it's a SaaS product.

What was our ROI?

Defender is cheaper than the product we replaced.

What's my experience with pricing, setup cost, and licensing?

Defender is built into the E5 license, so it's simple. 

What other advice do I have?

I rate Microsoft Defender for Cloud Apps a nine out of ten. Give it a shot. It's easy to deploy and doing a PoC is easy, and you'll get good insights into where to direct your efforts as far as doing your mind produces.

I'm a firm believer in getting all of my security solutions from one vendor. A best-of-breed strategy introduces an entirely different security risk from integrating products that were not designed to work together. They don't produce cross-actionable intelligence insights with the products. You also need to have an expert in all of the vendors you use, and you will be in a difficult position when that person leaves until you can find a replacement.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Microsoft Azure
Disclosure: My company has a business relationship with this vendor other than being a customer. Partner
PeerSpot user
reviewer2176125 - PeerSpot reviewer
Manager Information Security at a venture capital & private equity firm with 11-50 employees
Real User
Oct 3, 2023
Allows for policy implementation, provides excellent visibility, and integrates well
Pros and Cons
  • "The most valuable feature is its policy implementation."
  • "I would prefer to have filtering options incorporated within the policies, enabling the solution to perform tasks beyond mere blocking or allowing."

What is our primary use case?

We utilize Microsoft Defender for Cloud Apps in conjunction with Defender for Endpoint. This enables the Cloud App to effectively block unauthorized websites for users. Additionally, it allows us to prevent users from accessing malicious sites, and we can restrict user access based on their device compliance status.

How has it helped my organization?

Microsoft Defender for Cloud Apps offers visibility into the usage of enterprise applications and the connections established from both authorized and unauthorized locations and devices.

Microsoft Defender for Cloud Apps, in conjunction with Defender for Endpoint, helps prioritize threats throughout our enterprise by reviewing them, identifying devices with vulnerabilities, and providing us with criticality assessments and recommendations on resolving the issues.

We utilize the complete Microsoft Defender suite, which includes Defender for Endpoint as well as Defender 365. The integration is seamless; we only need to onboard Defender for Endpoint, and it functions exceptionally well.

The integrated solutions work natively together to provide coordinated detection and response across our environment. If Defender detects a malicious email, it will notify me of the detection, block the email, and apply the same actions to all the emails that match the same criteria.

I appreciate the comprehensiveness of the threat protection offered by Microsoft security products due to their functionality and ability to integrate, which other products may not offer.

Microsoft Defender for Cloud Apps has helped improve our visibility and response time.

It helps automate the discovery of high-value alerts. The solution can identify malicious threats and subsequently block the threats while disabling the compromised account automatically.

Microsoft Defender for Cloud Apps has helped us save time through the visibility it provides.

Microsoft Defender for Cloud Apps has significantly reduced our time to detect and respond by several hours through its integration with the rest of the Microsoft Defender suite, thereby reducing our troubleshooting time.

What is most valuable?

The most valuable feature is its policy implementation. Even public websites are directed to the Microsoft Net proxy, where we can establish policies to determine whether to block, authorize, or manage devices.

What needs improvement?

Currently, we are only able to utilize the policies for blocking threats. I would prefer to have filtering options incorporated within the policies, enabling the solution to perform tasks beyond mere blocking or allowing.

For how long have I used the solution?

I have been using Microsoft Defender for Cloud Apps for one year.

What do I think about the stability of the solution?

Microsoft Defender for Cloud Apps has been stable thus far.

What do I think about the scalability of the solution?

Microsoft Defender for Cloud Apps is scalable. We are not limited by Microsoft in terms of the number of users or devices.

How was the initial setup?

The initial setup is not straightforward due to the numerous meetings beforehand, and the Microsoft documentation can be overwhelming. However, once we familiarized ourselves with the interface, it started making more sense. 

The deployment process took over three months. Initially, we tested the solution to become familiar with it before deploying it to a small number of users. Once we were confident that everything was working correctly, we proceeded to deploy it to all users. Two system engineers were required for the deployment.

What about the implementation team?

The implementation was completed in-house.

What was our ROI?

We have seen a return on investment with Microsoft Defender for Cloud Apps.

What's my experience with pricing, setup cost, and licensing?

We utilize the Microsoft E5 licensing, which encompasses the entire Microsoft suite; however, it is costly. Furthermore, there are supplementary expenses associated with add-on modules.

What other advice do I have?

I rate Microsoft Defender for Cloud Apps an eight out of ten.

Microsoft Defender for Cloud Apps promptly generates an alert upon detecting a threat. However, I do not believe it has the capability to proactively defend against potential threats.

It is deployed in one environment with 50-plus users.

No maintenance is required from our end.

I recommend that anyone evaluating Microsoft Defender for Cloud Apps should read through all of the documentation first.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Microsoft Azure
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Waseem Alchaar - PeerSpot reviewer
Security architect at an energy/utilities company with 10,001+ employees
Real User
Dec 5, 2023
Stable product with efficient privilege identity management features
Pros and Cons
  • "The product helps us with privileged identity management to control who has access to what and for how long."
  • "There could be more granular roles that are out of the box included in the product."

What is our primary use case?

We use the product mainly to manage the accounts for Single-Sign-On purposes.

How has it helped my organization?

Microsoft Entra ID has improved privilege access management for our organization. We can manage who has access to which account.

What is most valuable?

The product helps us with privileged identity management to control who has access to what and for how long.

What needs improvement?

There could be more granular roles that are out of the box included in the product. I guess it would help people who aren't as savvy. Right now, I have to create many custom models for different use cases. It would be great if roles were more geared towards specific use cases to cover multiple aspects. In a case where a role is for a security admin, it could grant roles that are needed and not too many unnecessary roles. For example, it gives the security admin some access to the compliance portal, but the executive may not need that access. So it could be more granular.

For how long have I used the solution?

We have been using Microsoft Entra ID for three to four years.

What do I think about the stability of the solution?

The product's stability is pretty good. We never really encountered outages. They are very rare.

What do I think about the scalability of the solution?

We have approximately 1000 Microsoft Entra ID users in our organization. The product has great scalability. That's why we moved to the cloud. We need more roles. It will help us a lot as it grows. Microsoft is already adding more roles within the PIM environment, but the more they add, the more users will go to the cloud.

How are customer service and support?

Microsoft's support services are good. They responded quickly whenever I had questions and sent emails or reached out for anything.

How would you rate customer service and support?

Neutral

Which solution did I use previously and why did I switch?

We used Azure AD groups initially. Then, we continued grouping within the security groups and only had a designated cloud once we moved to PIM.

How was the initial setup?

The initial setup could have been done better in our organization. That was one of the reasons I was hired. I had to reset and architect the whole process. It was relatively straightforward.

The product is deployed on a hybrid cloud, including Azure, GCP, and AWS clouds. It is used across a few departments, mainly within their IT realm, marketing, and other departments. But for the most part, it's just those two groups currently using it.

What about the implementation team?

I implemented the product myself.

What's my experience with pricing, setup cost, and licensing?

The product's pricing seems fair.

What other advice do I have?

I rate Microsoft Entra ID an eight out of ten.

Set up your environment correctly first. Take your time to figure out how you want to use it, such as PIM and other use cases. Ensure you set it up properly and then create custom roles when needed. Don't overaccess people; that'd be the main advice. It keeps being upgraded by Microsoft. There are constantly new features getting added. If there's some feature you don't see now, it could be there later. We initially wanted a few features that were added later on. Thus, there's always room for growth.

The product provides a single pane of glass for managing user access for the most part. It helps manage the roles better in one area. It becomes easier to use that way. I don't know if we necessarily use verified IDs. But we typically use HRID just to enforce MFA and other processes.

Initially, the product saved a lot of time because we could create dynamic roles for people with the right access. However, as we move more to the cloud, creating more custom roles saves less time. It still has pros in terms of granular roles.

It easily saves two or three daily tasks per person or user we're onboarding. Let's say it's a good amount of time, especially with the dynamic groups. Each PIM role gets activated as well. I would say it saves 20 to 30 minutes per user account activation.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Sunil V Jainapur - PeerSpot reviewer
Associate Architect at a tech vendor with 10,001+ employees
MSP
Apr 13, 2023
Enables us to determine the root cause of critical incidents much faster
Pros and Cons
  • "Defender's integration with our identity solutions is critical in our current setup."
  • "Defender could integrate better with multi-cloud and hybrid environments. It requires some additional configuration to ingest data from non-Azure environments and integrate it with Sentinel."

What is our primary use case?

We primarily use Defender for Cloud Apps to authenticate users of our cloud applications. Defender validates the identity and allows the user to access the application. 

How has it helped my organization?

Defender helps us automate routine tasks. We can use templates to deploy various security solutions. It also consolidates our dashboards, so we can view everything from one console. 

Defender saves us time when responding to critical incidents. Typically, it takes about two or three days to find the root cause, but we can do this in four or five hours with Microsoft security solutions. Our detection time remains unchanged, but the response time is much faster. 

What is most valuable?

Defender's integration with our identity solutions is critical in our current setup. It also integrates with Microsoft Sentinel to provide threat visibility. However, there's a delay of about 10 to 15 minutes between when Sentinel detects an incident and when it appears in Defender. We're trying to fix that.

Defender allows us to prioritize threats across our enterprise, which is crucial. It's easy to integrate Defender with other Microsoft solutions. For example, we use Defender with Sentinel and set conditional access policies in Azure Active Directory. We're currently participating in Microsoft training to learn how to utilize these solutions better.

What needs improvement?

Defender could integrate better with multi-cloud and hybrid environments. It requires some additional configuration to ingest data from non-Azure environments and integrate it with Sentinel.

For how long have I used the solution?

We have used Defender for Cloud Apps for a year.

What do I think about the stability of the solution?

Defender is stable.

What do I think about the scalability of the solution?

Defender is scalable.

How are customer service and support?

I rate Microsoft support eight out of 10. 

How would you rate customer service and support?

Positive

How was the initial setup?

Defender is a cloud-based solution, but our deployment was complex because we have a massive environment. It took us about a month to fully deploy it, including testing and evaluation. I had a five-person team, including engineers, administrators, and management. There is no maintenance after deployment because it runs on Azure infrastructure.

What was our ROI?

We haven't saved money, but we save time because the integration with Microsoft products is seamless. 

What's my experience with pricing, setup cost, and licensing?

Defender is costly. Still, we get a lot of features, and it's easier to integrate with our other solutions, so it's worth what we pay for it.

What other advice do I have?

I rate Microsoft Defender for Cloud Apps nine out of 10. As a security architect, I would generally recommend a multi-vendor solution with a zero-trust model. However, if you are mostly using Microsoft products, it might make sense to use the Microsoft security suite because of the native integration.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Microsoft Azure
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor. The reviewer's company has a business relationship with this vendor other than being a customer: Partner