
Connect apps to get visibility and control with Microsoft Defender for Cloud Apps

App connectors use the APIs of app providers to enable greater visibility and control by Microsoft Defender for Cloud Apps over the apps you connect to.

Microsoft Defender for Cloud Apps uses the APIs provided by the cloud provider. All communication between Defender for Cloud Apps and connected apps is encrypted using HTTPS. Each service has its own framework and API limitations, such as throttling, API call limits, dynamic time-shifting API windows, and others. Microsoft Defender for Cloud Apps works with the services to optimize the usage of the APIs and to provide the best performance. Taking into account the different limitations that services impose on their APIs, the Defender for Cloud Apps engines use the allowed capacity. Some operations, such as scanning all files in the tenant, require a large number of API calls, so they're spread over a longer period. Expect some policies to run for several hours or several days.

Important

Starting September 1, 2024, Microsoft deprecated the Files page from Microsoft Defender for Cloud Apps. For more information, see File policies in Microsoft Defender for Cloud Apps.

Multi-instance support

Defender for Cloud Apps supports multiple instances of the same connected app. For example, if you have more than one instance of Salesforce (one for sales, one for marketing) you can connect both to Defender for Cloud Apps. You can manage the different instances from the same console to create granular policies and deeper investigation. This support applies only to API connected apps, not to Cloud Discovered apps, or Proxy connected apps.

Note

Multi-instance isn't supported for Microsoft 365 and Azure.

How it works

The app connector is granted system administrator privileges in the connected app, which gives Defender for Cloud Apps full access to all objects in your environment.

The App Connector flow is as follows:

  1. Defender for Cloud Apps scans and saves authentication permissions.
  2. Defender for Cloud Apps requests the user list. The first time it makes the request, it might take some time until the scan completes. After the user scan finishes, Defender for Cloud Apps moves on to activities and files. As soon as the scan starts, some activities are available in Defender for Cloud Apps.
  3. After completion of the user request, Defender for Cloud Apps periodically scans users, groups, activities, and files. All activities are available after the first full scan.

This connection might take some time depending on the size of the tenant, the number of users, and the size and number of files that need to be scanned.

Depending on the app to which you're connecting, API connection enables the following items:

  • Account information - Visibility into users, accounts, profile information, status (suspended, active, disabled), groups, and privileges.
  • Audit trail - Visibility into user activities, admin activities, and sign-in activities.
  • Account governance - Ability to suspend users, revoke passwords, and more.
  • App permissions - Visibility into issued tokens and their permissions.
  • App permission governance - Ability to remove tokens.
  • Data scan - Scanning of unstructured data using two processes: a periodic scan (every 12 hours) and a near-real-time scan (triggered each time a change is detected).
  • Data governance - Ability to quarantine files, including files in trash, and overwrite files.

The following tables list, per cloud app, which abilities are supported with App connectors:

Note

Since not all app connectors support all abilities, some cells might be empty.

Users and activities

App List accounts List groups List privileges Log on activity User activity Administrative activity
Asana
Atlassian
AWS Not applicable
Azure
Box
Citrix ShareFile
DocuSign Supported with DocuSign Monitor Supported with DocuSign Monitor Supported with DocuSign Monitor Supported with DocuSign Monitor
Dropbox
Egnyte
GitHub
GCP Subject Google Workspace connection Subject Google Workspace connection Subject Google Workspace connection Subject Google Workspace connection
Google Workspace ✔ - requires Google Business or Enterprise
Microsoft 365
Miro
Mural
NetDocuments
Okta Not supported by provider
OneLogin
ServiceNow Partial Partial
Salesforce Supported with Salesforce Shield Supported with Salesforce Shield Supported with Salesforce Shield Supported with Salesforce Shield Supported with Salesforce Shield Supported with Salesforce Shield
Slack
Smartsheet
Webex Not supported by provider
Workday Not supported by provider Not supported by provider Not supported by provider
Workplace by Meta
Zendesk
Zoom

User, app governance, and security configuration visibility

App User governance View app permissions Revoke app permissions SaaS Security Posture Management (SSPM)
Asana
Atlassian
AWS Not applicable Not applicable
Azure Not supported by provider
Box Not supported by provider
Citrix ShareFile
DocuSign
Dropbox
Egnyte
GitHub
GCP Subject Google Workspace connection Not applicable Not applicable
Google Workspace
Microsoft 365
Miro
Mural
NetDocuments Preview
Okta Not applicable Not applicable
OneLogin
ServiceNow
Salesforce
Slack
Smartsheet
Webex Not applicable Not applicable
Workday Not supported by provider Not applicable Not applicable
Workplace by Meta Preview
Zendesk
Zoom Preview

Information protection

App DLP - Periodic backlog scan DLP - Near real-time scan Sharing control File governance Apply sensitivity labels from Microsoft Purview Information Protection
Asana
Atlassian
AWS ✔ - S3 Bucket discovery only Not applicable
Azure
Box
Citrix ShareFile
DocuSign
Dropbox
Egnyte
GitHub
GCP Not applicable Not applicable Not applicable Not applicable Not applicable
Google Workspace ✔ - requires Google Business Enterprise
Miro
Mural
NetDocuments
Okta Not applicable Not applicable Not applicable Not applicable Not applicable
OneLogin
ServiceNow Not applicable
Salesforce
Slack
Smartsheet
Webex Not applicable
Workday Not supported by provider Not supported by provider Not supported by provider Not supported by provider Not applicable
Workplace by Meta
Zendesk Preview
Zoom

Prerequisites

  • When working with the Microsoft 365 connector, you'll need a license for each service where you want to view security recommendations. For example, to view recommendations for Microsoft Forms, you'll need a license that supports Forms.

  • For some apps, you might need to add IP addresses to an allowlist to enable Defender for Cloud Apps to collect logs and provide access for the Defender for Cloud Apps console. For more information, see Network requirements.

Note

To get updates when URLs and IP addresses change, subscribe to the RSS as explained in: Microsoft 365 URLs and IP address ranges.

Enable app connectors

To enable an app connector for the first time, configure an API connection for the specific cloud app you want to connect. See the individual connector guides for each app for detailed instructions.

  1. Sign in to the Microsoft Defender portal.
  2. Go to Cloud Apps > Connected apps.
  3. Select Connect an app or Add a new connector.
  4. Choose the cloud app you want to connect.
  5. Follow the instructions in the corresponding app-specific API connector guide. These instructions include the required permissions and authentication steps.

Each cloud app has its own enablement process based on the APIs it supports.

ExpressRoute

Defender for Cloud Apps is deployed in Azure and fully integrated with ExpressRoute. All interactions with Defender for Cloud Apps and all traffic sent to it, including upload of discovery logs, are routed via ExpressRoute for improved latency, performance, and security. For more information about Microsoft Peering, see ExpressRoute circuits and routing domains.

Disable app connectors

Note

  • Before disabling an app connector, make sure you have the connection details available as you'll need them if you want to re-enable the connector.
  • These steps can't be used to disable conditional access app control apps and security configuration apps.

To disable connected apps:

  1. Go to Connected apps.
  2. Select Disable App connector.
  3. Select Disable App connector instance to confirm the action.

Once disabled, the connector instance stops consuming data from the connected app.

Re-enable app connectors

To re-enable connected apps:

  1. Go to Connected apps.
  2. Select Edit settings. This action starts the process to add a connector.
  3. Add the connector using the steps in the relevant API connector guide. For example, if you're re-enabling GitHub, use the steps in Connect GitHub Enterprise Cloud to Microsoft Defender for Cloud Apps.

Troubleshoot missing activities after you connect an app

If expected activities don't show after you connect an app, use the following checks to determine where the data should be available and whether additional configuration is required.

1. Confirm the connector is healthy

Verify that the app connector is connected successfully and that there are no configuration warnings or permission issues.

2. Check ingestion delay expectations

Some connectors have expected latency before activities appear. Validate whether the connector has a documented ingestion delay before treating missing activity as an issue.

3. Confirm that the connector supports activity ingestion

Check whether the connector supports activity collection under the Users and activities section.

4. Review connector-specific activity options

For connectors that support selectable activity types, confirm that the required options are enabled. For example, if you're investigating sign-in activity, verify that the connector is configured to collect the relevant sign-in data.

5. Verify scoped deployment settings

If scoped deployment is enabled, confirm that the account performing the activity is included in the current scoped deployment rules. Activities generated by excluded users, groups, or apps aren't ingested. Also verify whether account identifiers are being matched correctly across connected applications, especially when different identifier formats are used.

6. Validate the expected logging surface

Depending on the activity type, check whether the event appears in the appropriate source:

  • Defender for Cloud Apps policy administration changes - Microsoft Defender for Cloud Apps Activity log
  • Microsoft Entra sign-in events - Microsoft Entra sign-in logs
  • Identity-related investigation data - Advanced Hunting identity tables

7. Apply filters before concluding that data is missing

Use filters such as:

  • Time range
  • User or administrator
  • Activity type
  • App or workload

8. Check for known scope limitations

Some activities might not be fully represented in every logging surface. If an event is missing from one source, confirm whether that activity is documented as available in another source.

Important

Missing activity doesn't always indicate connector failure. First confirm whether the activity is expected in Defender for Cloud Apps, Microsoft Entra logs, Microsoft 365 audit logs, or Advanced Hunting.

Investigate further

Investigate further when:

  • The connector shows a healthy state but no expected data appears in any supported logging surface.
  • Required activity options are turned on, but the event is still absent after a reasonable validation period.
  • The same activity type is consistently unavailable across multiple checks.
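The checks in steps 2, 6, 7 and 8, and the "Investigate further" criteria above, can be expressed as Advanced Hunting queries. The following queries are an added example and aren't part of the original article or of Defender for Cloud Apps itself; they use the CloudAppEvents and IdentityLogonEvents tables of the Advanced Hunting schema. The lookback window, the expected ingestion delay, the app name "Salesforce" and the user "alice@contoso.com" are placeholders to replace with values for your tenant and connector.

```kusto
// Added example (not from the original article). Placeholders to adjust:
// the lookback window, the connector's documented ingestion delay, and the
// app and user names used in queries 2 and 3. Run each numbered query on
// its own in Advanced Hunting, keeping the two let statements with it.
let lookback = 7d;
let expected_delay = 24h;   // placeholder: the connector's documented ingestion delay

// 1. Steps 2 and 8: for every connected app instance, when did the last
//    activity arrive? AppInstanceId separates multiple instances of the same
//    app. A gap larger than the documented delay is the "investigate further"
//    condition; a small gap means the connector is ingesting, so a missing
//    event is more likely a scope, filter, or logging-surface issue.
CloudAppEvents
| where Timestamp > ago(lookback)
| summarize LastSeen = max(Timestamp),
            Events = count(),
            AdminEvents = countif(IsAdminOperation == true),
            DistinctActionTypes = dcount(ActionType)
    by Application, AppInstanceId
| extend GapSinceLastEvent = now() - LastSeen
| extend Status = iff(GapSinceLastEvent > expected_delay, "Investigate", "OK")
| order by GapSinceLastEvent desc

// 2. Step 7: apply the time range, app, and user filters before concluding
//    that data is missing, then list which action types were actually
//    recorded for that user in that app.
CloudAppEvents
| where Timestamp > ago(lookback)
| where Application == "Salesforce"                 // placeholder app name
| where AccountDisplayName =~ "alice@contoso.com"   // placeholder user
| summarize Events = count(),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp)
    by ActionType, IsAdminOperation
| order by Events desc

// 3. Step 6: identity-related investigation data, including sign-ins, is
//    surfaced in the Advanced Hunting identity tables, so check there as well
//    before treating a sign-in event as missing from Defender for Cloud Apps.
IdentityLogonEvents
| where Timestamp > ago(lookback)
| where AccountUpn =~ "alice@contoso.com"           // placeholder user
| summarize Logons = count(),
            Failures = countif(ActionType == "LogonFailed")
    by Application, LogonType, bin(Timestamp, 1d)
| order by Timestamp desc
```

Query 1 is the one to run first: if an app instance shows a recent LastSeen, the connector is healthy and ingesting, and the remaining checks (scoped deployment rules, activity options, the right logging surface) are where the missing event is most likely to be explained.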

Next steps