Adedapo Adeniji - PeerSpot reviewer
Modern Workplace Solution Architect at a tech consulting company with 11-50 employees
Real User
Built-in alerts help create robust policies, but delays in triggering alert emails are an issue
Pros and Cons
  • "I like the alert policies because they are quite robust. It has some built-in templates that we can easily pick up. One of them is the alert for mass downloads, when a particular user is running a massive download on your SharePoint site."
  • "It doesn't actually decrease the time to respond. This has been an issue with Microsoft recently. Sometimes, there is a delay when it comes to getting an alert policy email... Sometimes it takes two or three hours for that email to be sent."

What is our primary use case?

We use it for security and compliance. We use it for alert policies on activities happening on some of our on-premises and cloud applications. We also use it to restrict some users from downloading files from OneDrive or from some of the applications that we have. In addition, we integrate it with the Azure Active Directory Conditional Access policy.

How has it helped my organization?

It gives our clients a sense of confidence that in case there are activities on some of their applications, they will get an alert and the issue will be mitigated, based on the action that has been set. It gives them a sense of comfort that the product helps them secure some of their applications. It depends on the admin who is managing the product. If the admin is not knowledgeable, it might be an issue. But if the admin is knowledgeable, the organization can rest assured that it is covered when it comes to malicious activities on some of its applications.

What is most valuable?

I like the alert policies because they are quite robust. It has some built-in templates that we can easily pick up. One of them is the alert for mass downloads when a particular user is running a massive download on your SharePoint site. If a user is downloading multiple files in an unusual manner you get an alert.

Another built-in alert is what we call an "impossible traveler alert." If a user logs on from a US IP address at 10:00 AM and, less than 30 minutes later, the same user shows as being logged on from an IP address in the United Kingdom, there is no way you can travel from the US to the UK in 30 minutes. That alert will be triggered.

You can also input an action to be triggered for an alert. You block the user or just alert the admin or manager of that user.

It also comes with in-depth visibility, whereby it creates a pattern. If a user has been flagged multiple times, you can see that pattern. It shows you the IP addresses from which that user has been signing in recently. And it provides you with the kind of suspicious pattern that this particular user has been using over time. So it has very robust visibility.

It also gives you a graphic interface, which is something that I enjoy. If an alert is a very high risk, you see it in red, while if it's medium, you see it in yellow. A low risk doesn't come with any color. It gives me an appreciable pattern of user activities. It covers one month in case you want to deep dive to see the login pattern for your user.

Also, we currently use Defender for Identity, Defender for Endpoint, and Defender for Microsoft 365. All of them have been integrated into our plans. It was quite easy to integrate them. It's just the click of a button to activate it and then a matter of configuring your alert policies. Defender for Cloud Apps works together with Defender for Endpoint as well as with Azure Active Directory. With the latter, you can use the Conditional Access policy to integrate them so that they work together seamlessly.

The fact that these solutions work natively together gives us the advantage of having multiple security solutions doing different things. It's very important for them to work seamlessly together.

What needs improvement?

One challenge is integrating the cloud apps with third-party and on-premises systems. We have had some scenarios where some third-party systems were not compatible with them. Apart from that, it's quite easy to integrate.

Microsoft has also been able to bring all the security features to a particular portal, so you don't have to look around. But I've heard about some negative effects as a result, as the portal is now cumbersome. You have a whole lot of products there and it makes the whole portal jumbled. It's not bad for me because I just have to go to that particular portal and check whatever I have to check.

It doesn't actually decrease the time to respond. This has been an issue with Microsoft recently. Sometimes, there is a delay when it comes to getting an alert policy email. I can't stay on the portal all day looking through alerts that have been triggered. So we create a flow whereby, if an alert is triggered, an email should be sent. Sometimes it takes two or three hours for that email to be sent. The response time, sometimes, can be very slow.

Buyer's Guide
Microsoft Defender for Cloud Apps
January 2025
Learn what your peers think about Microsoft Defender for Cloud Apps. Get advice and tips from experienced pros sharing their opinions. Updated: January 2025.
832,138 professionals have used our research since 2012.

For how long have I used the solution?

I have been using Microsoft Defender for Cloud Apps for three to four years.

What do I think about the stability of the solution?

Performance-wise, the stability is good, but I wouldn't say very good because of the email alert delay issue I mentioned. But when you configure action and particular parameters, the option is carried out, more or less like an automaton.

What do I think about the scalability of the solution?

It's scalable. Once you have acquired the license, you can easily deploy it and add more users to the policies you have configured.

We run a hybrid environment. We have four sites on the domain controller. It is deployed both for users on the cloud and on-premises in different locations. We have some located in the US and some in Europe. So we have the product across multiple locations.

Some of the policies we have configured cover 500 users and one of them covers over 500 users.

I've seen an improvement, over time, in the comprehensiveness of the protection our Microsoft products provide. They are improving on the products year over year. I remember quite well when Defender for Cloud Apps started, there were limited third-party applications that you could integrate with it. But now, there are multiple options for third-party applications that you can integrate with. There are also features that have been added to it. Microsoft is working to improve on it.

Which solution did I use previously and why did I switch?

We did not have a previous solution.

What was our ROI?

Since it is embedded with some of the Microsoft 365 licenses, it is like an add-on, and you can create robust configurations with it. You're getting an additional value for the license you have. To me, that is a return on investment.

What's my experience with pricing, setup cost, and licensing?

The pricing is fair. One good thing about Defender for Cloud Apps is that it comes with some of the Microsoft licenses: Microsoft 365 E3 and E5. It also comes with EMS, the Enterprise Mobility & Security.

What other advice do I have?

My advice would be to do an assessment of whether you actually need this particular product. Some people confuse Defender for Cloud Apps with Defender for Microsoft 365, but they are two different products. You also need to confirm if it supports the applications you want to protect because there are some applications that have yet to be integrated with it. Apart from that, it's a good product for any security admin to use.

When it comes to helping prioritize threats, it depends on the angle you're looking at the results from. It can help 50 percent. When you look at the pattern of alerts over time, it can help you prioritize. But if you're looking at it in general, it is not going to give you that visibility into prioritizing.

Defender for Cloud Apps has a little bit of automation for routine tasks, but it doesn't really give an admin automated processes. And when it comes to taking proactive steps, it's more Defender for Endpoint that helps there. Defender for Cloud Apps doesn't help you to prevent an impending attack.

If you are looking to protect your environment, you need to spend more money. I wouldn't say that this solution helps to save money. But by protecting your financial documents from fraud or from an angry worker that is about to leave, it helps in saving money, but not in terms of cutting costs.

The maintenance is not significant because you don't need to update anything. All you have to do is go to your portal and check for and investigate any alerts. Maintenance is handled by Microsoft.

And in the "best of breed versus a single vendor" debate, you should just have a single vendor. In this case you know, "Okay, it's Microsoft," and it's best to just stick with what you know. It depends on what works for you though. For somebody who is comfortable using third-party products with Microsoft, maybe that will work for them. But for me, what is comfortable is using Microsoft products.

Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
PeerSpot user
Consultant at Dell Technologies
Real User
Top 5 Leaderboard
Effective data protection with excellent compliance and risk management
Pros and Cons
  • "The most effective features for data protection are data loss prevention (DLP) and data classification."
  • "The product is very good so far; however, it would be better if it could include more up-to-date threat protection."

What is our primary use case?

We use Microsoft Defender for Cloud Apps for endpoint management.

How has it helped my organization?

It is good for compliance and is effective from the standpoint of risk management.

What is most valuable?

The most effective features for data protection are data loss prevention (DLP) and data classification.

What needs improvement?

The product is very good so far; however, it would be better if it could include more up-to-date threat protection.

For how long have I used the solution?

I have used it for almost two to three years.

What do I think about the stability of the solution?

The solution is stable, and I would rate it a nine out of ten.

What do I think about the scalability of the solution?

The solution is scalable, but I would rate it between six and seven out of ten.

How are customer service and support?

Microsoft technical support is very good, and I would rate it nine out of ten.

How would you rate customer service and support?

Positive

How was the initial setup?

The setup process usually takes five to six hours. However, from installation to configuration, it took a lot of time in our case.

What about the implementation team?

The maintenance is done by a different team, and we support that maintenance.

What was our ROI?

There is financial benefit from using the product; however, I don't have the numbers currently.

What's my experience with pricing, setup cost, and licensing?

Honestly, it is expensive. I would rate the price as eight out of ten.

What other advice do I have?

It is always better to contact the technical team for any feedback because they are the engineering team.

I'd rate the solution nine out of ten.

Which deployment model are you using for this solution?

Hybrid Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Other
Disclosure: My company has a business relationship with this vendor other than being a customer:
Paarth Saarthi - PeerSpot reviewer
Security Delivery Analyst at a tech services company with 10,001+ employees
Real User
User activity and file-level information help us get ahead on breach investigations
Pros and Cons
  • "In Microsoft Defender for Cloud Apps, there is an option to enable files. Once you enable that, it will give you all the files in your organization and where they are located in the cloud... That feature is very useful for investigation purposes."
  • "Sometimes, we'll get false positive alarms. For example, when a SharePoint path has no file sharing, but there is an external user, it will trigger an alarm that the file has been shared with an external user... the alerting mechanism should be more precise when giving you an alert about what activity has been done with the file..."

What is our primary use case?

We have several use cases including file monitoring, unusual travel activities, user investigation, and activity. It pretty much covers every activity based on the cloud.

How has it helped my organization?

It helps prioritize insider threats. You can take the necessary actions once you get the logs. And when it comes to malware, if a file is uploaded that potentially has malware, the solution is also very useful. It gives you an alarm on the basis of the hash value of that file.

It is very useful for investigating file exfiltration threats. When it comes to data that is stored in the cloud, you really need to know what is stored there—the contents. You can create many protocols or rules in the tool to know the contents and who the owner is of a file. If we are investigating a threat or alert, it has a really good scope. You get really good details from it.

Overall, the solution has saved us time. For malware, it has an automated investigation feature integrated with Microsoft Defender for Endpoint. If there is suspicious behavior or a malicious file in your computer, it will give you a complete timeline showing how it behaved, how it was executed, and how the file has interacted with the other entities on your machine. You don't need to hunt for the logs. You can just look at the storyline of execution and that saves a lot of time.

It provides real-time detection, most of the time, for malware and other threats. Sometimes, the automated investigation takes some time, although not too long. It provides a smooth flow of investigation, giving you precise data. It saves time compared to manual investigation and the precision is good. On average, it will save one or two hours compared to a manual investigation, depending on the experience and proficiency of the analyst who would do the manual investigation.

What is most valuable?

In Microsoft Defender for Cloud Apps, there is an option to enable files. Once you enable that, it will give you all the files in your organization and where they are located in the cloud. If you are investigating a data breach and you want to get ahead of the investigation, the first thing you can do is a filename search: Where was it located? What was the file movement? What activity happened with the file? You get all the logs. That feature is very useful for investigation purposes.

It also shows user activity. If we are investigating a user for possible data breaches, we can enter the user's name and see the activities that the user has done. Based on that, you can take the necessary action. It gives you all the logs for that particular user. That feature is also very interesting and useful.

I use more than one Microsoft security product, including Defender for Endpoint as well as the Microsoft compliance portal, which is called Microsoft Purview now. It is integrated with Microsoft Data Loss Prevention. I also use Microsoft Defender for Identity. It is used to see if there is any suspicious traffic coming through your domain controller. In total, I use four Microsoft tools and all of these products are integrated. Internal integration of Microsoft products is quite simple. You just need to create one instance and that's it.

They are like the same product. Whatever information you'll get from one tool is the same information you are going to get from another tool. There will be no inconsistency in the data. They are getting logs from one place, not from different sources, so they are coordinated. If they did not work together, there would be a lot of confusion. If one tool sent an alert and another sent an alert for the same file, that would be a complete ruckus. It has to be well coordinated.

These solutions are quite comprehensive. Most of the time, they provide alerts in a very detailed manner and it is very easy to investigate. While there is some scope for improvement, it is a very good tool for investigating the security threats we are getting. It's quite comprehensive and really good.

What needs improvement?

The visibility it provides is quite good. You get all the logs for investigation purposes. But there should be more clarity on what is happening with a file. Sometimes, we'll get false positive alarms. For example, when a SharePoint path has no file sharing, but there is an external user, it will trigger an alarm that the file has been shared with an external user. It happens because an external user has access to it but, in reality, he doesn't access it. But you need to check whether anyone has accessed the file and that takes some time. While giving the alert, if it could be more precise in terms of what happened with that file—why it is giving the alert—it would be more convenient for the investigation and save a lot of time.

The alerting mechanism should be more precise when giving you an alert about what activity has been done with the file, whether it was shared or whether it was in a path where an external user had access to it.

Also, Microsoft should provide more automation features. At this time, they are limited.

For how long have I used the solution?

We have been using Microsoft Defender for Cloud Apps for about one and a half years.

What do I think about the stability of the solution?

There is no downtime. The tool is always available.

What do I think about the scalability of the solution?

It's scalable. You need to purchase more licenses if you want to deploy more.

How are customer service and support?

Microsoft technical support depends on the individual who responds. Some Microsoft SMEs have the knowledge and some don't, to be very frank. They'll just go according to a template but they don't have really good investigation skills.

Microsoft could offer much more proficiency in terms of support. They need more individuals with the ability to resolve issues. At the moment, I would rate it as average.

How would you rate customer service and support?

Neutral

Which solution did I use previously and why did I switch?

I did not work with a previous solution for cloud apps. For antivirus, I worked with McAfee.

How was the initial setup?

I didn't deploy it, but in my experience, it takes time to learn how the features work because most things are not covered in the Knowledge Base that Microsoft has provided. They don't mention what these things are and how they work in the background. It takes an appreciable amount of time to understand how these tools work.

Microsoft Defender for Cloud Apps is only deployed through the cloud. You need to integrate your Azure AD with Cloud Apps. Once you have done that, you don't require a separate deployment model.

In terms of Microsoft Defender for Endpoint, you need to onboard it to your devices through a script. To do that, you can use Intune, SCCM, or many other tools. Intune is native to Microsoft, but SCCM is a third-party tool. You can even deploy it manually.

There is some maintenance involved. The onboarding package can have communication issues and sometimes the antivirus services stop due to malfunction. There are many things that require maintenance. The number of people needed to handle the maintenance depends on the volume of devices you are maintaining.

What's my experience with pricing, setup cost, and licensing?

The E5 license offers everything bundled. People are moving to Microsoft because you buy one license and it gives you everything. That's the reason many companies are attracted to these tools. That is much more beneficial than buying all the suites separately. It's quite economical.

What other advice do I have?

If you are keen on keeping your enterprise safe from external users, so that your files are confidential and external users don't have access to them, you can create a rule in Microsoft Defender for Cloud Apps. If it detects an external user has been added to that file or is collaborating on it, an automated governance action can remove that access in near real-time. We are not using the automation feature at the moment because it can create unwanted results. The scope of the exclusion is very limited in the policy.

In terms of a single dashboard, you need a SIEM tool like Microsoft Sentinel to integrate everything into a single dashboard. But at the moment, without that suite, we need to look at our four tools separately.

Potential threats are mainly detected in terms of hash values, malicious IP addresses, and malicious domain names. If you are looking to protect your environment, you can enter these details into Microsoft Defender for Endpoint. Microsoft Defender for Endpoint enables you to add indicators of compromise and it will protect against those entities.

Regarding going with a best-of-breed strategy rather than a single vendor security suite, both have pros and cons. It's not a black-and-white area. If you are going with one vendor, it will collect the logs in a single way. Everyone who looks at them will say, "This is the issue." It won't give you a different point of view. But if you are using another security product, it will have another methodology to collect and integrate the logs and present the information to you. One security tool can miss something that another security tool will catch. Having more than one will give you diversity in terms of alerts and analysis. But on the negative side, when you have more than one solution, you need to purchase separate licenses and spend some more money.

It depends on the budget of your organization for the security team. If you have a big budget, of course, you can diversify. You will benefit more from having different tools as they will, obviously, decrease the chances of getting hit by malware. But it will cost you more. If you have a limited budget, then you should go with a single tool. If you take the financial considerations out of the discussion, Microsoft pretty much covers everything and you should go for a single solution.

Overall, Microsoft Defender for Cloud Apps is very convenient for investigation, in terms of security breaches, or if there is file exfiltration. It's a handy tool.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
reviewer2315619 - PeerSpot reviewer
CTO at a tech services company with 201-500 employees
Real User
Top 20
Maintains a security baseline and helps to know what is going on in the environment
Pros and Cons
  • "It does a great job of monitoring and maintaining a security baseline. For us, that is a key element. The notifications are pretty good."
  • "I would like more customization of notifications. Currently, you either get everything or you get limited information. I would like to have something in between where we can customize the data that is included in notifications."

What is our primary use case?

We have multiple virtual machines that we utilize in the cloud space with different applications on them. We utilize Microsoft Defender for Cloud Apps to monitor those individual application VMs as well as, along with Sentinel, our entire Azure ecostructure.

How has it helped my organization?

Microsoft Defender for Cloud Apps helps me, on the executive team, to have awareness and knowledge of what is going on in the environment. If a new administrator is created or one is trying to change their authentication types when they log in, or if new software gets put in there that should not have been there, we will get notifications on that.

Microsoft Defender for Cloud Apps helps automate routine tasks and the finding of high-value alerts. We depend a lot on automation. Some of the things I saw with the XDR window at this Microsoft Event are beautiful. I would like to see that. It ties in Defender, Sentinel, and all that into one pane of glass, which has been a problem at times. We see that as moving in the right direction.

It has helped us meet compliance requirements and has saved us costs. What we have now is an acceptable value.

Cloud Apps helps with detection, but I do not have metrics for how much time it has reduced.

What is most valuable?

It does a great job of monitoring and maintaining a security baseline. For us, that is a key element. The notifications are pretty good. These are the things that are very useful.

What needs improvement?

I would like more customization of notifications. Currently, you either get everything or you get limited information. I would like to have something in between where we can customize the data that is included in notifications. That is one thing. 

The comment field also needs improvement. If you want to generate a workflow within the organization for a notification that occurs, the comment field is not visible to the next person who logs in. They should make that a little more visible. They should make the history more available to the next person I assigned a task to.

For how long have I used the solution?

I have been using Microsoft Defender for Cloud Apps for just over a year and a half.

What do I think about the stability of the solution?

It is very stable. I would rate it a ten out of ten for stability.

What do I think about the scalability of the solution?

It is scalable. I would rate it a ten out of ten for scalability.

It is deployed across multiple locations and teams.

How are customer service and support?

When we get a hold of the right people, it is great, but we are still trying to get a hold of the right people.

Which solution did I use previously and why did I switch?

We were using another solution. It was not Azure. We switched in large part because that was a region-based company, and they ran into some issues, so we were left for a little while without a cloud environment. When I was comparing this with AWS, as an example, I picked Azure because of the general acceptance of the product in our market and in our space. I felt pretty comfortable going into it knowing that it would be there in five years or ten years as we grow.

How was the initial setup?

I was involved in its deployment from an executive managerial position. It was complex. 

There were a lot of elements that were not obvious even to the point where the documentation was not keeping up with the production. So, we would hit a learning page, and the learning page would be about a prior product than the one we were looking at. It was not relevant to what was in production. My biggest recommendation for Microsoft would be that the learning pages need to be kept up-to-date and relevant to what is current in production.

What about the implementation team?

We started with an integrator. We had challenges with that integrator, so we brought it in-house and finished it ourselves.

What was our ROI?

We have seen an ROI. We are a cloud service provider, so it is necessary.

What's my experience with pricing, setup cost, and licensing?

Where we are right now, this is an acceptable pricing. I would like to see more transparency given to the end user. The end user given to us is via the cloud service provider. 

There are different programs and license models. Some include this, and some include that. It is all over the place. There can be a little more consistency or simplification in the pricing so that your parts list is not ten pages long, and you are not trying to determine, "If I have an E3, does this cover that?", or "Do I need to pay separately for the license?" Simplification would probably be better. 

What other advice do I have?

To those evaluating the solution, I would advise knowing the goals they want to get to before they start. It can grow very quickly if you just build, but if you have a concept of where you want to end up and you stay within those constraints, then it is a great way to get there.

In terms of Microsoft Defender for Cloud Apps helping us to prioritize threats across the enterprise, we prioritize a little differently. I do not know if the solution helps with the prioritization of that, but prioritization is always important.

We get our threat intelligence from multiple sources. Microsoft Defender for Cloud Apps is one input on that, so it is hard to say whether its threat intelligence has helped prepare us for potential threats before they hit and take proactive steps.

I would rate Microsoft Defender for Cloud Apps a nine out of ten.

Which deployment model are you using for this solution?

Private Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Microsoft Azure
Disclosure: My company has a business relationship with this vendor other than being a customer: Parent company is a partner, they are a cloud service platform
reviewer1662060 - PeerSpot reviewer
Senior Cloud & Security Consultant at a tech services company with 11-50 employees
MSP
Great for monitoring user activity and protecting data while integrating well with other applications
Pros and Cons
  • "The solution does not affect a user's workflow."
  • "The integration with macOS operating systems needs to be better."

What is our primary use case?

If there's any data that is taken out from their corporate applications, on their managed devices, and being taken out and stored somewhere else, on an application that is not managed, they don't have visibility on that.

Therefore, with Cloud App Security, the main use case is to identify information about applications that are way beyond their boundaries and to understand what people are accessing them as well as if those applications are safe or not. It's a Shadow IT discovery solution.

Apart from that, it's a solution used to protect corporate data from being taken out of those applications and being shared externally with people who are not meant to have those documents or data. It's a solution designed to prevent exfiltration and data filtration of corporate data from those applications to unknown people that may happen without proper visibility.

Basically, it's used for two purposes: providing control of the data that is in cloud applications, and shadow IT discovery. That's the major purpose of Cloud App Security.

What is most valuable?

This solution acts as an identity and posture management assessment solution also. When you have your on-prem AD integrated with Defender for Identity, it can understand your identity posture.

It can understand things like your Active Directory spread or the current state of your Active Directory on certain recommended practices. For example, if users in your organization are not using secure log-in methods. If their LDAP authentication is not secure, you'll get that information. That's identity and posture management. For your on-prem AD, if you have the solution deployed, which is Defender for Identity, it'll give you an understanding of your identity state, of your on-prem AD state, and give you recommendations accordingly, on what needs to be changed and managed, to make sure that you're secure.

Apart from that, it also integrates with third-party solutions and services. For example, in an organization with multiple cloud applications. Typically, you don't have visibility over user activities or logs. You don't have control over the data. If a user logs in from one location and then the user logs into that application from another location, you don't have the visibility as you don't have ML and AI capabilities inbuilt. With this solution, once it integrates with those applications, it has inbuilt default functionality of ML and automation. It is able to understand the user's behavior and identify inconsistencies in user accounts, for those applications, and can give you suggestions or raise alerts. 

The solution does not affect a user's workflow. It is not a user-specific solution. Users would not see the change in their usual behavior and their usual activities as such. The user does not really know what's happening in the background. The Cloud App Security is a solution for your whole organization, to make sure that you're monitoring the right activities - for example, those activities that are really uncommon - or specific activities that you want to monitor. The company has the ability to create Cloud App Security policies for sets of users, however, the users themselves do not see or feel the impact. 

An IT administrator manages the solution and it gives them a lot of information. They can see a lot of detail around how other users interact with data and applications across the company, and if anything unusual happens. 

What needs improvement?

The integration with macOS operating systems needs to be better. The Cloud App Security integrates with Windows Defender for Endpoint, which is able to monitor the traffic from Windows 10 operating systems. When it integrates with Defender for Endpoints, the macOS capability does not let you directly see the shadow IT discovery. You have to be in your network, to be able to see if any activity from a macOS operating system is happening. If you're working from home without a VPN connection nowadays, which is the usual case for a remote workplace, you can't really monitor or track the activities in the shadow IT that users are using offsite on macOS operating systems.

The Cloud App Security integration with external DLP solutions is not so seamless. There are solutions that you can integrate with Cloud App Security as an external DLP solution, however, it's not so seamless that you can have the integration with the endpoint. It's there, yet, it's not so seamless and integrable.

For how long have I used the solution?

I've been using the solution for the past five years.

What do I think about the stability of the solution?

It's been stable for the past little while. The improvement has been immense, however, overall, it's a stable solution. It has not changed so much. Of course, the implementation of feature sets and improvements have happened, although they're almost similar. I would say it's a stable solution in general.

What do I think about the scalability of the solution?

An average organization would almost utilize 100 to over 150 applications. They wouldn't really have an understanding of what activities are happening across those corporate applications. You can integrate N number of applications. There are approximately 16,000 plus applications that you can monitor and integrate with Cloud App Security. Then, based on those applications, you can understand the users' behavior.

The benefit you get is that you are able to monitor all your applications and control the data that goes out of those applications. You can also control any sort of activity, which you feel should not be happening on that application. The user can be prevented from doing certain activities. Cloud App Security helps you do that across as many apps as you want.

In terms of users, the default Cloud App Security is just a license-based solution. As long as you have users in your organization, you just buy licenses from Microsoft and assign those licenses to your user accounts. It's very scalable.

There are a few parts to it. For example, shadow IT discovery, which is an added feature that allows you to be able to implement additional users in your organization. The Cloud App Security will also require additional infrastructure. Let's say if the data set that Cloud App Security is absorbing at a particular time span, if it increases, then you probably have to implement additional on-prem resources or cloud resources for it to be able to track all of the network data.

Depending on the data set that you're ingesting in Cloud App Security, you might have to increase your workload on-prem. Other than that, Cloud App Security itself is a very scalable solution.

When it comes to the size of organizations I've worked with, I should note I am personally a Microsoft consultant only. I work on Microsoft projects and with Microsoft's clients only. I've worked with organizations with 15,000 users and an organization that has approximately 6,000 users. I've worked with organizations that have 500 users. The size of the company varies.

How are customer service and support?

Microsoft has different support tiers. If it's Pro support I would rate it at a seven or seven-and-a-half at a maximum. There are Premier support services and there are Professional supports, another type of support service. Premier support service is very good. I would rate that at an eight-and-a-half or nine. 

Pro support is if you buy a basic license for an organization. It's not so great and yet still good. For Pro support, you usually do not get routed to Microsoft people. Those are generally people who are third-party support service providers.

The problem is, specifically in India, it's also specific to locations, as sometimes if you're working in a different location, you get different support. As I mentioned, it's third-party support usually that you get with Cloud App Security or any Microsoft solution Pro support.

The level of knowledge you get is totally dependent on how the organization and how the third-party service provider is. Usually, there are time delays. Sometimes their initial response will happen, and then they will take time in responding back and/or aligning a resource. Sometimes that resource is not technically advanced or technically skilled and can't fully understand the problems at hand. In that case, they require escalating most of those cases to the technical consultants. If it's a typical question, a typical scenario, I would say it's good. Cloud App Security is a beast of a product, so the major issue is with the Pro support.

If it would have been directly with Microsoft, this help has been really good, however, it's a third-party service provider who's helping you out, and they just don't have the insights an actual Microsoft user has. 

Which solution did I use previously and why did I switch?

I don't have any experience working with a third party or a competitor of Cloud App Security, however, I know there is one called McAfee, which is supposed to be equally good.

McAfee offers a cloud app security service that is very, very good and close to what Microsoft offers. That is what I understand from customers and the discussions I've had surrounding it, though I have not really worked on McAfee. What I understand from customers is, Cloud App Security, the integration, the capabilities that it has to offer, are much more advanced. For example, Microsoft's identity posture assessment. There is no solution in Europe, anywhere, which offers such a capability. It's an integrated solution with Defender for Identity, however, it's a service that Cloud App Security at least offers, which otherwise would not be available.

Similarly, integration with the number of applications, as I mentioned, is great with Microsoft. The capability for you to monitor and route your traffic for all of these different applications, and to be able to analyze the traffic from those corporate applications is important.

The reverse proxy capability that Microsoft Cloud App Security offers is really good. It lets you track anything in real-time, and monitor all those things, which is not possible using other solutions.

How was the initial setup?

The initial onboarding of Cloud App Security with Office 365 is pretty straightforward. For an organization that does not use Office 365 as its primary SaaS application, you will still have to follow a few steps, however, those are also straightforward steps.

In general, I would say, Cloud App Security implementation, within the initial adoption of an application, is very seamless. 

The time it takes to deploy depends on the use cases. If you're talking about a simple activation of Cloud App Security, and enabling and monitoring the activities of certain basic applications, it shouldn't take more than a few hours for integration. If there are more complex situations, more complex scenarios, depending on what the scenarios are, then there may be a little bit more effort and time required. Other than that, if the default integration with applications is already there, it should not take more than a few hours to have it up and running.

What's my experience with pricing, setup cost, and licensing?

I've worked with almost eight to 10 customers using Cloud App Security. This is Microsoft Cloud App Security. Cloud App Security has two offerings. One is Office 365 Cloud App Security, which is a basic cloud app security. Then there is Advanced Cloud App Security which is called Microsoft Cloud App Security.

The Office 365 one, the one which you get with E5 licenses, it'll give you basic Office 365 monitoring and snapshot reports, but not a whole lot of capabilities.

That said, I don't have any information about the actual costs of the licenses themselves.

What other advice do I have?

I deploy this solution. I don't utilize this solution as a solution for my organization, and instead, deploy this solution for clients. I'm a consultant for this product. My company is a Microsoft partner. 

This is a SaaS application.

I would advise new users to first try to identify the applications which are corporate-owned applications, be it if it's an on-prem application or if it's a cloud application. Once you identify all those applications which you're using in your organizations as a whole, you should try to integrate all those applications with Cloud App Security. 

Once you've started integrating and planning ahead what applications are needed to be monitored first, start integrating those applications and monitoring them. Slowly, integration after integration, all the monitoring will start happening.

Once the integration for those applications has happened, you should go ahead and start implementing what kind of policies you want. If you want activity monitoring policies, then you should start creating those activity monitoring policies. Let's say you want to apply DLP policies for third-party applications. You will need to reach out to those different teams who'll be able to give you better answers as to how to approach the data that is being shared or being uploaded from those applications to any other applications.

Based on that, create those policies in Cloud App Security. The correct and the right approach is to use the network appliances that you have in your organization. Once you have identified that information, you can go ahead and start implementing the Cloud App Security and start integrating those network appliances and those applications with Cloud App Security.

Overall, I would rate the solution at an eight out of ten.

Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
PeerSpot user
reviewer2315772 - PeerSpot reviewer
Architect at a tech services company with 11-50 employees
Real User
Provides good stability and a valuable SQL database
Pros and Cons
  • "The product’s most valuable feature is SQL database."
  • "Microsoft Defender for Cloud Apps’s technical support services need improvement."

How has it helped my organization?

I am not sure if the product has improved our organization yet. However, it certainly gives another level of confidence that the assets are secure. We are aware of the activity in the tenant.

What is most valuable?

The product’s most valuable feature is SQL database. It notifies us even in case of false positives when people log in after a long time and when we're out of compliance with the security baseline.

What needs improvement?

Microsoft Defender for Cloud Apps’s technical support services need improvement.

For how long have I used the solution?

We have been using Microsoft Defender for Cloud Apps for three years.


What do I think about the stability of the solution?

The product has good stability.

What do I think about the scalability of the solution?

The product has good scalability.

How are customer service and support?

The technical support services need improvement. They take a while to get responses. Their first-level engineers are generally not skilled. It takes time to get an engineer who can help us. Usually, whenever we come up with a problem, it is something that we can’t figure out on our own. We have to go through the process of submitting a ticket, waiting for a callback, and then finally getting help.

How would you rate customer service and support?

Neutral

Which solution did I use previously and why did I switch?

I have used other products while working at other places. They all are more expensive than Microsoft Defender for Cloud Apps.

How was the initial setup?

The initial setup process was simple. We had to merge the landing zone and part of a template. Later, we started the portal and selected resources we wanted to protect along with the level of protection. The implementation strategy is to just start using it.

What about the implementation team?

We did the product implementation ourselves.

What was our ROI?

I haven't tracked an ROI for the product. It was set by default while setting up Azure Tenant. It has been successful in monitoring activities and keeping the network safe. It is less expensive than buying a separate license. It provides ease and convenience of use. We just turn the product on by default.

What's my experience with pricing, setup cost, and licensing?

The product has helped save a medium amount of money. It has pretty good pricing.

What other advice do I have?

I don’t know if the product provides a single pane for managing immune access. We connect it with the Active Directory and other similar tools. It helps save a low amount of time.

I advise others to try using Microsoft Defender for Cloud Apps. I rate it an eight out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Sujeet Bhardwaj - PeerSpot reviewer
Principal Security Engineer at a tech services company with 5,001-10,000 employees
Real User
Good usability with helpful policies and a straightforward initial setup
Pros and Cons
  • "The general usability of the solution is very straightforward."
  • "I want them to enhance in-session policy."

What is our primary use case?

I used to deploy it in the customer's environment and set the requirements. It's used for blocking downloads, for example, and is a security feature for data centers.

How has it helped my organization?

The solution is helping a lot. We get a lot of very detailed reporting on security that really shows what users are doing, including what they've opened, what else they're sharing, downloading, viewing, et cetera, as well as when they are logging in. It's a very detailed activity and reporting of my units.

What is most valuable?

The file policy and activity policy are very useful aspects of the solution.

I can get information, for example, data location, IP address, et cetera. I use it for getting information about what's happening in my environment with certain files. I can see, for example, which user is sharing files externally, and if they're downloading or might be downloading, the documents on their personal device, a corporate device, or if they are sharing any folders with the outside world.

The initial setup is straightforward.

The general usability of the solution is very straightforward.

What needs improvement?

We've had an issue where an in-session policy was not working. I want them to enhance the in-session policy. It's something I came across while adding the application into MCAS as I wanted to apply some MCAS policies on those applications.

For how long have I used the solution?

I've been using the solution for about five years now. 

What do I think about the stability of the solution?

The solution is 99.99% stable.

What do I think about the scalability of the solution?

The solution is extremely scalable. 

How are customer service and support?

I've handled technical support for my customers. 

Which solution did I use previously and why did I switch?

I've only really worked with this solution. 

How was the initial setup?

The initial setup is straightforward. I already have experience putting the solution into place and therefore I'm pretty adept at setting it up. The implementation simply requires understanding how the customer wants to use it and what they want to monitor. 

It's an ongoing deployment and I've been deploying the solution for almost six years now. 

I basically use authority to integrate all users and exchanges together. We have basically a Microsoft-oriented system.

When I deployed it, I applied it to around 4,000 users. I indirectly did it myself and it took around one month for me to integrate everything and to meet those policies to ensure they were in line and working as to my expectations and that I was getting the expected results that I wanted.

You only need one person to handle the deployment. Maybe two people.

What about the implementation team?

We do not need the assistance of an integrator or consultant. 

What's my experience with pricing, setup cost, and licensing?

I'm not acquainted with the licensing and pricing of the solution. 

Which other solutions did I evaluate?

I did not evaluate other options previously. 

What other advice do I have?

I don't have a business relationship with Microsoft. I deploy the solution and I am managing MCAS for customers.

If a person has an Office-specific environment and they are looking for a solution, this is a good option. It's a good native application. Even if they were in a different cloud, I'd advise migration to a Microsoft environment. 

I'd rate the solution an eight out of ten.

Which deployment model are you using for this solution?

Hybrid Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
PeerSpot user
Senior Solutions Engineer at a tech vendor with 1,001-5,000 employees
Real User
Stable and meets business requirements but provides too many false positives
Pros and Cons
  • "If your business requirements are relatively simple, it can get the job done."
  • "There are challenges with detection and there are challenges with false-positive rates."

What is our primary use case?

The solution is primarily used for cloud visibility and getting a better understanding of what the data footprint is, including what kinds of files are exposed, and getting our heads around compliance. It's a component that adds DLP. Presently, there are two separate DLP policies between Microsoft's traditional DLP and the MCA DLP. 

What is most valuable?

The solution is bundled with E3 and E5 licenses. That's the reason it's most commonly deployed. It's part of the bundle. It's not a separate cost.

If your business requirements are relatively simple, it can get the job done. 

What needs improvement?

If you have more elaborate needs or if you have some more sophisticated use cases, for example, if you need an in-line component, or if you need to distinguish between sanctioned and unsanctioned applications, this solution doesn't cut it. You need to have some other solution.

Microsoft seems to want to mitigate that visible gap by deploying Microsoft DTP Defender for the in-line component. If you consume Microsoft, the more pieces you have, the better it is, although that's not necessarily true, technically speaking. They have limited deployment options. You have limited use cases for an endpoint with the firewalls port for IP tunnels for real-time traffic interception. You have to rule the endpoint. It's a less flexible deployment than the more mature players.

There are challenges with detection and there are challenges with false-positive rates.

They're improving it all the time. I haven't looked at it for six months or so, however, the last time I looked at it, they had to be configured in two different spots.

For how long have I used the solution?

I've been dealing with the solution for a while, on and off. 

A lot of customers that we work with have the solution installed today and we see them running it by themselves as well.

What do I think about the stability of the solution?

The solution is stable. I haven't bumped into any stability issues.

What do I think about the scalability of the solution?

I haven't tested the scalability. I don't have any opinion on the scalability. It seems to me that it fits the customer's needs from a scalability perspective.

How are customer service and support?

I don't work with technical support directly.

How was the initial setup?

The solution is super easy to configure. All it requires is an admin for the various apps. Once it's authorized it can start the scans. Mainly, you need to be mindful of policies and what you're looking for. Tuning policies and making sure that your policies are set properly is important. It's very easy to do, especially the out-of-box stuff. 

What's my experience with pricing, setup cost, and licensing?

You can buy it alone, however, it's not worth it. Nobody buys it alone as it's not that good as a standalone product. It's better as a part of the E3 and E5 suites. We don't sell it.

What other advice do I have?

We're a Microsoft partner.

I'd rate the solution at a seven out of ten.

Mainly you want to just be clear on what your use cases are, and what you're trying to accomplish, as everything's use case driven. If you know what you need to accomplish from a security strategy standpoint, it's better. For example, it might be helpful for compliance or having an understanding of where sensitive data is. It might be part of a broader initiative around classification and data protection. Having those use cases written out first and going from there is better. Then, I suggest taking a measured approach as you go in. Implement it right. Test for or validate that the policies that you have in place are working as expected. However, you have to build out requirements for the policies. 

Which deployment model are you using for this solution?

Public Cloud
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
PeerSpot user
Buyer's Guide
Download our free Microsoft Defender for Cloud Apps Report and get advice and tips from experienced pros sharing their opinions.
Updated: January 2025