Security architect at an energy/utilities company with 10,001+ employees
Real User
Top 10
2023-11-28T13:11:00Z
Nov 28, 2023
There could be more granular roles that are included out of the box in the product. I guess it would help people who aren't as savvy. Right now, I have to create many custom models for different use cases. It would be great if roles were more geared towards specific use cases to cover multiple aspects. In a case where a role is for a security admin, it could grant roles that are needed and not too many unnecessary roles. For example, it gives the security admin some access to the compliance portal, but the executive may not need that access. So it could be more granular.
CTO at a tech services company with 201-500 employees
Real User
Top 20
2023-11-28T10:51:00Z
Nov 28, 2023
I would like more customization of notifications. Currently, you either get everything or you get limited information. I would like to have something in between where we can customize the data that is included in notifications. That is one thing. The comment field also needs improvement. If you want to generate a workflow within the organization for a notification that occurs, the comment field is not visible to the next person who logs in. They should make that a little more visible. They should make the history more available to the next person I assigned a task to.
Software Security Specialist at a tech vendor with 51-200 employees
Real User
Top 20
2023-05-17T11:40:00Z
May 17, 2023
Defender for Cloud Apps is primarily useful for Azure apps. It has limited capabilities for applications based on other cloud platforms. Microsoft security products are excellent in the detection phase, but they should have more features for the response component. I would like to see a mobile app for managing Defender for Cloud Apps. We currently use the cloud dashboard, but it would be nice if Microsoft offered more solutions for managing the product.
Learn what your peers think about Microsoft Defender for Cloud Apps. Get advice and tips from experienced pros sharing their opinions. Updated: November 2024.
Manager Information Security at a venture capital & private equity firm with 11-50 employees
Real User
Top 20
2023-05-04T10:04:00Z
May 4, 2023
Currently, we are only able to utilize the policies for blocking threats. I would prefer to have filtering options incorporated within the policies, enabling the solution to perform tasks beyond mere blocking or allowing.
Security Principal at Trifecta Cloud Security Solutions
Real User
Top 5
2023-04-07T18:36:00Z
Apr 7, 2023
Defender for Cloud Apps could come with more configured policies out of the box. Also, integration could be easier. Integration is moderately difficult because Microsoft hasn't developed a solution that unifies device onboarding and management. You have to use Intune to manage devices and Defender for Endpoint to enforce policies. They need to fix their integration, but I believe they will straighten it out by the end of the year.
Defender could integrate better with multi-cloud and hybrid environments. It requires some additional configuration to ingest data from non-Azure environments and integrate it with Sentinel.
We sometimes get errors when we create policies, which is somewhat annoying because some policies stop working due to misconfigurations. We find this challenging because it limits our options for troubleshooting an issue. A user policy might be disabled due to some minor issue, but it affects the policy for the entire group of users. It takes some time to troubleshoot it, find the issue, and correct it.
The visibility it provides is quite good. You get all the logs for investigation purposes. But there should be more clarity on what is happening with a file. Sometimes, we'll get false positive alarms. For example, when a SharePoint path has no file sharing, but there is an external user, it will trigger an alarm that the file has been shared with an external user. It happens because an external user has access to it but, in reality, he doesn't access it. But you need to check whether anyone has accessed the file and that takes some time. While giving the alert, if it could be more precise in terms of what happened with that file—why it is giving the alert—it would be more convenient for the investigation and save a lot of time. The alerting mechanism should be more precise when giving you an alert about what activity has been done with the file, whether it was shared or whether it was in a path where an external user had access to it. Also, Microsoft should provide more automation features. At this time, they are limited.
They need to improve the attack surface reduction (ASR) rules. In the latest version, you can implement ASR rules, which are quite useful, but you have to enable those because if they're not enabled, they flag false positives. In the Defender portal, it logs a block for WMI processes and PowerShell. Apparently, it's because ASR rules are not configured. So, you generally have to enable them to exclude, for example, WMI queries or PowerShell because they have a habit of blocking your security scanners. It's a bit weird that they have to be enabled to be configured, and it's not the other way around. Normally, you'd expect when something is not configured, it doesn't enable itself, but for the purpose of this, apparently, Microsoft has told us to enable them. So, you've got to enable them because they keep flagging and blocking products even when they're not configured. It was just an oversight in the design department when they deployed an update to the feature, but I'll live with it. I'd like to see them automate best-practice antivirus rules. If you search Microsoft best practice antivirus exclusions, there are virus scanning recommendations for antivirus computers running Windows or Windows Server. There is a whole list to exclude the most common things, which could be anything from NTFRS, check folders, temp.DB, or EDBs. There are a lot of things for group policy extensions, exclusion, etc. This is a list of best-practice antivirus rules, but they still have to be implemented manually. In Sophos, five or six years ago, if it was a SQL Server, they automatically included the rules to exclude certain folders or file extensions when doing on-demand scanning. I'd like Microsoft to do the same.
Modern Workplace Solution Architect at a tech consulting company with 11-50 employees
Real User
2022-09-04T20:24:00Z
Sep 4, 2022
One challenge is integrating the cloud apps with third-party and on-premises systems. We have had some scenarios where some third-party systems were not compatible with them. Apart from that, it's quite easy to integrate. Microsoft has also been able to bring all the security features to a particular portal, so you don't have to look around. But I've heard about some negative effects as a result, as the portal is now cumbersome. You have a whole lot of products there and it makes the whole portal jumbled. It's not bad for me because I just have to go to that particular portal and check whatever I have to check. It doesn't actually decrease the time to respond. This has been an issue with Microsoft recently. Sometimes, there is a delay when it comes to getting an alert policy email. I can't stay on the portal all day looking through alerts that have been triggered. So we create a flow whereby, if an alert is triggered, an email should be sent. Sometimes it takes two or three hours for that email to be sent. The response time, sometimes, can be very slow.
The visibility is 85%. Sometimes, it takes too long to load your page because Microsoft is having issues. There are a certain number of hours in a day to solve and rectify issues. If you deploy this solution for a client, you need to be able to respond or rectify issues, because if the solution goes down, your clients won't be happy with you. We would like to get more information from the endpoint. I don't get enough detailed information right now on why something failed. There is not enough visibility. The cost could be improved when you need to pay for anything. For example, refreshing files takes time to load, though it may be my Internet. To improve the refresh time, Microsoft says that we need to pay for a Premium license, and I don't like paying for things that help make a solution better.
Head of IT & Database Management at an educational organization with 51-200 employees
Real User
2022-05-25T10:59:00Z
May 25, 2022
I would like to see them include more features in the older licenses. There are some features that are not available, such as preventing or analyzing cloud attacks. We have Defender P2 licenses and Microsoft proposed P3. If it included what was in the old package, such as the M365 license and Office, that would be very good.
Principal Security Engineer at a tech services company with 5,001-10,000 employees
Real User
2022-04-25T09:36:14Z
Apr 25, 2022
We've had an issue where an in-session policy was not working. I want them to enhance the in-session policy. It's something I came across while adding the application into MCAS as I wanted to apply some MCAS policies on those applications.
There are some features, such as user navigation content filtering, that are disabled by default, and it probably makes sense to enable them by default.
Senior Solutions Engineer at a tech vendor with 1,001-5,000 employees
Real User
2021-11-24T04:08:00Z
Nov 24, 2021
If you have more elaborate needs or if you have some more sophisticated use cases, for example, if you need an in-line component, or if you need to distinguish between sanctioned and unsanctioned applications, this solution doesn't cut it. You need to have some other solution. Microsoft seems to want to mitigate that visible gap by deploying Microsoft DTP Defender for the in-line component. If you consume Microsoft, the more pieces you have, the better it is, although that's not necessarily true, technically speaking. They have limited deployment options. You have limited use cases for an endpoint with the firewalls port for IP tunnels for real-time traffic interception. You have to rule the endpoint. It's a less flexible deployment than the more mature players. There are challenges with detection and there are challenges with false-positive rates. They're improving it all the time. I haven't looked at it for six months or so, however, the last time I looked at it, they had to be configured in two different spots.
Senior Cloud & Security Consultant at a tech services company with 11-50 employees
MSP
2021-08-31T14:25:00Z
Aug 31, 2021
The integration with macOS operating systems needs to be better. The Cloud App Security integrates with Windows Defender for Endpoint, which is able to monitor the traffic from Windows 10 operating systems. When it integrates with Defender for Endpoints, the macOS capability does not let you directly see the shadow IT discovery. You have to be in your network to be able to see if any activity from a macOS operating system is happening. If you're working from home without a VPN connection nowadays, which is the usual case for a remote workplace, you can't really monitor or track the activities in the shadow IT that users are using offsite on macOS operating systems. The Cloud App Security integration with external DLP solutions is not so seamless. There are solutions that you can integrate with Cloud App Security as an external DLP solution; however, it's not so seamless that you can have the integration with the endpoint. It's there, yet it's not so seamless and integrable.
The response time could be better. It will be helpful if the alerts are even more proactive and we can see more data. Currently, the data is a little bit weak. It is not complete. I can't just see it and completely know which user or which device it is. It takes some effort and time on my part to investigate and isolate a user. It would be great if it is more user-friendly or easy for people to understand. If it is an Office 365 product, I expect it to be in the admin center. That way I would know that this is a part of Office 365. It feels like there is a mismatch, or they are trying to separate the product or do something like that. They should have streamlined the product. It is not always accurate. Sometimes, there could be some hiccups, and you see false positives, but security is not always reliable, and you cannot depend on one tool to give you all accurate results. It gives me a report that I can see, and if needed, I can act proactively on something. If it is a false positive, it is fine. If it is not, we know that we have done something about it.
Cloud Security & Governance at a financial services firm with 10,001+ employees
Real User
Top 20
2021-06-15T01:09:00Z
Jun 15, 2021
It takes some time to scan and apply the policies when there is some sensitive information. After it applies the policies, it works, but there is a delay. This is something for which we are working with Microsoft. It cannot detect all the things that are required as per our bank's standards. We are working with Microsoft to see how they are going to help us resolve this, and based on NDA, which new features are coming in because we require a unified solution. We have other security solutions that are working on top of it, but we don't want to use multiple solutions and then end up with a human error. From a security perspective, the weakest link is human error. If certain features are monitored by MCAS, certain features are handled by Zscaler, and certain features are handled by Symantec DLP, it becomes difficult to synchronize from an operational standpoint. This is the situation we are in currently, but these issues come with new products or new cloud solutions. We have to slowly orchestrate and see how to unify the solutions. So, at present, it doesn't solve all the problems. There are many problems, but at least, we have other solutions that are currently providing some mitigation. It doesn't provide any way to scan Microsoft Teams when an external exchange of images is happening. You can always do the filtering on the documents during the chat, but if there is an image, then some kind of OCR capability is required to detect it. At present, there is no way MCAS can go and detect those kinds of images and alert us. They can maybe integrate it with an existing OCR-capable product. This is something that we are absolutely looking into. There should also be a feature to immediately increase the time to detect some PI information being exchanged via chat. Its reporting capabilities can be better. Currently, to generate reports, you need to have Power Automate in place. If such capabilities are built into the product, it would be easier because when we bring in Power Automate, we need to make sure that Power Automate also gets monitored from the DLP and governance standpoints. MCAS doesn't have many reporting capabilities, and it's really an operational nightmare to get all these things done at this point in time by using MCAS. These are some of the operational capabilities that our engineers require from this solution from the reporting perspective. Symantec and other solutions are more mature in this area. It could be because MCAS is still an upcoming product.
Enterprise System Engineer at New Zealand Trade and Enterprise
Real User
2021-05-30T06:18:00Z
May 30, 2021
They should continue integration with all other Microsoft security-related products. The integration with all the other products is still ongoing. However, the solution has already begun scaling to meet the needs of getting visibility through from other products as well.
Director Global Strategic Alliances at Larsen & Toubro Infotech Ltd.
Real User
2020-04-02T07:00:10Z
Apr 2, 2020
If this solution were more robust, then it would be much more useful. The interface needs to be more user-friendly. Cloud App Security should be more lightweight.
Information Technology Manager at an educational organization with 201-500 employees
Real User
2019-12-30T06:00:00Z
Dec 30, 2019
Generally, the pricing can always be improved along with the management system. We are using new Apple products increasingly in our company, such as iPads and Mac computers. The integration with Apple products would be good. They have started with some implementation using Microsoft Softbox from Apple products in there.
Microsoft Defender for Cloud Apps is a comprehensive security solution that provides protection for cloud-based applications and services. It offers real-time threat detection and response, as well as advanced analytics and reporting capabilities. With Defender for Cloud Apps, organizations can ensure the security of their cloud environments and safeguard against cyber threats. Whether you're running SaaS applications, IaaS workloads, or PaaS services, Microsoft Defender for Cloud Apps...
The product is very good so far, however, it would be better if it could include more up-to-date threat protection.
Microsoft has been high on implementing Copilot. If it is already integrated for using Copilot for security, that would be great.
The technical support team has room for improvement. Their response time is slow.
It's not the cheapest. I believe it can be more reasonably priced. Sometimes the support is actually lacking. But we are talking about Microsoft.
This service would be better if it had a separate license, only for this service, that could be used to track usage.
I would like for it to be available on Mac and for it to support all of the features of Microsoft financing products. It is really for Windows.