Microsoft Defender for Cloud Apps
  • 14 Mar 2025
  • 3 Minutes to read
  • Dark
    Light

Microsoft Defender for Cloud Apps

  • Dark
    Light

Article summary

Microsoft Defender for Cloud Apps is a solution that helps you secure your cloud applications across Microsoft 365 and other SaaS providers. Defender for Cloud Apps was previously known as Microsoft Cloud App Security.

For more information refer to the Microsoft product page.

Integration Method: API

Tables: Account Change (3001), Authentication (3002), Detection Finding (2004), Entity Management (3004), File System Activity (1001)

This integration supports the following events.

Event

Description

Entities

Get a list of users & accounts for your organization.

Activities

Get a list of activities regarding access and password changes.

Alerts

Get a list of alerts that requires immediate attention.

This integration supports the following versions.

Microsoft Defender for Cloud Apps API Version

v1

Note:

Microsoft Defender for Cloud Apps is a continuously updated cloud service. As for this document preparation, the latest release was in February 2025.

Prerequisites

  • The user should have access to the Azure portal with an account that has the Global Administrator privilege.

  • The user should have access to the DataBee console.

Configuration Overview

  1. Create an application with required permissions to fetch the data.

    1. Create an Application.

    2. Add Endpoint Access.

    3. Create the Client Secret.

  2. Add the Microsoft Defender for Cloud Apps data feed in the DataBee console with the below parameters.

    DataBee Parameters

    Azure Parameters

    API Base URL <tenant_id><tenant_region>

    API URL

    Client Key

    Application (client) ID

    Client Secret

    Client Secret Value

    Token URL <application_id>

    Directory (tenant) ID

Azure Configuration

Create an Application

  1. Log on to Azure portal with an account that has the Global Administrator privileges.  

  2. In the search bar, search for App Registrations and select it.
     

  3. On the “App registrations page”, select New registration, theRegister an application” window will appear.
     

  4. On the “Register an application” window:

    1. Under ‘Name’ enter your Application Name then click on Register to create the application.
       

  5. On the app Overview page, copy the Application (client) ID and Directory (tenant) ID for later use.  
     

Add Endpoint Access  

Once the application is created, permissions should be provided to get data. This section details how to configure and add permission to the required endpoints.   

Add Permissions

  1. Select the application registered in the previous step.

  2. Under Manage, click API Permissions and then click Add a Permission, the “Request API permissions” window will appear. 

  3. Click on APIs my organization uses and then search for Microsoft Cloud App Security.
     

  4. Select Microsoft Cloud App Security and then click on Application permissions
     

  5. The following permission needs to be granted, which is common for below events.

    Event

    Type

    Permission

    Entities

    Application

    Investigation.read

    Activities

    Application

    Investigation.read

    Alerts

    Application

    Investigation.read

  6. In the Select permissions search bar, enter the Investigation.read permission as shown below, and check the box to include them and click on Add permissions button.

  7. On the “API permissions” page, click on the Grant Admin Consent for <tenant>, and then click on Yes button on the consent confirmation.
     

  8. The required permissions are now added for the endpoints.

Create the Client Secret

The final step to accessing the APIs is creating a Client Secret. To create it from the Azure Portal:

  1. Select the application created in the previous step.

  2. Under Manage, click Certificates and secrets, and then click on Client secrets.
     

  3. Click New client secret. “Add a client secret” window appears.
     

  4. In “Add a client secret” window:

    1. Enter a ‘Description’ for this client secret and select the desired expiry period from the ‘Expires’ drop-list.

    2. Then click on Add to create the client secret.

      Note:

      The user needs to re-create the client secret when it expires.

  5. Copy the ‘Value’ fields for later use.


Get API URL

  1. Open Microsoft Defender Portal and navigate to “Settingsand select Cloud Apps.
     

  2. Go to System > About and copy the ‘API URL’ value for later use.
     

DataBee Configuration

  1. Login to the DataBee UI, navigate to Data > Data Feeds and click the Add New Data Feed button.
     

  2. Search for Microsoft Defender for Cloud Apps and click it as shown below.

  3. Click on the API Ingest option for collection method.
     

  4. Enter feed contact information and click Next.
     

  5. In the configuration page, enter the following:

    • API Base URL: this is the base URL that DataBee will interact with.
      Replace <tenant_id> and <tenant_region> values, based on copied API URL format https://<tenant_id>.<tenant_region>.portal.cloudappsecurity.com

    • Authorization Method: OAuth2

    • Client Key: paste the Client ID generated earlier in the Azure portal.

    • Client Secret: paste the Client Secret value generated earlier in the Azure portal.

    • Token URL: replace <application_id> with your Directory (Tenant) ID.

    • Event Types: preselected for all the Event Types the integration pulls.
       

  6. Click Submit.

Troubleshooting Tips

  • If you are facing an invalid client or unauthorized client error this might be possibly due to incorrect credentials. Ensure the client key, client secret and Tenant ID are pasted correctly. Since you cannot view the client secret after the 1st time, re-create it, paste it on a text editor to ensure no spaces or unexpected characters are included and reconfigure the DataBee feed.

  • If you are facing a response code – 403 error, this might be possibly due to missing permission. Ensure that all the required permissions are granted correctly as per the above-mentioned steps.


Was this article helpful?

Changing your password will log you out immediately. Use the new password to log back in.
First name must have atleast 2 characters. Numbers and special characters are not allowed.
Last name must have atleast 1 characters. Numbers and special characters are not allowed.
Enter a valid email
Enter a valid password
Your profile has been successfully updated.
ESC

Eddy AI, facilitating knowledge discovery through conversational intelligence