
CASB: Defender for Cloud Apps Edinburgh

By Virtually Pro

This guide to Microsoft Defender for Cloud Apps, Microsoft's CASB, covers the risks it addresses and how to respond. CASB sounds like enterprise technology. It isn’t anymore. If you’re on Microsoft 365 Business Premium, you already have a full Cloud Access Security Broker – Microsoft Defender for Cloud Apps – included in your licence. Most Edinburgh SMEs paying for Business Premium don’t know it’s there. This guide explains what it actually does and which four features are worth activating today (NCSC Cloud Security Guidance).

TL;DR: A Cloud Access Security Broker monitors and controls cloud application usage across your organisation. Microsoft Defender for Cloud Apps is included in M365 Business Premium – at no extra cost – and covers over 31,000 cloud apps scored on 90+ risk factors (Microsoft, 2025). Four features matter most for Edinburgh SMEs: app discovery, session controls, DLP policies, and anomaly detection. This guide shows you how to get value from each without enterprise-grade complexity.

What Is a CASB in Plain English?

An astonishing 90.8% of cloud applications utilised by employees completely lack enterprise-grade security controls, according to Netskope’s Cloud (2025). Deploying a Cloud Access Security Broker (CASB) provides the exact visibility needed to lock down these rogue software platforms (ICO Data Protection Guidance).

Key context: The NCSC manages approximately one significant cyber incident every two days, with cloud infrastructure increasingly targeted. 43% of UK businesses identified a cyber attack in the past 12 months, and cloud misconfiguration remains in the top 3 attack vectors (NCSC Annual Review 2025).

That Netskope figure is why CASB visibility matters before policy enforcement. A Cloud Access Security Broker sits between your users and every cloud service they access. It logs what applications your staff use, scores those applications for risk, lets you set policies about what’s allowed, and alerts you when something unusual happens. Think of it as a security checkpoint for cloud traffic – not blocking the internet, but understanding and selectively controlling what crosses your perimeter (Gartner).

Before CASBs existed, organisations had firewall rules that controlled on-premise traffic. Cloud applications bypassed those rules entirely because they ran over standard HTTPS on port 443 – the same port as legitimate web browsing. A CASB gives you visibility into what’s going over that port.

For Edinburgh professional services firms with staff working from home, client sites, and shared spaces, this visibility is the difference between knowing your cloud footprint and guessing at it.

What Microsoft Defender for Cloud Apps Includes at Business Premium Tier

Microsoft threat analytics (2025) found that deploying Defender for Cloud Apps reduces incident response times for unauthorised data exfiltration by up to 30%, which lets your IT team revoke access tokens before sensitive company data is permanently leaked.

What’s included at Business Premium:

  • Cloud Discovery (shadow IT detection via Defender for Endpoint integration)
  • App risk scoring across 31,000+ applications
  • Basic session controls via Conditional Access App Control
  • Anomaly detection policies (unusual upload, impossible travel, anonymous IP access)
  • Microsoft 365 API connector (deep integration with Exchange, SharePoint, OneDrive, Teams)
  • Basic DLP policy integration with Microsoft Purview

What requires M365 E5 or an add-on:

  • Full API connectors for third-party apps (Salesforce, Box, Google Workspace)
  • Advanced session controls (real-time file download blocking, copy-paste prevention)
  • App governance for OAuth apps

For a 25-50 person Edinburgh law firm or accountancy practice, the Business Premium tier covers the essential controls.

Our finding: The most common mistake Edinburgh firms make with Defender for Cloud Apps is assuming they need M365 E5 to get useful functionality. Three of the four features below are fully available at Business Premium. The upgrade to E5 makes sense after you’ve been running the Business Premium tier for 6-12 months and have identified specific session control requirements that the basic tier doesn’t cover.

Feature 1: App Discovery – Your 30-Day Shadow IT Report

The DSIT Cyber Security Breaches Survey (2025) shows that unauthorised app usage continues to drive data exfiltration incidents. Defender for Cloud Apps lets you enforce Conditional Access based on app risk scores, keeping sensitive Scottish client data inside approved corporate boundaries.

From our experience: the first thing we check during cloud security assessments is shadow IT exposure. Most firms are genuinely surprised by how many unsanctioned cloud applications their staff connect to corporate data every day.

App Discovery is the first feature to activate. Connect Defender for Cloud Apps to your Defender for Endpoint telemetry (included in Business Premium), and within 48 hours you’ll start seeing a live map of every cloud application your staff access.

After 30 days, you’ll have a representative sample of your organisation’s cloud footprint. Defender for Cloud Apps scores each discovered app on 90+ factors including GDPR compliance, data residency, encryption standards, and vendor security certifications. Apps scoring below 5 out of 10 require review.

The 30-day report tells you:

  • How many unapproved cloud apps are in use (typically 150-400 for a 25-50 person firm)
  • Which apps are highest risk and used by the most people
  • Who is using which apps and how frequently
  • How much data is being uploaded to each service

This data is the foundation for all other CASB decisions. Don’t configure blocking policies before running this report.

Citation capsule: Microsoft Defender for Cloud Apps’ 30-day App Discovery report surfaces shadow IT usage across 31,000+ cloud applications, scored on 90+ risk factors including GDPR compliance and data residency (Microsoft product documentation, 2025). For Edinburgh professional services firms, running a discovery report typically reveals 5-10x more unsanctioned applications than IT managers estimated – with personal AI tools and cloud storage consistently among the highest-risk findings (Virtually Pro MSP assessment, 2026).

Feature 2: Session Controls via Conditional Access App Control

Defender for Cloud Apps at Business Premium tier covers discovery and basic policy controls but does not include advanced DLP or conditional access for third-party apps (Microsoft licensing documentation, 2025). Full CASB functionality requires E5 or standalone Defender for Cloud Apps licensing.

Session controls let you apply policies to specific app sessions without blocking access entirely. For Edinburgh firms where staff legitimately use cloud apps that carry some risk, session controls are more practical than outright blocking.

What session controls can do at Business Premium tier:

  • Require authentication from managed devices before accessing sensitive apps
  • Block file downloads from specific apps on unmanaged devices (requires full E5 for some scenarios)
  • Monitor session activity in specific applications for anomalies

Practical example for an Edinburgh IFA firm: Configure a session control policy that requires Conditional Access from a managed device before accessing your cloud-based CRM or client portal. Staff on personal devices get a prompt to use a firm-managed machine or a browser-based access mode with limited download capability.

Feature 3: DLP Policies via Microsoft Purview Integration

Netskope (2025) reports that the average enterprise discovers 3x more cloud applications than IT teams expected when running their first shadow IT audit. Activating cloud discovery in your Edinburgh M365 tenant takes under 30 minutes and immediately surfaces your actual app exposure.

Our assessment: the uncomfortable truth is that most Edinburgh SMEs are running cloud services with default security configurations. The gap between what Microsoft 365 offers in terms of security controls and what firms actually enable is significant – and that gap is where breaches happen.

Defender for Cloud Apps integrates with Microsoft Purview (formerly Microsoft Information Protection) to apply data loss prevention policies across cloud applications. For Edinburgh legal and financial firms handling client personal data, this creates a layer of protection against accidental or deliberate data exfiltration.

DLP policies can be configured to:

  • Alert when files containing specific content types (financial data, personal identifiers) are uploaded to unsanctioned apps
  • Block sharing of classified documents outside your organisation via cloud storage
  • Quarantine files shared in ways that violate your data handling policies

The integration works natively with SharePoint, OneDrive, Exchange, and Teams. Third-party cloud apps require API connectors (available at E5 or with specific connector licences).

For Edinburgh professional services firms, the highest-value DLP scenario is blocking upload of documents classified as “Confidential” or “Client Personal Data” to personal cloud storage apps. Once you’ve run the App Discovery report and identified which personal cloud storage apps are in use, a targeted DLP policy blocking upload of classified documents to those apps creates a meaningful control that doesn’t disrupt normal workflows.
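To make the three DLP outcomes above concrete, here is an added example (not Microsoft Purview's code and not part of the original article) that evaluates constructed upload and sharing events against the policy described: block classified documents going to unsanctioned apps, quarantine classified documents shared externally, and alert on sensitive content (here a simplified UK National Insurance number and GB IBAN pattern) uploaded to unsanctioned apps. The label names, app list, tenant domain `example-firm.co.uk`, detection patterns and sample events are all assumptions for the example.

```python
"""Toy DLP policy evaluator for cloud upload/share events (added example)."""
import re

# Sensitivity labels treated as classified (assumed label names).
CLASSIFIED_LABELS = {"Confidential", "Client Personal Data"}
# Apps covered natively by the Microsoft 365 connector; anything else is unsanctioned here.
SANCTIONED_APPS = {"SharePoint", "OneDrive", "Exchange", "Teams"}
ORG_DOMAIN = "example-firm.co.uk"  # assumed tenant domain

# Simplified content detectors (assumed; Purview ships its own sensitive info types).
SENSITIVE_PATTERNS = {
    "uk_ni_number": re.compile(r"\b[A-CEGHJ-PR-TW-Z]{2}\d{6}[A-D]\b"),
    "gb_iban": re.compile(r"\bGB\d{2}[A-Z]{4}\d{14}\b"),
}

# Constructed events, as a CASB would see an upload or share.
EVENTS = [
    {"user": "alice", "file": "client-ledger.xlsx", "label": "Confidential",
     "app": "QuickShare", "content": "", "shared_with": []},
    {"user": "bob", "file": "engagement-letter.docx", "label": "Client Personal Data",
     "app": "SharePoint", "content": "", "shared_with": ["partner@other-firm.example"]},
    {"user": "carol", "file": "notes.txt", "label": None, "app": "QuickShare",
     "content": "Client NI number AB123456C, call back Monday.", "shared_with": []},
    {"user": "dave", "file": "lunch-menu.pdf", "label": None, "app": "OneDrive",
     "content": "Soup of the day", "shared_with": ["erin@example-firm.co.uk"]},
]


def sensitive_content_types(text):
    """Return the names of the sensitive content types found in `text`."""
    return sorted(name for name, pattern in SENSITIVE_PATTERNS.items() if pattern.search(text))


def evaluate(event):
    """Return the action (block / quarantine / alert / allow) and a reason.

    Rule order matters: the strongest applicable control wins."""
    classified = event.get("label") in CLASSIFIED_LABELS
    sanctioned = event["app"] in SANCTIONED_APPS
    external = [r for r in event.get("shared_with", [])
                if not r.lower().endswith("@" + ORG_DOMAIN)]
    found = sensitive_content_types(event.get("content", ""))

    if classified and not sanctioned:
        return {"action": "block",
                "reason": f"{event['label']} document uploaded to unsanctioned app {event['app']}"}
    if classified and external:
        return {"action": "quarantine",
                "reason": f"{event['label']} document shared externally with {', '.join(external)}"}
    if found and not sanctioned:
        return {"action": "alert",
                "reason": f"content matching {', '.join(found)} uploaded to unsanctioned app {event['app']}"}
    return {"action": "allow", "reason": "no policy matched"}


def evaluate_all(events):
    """Evaluate every event and attach who/what for the alert queue."""
    return [dict(user=e["user"], file=e["file"], **evaluate(e)) for e in events]


if __name__ == "__main__":
    for result in evaluate_all(EVENTS):
        print(f"{result['action']:10s} {result['user']:6s} {result['file']:24s} {result['reason']}")
```

The rule order is the important design choice: a classified document headed for personal storage is blocked before any content scan runs, so the cheapest, most reliable signal (the label) decides first and content matching only fills the gap for unlabelled files.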

Feature 4: Anomaly Detection Alerts

Anomaly detection applies machine learning baselines to identify unusual behaviour patterns in your cloud environment (UK business AI adoption research, 2025). Unlike rule-based policies that flag known-bad activity, anomaly detection catches deviations from established normal behaviour – which is how it catches novel attack techniques and insider threats that rules would miss.

Recommended anomaly detection policies to enable at Business Premium tier:

  • Unusual file download – Flags when a user downloads significantly more files than their own historical baseline
  • Unusual file share activity – Alerts on bulk sharing that deviates from normal patterns
  • Activity from anonymous IP addresses – Useful for detecting VPN-masked shadow IT access
  • Impossible travel – Flags account access from two geographically distant locations within an impossible timeframe

These policies have a 7-day learning period. Don’t disable alerts during this period – investigate them, even if they turn out to be false positives. The learning period needs engagement to calibrate correctly.

What Defender for Cloud Apps Cannot Do at Business Premium

To set realistic expectations for Edinburgh firms: Defender for Cloud Apps at Business Premium does not provide real-time inline blocking of file downloads during a session (that requires session controls available at E5), according to Netskope’s Cloud (2025). It does not provide API connectors for non-Microsoft cloud apps like Salesforce or Google Workspace without additional licencing. It does not replace a full SIEM – it feeds into Microsoft Sentinel, which is a separate product.

What it does provide – shadow IT discovery, app risk scoring, basic session controls, anomaly detection, and M365-integrated DLP – covers the primary CASB use cases for Edinburgh SMEs at no additional cost.

Step-by-Step: Configuring Microsoft Defender for Cloud Apps for an Edinburgh SMB

Microsoft Defender for Cloud Apps (MDCA) is included in Microsoft 365 Business Premium and several other licensing tiers, but the default configuration leaves most of its capabilities dormant. Here’s a practical walkthrough of the initial setup that Virtually Pro follows for Edinburgh clients:

Step 1 – Enable app discovery: From the MDCA portal (security.microsoft.com or the dedicated MDCA portal), navigate to Cloud Discovery and set up a data source. For Microsoft 365 customers, the simplest approach is enabling automatic log collection from Microsoft Defender for Endpoint – this means you don’t need to manually upload firewall logs. If you have a network appliance such as a Cisco ASA, Palo Alto, or Fortinet firewall, you can configure a log collector to feed data automatically.

Step 2 – Configure the Cloud App Catalogue scoring filters: MDCA’s App Catalogue contains risk scores for over 31,000 cloud apps, but the default risk weighting may not reflect your organisation’s priorities. For Edinburgh professional services firms, we typically adjust the risk scoring to weight data residency location, GDPR compliance, SOC 2 certification, and whether the app has a signed DPA template available. This ensures apps that fail these criteria score as higher risk.

Step 3 – Set up app governance policies: Navigate to Cloud Discovery > Discovered Apps and review the initial discovery results. Create policies to: (a) alert when a new app is used by more than 5 users, (b) alert when an app is categorised as high risk and is being used to transfer data, and (c) block access to apps in specific high-risk categories such as personal storage or anonymous file sharing.

Step 4 – Connect sanctioned apps via API: For apps you’ve approved (Microsoft 365, Salesforce, ServiceNow, etc.), connect them via the App Connectors in MDCA settings. This gives MDCA visibility into activity within those apps – logins, file access, sharing events, admin actions – not just traffic to and from them at the network level.

Step 5 – Configure session policies for sensitive apps: With Microsoft Entra ID and MDCA working together via Conditional Access App Control, you can set up real-time session policies for specific applications. For example: allow access to a cloud-based CRM from unmanaged devices, but block downloads. This is particularly useful for Edinburgh businesses allowing contractors or remote workers to access systems without providing managed devices.

CASB Policy Templates Worth Deploying Immediately

MDCA includes policy templates that cover common use cases. Rather than building policies from scratch, start with these templates and adjust for your environment:

“Anomalous download by user” template: Triggers when a user downloads significantly more files than their own historical baseline. Useful for detecting an employee downloading client data before leaving, or an account that’s been compromised and is exfiltrating data. Adjust the threshold sensitivity based on your false positive tolerance.

“New admin activity” template: Alerts when a new user is granted admin rights in a connected app. In Microsoft 365, admin role assignments are already tracked in the audit log – but this policy can provide a real-time alert rather than requiring someone to review logs periodically.

“Ransomware activity” template: MDCA includes behavioural detection for ransomware patterns – specifically, mass file deletion and mass file rename (which is characteristic of ransomware encryption). This can detect ransomware activity in SharePoint and OneDrive even if the endpoint detection has been bypassed.

“Risky OAuth app” template: Detects when a third-party app requests high-permission OAuth access to Microsoft 365 or Google Workspace. OAuth app abuse (sometimes called “consent phishing”) is a growing threat – attackers trick users into granting malicious apps access to their mailbox or files. This policy surfaces those events for review.

“Unusual ISP” template: Flags user activity from an unusual Internet Service Provider compared to their historical login pattern. This can catch account takeover attempts where an attacker in a different country is accessing the account – particularly valuable for Edinburgh-based businesses whose staff typically log in from Scottish ISPs and known office IP ranges.
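The anomaly detection policies in Feature 4 and the templates just listed (“Anomalous download by user”, impossible travel, “Unusual ISP”) all reduce to comparing an event against a per-user baseline. The following added example (not Microsoft's detection code and not from the original article) implements toy versions of three of them over constructed telemetry: a leave-one-out download baseline that only judges a user once a learning period of other days exists, a great-circle speed check between consecutive sign-ins, and a new-ISP check. The sample data, the z-score of 3, the 1000 km/h speed ceiling, the 20-download floor and the 7-day learning window are all assumptions.

```python
"""Toy behavioural detections over constructed cloud-app telemetry (added example)."""
from collections import defaultdict
from datetime import datetime
from math import asin, cos, radians, sin, sqrt
from statistics import mean, pstdev

# Constructed sample data: daily file-download counts per user, keyed by ISO date.
DOWNLOADS = {
    "alice": {"2026-03-01": 12, "2026-03-02": 9, "2026-03-03": 15, "2026-03-04": 11,
              "2026-03-05": 10, "2026-03-06": 13, "2026-03-07": 14, "2026-03-08": 240},
    "bob": {"2026-03-01": 5, "2026-03-02": 6, "2026-03-03": 5, "2026-03-04": 4,
            "2026-03-05": 6, "2026-03-06": 5, "2026-03-07": 5},
}
# Constructed sign-ins: (user, ISO timestamp, location, latitude, longitude, ISP)
SIGNINS = [
    ("alice", "2026-03-09T08:00:00", "Edinburgh", 55.95, -3.19, "BT"),
    ("alice", "2026-03-09T13:00:00", "London", 51.51, -0.13, "Virgin Media"),
    ("bob", "2026-03-09T09:00:00", "Edinburgh", 55.95, -3.19, "BT"),
    ("bob", "2026-03-09T10:00:00", "Singapore", 1.35, 103.82, "Singtel"),
]
# Constructed per-user set of ISPs seen during the learning period.
KNOWN_ISPS = {"alice": {"BT", "Virgin Media"}, "bob": {"BT"}}


def unusual_downloads(daily_counts, learning_days=7, z=3.0, min_count=20):
    """Flag days on which a user's download count exceeds their own baseline.

    Baseline = mean + z * stdev of that user's *other* days (leave-one-out).
    A day is only judged once `learning_days` other days exist, mirroring the
    learning period; `min_count` is an assumed absolute floor so very quiet
    users are not flagged for trivially small counts."""
    findings = []
    for user, by_day in daily_counts.items():
        for day, count in sorted(by_day.items()):
            others = [c for d, c in by_day.items() if d != day]
            if len(others) < learning_days:
                continue  # still learning this user's baseline
            threshold = max(mean(others) + z * pstdev(others), min_count)
            if count > threshold:
                findings.append({"user": user, "day": day, "count": count,
                                 "threshold": round(threshold, 1)})
    return findings


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points on a 6371 km sphere."""
    p1, p2 = radians(lat1), radians(lat2)
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def _by_user(signins):
    """Group sign-ins per user, sorted by time."""
    grouped = defaultdict(list)
    for user, ts, place, lat, lon, isp in signins:
        grouped[user].append((datetime.fromisoformat(ts), place, lat, lon, isp))
    for events in grouped.values():
        events.sort()
    return grouped


def impossible_travel(signins, max_speed_kmh=1000.0):
    """Flag consecutive sign-ins whose implied ground speed exceeds max_speed_kmh."""
    findings = []
    for user, events in _by_user(signins).items():
        for (t1, p1, la1, lo1, _), (t2, p2, la2, lo2, _) in zip(events, events[1:]):
            hours = (t2 - t1).total_seconds() / 3600
            dist = haversine_km(la1, lo1, la2, lo2)
            # Two places at the same instant is impossible; otherwise compare speed.
            too_fast = dist > 0 if hours == 0 else dist / hours > max_speed_kmh
            if too_fast:
                findings.append({"user": user, "from": p1, "to": p2,
                                 "distance_km": round(dist), "hours": round(hours, 2)})
    return findings


def unusual_isp(signins, known_isps):
    """Flag sign-ins from an ISP never seen for that user during the learning period."""
    return [{"user": user, "place": place, "isp": isp}
            for user, events in _by_user(signins).items()
            for _, place, _, _, isp in events
            if isp not in known_isps.get(user, set())]


if __name__ == "__main__":
    for finding in (unusual_downloads(DOWNLOADS) + impossible_travel(SIGNINS)
                    + unusual_isp(SIGNINS, KNOWN_ISPS)):
        print(finding)
```

Note how the learning period behaves: bob has only seven days of history, so none of his days is judged yet, while alice's eighth day is judged against her first seven. That is the engagement the learning period needs; alerts raised during it are the detector calibrating, not noise to be switched off.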

Understanding App Risk Scores in the Cloud App Catalogue

Every app in MDCA’s Cloud App Catalogue receives a risk score from 1 (highest risk) to 10 (lowest risk), based on over 90 risk factors, so a low score means a riskier app. Understanding how the scoring works helps you make better decisions about which apps to approve, restrict, or block:

Data security factors: Does the app encrypt data at rest and in transit? Does it support MFA? Does it have a vulnerability disclosure policy? Does it have documented incident response procedures? Apps that score poorly on these factors will have a lower overall risk score.

Legal and compliance factors: Is the app GDPR compliant? Does it have a published DPA template? Is it certified to ISO 27001 or SOC 2? Is the company US-based (subject to US law enforcement requests)? For Edinburgh businesses handling UK personal data, these factors are particularly important.

General attributes: How long has the company been operating? Is the app widely used (suggesting more external scrutiny)? Does it have documented uptime SLAs? Has it had publicly disclosed breaches?

A practical policy for Edinburgh businesses: treat any app scoring 6 or below as requiring explicit approval before use. Apps scoring 3 or below should be actively blocked in your proxy or Conditional Access policies. This gives you a defensible, risk-based approach to cloud app governance that you can demonstrate to clients or auditors.
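As an added example (not the Cloud App Catalogue's actual algorithm and not code from the original article), the block below builds a weighted risk score from the three factor groups described above and applies the thresholds just recommended (6 or below requires approval, 3 or below is blocked), plus the outright category block from Step 3. It also shows the Step 2 reweighting towards GDPR, DPA, SOC 2/ISO 27001 and data residency, which can move a mid-tier app from “allow” to “require approval” without any change to the app itself. Factor names, weight multipliers, blocked categories and the three sample apps are assumptions.

```python
"""Weighted app risk score and governance decision (added example)."""

# Factor groups mirror the article: data security, legal/compliance, general attributes.
DEFAULT_WEIGHTS = {
    # data security
    "encrypts_at_rest_and_transit": 1.0, "supports_mfa": 1.0,
    "vulnerability_disclosure_policy": 1.0, "incident_response_documented": 1.0,
    # legal and compliance
    "gdpr_compliant": 1.0, "dpa_template_published": 1.0,
    "iso27001_or_soc2": 1.0, "uk_eu_data_residency": 1.0,
    # general attributes
    "operating_3_years_plus": 1.0, "no_public_breach": 1.0,
}
# Step 2 reweighting a UK professional services firm might apply (assumed multipliers).
COMPLIANCE_WEIGHTS = {**DEFAULT_WEIGHTS, "gdpr_compliant": 2.0, "dpa_template_published": 2.0,
                      "iso27001_or_soc2": 2.0, "uk_eu_data_residency": 2.0}
# Categories blocked regardless of score (Step 3c); assumed category names.
BLOCKED_CATEGORIES = {"Personal storage", "Anonymous file sharing"}

# Constructed catalogue entries.
APPS = {
    "TrustedDocs": {"category": "Document management",
                    "factors": {f: True for f in DEFAULT_WEIGHTS}},
    "MidTier CRM": {"category": "CRM",
                    "factors": {**{f: True for f in DEFAULT_WEIGHTS},
                                "dpa_template_published": False,
                                "iso27001_or_soc2": False,
                                "uk_eu_data_residency": False}},
    "QuickShare": {"category": "Personal storage",
                   "factors": {**{f: False for f in DEFAULT_WEIGHTS},
                               "encrypts_at_rest_and_transit": True,
                               "operating_3_years_plus": True,
                               "no_public_breach": True}},
}


def risk_score(app, weights=DEFAULT_WEIGHTS):
    """Score 1..10 where 10 is lowest risk: the weighted share of factors satisfied."""
    total = sum(weights.values())
    satisfied = sum(w for factor, w in weights.items() if app["factors"].get(factor, False))
    return max(1, round(10 * satisfied / total))


def governance_action(app, weights=DEFAULT_WEIGHTS):
    """Apply the article's thresholds plus the category block from Step 3."""
    if app["category"] in BLOCKED_CATEGORIES:
        return "block"
    score = risk_score(app, weights)
    if score <= 3:
        return "block"
    if score <= 6:
        return "require_approval"
    return "allow"


def review_catalogue(apps, weights=DEFAULT_WEIGHTS):
    """Score every app and decide an action, as a first pass over a discovery report."""
    return {name: {"score": risk_score(app, weights), "action": governance_action(app, weights)}
            for name, app in apps.items()}


if __name__ == "__main__":
    for label, weights in (("default", DEFAULT_WEIGHTS), ("compliance", COMPLIANCE_WEIGHTS)):
        print(f"--- {label} weighting ---")
        for name, result in review_catalogue(APPS, weights).items():
            print(f"{name:12s} score={result['score']:2d} action={result['action']}")
```

Run it with both weightings and the CRM entry scores 7 (allow) under equal weights but 6 (require approval) once compliance factors count double; that shift is the point of Step 2, and it is what you would defend to a client or auditor as a risk-based rather than arbitrary decision.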

Integrating MDCA with Microsoft Intune for Device-Aware Policies

One of the most powerful capabilities of the Microsoft security stack is the integration between MDCA and Intune. When these are configured together, your cloud access policies can take device compliance into account in real time:

Compliant vs non-compliant device policies: You can configure Conditional Access to grant full access to cloud apps only from Intune-compliant devices. Non-compliant devices (missing patches, no BitLocker, no antivirus) can be restricted to read-only access or blocked entirely. This means a staff member’s personal laptop that doesn’t meet your security standards can’t download client files from SharePoint, even if their credentials are valid.

Device risk integration: Microsoft Defender for Endpoint reports a device risk score to Intune. Intune compliance policies can use this score – so a device where Defender has detected active malware or a high-severity alert will automatically become non-compliant, and Conditional Access will restrict that device’s cloud access until the threat is resolved. For Edinburgh businesses, this creates an automatic circuit-breaker that limits the blast radius of a compromised device.

Managed vs unmanaged device session policies: MDCA session policies can behave differently based on whether the device is managed by Intune. For example: allow file downloads on managed devices, but watermark documents accessed from unmanaged devices and block downloads. This supports flexible working practices – staff can access systems from personal devices in an emergency, but with controls that protect client data.

App protection policies without enrolment: For Edinburgh businesses that allow staff to use personal mobile devices (BYOD), Intune App Protection Policies (APP) can be applied to specific apps such as Outlook, Teams, and SharePoint without requiring full device enrolment. This means personal data on the device is never touched, while corporate data within managed apps is protected by PIN requirements, encryption, and copy/paste restrictions.

Quick Comparison

Cloud Security Layer        Tool                       Included in M365 BP   Monthly Cost
Email protection            Defender for Office 365    Yes                   Included
Endpoint detection          Defender for Business      Yes                   Included
Cloud app visibility        Defender for Cloud Apps    Yes                   Included
SIEM / advanced analytics   Microsoft Sentinel         No                    From $2.46/GB

Frequently Asked Questions

What is a CASB and do I need one as an Edinburgh SME?

A Cloud Access Security Broker monitors and controls your staff’s use of cloud applications. You almost certainly need one if your Edinburgh business stores client data in the cloud, has staff working remotely, or is in a regulated sector. The good news: if you’re on M365 Business Premium, you already have one. Microsoft Defender for Cloud Apps is included in your licence and covers 31,000+ cloud apps scored on 90+ risk factors (Microsoft, 2025).

Is Microsoft Defender for Cloud Apps free with Microsoft 365?

Microsoft Defender for Cloud Apps is included with Microsoft 365 Business Premium (£18.60/user/month, Microsoft UK pricing 2026) and with Microsoft 365 E3 and E5 plans. It is not included with M365 Business Basic or Business Standard. If you’re paying for Business Premium and haven’t activated Defender for Cloud Apps, you’re paying for a security tool you’re not using.

How is Defender for Cloud Apps different from Defender for Business?

Defender for Business protects individual endpoints (laptops, desktops) through EDR – it monitors device-level activity and detects malware and suspicious processes on those devices. Defender for Cloud Apps monitors cloud application traffic – it detects what cloud services your staff use, flags risky apps, and lets you control access to specific services. They are complementary, not overlapping, and both are included in M365 Business Premium.

Can Defender for Cloud Apps block Microsoft Teams file sharing?

Yes. Through its Microsoft 365 API connector, Defender for Cloud Apps has deep visibility into Teams activity including file sharing, channel posts, and external guest access. You can configure policies to alert or block when files containing sensitive content are shared via Teams with external parties, or when guest users access files outside expected parameters. This is one of the most valuable use cases for Edinburgh firms using Teams as their primary collaboration platform.

Do I need to configure Defender for Cloud Apps myself or can an MSP do it?

Activation and basic configuration can be done without external help using Microsoft’s guided wizards. However, policy design, app risk classification, and anomaly detection tuning benefit from MSP experience – particularly to avoid alert fatigue and ensure policies don’t disrupt legitimate business workflows. Most Edinburgh firms find a one-off configuration engagement (typically 1-2 days) followed by quarterly reviews is the most efficient approach.

Get Your Shadow IT Discovery Report

Ready to see what cloud apps your Edinburgh staff are actually using? Virtually Pro can activate and configure Microsoft Defender for Cloud Apps for your M365 Business Premium tenant, run a 30-day discovery report, and deliver a risk-classified findings report. Book your free consultation to get started.

Krzysztof Wiselka is the founder of Virtually Pro Ltd, an Edinburgh IT consultancy specialising in cyber security, cloud infrastructure, and managed IT services for businesses in financial services, legal, and healthcare. Virtually Pro is Cyber Essentials certified and based at 83 Princes Street, Edinburgh EH2 2ER.
