What's new - Microsoft Defender for Cloud Apps (2024)


Applies to: Microsoft Defender for Cloud Apps

This article is updated frequently to let you know what's new in the latest release of Microsoft Defender for Cloud Apps.

RSS feed: Get notified when this page is updated by copying and pasting the following URL into your feed reader: https://aka.ms/mda/rss

For more information on what's new with other Microsoft Defender security products, see:

  • What's new in Microsoft Defender XDR
  • What's new in Microsoft Defender for Endpoint
  • What's new in Microsoft Defender for Identity

For news about earlier releases, see Archive of past updates for Microsoft Defender for Cloud Apps.

March 2024

Podman supported for automatic log collection (Preview)

Microsoft Defender for Cloud Apps log collector now supports Podman, and you can configure automatic log collection on Podman for continuous reporting with Defender for Cloud Apps.

Automatic log collection is supported using a Docker container on multiple operating systems. For Linux distributions using RHEL version 7.1 and higher, you must use Podman as the container's runtime system.

For more information, see Configure automatic log upload using Podman.

New threat detections for Microsoft Copilot for Microsoft 365

Defender for Cloud Apps now provides new detections for risky user activities in Microsoft Copilot for Microsoft 365 with the Microsoft 365 connector.

  • Related alerts are shown together with other Microsoft Defender XDR alerts, in the Microsoft Defender portal.
  • Copilot for Microsoft 365 activities are available in the Defender for Cloud Apps activity log.
  • In the Microsoft Defender portal's Advanced hunting page, Copilot for Microsoft 365 activities are available in the CloudAppEvents table, under the Microsoft Copilot for Microsoft 365 application.

For more information, see:

  • Get started with Microsoft Copilot for Microsoft 365
  • How Defender for Cloud Apps helps protect your Microsoft 365 environment
  • Investigate alerts in Microsoft Defender XDR
  • Defender for Cloud Apps Activity log
  • Proactively hunt for threats with advanced hunting
  • CloudAppEvents table in the advanced hunting schema

Data in motion protection for Edge for Business users (Preview)

Defender for Cloud Apps users who use Microsoft Edge for Business and are subject to session policies are now protected directly from within the browser. In-browser protection reduces the need for proxies, improving both security and productivity.

Protected users get a smooth experience with their cloud apps, without latency or app compatibility issues, and with a higher level of security protection.

In-browser protection is turned on by default, and is being gradually rolled out across tenants, starting early in March 2024.

For more information, see In-browser protection with Microsoft Edge for Business (Preview), Protect apps with Microsoft Defender for Cloud Apps Conditional Access App Control, and Session policies.

Defender for Cloud Apps in the Microsoft Defender portal now available to all Defender for Cloud Apps roles

The Defender for Cloud Apps experience in the Microsoft Defender portal is now available for all Defender for Cloud Apps roles, including the following roles that were previously limited:

  • App/Instance admin
  • User group admin
  • Cloud Discovery global admin
  • Cloud Discovery report admin

For more information, see Built-in admin roles in Defender for Cloud Apps.

February 2024

SSPM support for more connected apps in general availability

Defender for Cloud Apps provides you with security recommendations for your SaaS applications to help you prevent possible risks. These recommendations are shown via Microsoft Secure Score once you have a connector to an application.

Defender for Cloud Apps has now enhanced its SSPM support in general availability by including the following apps:

  • Atlassian
  • Dropbox
  • Zendesk

SSPM is also now supported for Google Workspace in General Availability.

Note

If you already have a connector to one of these apps, your score in Secure Score might automatically update accordingly.

For more information, see:

  • SaaS security posture management (SSPM)
  • User, app governance, and security configuration visibility
  • Microsoft Secure Score

New App governance alerts for Credential Access and Lateral Movement

We've added the following new alerts for App governance customers:

  • Application initiating multiple failed KeyVault read activity with no success
  • Dormant OAuth App predominantly using MS Graph or Exchange Web Services recently seen to be accessing ARM workloads

For more information, see App governance in Microsoft Defender for Cloud Apps.

January 2024

SSPM support for multiple instances of the same app (Preview)

Defender for Cloud Apps now supports SaaS security posture management (SSPM) across multiple instances of the same app. For example, if you have multiple instances of AWS, you can configure Secure Score recommendations for each instance individually. Each instance will show up as a separate item on the App Connectors page.

For more information, see SaaS security posture management (SSPM).

Limitation removed for the number of files that can be controlled for uploading in session policies (Preview)

Session policies now support control over uploading folders with more than 100 files, with no limit to the number of files that can be included in the upload.

For more information, see Protect apps with Microsoft Defender for Cloud Apps Conditional Access App Control.

Automatic redirection for the classic Defender for Cloud Apps portal (Preview)

The classic Microsoft Defender for Cloud Apps portal experience and functionality have been converged into the Microsoft Defender XDR Portal. As of January 9th, 2024, customers using the classic Defender for Cloud Apps portal with Preview features are automatically redirected to Microsoft Defender XDR, with no option to revert to the classic portal.

For more information, see:

  • Microsoft Defender for Cloud Apps in Microsoft Defender XDR
  • Preview features in Microsoft Defender for Cloud Apps

December 2023

New IP addresses for portal access and SIEM agent connection

The IP addresses used for portal access and SIEM agent connections have been updated. Make sure to add the new IPs to your firewall's allowlist accordingly to keep the service fully functional. For more information, see:

  • Portal access network requirements
  • SIEM agent connection network requirements

Backlog period alignments for initial scans

We've aligned the backlog period for initial scans after connecting a new app to Defender for Cloud Apps. The following app connectors all have an initial scan backlog period of seven days:

  • Dropbox
  • Salesforce
  • ServiceNow
  • Okta

For more information, see Connect apps to get visibility and control with Microsoft Defender for Cloud Apps.

SSPM support for more connected apps

Defender for Cloud Apps provides you with security recommendations for your SaaS applications to help you prevent possible risks. These recommendations are shown via Microsoft Secure Score once you have a connector to an application.

Defender for Cloud Apps has now enhanced its SSPM support (Preview) by including the following apps:

  • Atlassian
  • Dropbox
  • NetDocuments
  • Workplace
  • Zendesk

SSPM is also now supported for Google Workspace in General Availability.

Note

If you already have a connector to one of these apps, your score in Secure Score might automatically update accordingly.

For more information, see:

  • SaaS security posture management (SSPM)
  • User, app governance, and security configuration visibility
  • Microsoft Secure Score

November 2023

Defender for Cloud Apps application certificate rotation

Defender for Cloud Apps plans to rotate its application certificate. If you’ve previously explicitly trusted the legacy certificate and currently have SIEM agents running on newer versions of the Java Development Kit (JDK), you must trust the new certificate to ensure continued SIEM agent service. While it’s likely no action is needed, we recommend running the following commands to validate:

  1. In a command line window, switch to the bin folder of your Java installation, for example:

    cd "C:\Program Files (x86)\Java\jre1.8.0_291\bin"

  2. Run the following command:

    keytool -list -keystore ..\lib\security\cacerts

  3. If you see the following 4 aliases, that means you have previously explicitly trusted our certificate and need to take action. If those aliases are not present, no action should be needed.

    • azuretls01crt
    • azuretls02crt
    • azuretls05crt
    • azuretls06crt

If action is needed, we recommend trusting the new certificates now to prevent issues once the certificates are fully rotated.

For more information, see our Issue with new versions of Java troubleshooting guide.
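The alias check from the steps above can be scripted across several SIEM agent hosts. The following is an added example, not Microsoft's code: it parses saved `keytool -list` output and reports which of the four legacy aliases are present. The function names, the sample output, and the choice to flag a partial match are assumptions of this example.

```python
import re
import sys

# Aliases named in the certificate rotation note above.
LEGACY_ALIASES = ("azuretls01crt", "azuretls02crt", "azuretls05crt", "azuretls06crt")

# keytool -list prints one line per entry: "<alias>, <date>, <entry type>,"
ENTRY_RE = re.compile(r"^(?P<alias>[^,]+),.*\b(?:trustedCertEntry|PrivateKeyEntry|SecretKeyEntry)\b")

# Constructed sample output (not from a real keystore); fingerprints are placeholders.
SAMPLE = """\
Keystore type: jks
Keystore provider: SUN

Your keystore contains 4 entries

azuretls01crt, Nov 2, 2021, trustedCertEntry,
Certificate fingerprint (SHA1): <placeholder>
digicertglobalrootg2 [jdk], Aug 25, 2016, trustedCertEntry,
Certificate fingerprint (SHA1): <placeholder>
AzureTLS02crt, Nov 2, 2021, trustedCertEntry,
Certificate fingerprint (SHA1): <placeholder>
azuretls05crt-backup, Nov 2, 2021, trustedCertEntry,
Certificate fingerprint (SHA1): <placeholder>
"""

def list_aliases(keytool_output):
    """Return the lower-cased aliases found in `keytool -list` output."""
    aliases = set()
    for line in keytool_output.splitlines():
        match = ENTRY_RE.match(line.strip())
        if match:
            # Newer JDKs append " [jdk]" to bundled root aliases; drop it.
            alias = match.group("alias").strip().lower()
            aliases.add(re.sub(r"\s*\[jdk\]$", "", alias))
    return aliases

def check_legacy_trust(keytool_output):
    """Report which legacy aliases are present (exact match) and which are absent."""
    present = list_aliases(keytool_output)
    found = [a for a in LEGACY_ALIASES if a in present]
    missing = [a for a in LEGACY_ALIASES if a not in present]
    # Assumption of this example: any match (not only all four) is flagged.
    return {"found": found, "missing": missing, "action_needed": bool(found)}

if __name__ == "__main__":
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    print(check_legacy_trust(text))
```

Redirect saved `keytool -list` output to the script on standard input to check a real keystore; with no redirected input it runs on the constructed sample.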

CSPM support in Microsoft Defender for Cloud

With the continual Microsoft Defender for Cloud Apps convergence into Microsoft Defender XDR, cloud security posture management (CSPM) connections are fully supported via Microsoft Defender for Cloud.

We recommend that you connect your Azure, AWS, and Google Cloud Platform (GCP) environments to Microsoft Defender for Cloud to get the latest CSPM capabilities.

For more information, see:

  • What is Microsoft Defender for Cloud?
  • Cloud Security Posture Management (CSPM) in Defender for Cloud
  • Connect your Azure subscriptions to Microsoft Defender for Cloud
  • Connect your AWS account to Microsoft Defender for Cloud
  • Connect your GCP project to Microsoft Defender for Cloud

Note

Customers still using the classic Defender for Cloud Apps portal no longer see security configuration assessments for Azure, AWS, and GCP environments.

Test mode for admin users (Preview)

As an admin user, you might want to test upcoming proxy bug fixes before the latest Defender for Cloud Apps release is fully rolled out to all tenants. To help you do this, Defender for Cloud Apps now provides a test mode, available from the Admin View toolbar.

When in test mode, only admin users are exposed to any changes provided in the bug fixes. There is no effect on other users. We encourage you to send feedback about the new fixes to the Microsoft support team to help speed up release cycles.

When you're finished testing the new fix, turn test mode off to return to regular functionality.

For example, the following image shows the new Test Mode button in the Admin View toolbar, laid over OneNote being used in a browser.

For more information, see Diagnose and troubleshoot with the Admin View toolbar and Test mode.

New cloud app catalog category for Generative AI

The Defender for Cloud Apps app catalog now supports the new Generative AI category for large language model (LLM) apps, like Microsoft Bing Chat, Google Bard, ChatGPT, and more. Together with this new category, Defender for Cloud Apps has added hundreds of generative AI-related apps to the catalog, providing visibility into how generative AI apps are used in your organization and helping you manage them securely.

For example, you may want to use Defender for Cloud Apps' integration with Defender for Endpoint to approve or block the usage of specific LLM apps based on a policy.

For more information, see Find your cloud app and calculate risk scores.

General availability for more discovery Shadow IT events with Defender for Endpoint

Defender for Cloud Apps can now discover Shadow IT network events detected from Defender for Endpoint devices that are working in the same environment as a network proxy, in general availability.

For more information, see Discover apps via Defender for Endpoint when the endpoint is behind a network proxy and Integrate Microsoft Defender for Endpoint.

October 2023

Automatic redirect to Microsoft Defender XDR general availability

Now, all customers are automatically redirected to Microsoft Defender XDR from the classic Microsoft Defender for Cloud Apps portal, as the redirect is in general availability. Admins can still update the redirect setting as needed to continue using the classic Defender for Cloud Apps portal.

Integrating Defender for Cloud Apps inside Microsoft Defender XDR streamlines the process of detecting, investigating, and mitigating threats to your users, apps, and data – so that you can review many alerts and incidents from a single pane of glass, in one XDR system.

For more information, see Microsoft Defender for Cloud Apps in Microsoft Defender XDR.

September 2023

More discovery for Shadow IT events (Preview)

Defender for Cloud Apps can now discover Shadow IT network events detected from Defender for Endpoint devices that are working in the same environment as a network proxy.

For more information, see Discover apps via Defender for Endpoint when the endpoint is behind a network proxy (Preview) and Integrate Microsoft Defender for Endpoint.

Continuous NRT frequency supported for CloudAppEvents table (Preview)

Defender for Cloud Apps now supports the Continuous (NRT) frequency for detection rules using the CloudAppEvents table.

Setting a custom detection to run in Continuous (NRT) frequency allows you to increase your organization's ability to identify threats faster. For more information, see Create and manage custom detections rules.

August 2023

New security recommendations in Secure Score (Preview)

New Microsoft Defender for Cloud Apps recommendations have been added as Microsoft Secure Score improvement actions. For more information, see What's new in Microsoft Secure Score and Microsoft Secure Score.

Microsoft 365 connector updates

We've made the following updates to the Defender for Cloud Apps Microsoft 365 connector:

  • (Preview) Updated SSPM support with new CIS benchmark security recommendations.
  • Aligned the names of existing recommendations to match the CIS benchmark.

To view related data, make sure that you've configured the Microsoft 365 connector. For more information, see Connect Microsoft 365 to Microsoft Defender for Cloud Apps.

Next steps

  • For a description of releases prior to those listed here, see Past releases of Microsoft Cloud App Security.

If you run into any problems, we're here to help. To get assistance or support for your product issue, please open a support ticket.

Author: Tuan Roob DDS