Microsoft Defender for Cloud Apps (MDCA) can connect directly to supported cloud applications by using the APIs provided by the app vendors. These connections are called app connectors. App connectors allow MDCA to move beyond traffic-based discovery and gain deep, inside-the-app visibility and control.
Unlike Cloud Discovery, which infers usage from network logs, app connectors allow MDCA to directly inspect users, files, activities, permissions, and governance actions within the connected application.
Purpose of app connectors
Detailed visibility into cloud app usage.
Investigation of user and admin activities.
Governance actions such as suspending users or revoking tokens.
Data protection actions such as quarantining or overwriting files.
All communication between Microsoft Defender for Cloud Apps and connected applications is encrypted using HTTPS.
Each cloud service imposes its own API constraints, such as throttling, rate limits, and time-based query windows. Microsoft Defender for Cloud Apps is optimized to respect these limitations while using the maximum allowed capacity.
Some operations, such as scanning all files in a large tenant, require a high number of API calls. As a result, certain scans and policies may take several hours or even several days to complete. This behavior is expected and should not be interpreted as a failure.
Multi-instance support
Microsoft Defender for Cloud Apps supports connecting multiple instances of the same app. For example, an organization may have:
One Salesforce tenant used by the sales department.
A second Salesforce tenant used by the marketing department.
Both instances can be connected to Microsoft Defender for Cloud Apps at the same time, which lets you:
Manage all instances from a single console.
Create granular policies per instance.
Perform deeper investigations that are scoped to a specific instance.
Important limitation: multi-instance support applies only to API-connected apps. It does not apply to:
Cloud Discovered apps.
Proxy-connected apps using Conditional Access App Control.
This distinction is exam-relevant and frequently overlooked.
How app connectors work
When an app connector is configured, Microsoft Defender for Cloud Apps is granted system administrator-level privileges in the connected application. This level of access is required to provide full visibility and governance capabilities, so the identity used for the connector should be treated like any other highly privileged account.
Microsoft Defender for Cloud Apps scans and saves the authentication permissions granted during connector setup.
Microsoft Defender for Cloud Apps requests the user list from the connected application.
The first user list request may take time, depending on tenant size.
After the initial user request completes, Microsoft Defender for Cloud Apps periodically scans:
Users.
Groups.
Activities.
Files.
All activities become available only after the first full scan completes. How long that first scan takes depends on:
Tenant size.
Number of users.
Number and size of files.
API limitations imposed by the cloud provider.
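The long scan times described above (API throttling on one side, a size-dependent first full scan on the other) come down to a single constraint: the connector can only call the app's API as fast as the vendor allows. The following is an added example written for these notes, not Defender for Cloud Apps code, and the quota, page size and per-call latency in it are made-up numbers. It shows a paging client that treats HTTP 429 as an instruction to wait (honoring Retry-After) rather than as a failure, run against a fake app API with a per-window quota, plus a lower-bound estimate of how long a full scan takes at a given quota.

```python
"""Constructed illustration of a rate-limited full scan (not Defender for Cloud Apps code).

FakeApp stands in for a connected cloud app's API. It allows a fixed number of
calls per time window and answers HTTP 429 plus a Retry-After value once the
quota is spent. full_scan() pages through every item, treating 429 as "wait"
rather than "fail", which is why a large tenant takes hours or days to scan.
All numbers (quota, page size, per-call latency) are made up for this example.
"""
from dataclasses import dataclass
import math


@dataclass
class FakeApp:
    total_items: int          # number of objects (files, users, ...) to enumerate
    page_size: int            # items returned per list call
    quota_per_window: int     # calls allowed per window
    window_ms: int            # window length in simulated milliseconds
    call_cost_ms: int = 100   # latency charged per successful call
    clock_ms: int = 0         # simulated wall clock
    window_start_ms: int = 0
    calls_in_window: int = 0
    throttled: int = 0        # how many 429s the service has returned

    def list_page(self, skip: int):
        """Return (status, body): 'items' on 200, 'retry_after' (seconds) on 429."""
        if self.clock_ms - self.window_start_ms >= self.window_ms:
            self.window_start_ms = self.clock_ms     # a new quota window has begun
            self.calls_in_window = 0
        if self.calls_in_window >= self.quota_per_window:
            self.throttled += 1
            remaining_ms = self.window_start_ms + self.window_ms - self.clock_ms
            return 429, {"retry_after": math.ceil(remaining_ms / 1000)}
        self.calls_in_window += 1
        self.clock_ms += self.call_cost_ms
        end = min(skip + self.page_size, self.total_items)
        return 200, {"items": list(range(skip, end))}

    def sleep(self, seconds: int) -> None:
        self.clock_ms += seconds * 1000


@dataclass
class ScanResult:
    items_scanned: int
    throttled_responses: int
    elapsed_ms: int


def full_scan(app: FakeApp, max_consecutive_429: int = 8) -> ScanResult:
    """Enumerate every item, honoring Retry-After; only repeated unexplained 429s are an error."""
    start_ms = app.clock_ms
    skip, scanned, consecutive_429 = 0, 0, 0
    while True:
        status, body = app.list_page(skip)
        if status == 429:
            consecutive_429 += 1
            if consecutive_429 > max_consecutive_429:
                raise RuntimeError("still throttled after honoring Retry-After repeatedly")
            # Prefer the server's Retry-After; fall back to exponential backoff if absent.
            wait = body.get("retry_after") or min(2 ** consecutive_429, 300)
            app.sleep(wait)
            continue
        consecutive_429 = 0
        items = body["items"]
        if not items:                 # empty page: enumeration finished
            break
        scanned += len(items)
        skip += len(items)
    return ScanResult(scanned, app.throttled, app.clock_ms - start_ms)


def estimate_full_scan_seconds(total_items: int, page_size: int,
                               quota_per_window: int, window_seconds: int) -> int:
    """Lower bound on full-scan time: quota windows needed for all pages times window length."""
    pages = math.ceil(total_items / page_size)
    return math.ceil(pages / quota_per_window) * window_seconds


if __name__ == "__main__":
    app = FakeApp(total_items=10_000, page_size=100, quota_per_window=10, window_ms=60_000)
    result = full_scan(app)
    print(result)
    print(estimate_full_scan_seconds(2_000_000, 200, 1_000, 3_600), "s for a 2M-file tenant")
```

Run as a script, it enumerates 10,000 items in about ten simulated minutes while being throttled ten times, and never reports an error; the estimate for a made-up 2,000,000-file tenant at 1,000 calls per hour comes out at 10 hours, which is the scale of the "hours or even days" these notes warn about. The practical lesson is the same as the one in the text: a scan that is still running is the connector respecting the vendor's quota, not a failed connector.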
Capabilities enabled by API connections
Once an application is connected through an API connector, Microsoft Defender for Cloud Apps can provide the following capabilities.
Account information
Visibility into users and accounts.
Profile information.
Account status, such as active, suspended, or disabled.
Group membership.
Privilege levels.
Audit trail
User activities.
Administrative activities.
Sign-in activities.
Account governance
Ability to suspend users.
Ability to revoke passwords.
Other account-level governance actions, depending on app support.
App permissions
Visibility into OAuth tokens issued to apps.
Visibility into permissions granted to those tokens.
App permission governance
Ability to remove or revoke issued tokens.
Data scan
Periodic scans, which occur approximately every 12 hours.
Real-time scans, which are triggered whenever a change is detected.
Data governance
Ability to quarantine files.
Ability to quarantine files that are already in the trash.
Ability to overwrite files when required by policy.
These capabilities make API-connected apps the most powerful integration option within Microsoft Defender for Cloud Apps.