Frontrow Technology

Cyber — MDCA discovery

Defender for Cloud Apps — shadow IT discovery, the AU rollout playbook (2026)

Microsoft Defender for Cloud Apps quietly catalogues every SaaS app your staff use — often 800-1,400 distinct cloud services. The Australian playbook for turning that discovery on, tagging risky apps, and turning shadow IT into a governed estate.

Daniel Brown · Last reviewed 14 May 2026 · 8 min read

The first Cloud Discovery report in an Australian mid-market tenant is always the same shock. Eight hundred to fourteen hundred distinct cloud services in use across the workforce. Generative AI services nobody approved. Three different note-taking apps competing with OneNote. File-sharing services that should have been retired five years ago. The CFO's finance team using a personal Trello workspace because the corporate Planner rollout stalled in 2023. The legal team on a free Dropbox account because SharePoint approval policies are too strict.

Microsoft Defender for Cloud Apps' Cloud Discovery is the right tool to turn this from anxiety into action. It's been part of the M365 E5 stack since the MCAS days, but in most AU tenants it's enabled and unused. This is the playbook Frontrow runs for AU mid-market.

What Cloud Discovery actually does

Cloud Discovery analyses firewall and proxy logs to identify the SaaS apps in use. Since 2021, Microsoft Defender for Endpoint has sent device traffic metadata to MDCA natively, so no firewall log integration is needed for managed devices. For tenants without full Defender for Endpoint coverage, MDCA accepts log uploads from Palo Alto, Fortinet, Cisco, Check Point, Zscaler and most enterprise firewalls. Each discovered app is matched against Microsoft's catalogue of 35,000+ cloud apps, whose risk attributes Microsoft maintains, and reported with a per-app risk score, user count and traffic volume.

Week 0 — turn it on properly

Two activations matter. First, the Defender for Endpoint integration — in the Defender XDR portal, under Endpoints / Advanced features, enable 'Microsoft Defender for Cloud Apps'. This routes endpoint device traffic to MDCA for discovery. Second, the egress firewall integration — upload a week of perimeter firewall logs to MDCA via the Cloud Discovery log uploader. Combine the two for the fullest visibility (Defender for Endpoint covers managed devices wherever they are; firewall logs cover everything on-network, including unmanaged devices and IoT).

Week 1 — review the discovery report

After seven days of data, open the Discovered Apps report. Filter to the top 50 by users (cuts the noise of one-off visits). For each app, you'll see Microsoft's risk score (0-10) and a breakdown of compliance, security and legal risk factors. The report categorises apps automatically — Generative AI, Cloud Storage, Email, Collaboration, Project Management, CRM, etc.

The categories that always need the most attention in AU tenants in 2026: Generative AI (ChatGPT, Claude.ai, Gemini consumer, Poe, character.ai), Cloud Storage (personal Dropbox, Box, Mega, file.io), File Conversion (smallpdf, ilovepdf — convenient but exfiltration risk), Code Repository (personal GitHub, GitLab, Bitbucket personal), Project Management (personal Trello, Asana, Notion personal).

Week 2 — tag and decide

Three tags matter operationally: Sanctioned (the corporate-approved version of this app type), Unsanctioned (banned — block at egress), Monitored (in review — visibility only). Apply liberally. The most common AU outcome: SharePoint and OneDrive are Sanctioned for cloud storage; Dropbox personal is Unsanctioned; Box (where used legitimately) is Monitored pending decision.

Sanctioned tags drive Conditional Access — gating sanctioned cloud apps with stronger MFA and compliance. Unsanctioned tags drive blocking — when integrated with Defender for Endpoint network protection, MDCA can block unsanctioned apps tenant-wide. Monitored gives you another week to investigate before deciding.

Week 3 — enforce blocking on Unsanctioned apps

Enable Defender for Endpoint network protection in block mode for Unsanctioned apps. Communicate explicitly to staff: 'these apps will be blocked starting Monday, here's the corporate alternative, here's the exception path if you genuinely need this app for legitimate work'. The exception path is critical — without it, security teams become the team that breaks workflows for no apparent reason.

Week 4 — turn discovery into governance

Cloud Discovery is now ongoing. Schedule the discovery report to email the security operations team monthly. Tune Discovery anomaly alerts (sudden spike in users of a new app, sudden jump in upload volume from a single user) and route them to your SOC. Move the broader Cloud Discovery operating model to MDCA App Governance — the OAuth-app-review and conditional-access-app-control layer that builds on Discovery.

The four discovery patterns AU mid-market always finds

  1. Generative AI use without any corporate AI policy — staff pasting customer data into ChatGPT. The fix is not 'block ChatGPT' (it'll come back via VPN or mobile). The fix is 'sanction Microsoft 365 Copilot or Azure OpenAI, communicate the approved path, then block the consumer alternatives'.
  2. Departing employees with personal storage app spikes — appears in week-on-week velocity reports. Pair with the Purview Insider Risk Management 'Data theft by departing users' template.
  3. Personal email forwarding rules at the gateway — staff forwarding corporate Outlook to Gmail to read on mobile. Block via Conditional Access and an explicit company policy.
  4. Shadow finance tools — finance teams using Wave, FreshBooks or other apps because internal finance system access is too friction-heavy. The fix is operational (provision better access), not enforcement.
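The week-on-week velocity checks behind the Week 4 anomaly alerts and pattern 2 above, as an added example (not Microsoft's or Frontrow's code): it runs two constructed weekly discovery snapshots through the two detections the text describes, a new app gaining users from nothing and a single user's upload volume to Unsanctioned storage jumping. The row layout, app names, user names and thresholds are assumptions for the example, not MDCA's export format.

```python
from collections import defaultdict

# Constructed weekly Discovered Apps rows: (week, app, category, user, upload_bytes).
# Field names and values are assumptions for this example, not MDCA's export format.
SNAPSHOTS = [
    ("w1", "SharePoint", "Cloud Storage", "alice", 2_000_000),
    ("w1", "SharePoint", "Cloud Storage", "bob", 1_500_000),
    ("w1", "file.io", "Cloud Storage", "bob", 1_000_000),
    ("w1", "ChatGPT", "Generative AI", "carol", 50_000),
    ("w2", "SharePoint", "Cloud Storage", "alice", 2_100_000),
    ("w2", "SharePoint", "Cloud Storage", "bob", 1_400_000),
    ("w2", "file.io", "Cloud Storage", "bob", 9_000_000),  # single-user upload jump
    ("w2", "ChatGPT", "Generative AI", "carol", 60_000),
    ("w2", "Poe", "Generative AI", "dave", 10_000),  # new app, three users at once
    ("w2", "Poe", "Generative AI", "erin", 12_000),
    ("w2", "Poe", "Generative AI", "frank", 8_000),
]
# Apps already tagged Unsanctioned in Week 2 (assumed for the example).
UNSANCTIONED = {"file.io", "Poe"}

def app_user_spikes(rows, prev, cur, min_users=3, factor=2.0):
    """Apps whose distinct-user count appeared from nothing or at least doubled week on week."""
    users = defaultdict(set)
    for week, app, _cat, user, _bytes in rows:
        users[(week, app)].add(user)
    apps = {app for week, app in users if week in (prev, cur)}
    flagged = {}
    for app in apps:
        before, after = len(users[(prev, app)]), len(users[(cur, app)])
        if after >= min_users and (before == 0 or after >= factor * before):
            flagged[app] = (before, after)
    return flagged

def upload_spikes(rows, prev, cur, factor=3.0, min_bytes=5_000_000):
    """Users whose upload volume to Unsanctioned apps jumped week on week (departing-user pattern)."""
    total = defaultdict(int)
    for week, app, _cat, user, nbytes in rows:
        if app in UNSANCTIONED:
            total[(week, user)] += nbytes
    flagged = {}
    for user in {u for w, u in total if w == cur}:
        before, after = total[(prev, user)], total[(cur, user)]
        if after >= min_bytes and after >= factor * max(before, 1):
            flagged[user] = (before, after)
    return flagged

if __name__ == "__main__":
    print("user spikes:", app_user_spikes(SNAPSHOTS, "w1", "w2"))    # {'Poe': (0, 3)}
    print("upload spikes:", upload_spikes(SNAPSHOTS, "w1", "w2"))    # {'bob': (1000000, 9000000)}
```

Both results are the rows you would route to the SOC; the thresholds are deliberately conservative so one-off visits to a new app do not page anyone.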

How discovery feeds Insider Risk Management

MDCA-discovered unsanctioned cloud storage usage feeds the Purview Insider Risk Management 'Risky browser usage' template directly. Wire them together — the same activity that shows up as 'discovered upload to file.io' in MDCA becomes a scored risk indicator on the user in Insider Risk Management. This pairing is the most valuable use of MDCA for tenants that have it in E5.


Score your Global Secure Access readiness

MDCA Cloud Discovery + Defender for Endpoint covers the visibility layer. Global Secure Access adds the network-enforcement layer. Score whether your tenant is ready.

12 questions · 4 domains

Global Secure Access Readiness Assessment

Score your tenant's readiness to consolidate Internet Access and Private Access onto Microsoft Global Secure Access. Pick the option closest to your current state.

Domain 1

Identity foundation

Entra ID tier, MFA posture, and Conditional Access baseline. GSA policies are Conditional Access policies — without the CA foundation, nothing else lands.

  • What Entra ID tier is the tenant on?

    Source: Microsoft Learn: Global Secure Access licensing prerequisites.

  • What is the tenant's MFA posture?

    Source: Microsoft Learn: Conditional Access — Require multi-factor authentication; ASD ISM.

  • How many Conditional Access policies are running in production?

    Source: Microsoft Learn: Conditional Access deployment guide; CIS M365 Benchmark.

Domain 2

Network & connectivity

Current VPN and SWG estate, on-prem app inventory, and the consolidation TCO that determines whether GSA pays back.

  • What does the current remote access estate look like?

    Source: Microsoft Learn: Migrate from VPN to Microsoft Entra Private Access.

  • What handles internet-bound web traffic from corporate devices today?

    Source: Microsoft Learn: Microsoft Entra Internet Access deployment guide.

  • What proportion of business-critical apps are still on-prem or in private network?

    Source: Microsoft Learn: Entra Private Access app configuration.

Domain 3

Endpoint readiness

Intune enrolment coverage, device compliance policies, and OS mix. GSA's agent deploys via Intune; non-managed devices can't run it.

  • What proportion of corporate devices are enrolled in Intune?

    Source: Microsoft Learn: Manage Global Secure Access clients via Microsoft Intune.

  • Are device compliance policies in use as a Conditional Access gate?

    Source: Microsoft Learn: Require compliant device — Conditional Access.

  • What's the OS mix on managed devices?

    Source: Microsoft Learn: Global Secure Access client requirements.

Domain 4

Licensing & operating model

Entra Suite or standalone licensing, monitoring stack, and who runs network security day-to-day.

  • Is Entra Suite licensing in scope, or just GSA standalone?

    Source: Microsoft Learn: Microsoft Entra Suite licensing.

  • Is Microsoft Sentinel or another SIEM in production?

    Source: Microsoft Learn: Global Secure Access logs in Sentinel.

  • Who runs network security operations day-to-day?

    Source: Frontrow Technology — Australian MSP operating-model patterns.

Indicative self-assessment only. For a verified result Frontrow Technology runs an in-tenant Global Secure Access readiness audit against the customer's Entra ID, Intune and network topology.
