Microsoft Defender for Cloud Apps (formerly MCAS) is the CASB for organisations running Microsoft 365. Its discovery capability — surfacing every SaaS application your users are reaching — is the lowest-friction, highest-value piece of MDCA for most Australian mid-market tenants. Nine out of ten tenants we onboard discover more than 1,000 unique SaaS apps in use, with the top 50 accounting for over 90% of traffic. The discovery output reframes every subsequent conversation about SaaS posture, vendor risk and licence rationalisation.
Two ways to feed MDCA discovery
1. Defender for Endpoint connector — the easiest path. If MDE is deployed, MDCA discovery turns on with no additional agent and surfaces apps from endpoint traffic. The trade-off is that visibility is limited to MDE-managed devices.
2. Firewall and proxy log upload — for orgs with a centralised egress (Cisco ASA, Palo Alto, Fortinet, Check Point, Squid, Zscaler). Continuous reports run automatically via a log-uploader VM in Azure. Higher fidelity than MDE alone, especially for BYOD-heavy environments.
The top-50 list as a strategic asset
The first useful output of MDCA discovery is the top-50 list — the 50 most-used SaaS apps ranked by user count, transaction volume, or upload volume depending on what you sort by. The strategic value of this list is twofold. First, it surfaces shadow IT — applications IT didn't sanction but users are relying on. Second, it surfaces shadow spend — apps the org is paying for but not officially counting in IT budget. In nine out of ten AU mid-market discoveries Frontrow has run, the top-50 contains at least three apps that IT didn't know existed and at least two competing apps for the same job (two task managers, two file-sharing tools, two video tools).
What to do with the top-50
1. Sanction the apps that are mission-critical and well-governed — surface them in the MDCA Cloud App Catalog with the Sanctioned tag, and integrate via API connector where supported.
2. Unsanction apps that fail risk scoring (the MDCA risk score uses GDPR/HIPAA/SOC2 attestation, data residency, breach history and security feature set as inputs) and are not in business use.
3. Consolidate competing duplicates — file sharing (OneDrive + Dropbox + Box → OneDrive only), task management (Asana + Monday + Trello → Planner or Asana only), comms (Slack + Teams → Teams only).
4. Block the apps that are both unsanctioned and demonstrably bad, via the MDCA-aware proxy or an MDE indicator — usually a list of 5-15 apps per tenant.
5. Surface the licence savings from consolidation to the CFO — typically 4-8% of SaaS spend in mid-market.
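The ranking and the sanction / unsanction / consolidate / block steps above, applied to a small discovery list. This is an added example, not Frontrow's or Microsoft's code. The CSV columns, the sample rows and the `RISK_FAIL` and `BLOCK_UPLOAD_MB` thresholds are assumptions constructed for illustration.

```python
import csv, io
from collections import defaultdict

# Constructed sample; column names are assumptions, not the MDCA export schema.
SAMPLE = """app,category,users,upload_mb,risk_score,business_use
OneDrive,file-sharing,480,9200,10,yes
Dropbox,file-sharing,95,3100,8,yes
Asana,task-management,140,60,8,yes
Trello,task-management,35,20,7,no
ExampleTodo,task-management,6,1,3,no
ExampleShare,file-sharing,22,2600,2,no
ExampleNotes,notes,9,5,5,no
"""
RISK_FAIL = 4          # assumed cut-off: a score below this fails risk scoring
BLOCK_UPLOAD_MB = 500  # assumed test for "demonstrably bad": data is leaving

def load(text):
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        for k in ("users", "upload_mb", "risk_score"):
            r[k] = int(r[k])
    return rows

def top_n(rows, metric, n=50):
    ranked = sorted(rows, key=lambda r: r[metric], reverse=True)
    return [r["app"] for r in ranked[:n]]

def triage(rows):
    decisions, keep = {}, defaultdict(list)
    for r in rows:
        if r["risk_score"] < RISK_FAIL and r["business_use"] == "no":
            heavy = r["upload_mb"] >= BLOCK_UPLOAD_MB
            decisions[r["app"]] = "block" if heavy else "unsanction"
        else:
            keep[r["category"]].append(r)
    for apps in keep.values():  # one well-governed leader per category
        ok = [a for a in apps
              if a["business_use"] == "yes" and a["risk_score"] >= RISK_FAIL]
        leader = max(ok, key=lambda a: a["users"])["app"] if ok else None
        for a in apps:
            if leader is None:
                decisions[a["app"]] = "review"
            elif a["app"] == leader:
                decisions[a["app"]] = "sanction"
            else:
                decisions[a["app"]] = "consolidate:" + leader
    return decisions

if __name__ == "__main__":
    print(top_n(load(SAMPLE), "upload_mb", 3), triage(load(SAMPLE)))
```

Sorting by `upload_mb` rather than `users` pulls the low-score file-sharing app into the top three, which is why the sort key matters when reading the list.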
The Australian regulatory angle
Shadow IT is a Privacy Act problem before it is a security problem. APP 11 (security of personal information) and the OAIC's reasonable-steps guidance both turn on knowing where personal information is held and how it is protected. A SaaS app no-one in IT knows about cannot meet either test. The OAIC has been increasingly explicit that an organisation that cannot enumerate the systems holding personal information is not meeting APP 11. MDCA discovery is the most cost-effective way to close that gap for an org already on M365 E5.