Microsoft Defender for Cloud Apps (MDCA)

Set up an integration with Microsoft Defender for Cloud Apps to streamline the discovery of your SaaS applications.

Overview

Note

There is a known issue with the API endpoint (/api/v1/discovery/discovered_apps) that this integration uses: it prevents retrieval of the complete list of applications.

Responses from the endpoint are paginated. When paging through all applications, the endpoint returns a persistent internal server error (HTTP status code 500) once the pagination offset passes 21000. This status code signifies an unknown or unhandled internal server error on the MDCA side, not a problem with the request or the credentials.

Despite our best efforts, the issue has not been resolved. Only a small fraction of our enterprise customers are affected. Because the ordering of the responses appears to be random and we request the same data several times, we expect to receive all applications over time. However, we cannot guarantee that the data discovered through the MDCA integration will be free of gaps. We appreciate your understanding and patience as we continue working on a resolution.

Microsoft Defender for Cloud Apps (MDCA) is Microsoft's cross-platform solution that offers visibility, control, and protection for cloud applications.

  • It provides insights into cloud app usage and risks.
  • It enforces policies to prevent data leakage.
  • It identifies and combats cyber threats to secure cloud applications.

Because of these capabilities, it can be used to identify and catalog all SaaS applications in use, providing visibility into shadow IT and unauthorized app usage.

Integration details

  • Integration category: Cloud Access Security Brokers (CASB)
  • Authentication mechanism: REST API with OAuth 2.0 (application-only access using the client ID, tenant ID and client secret of an Entra ID app registration)

Discovery Capabilities

  Available capability   Entity description                                                         MDCA resource
  SaaS Discovery         SaaS discovery is the process of automatically identifying applications.   Discovered Apps

Set up MDCA

Register a new application in Microsoft Entra ID

  1. Sign in to the Azure portal with an Azure administrator account that is also a member of the Global Administrator directory role in your Microsoft Entra ID tenant.
  2. In the left navigation pane, click Microsoft Entra ID.
  3. On the Microsoft Entra ID page, click App registrations.
  4. On the App registrations page, click New registration in the toolbar at the top.
  5. On the Register an application page, perform the following steps:
    1. In the Name textbox, type LeanIX SaaS Discovery Integration. The name is only a label; choose anything that lets you recognise the registration as belonging to the LeanIX integration.
    2. Under Supported account types, select Accounts in this organizational directory only (<your tenant name> only - Single tenant). The portal shows your tenant's display name here, for example Default Directory.
    3. Click Register at the bottom of the screen.

Grant permissions to the application

  1. Now that the application exists, grant it permissions: in the left menu, click API permissions.

  2. Click the Add a permission button.

  3. In the Request API permissions panel that opens on the right, select the APIs my organization uses tab and search for Microsoft Cloud App Security.

  4. Select Application permissions, then tick the discovery.read permission. This is the only permission the integration requires; do not add broader ones.

  5. Click the Add permissions button at the bottom to assign the permission to the LeanIX application.

  6. Click the Grant admin consent for <your tenant name> button (for example Grant admin consent for Default Directory) to enable the configured permission for the application. Application permissions cannot be used until this tenant-wide consent has been granted.

  7. Click Yes to confirm the consent for the requested permission.

  8. The Status column on the API permissions page changes to show that consent has been granted for your tenant.

Gather configuration settings

  1. Return to the application's Overview page (App registrations, then click the created app) and copy the following identifiers: Application (client) ID and Directory (tenant) ID.

  2. In the left menu, open Certificates & secrets to generate a client secret, also called the application password.

  3. Click the New client secret button to create a new secret.

    1. Enter a description for the secret (for example LeanIX SaaS Discovery Integration secret) or leave it empty.

    2. Select the expiry period of the secret. Once the client secret expires, the integration stops working and you will have to create a new secret and reconfigure the integration in the LeanIX application, so record the expiry date and rotate the secret before it is reached.

    3. Click Add.

  4. Copy the Value of the new secret to your clipboard immediately: it is displayed only once and cannot be retrieved after you leave the page. Store it in a secrets manager rather than in plain text; together with the client ID and tenant ID it gives read access to your tenant's discovery data to anyone who holds it.

  5. In the Microsoft Defender portal, where MDCA is administered, open Settings > Cloud Apps > System > About and copy the API URL value.


Pass configuration values to the LeanIX app

  1. In LeanIX, enter the values gathered above: the Application (client) ID, the Directory (tenant) ID, the client secret value and the API URL.

  2. Click Finish and wait for the connection to be established.
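The following Python script is an added example, not LeanIX's connector code and not Microsoft's. It ties together the credential set gathered in the procedure above and the pagination failure described in the note at the top of the page: it obtains an application-only token with the client credentials grant, pages through the discovered_apps endpoint, stops cleanly when the server starts answering HTTP 500 and records the offset of the gap, and merges several truncated runs by app ID so that differently ordered responses collectively cover more of the catalogue. Assumptions that are not stated on this page and should be checked against the current MDCA API reference: the token audience is the Microsoft Cloud App Security API addressed as MDCA_API_APP_ID/.default; the list endpoint accepts a JSON body with skip and limit and answers with data and hasNext; each app has an appId field. The fake server is constructed for offline use and scaled down (it fails at offset 40 rather than 21000).

```python
"""Added example: client-credentials token + tolerant paging of MDCA discovered_apps.
Assumed (verify against the MDCA API reference): token audience MDCA_API_APP_ID/.default,
request body {"skip", "limit"}, response fields "data"/"hasNext", per-app key "appId"."""
import json
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple

# Assumed application ID of the Microsoft Cloud App Security API (the API selected
# under "APIs my organization uses" when granting discovery.read).
MDCA_API_APP_ID = "05a65629-4c1b-48c1-a78b-804c4abdd4af"

# HTTP POST function (url, body, headers) -> (status, body); injected so the paging
# logic can run offline against the constructed fake server below.
HttpPost = Callable[[str, bytes, Dict[str, str]], Tuple[int, bytes]]


def urllib_post(url: str, body: bytes, headers: Dict[str, str]) -> Tuple[int, bytes]:
    """Real HTTP POST via the standard library; HTTP errors are returned, not raised."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def acquire_token(tenant_id: str, client_id: str, client_secret: str,
                  post: HttpPost = urllib_post) -> str:
    """Client credentials grant against the tenant's v2.0 token endpoint."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    form = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": f"{MDCA_API_APP_ID}/.default",
    }).encode()
    status, body = post(url, form, {"Content-Type": "application/x-www-form-urlencoded"})
    if status != 200:
        raise RuntimeError(f"token request failed: HTTP {status}")
    return json.loads(body)["access_token"]


def fetch_discovered_apps(api_url: str, token: str, post: HttpPost = urllib_post,
                          limit: int = 100) -> Tuple[List[dict], Optional[int]]:
    """Page through discovered apps. Returns (apps, gap_offset): gap_offset is None for
    a complete run, otherwise the skip value at which the server began answering 500."""
    endpoint = api_url.rstrip("/") + "/api/v1/discovery/discovered_apps/"
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    apps: List[dict] = []
    skip = 0
    while True:
        payload = json.dumps({"skip": skip, "limit": limit}).encode()
        status, body = post(endpoint, payload, headers)
        if status == 500:
            return apps, skip  # known failure mode: keep the partial result, record the gap
        if status != 200:
            raise RuntimeError(f"discovered_apps failed at skip={skip}: HTTP {status}")
        page = json.loads(body)
        data = page.get("data", [])
        apps.extend(data)
        if not data or not page.get("hasNext", False):
            return apps, None
        skip += limit


def merge_runs(runs: List[List[dict]], key: str = "appId") -> List[dict]:
    """Union several runs by app ID: since the server's ordering varies between runs,
    repeated truncated runs collectively cover more of the catalogue."""
    merged: Dict[object, dict] = {}
    for apps in runs:
        for app in apps:
            merged.setdefault(app[key], app)
    return list(merged.values())


def make_fake_mdca(total: int = 50, fail_from: int = 40, reverse: bool = False) -> HttpPost:
    """Constructed offline stand-in for the token and discovered_apps endpoints, scaled
    down: answers 500 once skip reaches fail_from and serves apps in a run-specific order."""
    ids = list(range(1, total + 1))
    if reverse:
        ids.reverse()

    def post(url: str, body: bytes, headers: Dict[str, str]) -> Tuple[int, bytes]:
        if url.endswith("/oauth2/v2.0/token"):
            return 200, json.dumps({"access_token": "fake-token"}).encode()
        if headers.get("Authorization") != "Bearer fake-token":
            return 401, b"Unauthorized"
        req = json.loads(body)
        skip, limit = req["skip"], req["limit"]
        if skip >= fail_from:
            return 500, b"Internal Server Error"
        chunk = ids[skip:skip + limit]
        page = {"data": [{"appId": i, "name": f"app-{i}"} for i in chunk],
                "hasNext": skip + limit < total}
        return 200, json.dumps(page).encode()

    return post


if __name__ == "__main__":
    token = acquire_token("tenant-id", "client-id", "client-secret", post=make_fake_mdca())
    runs = []
    for order in (False, True):  # two runs that see the catalogue in different orders
        apps, gap = fetch_discovered_apps("https://example.portal.cloudappsecurity.com",
                                          token, post=make_fake_mdca(reverse=order), limit=10)
        print(f"run returned {len(apps)} apps, gap at offset {gap}")
        runs.append(apps)
    print(f"merged: {len(merge_runs(runs))} distinct apps")
```

Against the real service, replace the fake post function with the default urllib_post and pass the tenant ID, client ID, secret value and API URL from the procedure above. Treat a non-None gap offset as a signal that the run is incomplete and schedule further runs rather than marking the catalogue as fully discovered.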