Microsoft Defender for Cloud Apps (MDCA) Integration for SaaS Discovery

Set up an integration with Microsoft Defender for Cloud Apps to streamline the discovery of your SaaS applications.

Overview

Note

We're currently experiencing a known issue with the API endpoint /api/v1/discovery/discovered_apps used for the integration, which is preventing the retrieval of all applications.

Responses from the endpoint are paginated, and fetching all applications fails with a persistent internal server error (HTTP status code 500) for requests beyond index 21000. This status code signifies an unknown or unhandled internal server error on the MDCA side.

Despite our best efforts to resolve this issue, it has unfortunately persisted. We've observed that only a small fraction of our enterprise customers are affected by this issue. We expect that over time we'll be able to receive all applications as the sorting in the responses appears to be random and we do multiple requests of the same data. However, we cannot guarantee that there will be no gaps in the data we can discover with the MDCA integration. We appreciate your understanding and patience as we continue working on a resolution.

Microsoft Defender for Cloud Apps (MDCA) is Microsoft's cross-platform solution that offers visibility, control, and protection for cloud applications.

  • It provides insights into cloud app usage and risks.
  • It enforces policies to prevent data leakage.
  • It identifies and combats cyber threats to secure cloud applications.

Because of these capabilities, it can be used to identify and catalog all SaaS applications in use, providing visibility into shadow IT and unauthorized app usage.

Tip

If you plan to manually review every link for discovered applications, before configuring the integration, deactivate automatic linking in the discovery inbox settings. For details, see Automatic Linking.

Integration Details

Integration Categories: Cloud Access Security Brokers (CASB)
Authentication Mechanism: REST API - OAuth
API Endpoints Used:
  For API authentication: /<tenantID>/oauth2/v2.0/token
  For SaaS discovery: /api/v1/discovery/discovered_apps

Implementation Details

Users provide SAP LeanIX with credentials that have the correct permissions to connect with the integration. Once connected, SAP LeanIX periodically pulls data from the Microsoft Defender API for the discovered applications, specifically calling the /api/v1/discovery/discovered_apps/ endpoint.

Note

The Defender API is only partially documented by Microsoft, and the endpoint used by the SaaS discovery feature is undocumented.
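As an added example (not SAP LeanIX or Microsoft code), here is the periodic paged pull described above, with the HTTP 500 from the known issue handled by keeping the partial result and merging repeated runs. Because the endpoint is undocumented, the skip/limit paging parameters, the data/appId response fields and the transport callback are assumptions; the bearer token is assumed to come from a client-credentials grant at /<tenantID>/oauth2/v2.0/token, and the MDCA stand-in is constructed for the demo.

```python
from typing import Callable, Dict, Tuple

# Assumed transport shape: send(url, headers, params) -> (http_status, json_body)
Transport = Callable[[str, dict, dict], Tuple[int, dict]]

def fetch_discovered_apps(send: Transport, api_url: str, token: str, page_size: int = 100) -> Tuple[Dict[str, dict], int]:
    """Page through /api/v1/discovery/discovered_apps (skip/limit paging and the data/appId
    fields are assumptions). A 5xx such as the HTTP 500 past index 21000 ends this run but
    keeps every page already collected; returns (apps keyed by appId, index reached)."""
    apps: Dict[str, dict] = {}
    skip = 0
    while True:
        status, body = send(f"{api_url}/api/v1/discovery/discovered_apps",
                            {"Authorization": f"Bearer {token}"}, {"skip": skip, "limit": page_size})
        if status >= 500:
            return apps, skip                 # partial result; a later run may fill the gap
        if status != 200:
            raise RuntimeError(f"discovery request failed with HTTP {status}")
        page = body.get("data", [])
        apps.update({app["appId"]: app for app in page})
        if len(page) < page_size:
            return apps, skip + len(page)     # final page reached without error
        skip += page_size

def merge_runs(*runs: Dict[str, dict]) -> Dict[str, dict]:
    """Union by appId: MDCA orders results randomly, so runs stopping at the same index still differ."""
    merged: Dict[str, dict] = {}
    for run in runs:
        merged.update(run)
    return merged

def fake_mdca(total: int, fail_at: int) -> Transport:
    """Constructed stand-in: HTTP 500 once skip reaches fail_at; order rotates by 10 per distinct token."""
    tokens: Dict[str, int] = {}
    def send(url, headers, params):
        if params["skip"] >= fail_at:
            return 500, {"error": "internal server error"}
        shift = 10 * tokens.setdefault(headers["Authorization"].split()[1], len(tokens))
        order = [{"appId": f"app-{(i + shift) % total}"} for i in range(total)]
        return 200, {"data": order[params["skip"]:params["skip"] + params["limit"]]}
    return send

def run_demo() -> Tuple[int, int, int]:
    """30-app tenant failing at index 20: one run stops at 20 apps, two merged runs recover all 30."""
    send = fake_mdca(total=30, fail_at=20)
    first, stopped_at = fetch_discovered_apps(send, "https://example.test", "tokA", page_size=10)
    second, _ = fetch_discovered_apps(send, "https://example.test", "tokB", page_size=10)
    return len(first), stopped_at, len(merge_runs(first, second))
```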

SAP LeanIX has permission to only read applications within Microsoft Defender. Applications are added to Cloud Apps in MS Defender when someone accesses a cloud application through their browser, which could lead to a significant number of discovered applications. To learn more, see Microsoft's documentation Set up Cloud Discovery and Discover and Manage Shadow IT. If you want to cross-check the discovered services, you can do so by navigating to security.microsoft.com and checking the Cloud discovery reports under Cloud apps.

For usage adoption metrics, the count of total active unique users in MDCA is determined by the stream configured in your system and the time window you have defined in MDCA.

Discovery Capabilities

Available capabilities: SaaS Discovery
Entity description: SaaS discovery is the process of automatically identifying applications.
MDCA resource: Discovered Apps

Set up MDCA

Register a new application in Microsoft Entra ID

  1. Sign in to the Azure portal with an Azure administrator account that is also a member of the Global Administrator directory role in your Microsoft Entra ID tenant.
  2. On the left navigation pane, click Microsoft Entra ID.
  3. On the Microsoft Entra ID page, click App registrations.
  4. On the App registrations page, in the toolbar at the top, click New registration.
  5. The Register an application page opens. Perform the following steps:
    1. Enter a name for the integration.
    2. Under Supported account types, select Accounts in this organizational directory only (Default Directory only - Single tenant).
    3. Click Register at the bottom of the screen.

Grant permissions to the application

  1. Now that the application exists, grant it permissions: in the left menu, click API permissions.

  2. Click the Add a permission button.

  3. A new configuration panel, Request API permissions, opens on the right. Select the APIs my organization uses tab and search for Microsoft Cloud App Security.

  4. Click the Application permissions button and select the discovery.read permission.

  5. Click the Add permissions button at the bottom to assign the permission to the SAP LeanIX application. Note that only the administrator in MDCA has full access and visibility to the settings and can provide the API URL. If you are not the administrator, reach out to the MDCA admin to obtain the necessary API URL.

  6. Click the Grant admin consent for Default Directory button to enable the configured permissions for the application.

  7. Next, click Yes to grant consent for the requested permissions.

  8. The permission status indicator on the API permissions page changes to approved.

Gather configuration settings

  1. Return to the application overview (App registrations -> click the created app) and copy the following identifiers: Application (client) ID and Directory (tenant) ID.

  2. In the left menu, navigate to Certificates & secrets to generate a client secret, also called the application password.

  3. Click on the New client secret button to create a new password.

    1. Optionally, enter a description for the client secret.

    2. Select the expiration length of the secret. Once the expiration date of the created client secret is reached, you will have to create a new one and reconfigure the integration in the SAP LeanIX application.

    3. Click Add.

  4. Copy the Secret Value to your clipboard.

  5. Go to the MDCA product, open Settings > Cloud Apps > System > About, and copy the API URL value.

Pass configuration values to the SAP LeanIX app

  1. Proceed to SAP LeanIX and enter the credentials you generated in the Azure portal.

  2. Click Finish and wait for the connection to be established.