Microsoft Defender for Cloud Apps Client Credentials

Microsoft Defender for Cloud Apps provides full protection for SaaS applications by helping monitor and protect your organization’s cloud app data in a variety of ways:

Shadow IT discovery
Visibility into cloud app usage
Managing your organization’s SaaS security posture

Important: This Microsoft Defender for Cloud Apps integration requires the authentication method OAuth2 with client credentials.

The following sections explain prerequisites, resources, and instructions for integrating with SaaS Management.

Stored Microsoft Defender for Cloud Apps Client Credentials Information
Required Minimum Permissions for Microsoft Defender for Cloud Apps Client Credentials
Authentication Method for Microsoft Defender for Cloud Apps Client Credentials
Required Credentials for Microsoft Defender for Cloud Apps Client Credentials
Obtaining Client Credentials and Directory (Tenant) ID for Microsoft Defender for Cloud Apps Client Credentials
Integrating Microsoft Defender for Cloud Apps Client Credentials With SaaS Management
Microsoft Power BI Reporting for Microsoft Defender for Cloud Apps Client Credentials
Microsoft Defender for Cloud Apps Client Credentials API Endpoints

Stored Microsoft Defender for Cloud Apps Client Credentials Information

The following table describes the available integration tasks and stored data within SaaS Management.

Available Integration Tasks: Discovered App Usage

Information Stored:

Category
Device Count
Display Name
Domains
Download Network Traffic In Bytes
ID
IP Address Count
Last Seen Date Time
Risk Score
Tags
Transaction Count
Upload Network Traffic In Bytes
User Count

Note: The information stored is subject to change as enhancements are made to the SaaS application.

Required Minimum Permissions for Microsoft Defender for Cloud Apps Client Credentials

The minimum required API permissions are based on the Required Application Permissions for Microsoft Defender for Cloud Apps Client Credentials and the Required User Role for Microsoft Defender for Cloud Apps Client Credentials.

Required Application Permissions for Microsoft Defender for Cloud Apps Client Credentials

Application Permission: CloudApp-Discovery.Read.All

Description: Enables you to read all the discovered cloud applications.

Integration Task Name: Discovered App Usage

Required User Role for Microsoft Defender for Cloud Apps Client Credentials

Note: The following SaaS application user role is not applicable to Flexera One roles.

User Role: Global Administrator

Description: To grant the application permissions, the user must have Global Administrator access. For more information, see Microsoft’s documentation topic, Microsoft Entra Built-In Roles.

Authentication Method for Microsoft Defender for Cloud Apps Client Credentials

The required authentication method is OAuth 2.0 With Client Credentials. For more information, see Microsoft’s documentation topic, Microsoft Identity Platform and the OAuth 2.0 Client Credentials Flow.

Required Credentials for Microsoft Defender for Cloud Apps Client Credentials

The following credentials are required:

Application (Client) ID
Client Secrets Value
Directory (Tenant) ID

Obtaining Client Credentials and Directory (Tenant) ID for Microsoft Defender for Cloud Apps Client Credentials

Before Integrating Microsoft Defender for Cloud Apps Client Credentials With SaaS Management, you need to obtain client credentials and the directory (tenant) ID by completing the following steps.

To obtain Client Credentials and Directory (Tenant) ID:

1. Sign in to your Microsoft Azure Portal.
2. In the Search box at the top of the page, enter App registrations and click App registrations in the search results to select it. The App registrations page opens.
3. Click New Registration. The Register an application page opens.
4. Enter a Name and choose the Accounts in this organizational directory only option.
5. Click Register.
6. On the Overview tab, copy and paste the Application (client) ID and the Directory (tenant) ID to a file. You will later enter these values in SaaS Management.
7. To generate a client secrets value, do the following:
a. Click the Certificates & secrets tab.
b. Under Client secrets, click New client secret. The Add a client secret dialog box opens.
c. In the Description field, enter a name for the new secret.
d. Under Expires, choose an expiration value.
e. Click Add.
f. Under Client secrets, copy and paste the client secret value to a file. You will later enter this value in SaaS Management.
8. Click the API permissions tab and complete the following:
a. Click Microsoft Graph. The Request API permissions panel opens.
b. Click Application permissions.
c. In the Select permissions search box, enter CloudApp-Discovery.Read.All, and select the CloudApp-Discovery.Read.All permission checkbox.
d. Click Update permissions.
9. After the permissions are added, grant admin consent.

Important: If you modify any permissions in the Microsoft Azure Portal that are used to create the directory (tenant) ID and client secrets value, you need to reauthorize the Microsoft Defender for Cloud Apps integration in SaaS Management by completing all the steps in the Integrating Microsoft Defender for Cloud Apps Client Credentials With SaaS Management section.

10. Proceed to Integrating Microsoft Defender for Cloud Apps Client Credentials With SaaS Management.
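
Added example (not part of the original page, and not Flexera's or Microsoft's code): a check, run after admin consent is granted, that a token issued to the new app registration carries only the documented minimum permission. It performs the client credentials grant, decodes the token's claims for inspection, and reports missing or excess application permissions; the IDs and token in the main block are constructed placeholders.

```python
import base64
import json
import urllib.parse
import urllib.request

EXPECTED_ROLES = {"CloudApp-Discovery.Read.All"}  # the only permission this page requires
# Microsoft Graph as token audience: resource URI or its well-known application ID.
GRAPH_AUDIENCES = {"https://graph.microsoft.com", "00000003-0000-0000-c000-000000000000"}

def request_token(tenant_id, client_id, client_secret):
    """Client credentials grant against the Microsoft identity platform (needs network)."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    form = urllib.parse.urlencode({
        "grant_type": "client_credentials", "client_id": client_id,
        "client_secret": client_secret, "scope": "https://graph.microsoft.com/.default",
    }).encode()
    with urllib.request.urlopen(url, data=form, timeout=30) as resp:
        return json.load(resp)["access_token"]

def token_claims(access_token):
    """Decode the JWT payload for inspection only; the signature is NOT verified here."""
    payload = access_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def audit_claims(claims, tenant_id, client_id):
    """Return findings; an empty list means the token matches the documented minimum."""
    findings = []
    roles = set(claims.get("roles", []))
    if str(claims.get("aud", "")).rstrip("/") not in GRAPH_AUDIENCES:
        findings.append(f"unexpected audience: {claims.get('aud')}")
    if claims.get("tid") != tenant_id:
        findings.append(f"token issued for tenant {claims.get('tid')}")
    if client_id not in (claims.get("appid"), claims.get("azp")):
        findings.append("token was not issued to this app registration")
    findings += [f"missing permission (admin consent not granted?): {r}"
                 for r in sorted(EXPECTED_ROLES - roles)]
    findings += [f"excess permission beyond documented minimum: {r}"
                 for r in sorted(roles - EXPECTED_ROLES)]
    return findings

if __name__ == "__main__":
    # Constructed sample: placeholder IDs and a token shaped like an over-permissioned app.
    tid, cid = "00000000-0000-0000-0000-000000000001", "00000000-0000-0000-0000-000000000002"
    claims = {"aud": "https://graph.microsoft.com", "tid": tid, "appid": cid,
              "roles": ["CloudApp-Discovery.Read.All", "Directory.ReadWrite.All"]}
    body = base64.urlsafe_b64encode(json.dumps(claims).encode()).decode().rstrip("=")
    token = f"e30.{body}.constructed"  # live use: token = request_token(tid, cid, secret)
    print(audit_claims(token_claims(token), tid, cid))
```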

Integrating Microsoft Defender for Cloud Apps Client Credentials With SaaS Management

Important: Before integrating, complete the prerequisite steps in Obtaining Client Credentials and Directory (Tenant) ID for Microsoft Defender for Cloud Apps Client Credentials.

To integrate Microsoft Defender for Cloud Apps Client Credentials with SaaS Management, perform the following steps.

To integrate Microsoft Defender for Cloud Apps Client Credentials with SaaS Management:

1. Add the Microsoft Defender for Cloud Apps application in SaaS Management. For more information, see Adding an Application.
2. On the Add Application page for Microsoft Defender for Cloud Apps Client Credentials:
a. Select the Discovered App Usage integration task checkbox.
b. Copy and paste the Application (Client) ID, Client Secrets Value, and Directory (Tenant) ID values from Obtaining Client Credentials and Directory (Tenant) ID for Microsoft Defender for Cloud Apps Client Credentials into the respective SaaS Management fields.
c. Click Authorize.

Microsoft Power BI Reporting for Microsoft Defender for Cloud Apps Client Credentials

SaaS Management’s Microsoft Power BI report, which uses the SaaS Management API, provides insights into SaaS applications that are being used within your organization. For Microsoft Defender for Cloud Apps, the report helps you to easily surface occurrences of Shadow IT. The Microsoft Power BI report insights can be shared with contacts within your organization who do not typically use SaaS Management.

To create the Microsoft Power BI report, see the Microsoft Defender for Cloud Apps Power BI Reporting for Flexera One's SaaS Management Knowledge Base article.

Microsoft Defender for Cloud Apps Client Credentials API Endpoints

Discovered App Usage

https://graph.microsoft.com/beta/security/dataDiscovery/cloudAppDiscovery/uploadedStreams

https://graph.microsoft.com/beta/security/dataDiscovery/cloudAppDiscovery/uploadedStreams/<<streamId>>/aggregatedAppsDetails(period=duration'P90D')