Microsoft Defender for Cloud Apps Client Credentials
Microsoft Defender for Cloud Apps provides full protection for SaaS applications by helping monitor and protect your organization’s cloud app data in a variety of ways.
• Visibility into cloud app usage
• Managing your organization’s SaaS security posture
Important: This Microsoft Defender for Cloud Apps integration requires the authentication method OAuth2 with client credentials.
The following sections explain prerequisites, resources, and instructions for integrating with SaaS Management.
Stored Microsoft Defender for Cloud Apps Client Credentials Information
The following table describes the available integration tasks and stored data within SaaS Management.
Integration Task | Stored Data
Discovered App Usage | Download Network Traffic In Bytes; Upload Network Traffic In Bytes
Note: The information stored is subject to change as enhancements are made to the SaaS application.
Required Minimum Permissions for Microsoft Defender for Cloud Apps Client Credentials
The minimum API required permissions are based on the Required Application Permissions for Microsoft Defender for Cloud Apps Client Credentials and the Required User Role for Microsoft Defender for Cloud Apps Client Credentials.
Required Application Permissions for Microsoft Defender for Cloud Apps Client Credentials
Permission | Description | Integration Task
CloudApp-Discovery.Read.All | Enables you to read all the discovered cloud applications. | Discovered App Usage
Required User Role for Microsoft Defender for Cloud Apps Client Credentials
Note: The following SaaS application user role is not applicable to Flexera One roles.
User Role | Description
Global Administrator | To grant the application permissions, the user must have Global Administrator access. For more information, see Microsoft’s documentation topic, Microsoft Entra Built-In Roles.
Authentication Method for Microsoft Defender for Cloud Apps Client Credentials
The required authentication method is OAuth 2.0 With Client Credentials. For more information, see Microsoft’s documentation topic, Microsoft Identity Platform and the OAuth 2.0 Client Credentials Flow.
Required Credentials for Microsoft Defender for Cloud Apps Client Credentials
The following credentials are required:
• Application (Client) ID
Obtaining Client Credentials and Directory (Tenant) ID for Microsoft Defender for Cloud Apps Client Credentials
Before Integrating Microsoft Defender for Cloud Apps Client Credentials With SaaS Management, you need to obtain client credentials and the directory (tenant) ID by completing the following steps.
To obtain Client Credentials and Directory (Tenant) ID:
1. Sign in to your Microsoft Azure Portal.
2. In the Search box at the top of the page, enter App registrations and click App registrations in the search results to select it. The App registrations page opens.
3. Click New Registration. The Register an application page opens.
4. Enter a Name and choose the Accounts in this organizational directory only option.
6. On the Overview tab, copy and paste the Application (client) ID and the Directory (tenant) ID to a file. You will later enter these values in SaaS Management.
7. To generate a client secret value, do the following:
   a. Click the Certificates & secrets tab.
   b. Under Client secrets, click New client secret. The Add a client secret dialog box opens.
   c. In the Description field, enter a name for the new secret.
   d. Under Expires, choose an expiration value.
   f. Under Client secrets, copy and paste the client secret value to a file. You will later enter this value in SaaS Management.
8. Click the API permissions tab and complete the following:
   a. Click Microsoft Graph. The Request API permissions panel opens.
   b. Click Application permissions.
   c. In the Select permissions search box, enter CloudApp-Discovery.Read.All, and select the CloudApp-Discovery.Read.All permission checkbox.
   d. Click Update permissions.
9. After the permissions are added, grant admin consent.
Important: If you modify any permissions in the Microsoft Azure Portal that are used to create the directory (tenant) ID and client secret value, you need to reauthorize the Microsoft Defender for Cloud Apps integration in SaaS Management by completing all the steps in the Integrating Microsoft Defender for Cloud Apps Client Credentials With SaaS Management section.
Integrating Microsoft Defender for Cloud Apps Client Credentials With SaaS Management
Important: Before integrating, complete the prerequisite steps in Obtaining Client Credentials and Directory (Tenant) ID for Microsoft Defender for Cloud Apps Client Credentials.
To integrate Microsoft Defender for Cloud Apps Client Credentials with SaaS Management, perform the following steps.
To integrate Microsoft Defender for Cloud Apps Client Credentials with SaaS Management:
1. Add the Microsoft Defender for Cloud Apps application in SaaS Management. For more information, see Adding an Application.
2. On the Add Application page for Microsoft Defender for Cloud Apps Client Credentials:
   a. Select the Discovered App Usage integration task checkbox.
Microsoft Power BI Reporting for Microsoft Defender for Cloud Apps Client Credentials
SaaS Management’s Microsoft Power BI report, which uses the SaaS Management API, provides insights into SaaS applications that are being used within your organization. For Microsoft Defender for Cloud Apps, the report helps you to easily surface occurrences of Shadow IT. The Microsoft Power BI report insights can be shared with contacts within your organization who do not typically use SaaS Management.
To create the Microsoft Power BI report, see the Microsoft Defender for Cloud Apps Power BI Reporting for Flexera One's SaaS Management Knowledge Base article.
Microsoft Defender for Cloud Apps Client Credentials API Endpoints
Discovered App Usage
https://graph.microsoft.com/beta/security/dataDiscovery/cloudAppDiscovery/uploadedStreams
https://graph.microsoft.com/beta/security/dataDiscovery/cloudAppDiscovery/uploadedStreams/<<streamId>>/aggregatedAppsDetails(period=duration'P90D')
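The following is an added example, not code from Flexera One or Microsoft, showing what the OAuth 2.0 client credentials flow described under Authentication Method looks like on the wire and how the two Discovered App Usage endpoints above are then called with the resulting bearer token. It uses only the Python standard library. Assumptions are labelled in the code: the environment variable names (TENANT_ID, CLIENT_ID, CLIENT_SECRET), the `id` field on each uploaded stream, and the `displayName`, `uploadNetworkTrafficInBytes` and `downloadNetworkTrafficInBytes` field names, which are taken to correspond to the Upload/Download Network Traffic In Bytes values the page lists; the token response and result pages embedded in the block are constructed samples, not real Graph output.

```python
# Added example (not Flexera's or Microsoft's code): OAuth 2.0 client credentials
# against the Microsoft identity platform, then paging through the two Graph beta
# endpoints listed on the page. Parsing helpers run offline on constructed samples.
import json
import os
import urllib.parse
import urllib.request

GRAPH_BASE = "https://graph.microsoft.com/beta/security/dataDiscovery/cloudAppDiscovery"
# Application permissions (CloudApp-Discovery.Read.All) granted by admin consent are
# requested with the .default scope; no user is involved in this flow.
GRAPH_SCOPE = "https://graph.microsoft.com/.default"


def token_endpoint(tenant_id: str) -> str:
    """v2.0 token endpoint of the Microsoft identity platform for one directory (tenant) ID."""
    return f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"


def client_credentials_body(client_id: str, client_secret: str) -> bytes:
    """Form-encoded body of the client credentials grant (RFC 6749 section 4.4)."""
    return urllib.parse.urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": GRAPH_SCOPE,
        "grant_type": "client_credentials",
    }).encode()


def parse_token_response(raw: bytes) -> str:
    """Return the bearer token, or raise on the identity platform's error document
    (for example after the client secret chosen under Expires has lapsed)."""
    doc = json.loads(raw)
    if "error" in doc:
        raise RuntimeError(f"token request failed: {doc['error']}: {doc.get('error_description', '')}")
    if doc.get("token_type", "").lower() != "bearer":
        raise RuntimeError("unexpected token_type in response")
    return doc["access_token"]


def uploaded_streams_url() -> str:
    return f"{GRAPH_BASE}/uploadedStreams"


def aggregated_apps_url(stream_id: str, period: str = "P90D") -> str:
    """aggregatedAppsDetails function for one stream; period is an ISO 8601 duration."""
    sid = urllib.parse.quote(stream_id, safe="")
    return f"{GRAPH_BASE}/uploadedStreams/{sid}/aggregatedAppsDetails(period=duration'{period}')"


def graph_get(url: str, token: str) -> dict:
    """One authenticated GET; the token travels only in the Authorization header."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}",
                                               "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def iterate_pages(url: str, get):
    """Yield items across Graph pages, following @odata.nextLink until it is absent.
    `get(url)` returns one parsed page, so a fake transport can be injected."""
    while url:
        page = get(url)
        yield from page.get("value", [])
        url = page.get("@odata.nextLink")


def summarize_usage(apps) -> dict:
    """Total upload/download bytes per discovered app. Field names are an assumption
    matching the Upload/Download Network Traffic In Bytes values the page lists."""
    totals = {}
    for app in apps:
        t = totals.setdefault(app.get("displayName", "<unknown>"), {"upload": 0, "download": 0})
        t["upload"] += int(app.get("uploadNetworkTrafficInBytes", 0))
        t["download"] += int(app.get("downloadNetworkTrafficInBytes", 0))
    return totals


# Constructed samples (not real Graph output) for offline use.
SAMPLE_TOKEN_RESPONSE = b'{"token_type":"Bearer","expires_in":3599,"access_token":"eyJ.constructed"}'
SAMPLE_PAGES = {
    "p1": {"value": [{"displayName": "Dropbox", "uploadNetworkTrafficInBytes": 100,
                      "downloadNetworkTrafficInBytes": 250}],
           "@odata.nextLink": "p2"},
    "p2": {"value": [{"displayName": "Dropbox", "uploadNetworkTrafficInBytes": 50,
                      "downloadNetworkTrafficInBytes": 0},
                     {"displayName": "Box", "uploadNetworkTrafficInBytes": 7,
                      "downloadNetworkTrafficInBytes": 9}]},
}


def fetch_token(tenant_id: str, client_id: str, client_secret: str) -> str:
    req = urllib.request.Request(token_endpoint(tenant_id),
                                 data=client_credentials_body(client_id, client_secret), method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return parse_token_response(resp.read())


if __name__ == "__main__":
    # Real run: credentials come from the environment (assumed variable names), never the script.
    tenant, cid, secret = (os.environ[k] for k in ("TENANT_ID", "CLIENT_ID", "CLIENT_SECRET"))
    token = fetch_token(tenant, cid, secret)
    for stream in iterate_pages(uploaded_streams_url(), lambda u: graph_get(u, token)):
        apps = iterate_pages(aggregated_apps_url(stream["id"]), lambda u: graph_get(u, token))  # "id" assumed
        for name, t in sorted(summarize_usage(apps).items()):
            print(f"{stream['id']}\t{name}\tup={t['upload']}\tdown={t['download']}")
```

Two points worth noting for operators: the `.default` scope is what turns the admin-consented application permission into a token claim, so a missing or not-yet-consented CloudApp-Discovery.Read.All shows up as an authorization failure on the Graph call rather than at the token endpoint; and because the client secret has the expiry chosen in step 7d, the token request is where an expired secret first surfaces, which is why the error document is checked explicitly.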