Microsoft Defender for Cloud Apps: CASB for Small Businesses in Berlin
Shadow IT is the hidden risk that most Berlin small business security programmes overlook. Employees use Dropbox to share files, personal Gmail to bypass attachment size limits, and free collaboration tools that have never been reviewed for GDPR compliance. Microsoft Defender for Cloud Apps — formerly Microsoft Cloud App Security (MCAS) — is the Cloud Access Security Broker (CASB) built into Microsoft 365 that makes shadow IT visible, lets you block or monitor risky applications, and enforces your data protection policies in real time across every cloud service your users touch.
This guide explains how Defender for Cloud Apps discovers shadow IT, how Conditional Access App Control enforces session policies, and how Berlin businesses can use it to meet GDPR accountability obligations for cloud application use.
What Is a CASB and Why Does It Matter for Berlin SMBs?
A Cloud Access Security Broker sits between users and cloud services, providing four control planes:
- Visibility: discover every cloud application employees use, scored by security and compliance risk
- Compliance: identify applications that store EU personal data outside GDPR-compliant jurisdictions
- Data security: apply DLP policies to files stored and shared in cloud applications
- Threat protection: detect anomalous activity — mass downloads, impossible travel, credential compromise — in cloud app sessions
For a Berlin business with 10–50 employees using a mix of sanctioned Microsoft 365 apps and unsanctioned SaaS tools, a CASB provides the data governance layer that IT policies alone cannot enforce.
Cloud Discovery: Shadow IT Inventory
Cloud Discovery analyses network traffic to build a catalogue of every cloud application in use across the organisation. There are two discovery methods:
Log upload: export traffic logs from your firewall, proxy, or network device and upload them (manually or via a log collector) to Defender for Cloud Apps. Supported sources include Cisco ASA, Palo Alto, Meraki, Fortinet, Zscaler, and dozens of others.
Defender for Endpoint integration: if Microsoft Defender for Endpoint (MDE) is deployed on managed devices, it automatically feeds network traffic metadata to Cloud Discovery. This is the zero-touch option — no log collector required, and it also covers remote workers who are not behind the office perimeter. For Berlin businesses already running Business Premium, MDE is included and the integration is a single toggle.
The Microsoft Cloud App Catalog contains risk scores (1–10) for over 31,000 cloud services, assessed across 90 risk factors including:
- Data-at-rest and in-transit encryption standards
- GDPR compliance certification and data processing agreements
- SOC 2 / ISO 27001 certification
- Data residency — whether EU data stays in the EU
- Breach history and disclosure practices
The resulting dashboard shows each discovered application with its risk score, number of users, and total traffic volume. Applications can be tagged as Sanctioned (approved for business use), Monitored (allowed but activity logged), or Unsanctioned (blocked).
App Governance: Blocking Unsanctioned Apps
Once you mark an application as Unsanctioned, Defender for Cloud Apps generates block indicators for the application’s known IP ranges and domains. These indicators can be pushed directly to Microsoft Defender for Endpoint as network protection rules, blocking access from all MDE-managed devices without requiring firewall or proxy changes.
For applications that cannot be blocked at the network layer (for example, a web-based tool accessed via a shared browser on an unmanaged device), Conditional Access App Control provides session-level enforcement.
Conditional Access App Control
Conditional Access App Control routes cloud application sessions through a Defender for Cloud Apps reverse proxy, enabling real-time session inspection and enforcement. The integration works through Entra ID Conditional Access: an access policy routes sessions for specified applications to the Defender for Cloud Apps proxy rather than directly to the application.
Once a session is proxied, you can create session policies that act on file activities in real time:
| Session Policy Action | Use Case |
|---|---|
| Block download | Prevent downloading sensitive files from SharePoint to unmanaged devices |
| Block upload | Prevent uploading files containing personal data to unsanctioned cloud storage |
| Require step-up authentication | Prompt re-authentication when a user tries to access a sensitive application from an unfamiliar location |
| Apply sensitivity label on download | Automatically apply a confidentiality label to files downloaded from SharePoint to personal devices |
| Monitor only | Log all activities in an application without blocking — useful for investigation baseline collection |
Access policies (enforced before a session is established) can additionally require device compliance as a condition of accessing a cloud application, integrating with Intune device compliance signals.
API Connectors: Deep Visibility into Sanctioned Apps
For sanctioned applications, Defender for Cloud Apps connects through each service's OAuth-authorised API to provide deep activity monitoring without proxying sessions. Supported API connectors include:
- Microsoft 365 (SharePoint, OneDrive, Exchange, Teams)
- Salesforce
- GitHub
- Box
- Dropbox
- Google Workspace
- ServiceNow
- Okta
API connectors enable visibility into activities that happen within the application — file sharing, permission changes, admin activity — not just the fact that a user accessed the service. For Microsoft 365, the Microsoft 365 connector provides near-complete parity with the Microsoft 365 Compliance Centre audit log.
Information Protection: DLP for Cloud Applications
Defender for Cloud Apps includes a native DLP engine that scans files stored in connected cloud applications for sensitive content. Integration with Microsoft Purview DLP policies extends your existing on-premises and Exchange DLP rules to cloud application storage: a file in Salesforce containing 16-digit sequences matching credit card patterns triggers the same policy response as a file emailed via Exchange.
Integration with Microsoft Purview Sensitivity Labels enables Defender for Cloud Apps to enforce labelling in third-party applications: a file classified as Confidential in SharePoint retains that label when shared to Box or Dropbox via an API connector, and session policies can require re-labelling before download to a personal device.
Anomaly Detection and Threat Protection
Defender for Cloud Apps includes built-in anomaly detection policies that use machine learning to identify suspicious activity in cloud applications:
- Impossible travel: sign-in from Berlin followed by sign-in from Singapore 90 minutes later — physically impossible without context (VPN, known business travel)
- Activity from anonymous IP: access from a Tor exit node or known anonymising proxy
- Mass download: a user downloads 300 files from SharePoint in 10 minutes — anomalous relative to their daily baseline
- Suspicious admin activity: global admin role assigned outside business hours by an account that has never performed this action before
- Ransomware activity: rapid sequential file renames in OneDrive matching known ransomware extension patterns
These anomaly detection policies generate alerts that flow into the Microsoft 365 Defender portal and can be ingested by Microsoft Sentinel for SIEM-level correlation.
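An added example (not Microsoft's detection logic) that implements simplified versions of two of the policies listed above, impossible travel and mass download, over constructed events; the speed threshold, coordinates and per-user daily baselines are assumptions, and the known_locations parameter stands in for the VPN / business-travel context the page mentions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt
# Constructed sign-in events: (user, UTC time, city, lat, lon)
SIGNINS = [
    ("anna@example.de", "2024-05-06T08:00:00", "Berlin", 52.52, 13.41),
    ("anna@example.de", "2024-05-06T09:30:00", "Singapore", 1.35, 103.82),
    ("ben@example.de", "2024-05-06T08:00:00", "Berlin", 52.52, 13.41),
    ("ben@example.de", "2024-05-06T11:00:00", "Munich", 48.14, 11.58),
]
# Constructed downloads: cara pulls 300 files in 10 minutes, dan pulls 10
DOWNLOADS = [("cara@example.de", f"2024-05-06T10:{s // 60:02d}:{s % 60:02d}")
             for s in range(0, 600, 2)]
DOWNLOADS += [("dan@example.de", f"2024-05-06T10:{m:02d}:00") for m in range(10)]
BASELINES = {"cara@example.de": 40, "dan@example.de": 60}  # constructed downloads/day

def group_by_user(events):
    """Group (user, iso_time, *rest) tuples per user, sorted by parsed time."""
    by_user = defaultdict(list)
    for user, ts, *rest in events:
        by_user[user].append((datetime.fromisoformat(ts), *rest))
    return {u: sorted(v) for u, v in by_user.items()}

def haversine_km(lat1, lon1, lat2, lon2):
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(a))  # great-circle distance in km

def impossible_travel(signins, max_speed_kmh=1000, known_locations=()):
    """Flag consecutive sign-ins whose implied speed beats an airliner."""
    alerts = []
    for user, events in group_by_user(signins).items():
        events = [e for e in events if e[1] not in known_locations]  # drop known VPN/travel cities
        for (t1, c1, la1, lo1), (t2, c2, la2, lo2) in zip(events, events[1:]):
            speed = haversine_km(la1, lo1, la2, lo2) / max((t2 - t1).total_seconds() / 3600, 1e-9)
            if speed > max_speed_kmh:
                alerts.append((user, c1, c2, round(speed)))
    return alerts

def mass_download(downloads, baselines, window=timedelta(minutes=10), factor=5):
    """Flag users whose peak downloads in any window exceed factor x their daily baseline."""
    alerts = {}
    for user, events in group_by_user(downloads).items():
        times = [t for (t,) in events]
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window start forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak > factor * baselines.get(user, 0):  # unknown users: baseline 0
            alerts[user] = peak
    return alerts
```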
GDPR Application Governance for Berlin Businesses
GDPR Article 28 requires data controllers (your business) to use only processors (cloud services) that provide sufficient guarantees of GDPR-compliant processing. Defender for Cloud Apps Cloud Discovery directly supports this obligation: the Cloud App Catalog’s GDPR compliance flag and data residency information let you identify applications where EU personal data is processed outside the EU without a valid transfer mechanism.
A practical GDPR workflow for Berlin SMBs:
- Run Cloud Discovery for 30 days to build an accurate shadow IT inventory
- Filter the discovered app list by “GDPR compliance: No” or “Data residency: US only”
- Cross-reference the result against the applications to which employees upload files containing personal data (names, email addresses, client records)
- Tag identified applications as Unsanctioned and push block indicators to Defender for Endpoint
- Document the review and blocking decisions as evidence of GDPR Article 25 (data protection by design) compliance
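As an added example (not Microsoft's code and not the Cloud Discovery engine itself), the Python below re-creates the core of the Cloud Discovery inventory step and the GDPR review workflow above on constructed proxy log lines: it aggregates per-app users, uploaders and traffic volume, joins the result to a constructed stand-in for the Cloud App Catalog, and returns the hosts that fail the "GDPR compliance: No" / "Data residency: US only" filter while employees upload to them, plus anything missing from the catalogue for manual review. Log format, catalogue entries and risk scores are assumptions.

```python
# Constructed proxy log lines: timestamp user method host bytes_out bytes_in
PROXY_LOG = """\
2024-05-06T08:12:01Z anna@example.de POST dropbox.com 2400000 1200
2024-05-06T08:13:44Z anna@example.de GET dropbox.com 300 98000
2024-05-06T09:01:10Z ben@example.de POST dropbox.com 5100000 900
2024-05-06T09:05:27Z ben@example.de GET sharepoint.com 400 2200000
2024-05-06T10:22:03Z cara@example.de POST pastebin.com 18000 600
2024-05-06T11:40:55Z anna@example.de GET wetransfer.com 350 7000000
2024-05-06T11:41:20Z dan@example.de POST wetransfer.com 9800000 700
2024-05-06T12:03:09Z cara@example.de POST notion.so 450000 800
"""
# Constructed stand-in for the Cloud App Catalog (risk score 1-10, higher is safer)
CATALOG = {
    "dropbox.com": {"app": "Dropbox", "risk": 8, "gdpr": True, "residency": "EU"},
    "sharepoint.com": {"app": "SharePoint", "risk": 9, "gdpr": True, "residency": "EU"},
    "pastebin.com": {"app": "Pastebin", "risk": 3, "gdpr": False, "residency": "US"},
    "wetransfer.com": {"app": "WeTransfer", "risk": 6, "gdpr": True, "residency": "US"},
}

def build_inventory(log_text):
    """Aggregate traffic per host: distinct users, uploaders and byte volumes."""
    inv = {}
    for line in log_text.splitlines():
        _ts, user, method, host, b_out, b_in = line.split()
        u = inv.setdefault(host, {"users": set(), "uploaders": set(), "bytes_out": 0, "bytes_in": 0})
        u["users"].add(user)
        u["bytes_out"] += int(b_out)
        u["bytes_in"] += int(b_in)
        if method in ("POST", "PUT"):  # treat request bodies as uploads
            u["uploaders"].add(user)
    return inv

def gdpr_review(inv, catalog):
    """Return hosts to tag Unsanctioned, with a reason: apps that are not
    GDPR-certified or keep data US-only, and to which employees upload."""
    flagged = {}
    for host, u in inv.items():
        meta = catalog.get(host)
        if meta is None:
            flagged[host] = "not in catalog: review manually"
        elif (not meta["gdpr"] or meta["residency"] == "US") and u["uploaders"]:
            flagged[host] = (f'{meta["app"]} (risk {meta["risk"]}): {u["bytes_out"]} bytes '
                             f'uploaded by {sorted(u["uploaders"])}')
    return flagged
```

The keys of the returned dictionary are the domains you would then push to Defender for Endpoint as block indicators, and the values are the evidence to keep for the Article 25 record.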
Licensing
Defender for Cloud Apps is included in Microsoft 365 E5, Microsoft 365 E5 Security, and Enterprise Mobility + Security E5. It is available as a standalone add-on for approximately €3.50 per user per month. For Berlin businesses on Microsoft 365 Business Premium, Cloud Discovery (the shadow IT inventory feature) is available as part of the Defender for Endpoint integration at no additional licence cost — full CASB capabilities require upgrading to an E5 or EMS E5 plan.
