Microsoft Defender for Cloud Apps: Controlling Shadow IT for Small Businesses in Berlin
Most organisations have a sanctioned list of approved cloud applications — and a much longer list of cloud apps that employees are using anyway without IT approval. File sharing via personal Dropbox, project management in unsanctioned Trello workspaces, AI tools processing business data — this is shadow IT, and it creates data governance, compliance, and security risks that traditional perimeter controls cannot see.
Microsoft Defender for Cloud Apps (formerly Microsoft Cloud App Security, MCAS) gives visibility into cloud app traffic, classifies each app by risk, and enforces policy through the endpoints and identity controls you already run, so discovery and blocking do not require deploying a dedicated forward proxy.
Shadow IT Discovery
Cloud App Discovery analyses network traffic logs from your firewall or proxy, or, most simply for SMBs, telemetry from the Defender for Endpoint sensor already running on onboarded devices. Every cloud service a device talks to is matched against Microsoft's catalogue of 31,000+ cloud apps. Each catalogue entry carries a risk score from 1 (least trustworthy) to 10, derived from over 90 factors including where data is hosted, encryption in transit and at rest, GDPR readiness, and compliance certifications.
The first discovery report commonly lists many times more cloud apps than IT had documented, including consumer-grade storage and messaging tools handling business data. Sort it by upload volume: the apps receiving the most outbound data from your users are where the governance questions start.
App Governance Actions
| Action | What It Does | Use Case |
|---|---|---|
| Sanction | Mark as approved; apply consistent monitoring | Microsoft 365, Salesforce, approved tools |
| Unsanction | Tag as unsanctioned; Defender for Endpoint blocks the app on onboarded devices, and a block script can be exported for supported firewalls/proxies | High-risk file sharing, shadow AI tools |
| Monitor | Log all access without blocking; alert on anomalies | Grey-area apps used by specific teams |
| Session control | Route the browser session through the reverse proxy and enforce controls (block download/upload/print, block copy and paste, apply a sensitivity label on download) | Trusted apps accessed from unmanaged devices |
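To make the discovery step and the governance actions above concrete, here is an added worked example. It is not Defender for Cloud Apps code and not from this page's author: it parses a few constructed proxy log lines, matches each destination against a constructed catalogue excerpt with made-up risk scores, aggregates traffic per app and user, and maps the result onto sanction / unsanction / monitor (plus "investigate" for hosts the catalogue does not know). The log format, catalogue entries, sanctioned list and risk threshold are all assumptions; the real service ingests vendor-specific log formats and matches against Microsoft's full catalogue.

```python
"""Shadow-IT discovery over proxy log lines with a governance recommendation
per app. Added, self-contained illustration, not Defender for Cloud Apps code.
The log format, catalogue entries, risk scores and thresholds are constructed.
"""
from collections import defaultdict

# Constructed catalogue excerpt. Defender for Cloud Apps scores apps 1-10,
# 10 being most trustworthy; "dpa" = a GDPR data-processing agreement is
# offered, "eu_data" = data can be kept in the EU. Values here are made up.
CATALOGUE = {
    "sharepoint.com": {"app": "SharePoint Online", "risk": 10, "eu_data": True,  "dpa": True},
    "dropbox.com":    {"app": "Dropbox",           "risk": 8,  "eu_data": False, "dpa": True},
    "trello.com":     {"app": "Trello",            "risk": 7,  "eu_data": False, "dpa": True},
    "example-ai.io":  {"app": "ExampleAI Chat",    "risk": 3,  "eu_data": False, "dpa": False},
}
SANCTIONED = {"SharePoint Online"}   # the IT-approved list (assumption)
MIN_RISK_TO_TOLERATE = 6             # below this, recommend blocking (assumption)

# Constructed proxy log lines: timestamp, then key=value pairs, bytes up/down.
SAMPLE_LOG = """\
2024-05-13T09:12:44Z user=anna.m src=10.0.0.12 host=contoso.sharepoint.com up=2048 down=5242880
2024-05-13T09:15:02Z user=anna.m src=10.0.0.12 host=www.dropbox.com up=52428800 down=1024
2024-05-13T09:20:11Z user=ben.k src=10.0.0.31 host=trello.com up=4096 down=8192
2024-05-13T09:22:37Z user=ben.k src=10.0.0.31 host=chat.example-ai.io up=1048576 down=20480
2024-05-13T09:25:09Z user=carla.s src=10.0.0.45 host=www.dropbox.com up=10485760 down=0
2024-05-13T09:30:00Z user=carla.s src=10.0.0.45 host=files.unknown-host.net up=7340032 down=0
"""


def parse_line(line):
    """Split one log line into a dict; the timestamp is the first token."""
    ts, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = ts
    rec["up"] = int(rec["up"])
    rec["down"] = int(rec["down"])
    return rec


def lookup(host):
    """Match a hostname to the catalogue by its longest known domain suffix."""
    labels = host.split(".")
    for i in range(len(labels)):
        entry = CATALOGUE.get(".".join(labels[i:]))
        if entry:
            return entry
    return None


def recommend(app):
    """Map an aggregated app record onto the governance actions in the table."""
    if app["app"] in SANCTIONED:
        return "sanction"
    if app["risk"] is None:
        return "investigate"          # not in the catalogue: cannot be scored
    if app["risk"] < MIN_RISK_TO_TOLERATE or not app["dpa"]:
        return "unsanction"           # low trust or no DPA: block on endpoint/firewall
    return "monitor"                  # grey area: keep logging, alert on anomalies


def discover(log_text):
    """Aggregate traffic per app, attach catalogue data and a recommendation."""
    apps = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        meta = lookup(rec["host"])
        key = meta["app"] if meta else rec["host"]
        a = apps.setdefault(key, {
            "app": key,
            "risk": meta["risk"] if meta else None,
            "eu_data": meta["eu_data"] if meta else None,
            "dpa": meta["dpa"] if meta else None,
            "users": set(), "up": 0, "down": 0,
        })
        a["users"].add(rec["user"])
        a["up"] += rec["up"]
        a["down"] += rec["down"]
    for a in apps.values():
        a["action"] = recommend(a)
    return apps


def shadow_apps(apps):
    """Everything in use that is not sanctioned, biggest uploader first."""
    return sorted((a for a in apps.values() if a["action"] != "sanction"),
                  key=lambda a: a["up"], reverse=True)


if __name__ == "__main__":
    for a in shadow_apps(discover(SAMPLE_LOG)):
        print(f"{a['app']:<24} risk={a['risk']} users={len(a['users'])} "
              f"uploaded={a['up'] // 1024} KiB action={a['action']}")
```

Ordering the shadow list by uploaded bytes rather than by hit count is deliberate: an app that receives 60 MiB from two users matters more than one that is pinged a hundred times with no payload, and an unknown host receiving bulk uploads deserves a look even before it has a risk score.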
Conditional Access App Control Integration
When an Entra ID Conditional Access policy routes a session through Defender for Cloud Apps (Conditional Access App Control), in-session controls become available for any SaaS app that federates to Entra ID for single sign-on, including apps whose code you do not control. You can block file downloads to unmanaged devices, prevent copy and paste of sensitive content out of the app, and apply a sensitivity label (with encryption or watermarking) to files at the moment they are downloaded, all without modifying the application itself. The controls work by reverse-proxying the browser session, so they do not cover native desktop or mobile clients; pair them with a policy that blocks non-browser access for the same users and apps.
This is particularly useful for contractor scenarios: a contractor uses a corporate-managed cloud app from a personal device. Conditional Access App Control lets them read in the browser but blocks every download, even though their app permissions would allow it. Roll the policy out in report-only mode first and confirm in the Entra sign-in logs that the intended sessions are being routed before switching it to enforce.
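The contractor policy described above, expressed in the shape the Microsoft Graph conditionalAccessPolicy resource expects, as an added example (not Microsoft's code and not from this page). The group ID and break-glass account ID are placeholders, and submitting the object (a POST to /identity/conditionalAccess/policies with Policy.ReadWrite.ConditionalAccess) is left to the caller. The lint function encodes the checks a reviewer would make before enabling it: session control enabled, downloads actually blocked rather than only monitored, scope limited to browser sessions, a device filter so managed devices are not proxied, and an excluded emergency account.

```python
"""Build and sanity-check an Entra ID Conditional Access policy that routes
contractors' browser sessions from unmanaged devices through Defender for
Cloud Apps with downloads blocked. Added example, not Microsoft code; the JSON
shape follows the Graph conditionalAccessPolicy resource. IDs are placeholders.
"""
import json

CONTRACTORS_GROUP_ID = "00000000-0000-0000-0000-000000000001"   # placeholder
BREAK_GLASS_USER_ID = "00000000-0000-0000-0000-000000000002"    # placeholder

# Values Graph accepts for sessionControls.cloudAppSecurity.cloudAppSecurityType
CAS_TYPES = {"mcasConfigured", "monitorOnly", "blockDownloads"}


def contractor_download_block_policy(enforce=False):
    """Block downloads (not reads) for contractors in a browser on a device that
    is neither Intune-compliant nor hybrid-joined. Starts in report-only mode."""
    return {
        "displayName": "CAAC: contractors on unmanaged devices - block downloads",
        "state": "enabled" if enforce else "enabledForReportingButNotEnforced",
        "conditions": {
            "applications": {"includeApplications": ["All"]},
            "users": {
                "includeGroups": [CONTRACTORS_GROUP_ID],
                "excludeUsers": [BREAK_GLASS_USER_ID],
            },
            # Session controls only apply to browser traffic the proxy can see
            "clientAppTypes": ["browser"],
            "devices": {
                "deviceFilter": {
                    "mode": "exclude",   # everything except managed devices
                    "rule": 'device.isCompliant -eq True -or device.trustType -eq "ServerAD"',
                }
            },
        },
        "sessionControls": {
            "cloudAppSecurity": {"isEnabled": True, "cloudAppSecurityType": "blockDownloads"}
        },
    }


def lint_policy(policy):
    """Return the mistakes that make a session-control policy ineffective or risky."""
    problems = []
    cond = policy.get("conditions", {})
    cas = policy.get("sessionControls", {}).get("cloudAppSecurity", {})
    if not cas.get("isEnabled"):
        problems.append("cloudAppSecurity session control is not enabled")
    if cas.get("cloudAppSecurityType") not in CAS_TYPES:
        problems.append("unknown cloudAppSecurityType")
    elif cas["cloudAppSecurityType"] == "monitorOnly":
        problems.append("monitorOnly logs the session but blocks nothing")
    if cond.get("clientAppTypes") != ["browser"]:
        problems.append("session controls only work for browser sessions; scope clientAppTypes to browser")
    if "deviceFilter" not in cond.get("devices", {}):
        problems.append("no device filter: managed devices would be proxied too")
    if not cond.get("users", {}).get("excludeUsers"):
        problems.append("no excluded break-glass account")
    return problems


if __name__ == "__main__":
    policy = contractor_download_block_policy()
    print(json.dumps(policy, indent=2))
    print("lint:", lint_policy(policy) or "ok")
    weak = contractor_download_block_policy()
    weak["sessionControls"]["cloudAppSecurity"]["cloudAppSecurityType"] = "monitorOnly"
    weak["conditions"]["clientAppTypes"] = ["all"]
    print("lint (weak variant):", lint_policy(weak))
```

Because the device filter is an exclude rule, the policy applies to every device that is not compliant or hybrid-joined, which is exactly the contractor's personal laptop; a separate policy for the same group that blocks the "mobileAppsAndDesktopClients" client app type closes the native-client gap the session proxy cannot cover.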
Anomaly Detection
Beyond shadow IT, Defender for Cloud Apps applies behavioural analytics to cloud app usage. Built-in detection policies include:
- Impossible travel: Sign-in from Berlin followed 30 minutes later by a sign-in from a location that could not physically be reached in that time. Tag your corporate and VPN egress ranges under IP address ranges first, or this fires on every remote worker whose tunnel terminates abroad.
- Mass download: A user downloads hundreds of files from SharePoint or OneDrive in a short window, a pattern seen in data exfiltration and in pre-resignation copying.
- Admin activity from a new country: An admin account used from a geography it has never been seen in.
- Ransomware activity: File activity consistent with ransomware encryption, typically many files renamed to an unfamiliar extension in rapid succession.
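Toy versions of three of these detections run over constructed activity records, added here as an example and not Microsoft's detection code. The product learns per-user baselines; the fixed speed, count and window thresholds below are assumptions chosen to make the sample data readable, and the SharePoint activity records and sign-in geolocations are constructed. The mass-download and ransomware rules share one sliding-window burst detector, which is the general form of which the text shows two instances.

```python
"""Toy impossible-travel, mass-download and ransomware-rename detections over
constructed records. Added illustration, not Defender for Cloud Apps code; all
thresholds are assumptions rather than the product's learned baselines.
"""
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

MAX_SPEED_KMH = 900                                 # above this = impossible (assumption)
DOWNLOAD_THRESHOLD = (100, timedelta(minutes=10))   # files, window (assumption)
RENAME_THRESHOLD = (50, timedelta(minutes=2))       # odd renames, window (assumption)


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlmb = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def impossible_travel(signins):
    """Pair consecutive sign-ins per user; flag implied speeds above MAX_SPEED_KMH."""
    alerts, last = [], {}
    for s in sorted(signins, key=lambda s: s["ts"]):
        prev = last.get(s["user"])
        if prev:
            hours = (s["ts"] - prev["ts"]).total_seconds() / 3600
            km = haversine_km(prev["lat"], prev["lon"], s["lat"], s["lon"])
            if hours > 0 and km / hours > MAX_SPEED_KMH:
                alerts.append((s["user"], prev["city"], s["city"], round(km), round(km / hours)))
        last[s["user"]] = s
    return alerts


def burst(events, predicate, threshold):
    """Generic sliding-window rule: users with >= count matching events inside window."""
    count, window = threshold
    alerts, per_user = [], {}
    for e in sorted(events, key=lambda e: e["ts"]):
        if predicate(e):
            per_user.setdefault(e["user"], []).append(e["ts"])
    for user, stamps in per_user.items():
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:   # slide the window's left edge
                start += 1
            if end - start + 1 >= count:
                alerts.append((user, end - start + 1, stamps[start], ts))
                break                            # one alert per user is enough
    return alerts


def mass_download(activities):
    return burst(activities, lambda e: e["op"] == "FileDownloaded", DOWNLOAD_THRESHOLD)


def ransomware_renames(activities, known_ext=(".docx", ".xlsx", ".pdf", ".pptx", ".txt")):
    """Bursts of renames whose new name ends in an extension the org does not use."""
    def odd_rename(e):
        return e["op"] == "FileRenamed" and not e["name"].lower().endswith(known_ext)
    return burst(activities, odd_rename, RENAME_THRESHOLD)


def _t(s):
    return datetime.fromisoformat(s)


# Constructed sign-ins: Berlin to New York in 30 minutes, and a plausible Berlin-Munich trip.
SIGNINS = [
    {"user": "anna.m", "ts": _t("2024-05-13T09:00:00"), "city": "Berlin",   "lat": 52.52, "lon": 13.41},
    {"user": "anna.m", "ts": _t("2024-05-13T09:30:00"), "city": "New York", "lat": 40.71, "lon": -74.01},
    {"user": "ben.k",  "ts": _t("2024-05-13T08:00:00"), "city": "Berlin",   "lat": 52.52, "lon": 13.41},
    {"user": "ben.k",  "ts": _t("2024-05-13T12:00:00"), "city": "Munich",   "lat": 48.14, "lon": 11.58},
]

# Constructed SharePoint activity: carla pulls 150 files two seconds apart, dave renames
# 60 files to .locked within a minute, erik downloads 20 files spread over an hour.
ACTIVITIES = (
    [{"user": "carla.s", "op": "FileDownloaded", "name": f"q{i}.xlsx",
      "ts": _t("2024-05-13T10:00:00") + timedelta(seconds=2 * i)} for i in range(150)]
    + [{"user": "dave.r", "op": "FileRenamed", "name": f"plan{i}.docx.locked",
        "ts": _t("2024-05-13T11:00:00") + timedelta(seconds=i)} for i in range(60)]
    + [{"user": "erik.w", "op": "FileDownloaded", "name": f"r{i}.pdf",
        "ts": _t("2024-05-13T13:00:00") + timedelta(minutes=3 * i)} for i in range(20)]
)

if __name__ == "__main__":
    print("impossible travel:", impossible_travel(SIGNINS))
    print("mass download:", mass_download(ACTIVITIES))
    print("ransomware renames:", ransomware_renames(ACTIVITIES))
```

Erik's twenty downloads over an hour never exceed four inside any ten-minute window, so the same rule that catches Carla stays quiet for him; that is the point of a window rather than a daily total, and the reason the real product's learned baseline matters: for a data analyst, a hundred files in ten minutes may be normal.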
GDPR and Data Residency Considerations
Defender for Cloud Apps can identify which discovered apps store data outside the EU, which lack a GDPR data processing agreement, and which have had publicly reported security incidents. For Berlin SMBs processing personal data of EU residents, this audit supports Article 28 GDPR obligations: knowing which processors handle your data on your behalf and whether a processing agreement is in place. The catalogue attributes reflect Microsoft's assessment of vendor-published information, so treat them as input to your records of processing rather than as a substitute for signing the DPA with each vendor.
Want to run a shadow IT discovery audit for your Berlin organisation? Contact us — we can have a full app inventory ready in days.
