What Microsoft Defender for Cloud Apps Actually Does

Microsoft Defender for Cloud Apps (MDCA) — formerly Microsoft Cloud App Security (MCAS) — is Microsoft's Cloud Access Security Broker (CASB) solution. It provides visibility into and control over cloud application usage across your organisation, detecting shadow IT, enforcing data protection policies for SaaS applications, investigating anomalous user activity, and protecting sensitive information from being uploaded to unsanctioned cloud services.

The product sits at the intersection of three security disciplines: Cloud Access Security Broker (CASB) for SaaS visibility and control, Information Protection for data security across cloud apps, and User and Entity Behaviour Analytics (UEBA) for threat detection. Understanding which of these capabilities you actually need — and which licensing tier delivers them — is the key to avoiding both under-investment and over-spend in this area of your security stack.

MDCA is included in Microsoft 365 E5 and the Microsoft 365 E5 Security add-on. For organisations on M365 E3, accessing MDCA requires either upgrading to E5, purchasing the E5 Security add-on, or buying MDCA standalone. Each path has a different commercial and operational profile that should be evaluated before committing.

Licensing Tiers: What's Included Where

| Plan / Bundle | MDCA Included | Coverage Level | Approx. Cost (list) |
|---|---|---|---|
| Microsoft 365 E3 | No | | ~£28.10/user/mo |
| Microsoft 365 E5 | Yes | Full MDCA | ~£52.70/user/mo |
| Microsoft 365 E5 Security add-on (for E3) | Yes | Full MDCA | ~£13.60/user/mo |
| Microsoft 365 E5 Compliance add-on (for E3) | Partial (App Governance only) | Limited — no full CASB | ~£13.60/user/mo |
| MDCA Standalone | Yes | Full MDCA | ~£3.50/user/mo |
| Defender for Endpoint Plan 2 | Shadow IT discovery only | Discovery without control | Included in E5 Security |

Critical Distinction

The Microsoft 365 E5 Compliance add-on includes "App Governance" — a subset of MDCA capabilities focused on OAuth app oversight and compliance reporting. It does not provide the full CASB functionality of MDCA (Shadow IT discovery, Conditional Access App Control, session policies, information protection for third-party apps). If your requirement is full CASB, E5 Compliance alone does not deliver it. E5 Security is the correct add-on for MDCA access.

Core MDCA Capabilities: What Each Tier Unlocks

Shadow IT Discovery

Shadow IT discovery is the most widely deployed MDCA capability. It analyses traffic logs from firewalls and proxies (or uses native integrations with network appliances from Palo Alto, Check Point, Cisco, Zscaler, and others) to identify cloud applications being used across the organisation — applications that may not be sanctioned, secured, or governed by IT. MDCA's cloud app catalogue contains over 31,000 rated cloud applications, each scored on security and compliance criteria.

A partial form of shadow IT discovery is available through Microsoft Defender for Endpoint Plan 2 without a full MDCA licence — Defender for Endpoint sends endpoint traffic signals to MDCA for discovery reporting. This Defender-native discovery is useful for a first-look view of cloud app usage but lacks the full policy enforcement and governance capabilities of the complete MDCA product.
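
To make log-based discovery concrete, here is an added Python example (not Microsoft's code and not part of the original article) that matches proxy log lines against an app catalogue and ranks unsanctioned apps by upload volume. The log format, catalogue entries, app names and function names are all constructed assumptions; MDCA's own parsers and catalogue are not shown.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed catalogue (domain suffix -> app name, sanctioned flag); not MDCA's.
CATALOGUE = {
    "sharepoint.com": ("SharePoint Online", True),
    "salesforce.com": ("Salesforce", True),
    "filedrop.example": ("FileDrop (hypothetical)", False),
    "pastehub.example": ("PasteHub (hypothetical)", False),
}

# Constructed proxy log: timestamp user method url status bytes_sent
SAMPLE_LOG = """\
2024-05-01T09:00:01Z alice GET https://contoso.sharepoint.com/sites/hr 200 512
2024-05-01T09:02:10Z bob POST https://upload.filedrop.example/api/files 200 7340032
2024-05-01T09:03:44Z carol POST https://upload.filedrop.example/api/files 200 1048576
2024-05-01T09:05:00Z bob POST https://pastehub.example/new 200 2048
truncated-record
2024-05-01T09:07:30Z dave GET https://unknown-tool.example/login 200 128
"""

def match_app(host):
    """Longest-suffix match of a hostname against the catalogue."""
    labels = host.lower().split(".")
    for i in range(len(labels)):
        if (hit := CATALOGUE.get(".".join(labels[i:]))):
            return hit
    return (host.lower(), False)  # uncatalogued hosts are reported under their own name

def discover(log_text):
    """Aggregate distinct users and uploaded bytes per app."""
    apps = defaultdict(lambda: {"users": set(), "bytes_sent": 0, "sanctioned": False})
    for line in log_text.splitlines():
        parts = line.split()
        host = urlsplit(parts[3]).hostname if len(parts) == 6 and parts[5].isdigit() else None
        if not host:
            continue  # skip malformed records rather than guessing
        name, sanctioned = match_app(host)
        rec = apps[name]
        rec["users"].add(parts[1])
        rec["bytes_sent"] += int(parts[5])
        rec["sanctioned"] = sanctioned
    return apps

def unsanctioned_report(apps):
    """Unsanctioned apps as (name, distinct users, bytes uploaded), largest upload first."""
    rows = [(n, len(r["users"]), r["bytes_sent"]) for n, r in apps.items() if not r["sanctioned"]]
    return sorted(rows, key=lambda row: row[2], reverse=True)
```

Uncatalogued hosts are deliberately surfaced rather than dropped, since an app missing from the catalogue is exactly what a discovery report needs to show.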

Conditional Access App Control

Conditional Access App Control (CAAC) is one of the most operationally significant MDCA capabilities for regulated industries. It enables real-time session monitoring and control for sanctioned SaaS applications — allowing you to permit access to, say, Salesforce or ServiceNow while blocking download of sensitive files, preventing copy-paste, or watermarking content. It functions as a reverse proxy integrated with Entra ID Conditional Access policies.

CAAC requires both an MDCA licence and Microsoft Entra ID P1 (for the Conditional Access integration). Entra ID P1 is included in M365 E3, so the Entra dependency is typically already satisfied for E3+ organisations. The incremental requirement is MDCA itself.

Information Protection for Cloud Apps

MDCA can enforce Microsoft Purview Information Protection (sensitivity labels) policies across third-party SaaS applications — preventing users from uploading confidential-labelled documents to personal OneDrive, unsanctioned file sharing services, or non-approved collaboration tools. This integration requires both MDCA and a Purview Information Protection licence (included in M365 E3 via Microsoft Purview).

This capability is particularly relevant for organisations with mature sensitivity label deployments that want label-based access controls to extend beyond the Microsoft application boundary.

Threat Detection and UEBA

MDCA's threat detection engine analyses user activity across connected SaaS applications for anomalous behaviour: impossible travel, activity from anonymous IP addresses, mass downloads before account termination, ransomware patterns, and administrative activity anomalies. The UEBA scoring aggregates these signals into an Investigation Priority Score for users, allowing security operations to triage cloud-based threats without manually reviewing activity logs.

For M365 E5 organisations, MDCA's UEBA signals feed into Microsoft Defender XDR for correlated threat investigation. This integration is a meaningful capability uplift — the ability to see cloud app activity alongside endpoint, identity, and email signals in a single incident view — and is a legitimate justification for E5 or E5 Security for security-mature organisations.

31,000+ cloud applications in MDCA's catalogue, each rated across 90+ risk factors including security certifications, data residency, regulatory compliance, and breach history. Most enterprise Shadow IT discovery reveals 700–1,400 distinct apps in active use.

E5 Security vs MDCA Standalone: The Commercial Analysis

The central commercial question for M365 E3 organisations evaluating MDCA is whether to add MDCA standalone (~£3.50/user/month) or upgrade to the E5 Security add-on (~£13.60/user/month) which includes MDCA plus four other products.

The Microsoft 365 E5 Security add-on includes: Microsoft Defender for Identity, Defender for Endpoint Plan 2, Defender for Office 365 Plan 2, Defender for Cloud Apps, and Microsoft Entra ID P2. For organisations that genuinely need all five of these products, the E5 Security add-on at £13.60/user/month delivers significant value relative to purchasing them separately (combined standalone pricing would be approximately £22–£26/user/month for the same products).

The trap occurs when organisations purchase E5 Security primarily to access MDCA, without a clear activation plan for the other four components. The cost difference between MDCA standalone (£3.50) and E5 Security (£13.60) is nearly £10/user/month — roughly £120,000/year for 1,000 users. That premium is only justified if at minimum two or three of the other E5 Security components are actively deployed and providing security uplift within the licence term.

| Product | Included in E5 Security | Standalone Price | Already in E3? |
|---|---|---|---|
| Defender for Identity | Yes | ~£2.35/user/mo | No |
| Defender for Endpoint Plan 2 | Yes | ~£4.70/user/mo | No (Plan 1 only in E3) |
| Defender for Office 365 Plan 2 | Yes | ~£4.80/user/mo | No (Plan 1 in E3) |
| Defender for Cloud Apps | Yes | ~£3.50/user/mo | No |
| Microsoft Entra ID P2 | Yes | ~£7.65/user/mo | P1 only in E3 |

The evaluation sequence: first identify which of the five E5 Security components your security roadmap requires within the next 18 months. If the answer is two or more beyond MDCA, E5 Security almost certainly delivers better value than standalone purchases. If MDCA alone is the requirement, standalone at £3.50/user/month is the appropriate starting point — with a clear commercial review at EA renewal to determine if the full E5 Security bundle has become justified.

This analysis is detailed in our guide to evaluating the M365 E5 Security add-on and our broader framework for rationalising Microsoft security licensing.

MDCA vs Third-Party CASB: When Microsoft Is Not the Right Choice

Microsoft Defender for Cloud Apps is strong for Microsoft-centric environments and increasingly capable for multi-cloud scenarios, but it is not the best CASB for all organisations. The market leaders in specialist CASB capabilities — Netskope, Zscaler Internet Access, Palo Alto Prisma Access — retain advantages in specific areas that are commercially significant for the right buyer.

Where Third-Party CASB Still Outperforms MDCA

Non-Microsoft SaaS depth: MDCA's connectors for Microsoft applications (SharePoint, OneDrive, Teams, Exchange, Dynamics 365) are deep and well-maintained. Its connectors for third-party applications — Salesforce, ServiceNow, Box, Dropbox, Slack, GitHub — are more variable in depth. Netskope and Zscaler have built their businesses on precisely the deep, real-time policy enforcement in non-Microsoft SaaS environments that MDCA approximates but does not always match at the API level.

SSL/TLS inspection at network layer: MDCA's Conditional Access App Control operates as an identity-aware reverse proxy — powerful for managed devices with Entra ID integration, but limited for unmanaged devices and network-layer use cases. Zscaler and Netskope are architecturally secure web gateways that perform full SSL inspection at the network layer regardless of device management state. For organisations with significant BYOD populations, contractor networks, or OT/IoT device categories, network-layer CASB capability remains a genuine gap in the MDCA model.

Data classification breadth: MDCA's information protection enforcement relies on Microsoft Purview sensitivity labels as the classification signal. Organisations using third-party data classification (Boldon James, Titus, Fortra) or with existing DLP policies built on non-Microsoft classification frameworks will find MDCA's enforcement model more disruptive to existing workflows than a specialist CASB with classification-agnostic policy enforcement.

Where MDCA Wins for E5 Organisations

For M365 E5 organisations that have already invested in the Microsoft Defender XDR stack, MDCA is compelling not primarily as a standalone CASB but as a component of the integrated security platform. The signal sharing between MDCA, Defender for Endpoint, Defender for Identity, and Defender for Office 365 — surfaced in Defender XDR as correlated incidents — produces security outcomes that are difficult to replicate with a third-party CASB that does not have native integration with the Microsoft identity and endpoint signals.

If your security operations team is already operating out of the Microsoft Defender portal, MDCA is the CASB that adds the least workflow overhead and the most contextual enrichment to existing investigation workflows. If you are running a best-of-breed SOC with a non-Microsoft SIEM and third-party endpoint detection, the integration value of MDCA diminishes and a specialist CASB may remain the better commercial choice.

Deployment Modes and Their Licensing Implications

MDCA operates in four deployment modes, each with different technical requirements and different implications for what the licence actually enables in practice:

Log collection (Discovery mode): Upload firewall/proxy logs for Shadow IT analysis. No network changes, no proxy integration. This is available with any MDCA licence and is the lowest-friction starting point. It provides discovery reporting but no real-time session control.

API connectors: Connect MDCA to specific SaaS applications via their APIs (Salesforce, ServiceNow, Box, AWS, etc.) for activity monitoring, DLP policy enforcement, and governance. API connectors require both the MDCA licence and that the specific application's API connector be configured. This is the primary mode for SaaS governance beyond the Microsoft application boundary.

Conditional Access App Control (reverse proxy): Real-time session monitoring and control via reverse proxy. Requires Entra ID Conditional Access and managed device deployment for full capability. This is the highest-value deployment mode for regulated industries with specific data handling requirements.

Defender for Endpoint integration: Endpoint-based discovery using signals from Defender for Endpoint. Requires Defender for Endpoint Plan 2 (included in E5 Security). This is the most accurate discovery mode for managed endpoints, eliminating the need for separate log collection infrastructure.

The practical deployment reality: most organisations begin with log-based discovery (no additional technical requirements), progress to API connectors for specific high-priority SaaS applications, and evaluate CAAC deployment for their highest-sensitivity application categories. The licence is the same at each stage — the capability expands through configuration, not additional licensing.

MDCA in EA Negotiation: What to Know

If MDCA standalone is the right commercial choice (rather than E5 Security bundle), include it in your EA renewal rather than purchasing it as a cloud subscription. At enterprise volume, MDCA standalone in the EA should attract 15–20% off list price, bringing the cost to approximately £2.80–£3.00/user/month for a 1,000+ user commitment.

The more important negotiation consideration is the E5 Security bundle decision. If your security roadmap genuinely requires E5 Security, negotiate the transition from E3 + individual add-ons to E5 Security at the EA renewal rather than mid-cycle. The commercial position is stronger at renewal — you have the alternative of separate standalone licences as a benchmarking anchor, and Microsoft has a structural incentive to close the E5 Security commitment as part of a renewal rather than losing it to standalone purchases.

The timing principle for security licence upsells: Microsoft typically applies commercial pressure for E5 Security upgrades in the 6–9 months before EA renewal. That pressure is commercially driven by Microsoft's quota cycle, not by your security requirements. Evaluate E5 Security on the basis of your security roadmap, not the urgency communicated by your account team. Our guidance on managing EA renewal commercial pressure covers this dynamic in detail.

Frequently Asked Questions

Does MDCA work for multi-cloud environments (AWS, GCP)?

Yes — MDCA includes connectors for AWS and GCP cloud platforms, providing visibility into resources, activity, and misconfigurations in these environments. The Azure integration is deeper (native, as expected), but AWS and GCP discovery is meaningful. For organisations with significant multi-cloud infrastructure footprints, evaluate whether Microsoft Defender for Cloud (the infrastructure-focused product, separate from Defender for Cloud Apps) is also in scope — they address different layers of the cloud security stack.

Is there a difference between "Microsoft Cloud App Security" and "Microsoft Defender for Cloud Apps"?

No — Microsoft Cloud App Security was rebranded as Microsoft Defender for Cloud Apps in November 2021, as part of Microsoft's broader Defender product consolidation. The abbreviation "MCAS" is still commonly used informally; "MDCA" is Microsoft's current nomenclature. The product capabilities and licensing model did not change materially with the rebrand.

Can MDCA policies be enforced on iOS and Android devices?

MDCA's Conditional Access App Control can enforce session policies on mobile devices accessing SaaS applications through a browser. For native mobile applications, enforcement depends on whether the application supports Entra ID Conditional Access integration and the specific policy type. Session download/upload controls work on browser-based access on mobile; native application enforcement is more limited and varies by application.

What data does MDCA collect, and where is it stored?

MDCA stores collected data (traffic logs, activity data, alert information) in Microsoft's cloud infrastructure, subject to your M365 tenant data residency region. For EU tenants, data is stored within EU boundaries. Activity data from connected apps is retained for 180 days by default for investigation purposes. This data residency and retention context should be confirmed against your regulatory compliance requirements before deployment.