Exercise 05: SaaS shadow IT control with MDA (MDCA)
Exercise learning objectives
- Enable Cloud Discovery (via MDE integration or sample logs) and classify apps as sanctioned or unsanctioned.
- Create policies for impossible travel, risky OAuth apps, file governance, and session controls.
- Measure risk reduction and define enforcement paths using Conditional Access App Control.
Estimated time: 90 minutes
CISO Overview - Scenario and goals
Zava Oil & Resources faces a growing security concern as sensitive corporate data is being exposed through unauthorized file-sharing and unmonitored AI-based SaaS applications adopted by frontline employees. This uncontrolled SaaS sprawl introduces significant regulatory, compliance, and intellectual property (IP) risks to the organization’s data estate.
Your objective is to operationalize Microsoft Defender for Cloud Apps (MDCA) by:
- Activating Cloud Discovery to identify all shadow IT applications in use.
- Classifying each application as sanctioned or unsanctioned.
- Enforcing control over risky behaviors using Conditional Access App Control.
By completing this exercise, you’ll establish measurable SaaS governance and assign ownership and accountability for each app category.