Microsoft Defender for Cloud Apps Client Credentials
Microsoft Defender for Cloud Apps provides full protection for SaaS applications by helping monitor and protect your organization’s cloud app data in a variety of ways.
- Shadow IT discovery
- Visibility into cloud app usage
- Managing your organization’s SaaS security posture
This Microsoft Defender for Cloud Apps integration requires the authentication method OAuth2 with client credentials.
The following sections explain prerequisites, resources, and instructions for integrating with SaaS Management.
Stored Microsoft Defender for Cloud Apps Client Credentials Information
The following table describes the available integration tasks and stored data within SaaS Management.
| Available Integration Tasks | Information Stored |
|---|---|
| Discovered App Usage | Category, Device Count, Display Name, Domains, Download Network Traffic In Bytes, ID, IP Address Count, Last Seen Date Time, Risk Score, Tags, Transaction Count, Upload Network Traffic In Bytes, User Count |
The information stored is subject to change as enhancements are made to the SaaS application.
Required Minimum Permissions for Microsoft Defender for Cloud Apps Client Credentials
The minimum API required permissions are based on the Required Application Permissions for Microsoft Defender for Cloud Apps Client Credentials and the Required User Role for Microsoft Defender for Cloud Apps Client Credentials.
Required Application Permissions for Microsoft Defender for Cloud Apps Client Credentials
| Application Permission | Description | Integration Task Name |
|---|---|---|
| CloudApp-Discovery.Read.All | Enables you to read all the discovered cloud applications. | Discovered App Usage |
Required User Role for Microsoft Defender for Cloud Apps Client Credentials
The following SaaS application user role is not applicable to Flexera One roles.
| User Role | Description |
|---|---|
| Global Administrator | To grant the application permissions, the user must have Global Administrator access. For more information, see Microsoft’s documentation topic, Microsoft Entra Built-In Roles. |
Authentication Method for Microsoft Defender for Cloud Apps Client Credentials
The required authentication method is OAuth 2.0 With Client Credentials. For more information, see Microsoft’s documentation topic, Microsoft Identity Platform and the OAuth 2.0 Client Credentials Flow.
Required Credentials for Microsoft Defender for Cloud Apps Client Credentials
The following credentials are required:
- Application (Client) ID
- Client Secrets Value
- Directory (Tenant) ID
Obtaining Client Credentials and Directory (Tenant) ID for Microsoft Defender for Cloud Apps Client Credentials
Before Integrating Microsoft Defender for Cloud Apps Client Credentials With SaaS Management, you need to obtain client credentials and the directory (tenant) ID by completing the following steps.
- Sign in to your Microsoft Azure Portal.
- In the Search box at the top of the page, enter App registrations and click App registrations in the search results to select it. The App registrations page opens.
- Click New Registration. The Register an application page opens.
- Enter a Name and choose the Accounts in this organizational directory only option.
- Click Register.
- On the Overview tab, copy and paste the Application (client) ID and the Directory (tenant) ID to a file. You will later enter these values in SaaS Management.
- To generate a client secrets value, do the following:
  - Click the Certificates & secrets tab.
  - Under Client secrets, click New client secret. The Add a client secret dialog box opens.
  - In the Description field, enter a name for the new secret.
  - Under Expires, choose an expiration value.
  - Click Add.
  - Under Client secrets, copy and paste the client secret value to a file. You will later enter this value in SaaS Management.
- Click the API permissions tab and complete the following:
  - Click Microsoft Graph. The Request API permissions panel opens.
  - Click Application permissions.
  - In the Select permissions search box, enter CloudApp-Discovery.Read.All, and select the CloudApp-Discovery.Read.All permission checkbox.
  - Click Update permissions.
- After the permissions are added, grant admin consent.
  Info: If you modify any permissions in the Microsoft Azure Portal that are used to create the directory (tenant) ID and client secrets value, you need to reauthorize the Microsoft Defender for Cloud Apps integration in SaaS Management by completing all the steps in the Integrating Microsoft Defender for Cloud Apps Client Credentials With SaaS Management section.
- Proceed to Integrating Microsoft Defender for Cloud Apps Client Credentials With SaaS Management.
Integrating Microsoft Defender for Cloud Apps Client Credentials With SaaS Management
Before integrating, complete the prerequisite steps in
To integrate Microsoft Defender for Cloud Apps Client Credentials with SaaS Management, perform the following steps.
- Add the Microsoft Defender for Cloud Apps application in SaaS Management. For more information, see Adding an Application.
- On the Add Application page for Microsoft Defender for Cloud Apps Client Credentials:
  - Select the Discovered App Usage integration task checkbox.
  - Copy and paste the Application (Client) ID, Client Secrets Value, and Directory (Tenant) ID values from Obtaining Client Credentials and Directory (Tenant) ID for Microsoft Defender for Cloud Apps Client Credentials into the respective SaaS Management fields.
  - Click Authorize.
Microsoft Power BI Reporting for Microsoft Defender for Cloud Apps Client Credentials
SaaS Management’s Microsoft Power BI report, which uses the SaaS Management API, provides insights into SaaS applications that are being used within your organization. For Microsoft Defender for Cloud Apps, the report helps you to easily surface occurrences of Shadow IT. The Microsoft Power BI report insights can be shared with contacts within your organization who do not typically use SaaS Management.
To create the Microsoft Power BI report, see the Microsoft Defender for Cloud Apps Power BI Reporting for Flexera One's SaaS Management Knowledge Base article.
Microsoft Defender for Cloud Apps Client Credentials API Endpoints
Discovered App Usage
https://graph.microsoft.com/beta/security/dataDiscovery/cloudAppDiscovery/uploadedStreams
https://graph.microsoft.com/beta/security/dataDiscovery/cloudAppDiscovery/uploadedStreams/<<streamId>>/aggregatedAppsDetails(period=duration'P90D')
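As an added example (not part of this documentation or of SaaS Management's own code), the following Python script performs the OAuth 2.0 client credentials grant described above and reads the two Discovered App Usage endpoints listed here; before calling Graph it inspects the token's roles claim for CloudApp-Discovery.Read.All, which catches an app registration whose admin consent was never granted. Assumed: the Microsoft identity platform token endpoint and the Graph .default scope, and that both Graph responses are standard OData collections under value.

```python
import base64
import json
import urllib.parse
import urllib.request

STREAMS_URL = "https://graph.microsoft.com/beta/security/dataDiscovery/cloudAppDiscovery/uploadedStreams"
TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"  # assumed
REQUIRED_ROLE = "CloudApp-Discovery.Read.All"

def token_request(tenant_id, client_id, client_secret):
    """URL and form body for the client credentials grant. The '.default'
    scope requests every application permission admin-consented on the app."""
    form = {"grant_type": "client_credentials", "client_id": client_id,
            "client_secret": client_secret,
            "scope": "https://graph.microsoft.com/.default"}
    return TOKEN_URL.format(tenant=tenant_id), urllib.parse.urlencode(form).encode()

def token_roles(access_token):
    """Application permissions in the token's 'roles' claim. Only the payload
    is decoded (no signature check): a local sanity check that admin consent
    was granted, not token validation, which Graph performs server-side."""
    payload = access_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return set(json.loads(base64.urlsafe_b64decode(payload)).get("roles", []))

def aggregated_apps_url(stream_id, period="P90D"):
    """Per-stream discovered-app aggregate over an ISO 8601 duration (page uses P90D)."""
    return f"{STREAMS_URL}/{stream_id}/aggregatedAppsDetails(period=duration'{period}')"

def get_json(url, token=None, data=None):
    req = urllib.request.Request(url, data=data)  # POST when a body is given
    if token:
        req.add_header("Authorization", f"Bearer {token}")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

def discovered_app_usage(tenant_id, client_id, client_secret):
    """Token -> uploaded streams -> aggregated app details per stream."""
    url, body = token_request(tenant_id, client_id, client_secret)
    token = get_json(url, data=body)["access_token"]
    if REQUIRED_ROLE not in token_roles(token):
        raise PermissionError(f"token lacks {REQUIRED_ROLE}; grant admin consent first")
    streams = get_json(STREAMS_URL, token)["value"]  # assumed OData collection shape
    return {s["id"]: get_json(aggregated_apps_url(s["id"]), token)["value"]
            for s in streams}

if __name__ == "__main__":  # credentials come from the environment, never hard-coded
    import os
    print(json.dumps(discovered_app_usage(os.environ["TENANT_ID"],
          os.environ["CLIENT_ID"], os.environ["CLIENT_SECRET"]), indent=2))
```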