Microsoft 365
Microsoft Defender for Cloud Apps: Licensing, Policies & Monitoring
Updated 22 April 2026
Microsoft Defender for Cloud Apps (MDCA, formerly MCAS) is Microsoft's Cloud Access Security Broker, a CASB that sits in front of Microsoft 365 and third-party SaaS apps and watches everything that happens. Used properly, it's the best single source of truth for "what just happened in our cloud environment, and should we be worried?"
Used badly, it's an expensive noise machine. This guide is a practical starter for turning it on correctly.
What MDCA actually does
Four big things:
- Activity monitoring: every sign-in, file share, permission change and admin action across M365 gets logged and made searchable.
- Threat detection: built-in anomaly detection flags impossible travel, mass downloads, suspicious OAuth consents, and so on.
- Policy enforcement: you can block risky file shares, require step-up authentication on sensitive actions, or stop users uploading to unsanctioned cloud storage.
- Shadow IT discovery: ingests firewall and proxy logs to find SaaS tools your staff are using that IT doesn't know about.
Licensing: what you need
MDCA is an add-on product. It is included in these licences, or available on its own:
- Microsoft 365 E5
- Microsoft 365 E5 Security (add-on to E3)
- Enterprise Mobility + Security E5 (EMS E5)
- Microsoft Defender for Cloud Apps (standalone, ~£3.50/user/month at current list)
What's included in Business Premium?
This catches people out. Microsoft 365 Business Premium does not include the full MDCA product. What it does include:
- App governance for OAuth application risk (part of Defender for Cloud Apps but licensed under Business Premium)
- Limited activity logging through the Unified Audit Log: basically the raw telemetry, not the dashboards or the anomaly detection
If you're on Business Premium and want the full MDCA experience (anomaly detection, policies, Shadow IT discovery), you'll need to add standalone MDCA licences or upgrade to E5.
What you get with E3 only
E3 gives you Defender for Cloud Apps Discovery, enough to do Shadow IT discovery but without the real-time protection, anomaly detection, or policy engine. In practice: useful for visibility, not enough for protection.
Turning it on
Once licensed, MDCA lives at https://security.microsoft.com under Cloud apps. First steps:
- Connect your Microsoft 365 tenant: this is one click under Settings → Cloud apps → Connected apps → App connectors. Without it, MDCA is blind to M365.
- Connect Azure and Dynamics if relevant.
- Connect third-party apps, Google Workspace, Salesforce, AWS, GitHub, Dropbox all have first-party connectors.
- Set your governance log retention to 180 days minimum. 90 is the default and it's not enough for incident investigations.
Which policies to turn on first
MDCA ships with a long list of built-in policy templates. Turning on all of them is a fast route to alert fatigue. Here's a minimum starting set that catches the most common real-world threats without drowning you in noise:
Anomaly detection policies (enable all)
These are pre-tuned by Microsoft and largely self-managing. Turn on:
- Impossible travel: sign-ins from two locations too far apart for the time between them
- Activity from infrequent country: first time seeing activity from a new country
- Malware detected: malware found in OneDrive/SharePoint
- Activity from anonymous IP addresses: Tor, proxy and VPN sign-ins
- Multiple failed login attempts
- Unusual administrative activities
- Unusual impersonated activity
- Unusual file deletion / sharing / download activity
- Mass download by a single user
- Ransomware activity
- Suspicious OAuth app file download
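To make the first of those concrete, here is what "impossible travel" boils down to, worked through in Python. This is an added illustration, not Microsoft's detector (whose thresholds aren't published): it takes consecutive sign-ins for the same user, works out the great-circle distance between them, and flags any pair that would have needed faster-than-airliner travel. The sign-in records, city coordinates and the 900 km/h ceiling are all constructed assumptions.

```python
"""Impossible travel, worked through on constructed sign-in events.

Added example: this is not Microsoft's detector (its thresholds are not
published); it shows the idea the policy is built on. Coordinates are
approximate city centres; the 900 km/h ceiling is an assumption.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_SPEED_KMH = 900.0  # assumption: roughly airliner cruising speed


@dataclass(frozen=True)
class SignIn:
    user: str
    when: datetime
    city: str
    lat: float
    lon: float


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in kilometres between two lat/lon points."""
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def implied_speed_kmh(first: SignIn, second: SignIn) -> float:
    """Speed the user would have needed to travel between the two sign-ins."""
    distance = haversine_km(first.lat, first.lon, second.lat, second.lon)
    hours = abs((second.when - first.when).total_seconds()) / 3600.0
    if hours == 0:
        return float("inf") if distance > 0 else 0.0
    return distance / hours


def impossible_travel(events: list, max_speed_kmh: float = MAX_PLAUSIBLE_SPEED_KMH) -> list:
    """One finding per consecutive same-user sign-in pair whose implied speed exceeds max_speed_kmh."""
    by_user = {}
    for e in sorted(events, key=lambda e: (e.user, e.when)):
        by_user.setdefault(e.user, []).append(e)
    findings = []
    for user, seq in by_user.items():
        for prev, cur in zip(seq, seq[1:]):
            speed = implied_speed_kmh(prev, cur)
            if speed > max_speed_kmh:
                findings.append({
                    "user": user,
                    "from": prev.city,
                    "to": cur.city,
                    "minutes_apart": round(abs((cur.when - prev.when).total_seconds()) / 60),
                    "implied_speed_kmh": round(speed),
                })
    return findings


def sample_sign_ins() -> list:
    """Constructed sign-ins: a plausible London->Manchester trip, and London->Lagos in 40 minutes."""
    def t(hour, minute):
        return datetime(2026, 4, 18, hour, minute, tzinfo=timezone.utc)
    return [
        SignIn("bob@example.com", t(8, 0), "London", 51.5074, -0.1278),
        SignIn("bob@example.com", t(11, 0), "Manchester", 53.4808, -2.2426),
        SignIn("alice@example.com", t(9, 0), "London", 51.5074, -0.1278),
        SignIn("alice@example.com", t(9, 40), "Lagos", 6.5244, 3.3792),
    ]


if __name__ == "__main__":
    for finding in impossible_travel(sample_sign_ins()):
        print(finding)
```

Bob's 260 km in three hours passes; Alice's roughly 5,000 km in forty minutes implies well over 7,000 km/h and is flagged. The real detector adds what this doesn't: geolocation confidence, known VPN egress points and a learning period for each user's usual locations, which is why Microsoft's version is worth leaving on rather than rebuilding.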
Activity policies (start with these three)
Custom rules you'll want on day one:
- Mass external file sharing: alert if a user shares more than 20 files externally in a short window
- Admin activity from non-admin IP: alert if a Global Admin signs in from outside a known admin network
- Login from risky user: block or step-up sign-ins from users Entra ID has flagged as high-risk
OAuth app policies
OAuth consent phishing is one of the quietest attack vectors. Configure:
- Unapproved OAuth app consent: alert any time a user approves a new OAuth app
- High-privilege OAuth app consent: alert (and optionally auto-revoke) apps requesting Mail.Read or Files.ReadWrite.All
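The three activity policies and the two OAuth policies above are all simple rules over an activity stream. The Python below is an added example of what each rule evaluates, run over a handful of constructed events; it is not MDCA's policy engine and does not use its real event schema. The field names, the 10-minute window standing in for "a short window", the known-admin network (the TEST-NET-3 range) and the approved-app ID are all assumptions made for the illustration.

```python
"""Activity and OAuth-consent policies, run over constructed MDCA-style events.

Added example, not MDCA's policy engine or its real event schema: the field
names, the 10-minute window, the known-admin network (TEST-NET-3) and the
approved-app list are all assumptions made for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network

MASS_SHARE_THRESHOLD = 20                                       # "more than 20 files"
MASS_SHARE_WINDOW = timedelta(minutes=10)                       # assumption for "a short window"
KNOWN_ADMIN_NETWORKS = [ip_network("203.0.113.0/24")]           # constructed admin VPN range
APPROVED_OAUTH_APPS = {"00000000-0000-0000-0000-00000000aaaa"}  # placeholder app id
HIGH_PRIVILEGE_SCOPES = {"Mail.Read", "Files.ReadWrite.All"}


def check_mass_external_sharing(events):
    """Flag users who externally share more than the threshold within a sliding window."""
    share_times = defaultdict(list)
    for e in events:
        if e["type"] == "FileShared" and e["external"]:
            share_times[e["user"]].append(e["time"])
    findings = []
    for user, times in share_times.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > MASS_SHARE_WINDOW:
                start += 1  # slide the window forward until it fits
            if end - start + 1 > MASS_SHARE_THRESHOLD:
                findings.append({"policy": "mass_external_file_sharing", "user": user,
                                 "count": end - start + 1, "severity": "high",
                                 "action": "remove_sharing_links"})
                break  # one finding per user is enough for an alert
    return findings


def check_admin_from_non_admin_ip(events):
    """Flag Global Administrator sign-ins from outside the known admin networks."""
    return [
        {"policy": "admin_activity_from_non_admin_ip", "user": e["user"], "ip": e["ip"],
         "severity": "high", "action": "alert"}
        for e in events
        if e["type"] == "SignIn"
        and "Global Administrator" in e.get("roles", ())
        and not any(ip_address(e["ip"]) in net for net in KNOWN_ADMIN_NETWORKS)
    ]


def check_login_from_risky_user(events):
    """Step-up or block sign-ins that arrive with a high Entra ID user risk level."""
    return [
        {"policy": "login_from_risky_user", "user": e["user"], "severity": "high",
         "action": "require_step_up_or_block"}
        for e in events
        if e["type"] == "SignIn" and e.get("risk_level") == "high"
    ]


def check_oauth_consent(events):
    """Alert on consent to any non-approved app; escalate and revoke when high-privilege scopes are requested."""
    findings = []
    for e in events:
        if e["type"] != "OAuthConsent" or e["app_id"] in APPROVED_OAUTH_APPS:
            continue
        risky = sorted(HIGH_PRIVILEGE_SCOPES & set(e["scopes"]))
        findings.append({
            "policy": "high_privilege_oauth_consent" if risky else "unapproved_oauth_consent",
            "user": e["user"], "app": e["app_name"], "scopes": risky,
            "severity": "high" if risky else "medium",
            "action": "alert_and_revoke" if risky else "alert",
        })
    return findings


def run_policies(events):
    return (check_mass_external_sharing(events) + check_admin_from_non_admin_ip(events)
            + check_login_from_risky_user(events) + check_oauth_consent(events))


def sample_events():
    """Constructed events; not real MDCA log output."""
    t0 = datetime(2026, 4, 18, 14, 0, tzinfo=timezone.utc)
    events = [{"type": "FileShared", "user": "alice@example.com", "external": True,
               "time": t0 + timedelta(seconds=10 * i)} for i in range(25)]
    events += [{"type": "FileShared", "user": "bob@example.com", "external": True,
                "time": t0 + timedelta(minutes=i)} for i in range(5)]
    events += [
        {"type": "SignIn", "user": "carol@example.com", "ip": "198.51.100.7",
         "roles": ["Global Administrator"], "risk_level": "none"},
        {"type": "SignIn", "user": "dave@example.com", "ip": "203.0.113.10",
         "roles": ["Global Administrator"], "risk_level": "none"},
        {"type": "SignIn", "user": "erin@example.com", "ip": "192.0.2.44",
         "roles": [], "risk_level": "high"},
        {"type": "OAuthConsent", "user": "frank@example.com", "app_id": "11111111-1111-1111-1111-111111111111",
         "app_name": "Mailbox Sync Helper", "scopes": ["User.Read", "Mail.Read"]},
        {"type": "OAuthConsent", "user": "grace@example.com", "app_id": "00000000-0000-0000-0000-00000000aaaa",
         "app_name": "Approved HR App", "scopes": ["User.Read"]},
        {"type": "OAuthConsent", "user": "henry@example.com", "app_id": "22222222-2222-2222-2222-222222222222",
         "app_name": "Meeting Notes", "scopes": ["User.Read"]},
    ]
    return events


if __name__ == "__main__":
    for finding in run_policies(sample_events()):
        print(finding)
```

Each finding carries the governance action the next section talks about, so the same rule can run alert-only during the tuning fortnight and switch to acting automatically once the false-positive rate is acceptable. Note the asymmetry in the OAuth rule: consent to an unknown app with only `User.Read` is worth a look, but consent to anything that can read mail or rewrite files is the one you revoke first and ask about afterwards.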
Governance actions
Don't just alert, build in automatic responses where it's safe to:
- Suspend user: for repeated failed MFA challenges from risky IPs
- Require user to sign in again: on impossible travel
- Remove sharing links: on mass external sharing events
- Put file in quarantine: on malware detection
Start with alert-only for the first two weeks. Tune. Then enable automatic governance once false positives are below ~5%.
The monitoring problem
MDCA's dashboard is good. What it isn't is actively watched by anyone at 2am on a Saturday. And a 2am-Saturday alert is exactly when you need it.
The default setup:
- Alerts appear in the MDCA portal
- High-severity alerts send email to a distribution list
- Some alerts forward into Microsoft Sentinel if you have it
- Everything else waits for someone to log in and look
That's not enough for a 20-person accountancy firm that doesn't have a SOC. Nobody's watching the portal between Friday and Monday.
TheLogic Portal: where we step in
We run a bespoke monitoring platform that pulls alerts out of Defender for Cloud Apps (plus Entra ID sign-ins, Defender for Office 365, audit log activity, and third-party feeds) and presents them as a single, triaged feed.
What the portal does that the native MDCA console doesn't:
- Combines sources: an impossible-travel alert from MDCA, an unusual sign-in from Entra and an OAuth consent from Defender for Office 365 get correlated into one incident, not three.
- Watches 24/7: alerts are triaged by our engineers, not parked in an inbox.
- Suppresses known-good patterns: we learn your team's travel, third-party app usage and out-of-hours norms, so the noise drops month over month.
- Makes responses actionable: when something warrants a call, you get one, with what happened and what we've already contained.
For accountants and solicitors, we offer this free of charge as part of our commitment to regulated professionals. For other businesses, it's included with Managed IT or available standalone.
What to do next
If you're already licensed for MDCA (E5 or standalone):
- Connect your tenant if you haven't already
- Enable all anomaly detection policies
- Add the three activity policies above
- Set a two-week review cadence to tune out false positives
If you're on Business Premium and haven't seen MDCA features yet, that's expected: it's not included. We can help you work out whether standalone MDCA licences, an E5 upgrade, or a different monitoring stack is the right call for your size.
For a tour of the portal or help turning MDCA on properly, get in touch.
