Microsoft Defender for Cloud Apps automatically discovers cloud application usage (Shadow IT) by analyzing traffic logs from sources like Microsoft Defender for Endpoint. This discovery process populates the "Discovered apps" page. To efficiently identify users accessing a specific application like Facebook, the first administrative action is to classify the app. By tagging Facebook as "Unsanctioned," you are not blocking it, but rather categorizing it for easier monitoring and filtering. This simple, low-effort action allows you to use the Cloud Discovery filters to immediately isolate all usage data for Facebook and identify the specific users, devices, and browsers involved.

B. Create an app configuration policy in Microsoft Endpoint Manager.

This is incorrect because app configuration policies are used to configure settings for managed applications on enrolled devices, not for discovering or identifying unmanaged cloud app usage.

C. Create a Defender for Cloud Apps access policy.

This is a subsequent step. Access policies are control mechanisms to manage real-time sessions (e.g., block downloads) after an app has already been discovered and classified.

D. Create a Conditional Access policy.

This is also a control mechanism. Conditional Access policies enforce access requirements (like MFA) for apps but are not the primary tool for the initial discovery and identification of users.

---

1. Microsoft Learn. (2023). Sanctioning/unsanctioning an app. In Microsoft Defender for Cloud Apps documentation. Retrieved from https://learn.microsoft.com/en-us/defender-cloud-apps/governance-actions#sanctioningunsanctioning-an-app.

Section: Sanctioning/unsanctioning an app.

Quote: "Marking an app as unsanctioned doesn't block use

but enables you to more easily monitor its use with the Cloud Discovery filters." This directly supports that unsanctioning is a primary step for monitoring and identification.

2. Microsoft Learn. (2023). Working with discovered apps. In Microsoft Defender for Cloud Apps documentation. Retrieved from https://learn.microsoft.com/en-us/defender-cloud-apps/discovered-apps.

Section: Discovered apps page.

Content: This document explains that after apps are discovered

a primary task for the administrator is to review and classify them. It states

"Once you've identified an app

you can sanction or unsanction it." This establishes sanctioning/unsanctioning as a foundational administrative step in managing discovered apps.

3. Microsoft Learn. (2023). Set up Cloud Discovery. In Microsoft Defender for Cloud Apps documentation. Retrieved from https://learn.microsoft.com/en-us/defender-cloud-apps/set-up-cloud-discovery.

Section: Cloud Discovery dashboard.

Content: This document describes the workflow for Shadow IT discovery. The process begins with data collection and analysis

which is largely automatic. The first manual administrative phase involves evaluating the discovered apps

which includes the act of sanctioning or unsanctioning to apply organizational policy and facilitate further monitoring.