Cloud Security SaaS Security Microsoft Defender for Cloud Apps Identity & Access Management

What is a CASB and Why Does it Matter?

Cloud bouncers, compliance cops, and why your Dropbox habit needs supervision

Imagine running a pub with no bouncer. Everyone gets in, nobody checks IDs, and sooner or later, trouble starts. In the cloud world, that’s pretty much what happens without a Cloud Access Security Broker (CASB). SaaS sprawl sneaks in, users start syncing sensitive data, and suddenly your business is exposed.

That’s where CASB solutions step in. They’re the bouncers of the SaaS scene — checking logins, enforcing rules, and escorting out the shady apps before they cause a problem.

What is a CASB?

A Cloud Access Security Broker (CASB) is a security control point that sits between your users and their cloud applications. It provides visibility, policy enforcement, and protection when cloud usage goes rogue.

Industry research usually defines CASB functions into four categories:

  • Visibility – Discover shadow IT (e.g. “Why is half the marketing team suddenly using Dropbox?”).
  • Compliance – Enable auditing and make sure cloud activities align with regulations (GDPR, ISO 27001).
  • Data Security – DLP-style controls, stop employees from dragging sensitive data out to personal apps.
  • Threat Protection – Detect compromised accounts, suspicious logins, and anomalous behaviour.

In plain English? CASBs are the in-between layer that helps enterprises safely embrace SaaS without losing their grip on security.

How it Works

CASBs can work in two primary modes:

  1. API-based integration – Directly connects to SaaS platforms (e.g. O365, Salesforce) via APIs for deep inspection and control.
  2. Proxy-based inspection – Inserts itself inline between user and cloud app traffic to enforce real-time controls.

Microsoft’s implementation, Defender for Cloud Apps (formerly MCAS), can do both — API connectors for sanctioned apps, and real-time enforcement via Conditional Access App Control through Entra ID.

Diagram – User to App with CASB Enforcement

flowchart LR U[User Device] -->|"Login / Session"| CA[Entra Conditional Access] CA --> MCAS["Defender for Cloud Apps (CASB)"] MCAS --> SaaS[SaaS Application]

Real-World Impact

Here’s why CASBs matter in day-to-day IT operations:

  • Stop Shadow IT – Uncover unsanctioned usage of Dropbox, Box, Slack etc.
  • Improve Governance – Ensure company data isn’t stored in dodgy regions.
  • Protect IP – Block exfiltration of sensitive documents.
  • Threat Detection – Spot logins from impossible geographies (Sydney at 9am, then London five minutes later).

For organisations racing towards SaaS-first models, a CASB isn’t “nice to have” — it’s mandatory to scale without blind spots.

Implementation Example

Allow Microsoft 365

  1. Go to the Microsoft 365 Defender portal.
  2. Navigate to Settings > Cloud Apps > Information Protection > Files.
  3. Enable File Monitoring and click Save.
  4. Connect Office 365 as an App Connector:
  5. Go to Settings > Cloud Apps > App Connectors.
  6. Click + Connect an app > Microsoft 365.
  7. Select all relevant services (e.g., Azure AD sign-ins, Office 365 activities/files).
  8. Click Connect and wait for the status to show Connected.
  9. Navigate to Control > Policies > Session policies.
  10. Create a policy like: “Block download of sensitive files from unmanaged devices” using filters like file sensitivity labels, device compliance, etc.

Bicep Snippet - Configure Conditional Access for Session Control (Optional) 

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47

resource conditionalAccessPolicy 'Microsoft.Authorization/policyAssignments@2020-09-01' = {
  name: 'CA-Policy-O365-MCAS'
  location: 'global'
  properties: {
    displayName: 'Block downloads of sensitive files from unmanaged devices'
    policyDefinitionId: '/providers/Microsoft.Authorization/policyDefinitions/ConditionalAccessPolicy'
    parameters: {
      policyName: {
        value: 'O365-MCAS-SessionControl'
      }
      state: {
        value: 'enabled'
      }
      conditions: {
        users: {
          includeUsers: [
            'All'
          ]
        }
        applications: {
          includeApplications: [
            'Office365'
          ]
        }
        clientAppTypes: [
          'browser'
        ]
        platforms: {
          includePlatforms: [
            'all'
          ]
        }
      }
      grantControls: {
        operator: 'OR'
        builtInControls: [
          'mcasSession'
        ]
      }
      sessionControls: {
        cloudAppSecurity: {
          cloudAppSecurityType: 'monitorOnly' // or 'blockDownloads'
        }
      }
    }
  }
}

Block Dropbox

  1. Go to the Microsoft 365 Defender portal.
  2. Navigate to Discover > Discovered apps.
  3. Find Dropbox: Use the search bar to locate Dropbox in the list of discovered apps.
  4. Mark as Unsanctioned: Click the three dots next to Dropbox.
  5. Block Access Automatically (Recommended): If you’re using Microsoft Defender for Endpoint, the unsanctioned app will be automatically blocked on enrolled devices.
  6. Create a conditional access policy (optional) to deny / block access

Bicep Snippet – Configure Conditional Access Policy 

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31

param appid string = 'dropbox-app' // Get the application ID from EntraID

resource caPolicy 'Microsoft.Entra/conditionalAccessPolicies@2023-07-01-preview' = {
  name: 'Block-Dropbox-Downloads'
  properties: {
    displayName: 'Block unsanctioned SaaS downloads'
    state: 'enabled'
    conditions: {
      users: {
        includeGroups: [
          'All'
        ]
      }
      applications: {
        includeApplications: [
          appid
        ]
      }
    }
    grantControls: {
      builtInControls: [
        'block'
      ]
    }
    sessionControls: {
      applicationEnforcedRestrictions: {
        mode: 'enforce'
      }
    }
  }
}

Gotchas & Edge Cases

  • API connectors don’t cover every SaaS app. Some can only be monitored inline.
  • Performance overhead: Routing traffic through proxy = network latency if it’s all users + all SaaS.
  • Users hate change: If enforcement is too strict, expect support tickets. Scope carefully.

Best Practices

  • Start with discovery only → see what SaaS apps are really in use.
  • Connect the core sanctioned apps (M365, Salesforce, ServiceNow).
  • Build pilot policies with one department (e.g., Finance).
  • Use session controls for high-risk scenarios (BYOD, contractors).
  • Monitor impact before going org-wide — balance control and user experience.
🍺
Brewed Insight: “Shadow IT isn’t evil; it’s often people just trying to get their job done faster. The trick is to shine a light on it with CASB, then decide what’s genuinely dangerous versus what just needs a proper license.”

Learn More