Microsoft Entra ID · Security & Compliance
Cloud App Security Administrator
Full permissions in Microsoft Defender for Cloud Apps including adding administrators, policies, and governance actions.
Scope: Full administration of Microsoft Defender for Cloud Apps
Permissions
- Add Defender for Cloud Apps administrators
- Create and modify policies
- Upload logs for analysis
- Perform governance actions
- Full admin access to MCAS
Common use cases
- Cloud app discovery
- Shadow IT detection
- Data loss prevention
- Threat detection for cloud apps
Best practices
- Configure app discovery
- Set up alerts for anomalies
- Review governance policies
- Monitor sanctioned apps
Security considerations
- Full access to cloud app data
- Can perform governance actions
- Can block apps organization-wide
Common questions
When should I assign the Cloud App Security Administrator role?
Assign Cloud App Security Administrator when you need to: Cloud app discovery; Shadow IT detection; Data loss prevention; and Threat detection for cloud apps. It is part of Microsoft Entra ID and should be granted as a least-privilege alternative to broader roles like Global Administrator.
What can someone with the Cloud App Security Administrator role do?
The Cloud App Security Administrator role grants permissions including: Add Defender for Cloud Apps administrators; Create and modify policies; Upload logs for analysis; Perform governance actions; and Full admin access to MCAS. See the Permissions section above for the full list.
What are the security risks of the Cloud App Security Administrator role?
Key considerations when assigning Cloud App Security Administrator: Full access to cloud app data; Can perform governance actions; and Can block apps organization-wide. Review the Security considerations section before assignment, and pair with Privileged Identity Management (PIM) for just-in-time access where possible.