What happens when there’s no malware, no user clicks a dodgy link, and yet your data still walks out the door? The answer lies in a growing risk vector: non-human identities and app-to-app communication.

As Keith explains, today’s threat landscape includes apps that are granted legitimate permissions—either by end users through OAuth consent phishing or by IT admins who unknowingly over-provision access. These apps, once authorised, can operate with alarming freedom, reading or modifying mailboxes, altering configurations, or exfiltrating data. This isn’t hypothetical; it’s actively happening.

“Attackers don’t break in anymore,” Keith warns, “they log in.”

Understanding Non-Human Identities and Overprivileged Apps

In Azure and Microsoft Entra, these non-human identities—such as service principals—act autonomously. When permissions are overly broad or unused secrets remain active, attackers can exploit these vulnerabilities without ever triggering endpoint defences.

Microsoft Defender for Cloud Apps helps surface these hidden risks through capabilities like:

• App governance: Evaluates what permissions are granted, how they’re used, and flags overprivileged or dormant apps.

• Connected apps: Offers visibility and signal enrichment from platforms like Microsoft 365, Google Workspace, and Salesforce.

• Unified auditing and detection: Brings SaaS telemetry into Microsoft XDR for centralised monitoring and correlation.

From Visibility to Action: Governance, Detection, and Disruption

Visibility is only half the battle. Keith dives deep into the layered protections available:

• Custom policies: Organisations can define specific threat conditions and automate actions, including disabling risky apps.

• Built-in threat detection: Microsoft researchers feed real-world insights into out-of-the-box alerts for behaviours like inbox rule manipulation or legacy API abuse.

• Automated attack disruption: When Defender has high confidence in a threat, it can pause malicious activity by disabling apps in real time, reducing impact and buying investigation time.

These features are designed not just for response, but to pre-emptively mitigate threats before data is lost.

Beyond Microsoft: Coverage Across SaaS Ecosystems

Ru and Keith explore how Defender for Cloud Apps isn’t limited to Microsoft’s ecosystem. Through app connectors, organisations gain posture management and threat detection for third-party platforms. Whether it’s DocuSign, ServiceNow, or Google Workspace, security signals are normalised and enriched, offering a comprehensive SaaS security posture.

Moreover, these signals can be ingested directly into SIEM tools like Microsoft Sentinel, providing flexibility for organisations at different stages of maturity.

The Power of Prioritisation with Exposure Management

Security teams today are stretched thin, and prioritisation is everything. Keith highlights how Microsoft Security Exposure Management integrates with Defender for Cloud Apps, offering attack path visualisations and helping teams focus on the most critical threats.

This capability transforms overwhelming recommendation lists into actionable insights. Combined with the SaaS Security Initiative, it ensures that non-human identities and app-to-app risks are treated with the same rigour as traditional endpoint or identity security.