Microsoft Copilot With Microsoft Defender for Cloud Apps Integration

You want to use Copilot to investigate security alerts and user activities in Microsoft Defender for Cloud Apps. This integration connects natural language queries directly to your cloud app data, including Shadow IT discovery and app permissions. The setup requires a Microsoft 365 E5 license or a standalone Defender for Cloud Apps license. This article explains how the integration works and how to configure it.

Key Takeaways: Copilot and Defender for Cloud Apps Integration

  • Microsoft Defender for Cloud Apps portal > Settings > Security extensions > Copilot for Security: The toggle that enables Copilot to read and query cloud app data.
  • Copilot for Security standalone portal > Data sources > Microsoft Defender for Cloud Apps: Where you verify the connection status and grant consent for data access.
  • Natural language queries in the cloud app investigation panel: Lets you ask questions like “Show me all admin activities from Russia in the last 24 hours” without writing Kusto Query Language.

How the Copilot and Defender for Cloud Apps Integration Works

Copilot for Security connects to Microsoft Defender for Cloud Apps through a secure API channel. This channel uses the same Microsoft Graph security data model that powers alerts and activities in the Defender portal. When you ask a question in natural language, Copilot translates that query into a structured search against the cloud app activity log, alert database, and app discovery data.

The integration does not require a separate data connector or custom scripting. After you enable the toggle in Defender for Cloud Apps settings, Copilot can access the following data types:

  • Cloud app alerts with severity, category, and status
  • User and admin activities from connected apps like Microsoft 365, Salesforce, and Box
  • Shadow IT discovered apps and their risk scores
  • App permissions and OAuth token details
  • IP address and location context for each activity

The data stays within your tenant boundary. Copilot does not send raw logs to Microsoft for model training. All processing happens in the Microsoft 365 compliance boundary.

Prerequisites for the Integration

Before you start, confirm these requirements are met:

  • One of these licenses: Microsoft 365 E5, Microsoft 365 E5 Security, Microsoft 365 E5 Compliance, or a standalone Defender for Cloud Apps license
  • Global Administrator or Security Administrator role in Microsoft Entra ID
  • Copilot for Security enabled in your tenant. This requires a Copilot for Security capacity that you provision in the Azure portal under the Copilot for Security resource type
  • Network access to the following endpoints: api.security.microsoft.com and graph.microsoft.com

Steps to Enable Copilot for Defender for Cloud Apps

  1. Open the Defender for Cloud Apps portal
    Go to https://portal.cloudappsecurity.com and sign in with your Global Administrator or Security Administrator account.
  2. Navigate to the Security extensions settings
    In the left menu, select Settings. Then select Security extensions. This page lists all external integrations for Defender for Cloud Apps.
  3. Enable Copilot for Security
    Find the Copilot for Security row and set the toggle to On. A consent dialog appears. Read the data access statement and select Accept. This step connects your Defender for Cloud Apps tenant to Copilot for Security.
  4. Verify the connection in the Copilot for Security portal
    Open a new browser tab and go to https://securitycopilot.microsoft.com. Select the Data sources option in the left menu. Confirm that Microsoft Defender for Cloud Apps appears with a status of Connected. If it shows Disconnected, return to the Defender portal and repeat step 3.
  5. Test the integration with a sample query
    In the Copilot for Security portal, type a question such as “Show me the top 10 most active users in cloud apps today.” Copilot returns a table with user names, activity counts, and the source apps. If you see data, the integration is working correctly.
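To cross-check what Copilot returns for the two sample prompts on this page (the top-10 active users question in step 5 and the admin-activity-from-Russia question in the key takeaways), the same questions can be written by hand in Kusto Query Language. This is an added example, not part of the original article; it assumes your cloud app activity is available in the advanced hunting `CloudAppEvents` table, which the article does not name.

```kusto
// Added example. Assumption: cloud app activity is queryable through the
// CloudAppEvents advanced hunting table. Run each query separately.

// Query 1: "Show me the top 10 most active users in cloud apps today."
CloudAppEvents
| where Timestamp >= startofday(now())          // "today" = since midnight UTC
| where isnotempty(AccountObjectId)             // skip events with no resolved account
| summarize
    ActivityCount = count(),
    SourceApps    = make_set(Application, 20)   // cap the app list per user
    by AccountObjectId, AccountDisplayName
| top 10 by ActivityCount desc

// Query 2: "Show me all admin activities from Russia in the last 24 hours."
CloudAppEvents
| where Timestamp > ago(24h)
| where IsAdminOperation == true
| where CountryCode == "RU"                     // two-letter code from IP geolocation
| project
    Timestamp,
    AccountDisplayName,
    Application,
    ActionType,
    IPAddress,
    City,
    ISP,
    IsAnonymousProxy                            // proxy traffic makes the country unreliable
| order by Timestamp desc
```

If a hand-written query returns rows while the matching Copilot prompt returns nothing, the gap is in the integration rather than in missing activity data.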

If the Integration Fails to Connect

Copilot for Security shows a Disconnected status

This usually happens when the consent step was not completed or the session token expired. Go back to the Defender for Cloud Apps portal and open Settings > Security extensions. Turn the Copilot for Security toggle Off, wait 10 seconds, then turn it On again. Complete the consent dialog again. Return to the Copilot for Security portal and refresh the Data sources page.

Copilot returns no results for cloud app queries

Your tenant might not have enough activity data. Defender for Cloud Apps starts logging activities only after you connect cloud apps. Go to the Connected apps page in Defender for Cloud Apps and verify that at least one app connector is active. If no app connectors exist, add one by selecting App connectors > Connect an app and following the wizard for your app type.

The consent dialog does not appear

Your browser may block pop-ups or third-party cookies. Add portal.cloudappsecurity.com and securitycopilot.microsoft.com to your browser’s allowed sites for pop-ups and cookies. After you allow these, refresh the Security extensions page and toggle the Copilot for Security setting again.

Copilot for Security vs Defender for Cloud Apps Native Queries: Key Differences

| Item | Copilot for Security Integration | Defender for Cloud Apps Native Queries |
|---|---|---|
| Query language | Natural English sentences | Kusto Query Language or filter expressions |
| Data scope | Alerts, activities, Shadow IT, app permissions | Same data scope plus file policies and governance actions |
| Output format | Summarized table with plain-language explanation | Raw log table or CSV export |
| Action execution | Read-only queries only | Full governance actions like suspend user or revoke OAuth token |
| User interface | Copilot for Security standalone portal or embedded panel | Defender for Cloud Apps portal only |

The integration is best for quick investigations and triage. For deep forensic analysis or automated remediation actions, use the native Defender for Cloud Apps query interface.

You can now query cloud app security data using plain English in Copilot for Security. Start with a simple question about recent admin activities to confirm the connection works. For faster results, save your most common queries as custom promptbooks in the Copilot for Security prompt library.