Control 2.9: Defender for Cloud Apps — Copilot Session Controls — Troubleshooting

Common issues and resolution steps for Defender for Cloud Apps session controls.

Common Issues

Symptoms: Copilot interactions are not visible in the Defender for Cloud Apps activity log despite session policies being configured
Root Cause: Conditional Access App Control may not be fully configured for Microsoft 365, or the session routing may not be active for the specific Copilot workload.
Resolution:
Verify Conditional Access App Control is enabled for Microsoft 365 in Defender settings
Check the Conditional Access policy routes traffic through Defender for Cloud Apps
Verify the user's session was proxied (check for the MCAS proxy indicator in the browser)
Allow 24 hours for activity data to appear in the log

Symptoms: Users report slower Copilot responses or Office application performance degradation when session controls are active
Root Cause: Proxying sessions through Defender for Cloud Apps adds latency. Content inspection adds additional processing time.
Resolution:
Review session policy scope — limit content inspection to specific conditions rather than all traffic
Optimize content inspection rules to target only high-risk activities
Consider monitoring-only policies (no blocking) for general use and blocking policies for specific conditions
Work with Microsoft support to optimize proxy routing if latency is significant

Symptoms: High volume of alerts for normal Copilot usage patterns, creating alert fatigue
Root Cause: Alert thresholds may be too sensitive, or alert conditions may match normal business activity.
Resolution:
Review alert patterns and identify the most common false positive types
Adjust alert thresholds to reduce noise (e.g., increase the activity count threshold)
Create suppression rules for known-good activity patterns
Use alert aggregation to group related alerts into single incidents
Implement a tiered alerting approach (informational vs. actionable)

Symptoms: Known sensitive data passes through Copilot sessions without triggering content inspection alerts
Root Cause: Content inspection patterns may not match the specific data format, or inspection may not be configured for the specific Copilot interaction type.
Resolution:
Review content inspection sensitive information type definitions
Test with known data patterns to verify detection capability
Verify the session policy applies to the specific interaction type where data was missed
Add custom inspection rules for organization-specific data patterns

Symptoms: Copilot agents are deployed but no agent-related alerts appear in Defender XDR; the Incidents & alerts view shows no agent incidents despite agent activity
Root Cause: Agent threat detection may require specific licensing (Defender for Office 365 P2 or Microsoft 365 Defender) and may need to be explicitly enabled for agent workloads. Agent coverage was added in September 2025 and may require feature updates in older tenants.
Resolution:
Verify the tenant has the required Defender XDR license tier for agent threat detection (included in M365 E5 Security or Defender for Office 365 P2)
Navigate to Defender portal > Settings > Microsoft Defender XDR and confirm unified XDR is enabled
Check that the agents are registered in Agent Registry (MAC > Agents > All agents / Registry) — unregistered agents may not have threat detection coverage
Verify no filter is hiding agent incidents: in Incidents & alerts, clear all filters and search for recent agent-related events
Allow 24-48 hours after enabling detection — initial alert generation may be delayed
If alerts still do not appear after enabling: open a Microsoft support ticket referencing Defender XDR agent threat detection

Symptoms: The Cloud app catalog Generative AI filter shows apps but no "discovered" usage data, or the catalog shows fewer apps than expected
Root Cause: Discovery data requires traffic analysis either through Microsoft Defender for Endpoint integration or manual log upload. Without endpoint agents or log upload configured, only the catalog (not discovery) will be visible.
Resolution:
Navigate to Defender portal > Cloud Apps > Settings > Cloud Discovery to check discovery configuration
If Microsoft Defender for Endpoint is deployed: verify the "Defender for Endpoint integration" toggle is enabled in Cloud Discovery settings — this enables automatic traffic analysis for discovery
If Defender for Endpoint is not deployed: configure manual log upload from proxy or firewall logs to enable discovery
Allow 24-48 hours after enabling discovery for initial data to appear
Verify the correct data source is connected: Defender portal > Cloud Apps > Cloud Discovery > Data sources

Verify proxy routing: Check browser URL for MCAS proxy indicators during Copilot use
Check policy status: Defender > Policies > verify all session policies are "Enabled"
Review activity log: Search for any Copilot-related activities in the last 24 hours
Test detection: Use a test document with known sensitive data patterns
Check CA integration: Verify the Conditional Access policy references Defender for Cloud Apps

Severity	Condition	Escalation Path
Low	Minor logging gaps	Security Operations
Medium	Session controls causing user-impacting latency	Security Operations and Microsoft support
High	Content inspection failing to detect sensitive data	Security Operations and Information Protection team
Critical	Session controls non-functional — no monitoring on Copilot	CISO and Security Operations immediately