Microsoft Cloud App Security is a Cloud Access Security Broker (CASB) with features including log collection, API connectors, and reverse proxy. As a CASB, it is able to provide visibility and control over any integrated applications. It's fully integrated with the Microsoft 365 stack and can plug into thousands of third-party applications as well. 

Cloud App Security's features are broken into four main pillars. They are as follows:

• Discover and manage the use of shadow IT (unapproved applications or services): Cloud App Security can identify the cloud apps and services used by an organization. Cloud App Security can provide analytics around usage patterns and the risk levels of more than 16,000 SaaS apps. 

• Protect sensitive information regardless of location: By connecting business applications to Cloud App Security, you can discover sensitive data stored in non-Microsoft services and use built-in policies to apply controls such as data encryption across cloud apps.
• Protect against cyber threats and anomalies: Detect unusual behaviors across cloud apps to identify risky situations, ransomware, and potentially compromised. Cloud App Security allows you to define and customize risky behaviors using built-in templates and then automate remediation actions.
• Assess the compliance of cloud apps: Cloud App Security can assess your cloud apps for compliance. Cloud App Security can enforce your organizational policies targeting data leaks to non-compliant apps.

 Cloud App Security's discovery features are included in AAD Premium Plan 1, and its enforcement and automation features are part of AAD Premium Plan 2.

The EMS Suite's features should very much be considered as a means to improve visibility and manageability across the security spectrum.