To configure the integration of Defender for Cloud Apps with Azure Active Directory (AAD), we need to create an Azure AD Conditional Access policy that routes app sessions to Microsoft Defender for Cloud Apps. Let's see how to create a Conditional Access policy for this integration.
Creating a Conditional Access (CA) Policy
Let's check the steps to create a Conditional Access policy that blocks downloads from Office 365 applications on uncompliant devices. This policy uses the Defender for Cloud Apps Conditional Access App Control feature to block the downloads.
Once this policy is in place, all Office 365 browser traffic from the scoped users traverses the Defender for Cloud Apps proxy, which monitors the applications. If anyone tries to download a document or data from Office 365 on an uncompliant device, the download is blocked.
- Log in to the Microsoft Azure Portal (https://portal.azure.com).
- Search for Azure AD Conditional Access to open the CA Policies page.
- Click on + New Policy to create a CA policy and configure the settings as per the information below:
Setting | Value / Include | Exclude
---|---|---
Name | Prevent downloads from unmanaged devices |
Users and Groups | Include: All users | Exclude: Breakglass AAD Security Group
Cloud apps or actions | Select apps: Office 365 | Exclude: None
Conditions | Client apps: Browser |
Device State | Include: All device state | Exclude: Devices marked as Compliant
Session | Use Conditional Access App Control: Block downloads |
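The same policy expressed as the Microsoft Graph `conditionalAccessPolicy` body, plus a small pre-flight check of the settings a reviewer would want to confirm before enabling it. This is added example code, not from the original post; the break-glass group ID is a placeholder, the Device State row is expressed with the Graph device filter rule (`device.isCompliant -eq True` in exclude mode) rather than the portal's retired device-state condition, and the policy is created in report-only state so its impact can be observed in the sign-in logs first.

```python
"""Build and sanity-check the Graph body for the CA policy described above.
Example code added to this post; it is not the original author's code."""
import json

# Placeholder (constructed): object ID of the break-glass AAD security group.
BREAKGLASS_GROUP_ID = "00000000-0000-0000-0000-000000000000"


def build_policy(breakglass_group_id: str, report_only: bool = True) -> dict:
    """Return the JSON body for POST /identity/conditionalAccess/policies.

    Field names follow the Microsoft Graph conditionalAccessPolicy schema.
    The portal's "Device State" row is expressed via the device filter
    (exclude compliant devices) rather than the retired deviceStates condition.
    """
    return {
        "displayName": "Prevent downloads from unmanaged devices",
        # Report-only first: sign-in logs show who would be affected before enforcing.
        "state": "enabledForReportingButNotEnforced" if report_only else "enabled",
        "conditions": {
            "users": {
                "includeUsers": ["All"],
                "excludeGroups": [breakglass_group_id],
            },
            "applications": {"includeApplications": ["Office365"]},
            # App Control only proxies browser sessions, so scope to browser clients.
            "clientAppTypes": ["browser"],
            "devices": {
                "deviceFilter": {
                    "mode": "exclude",
                    "rule": "device.isCompliant -eq True",
                }
            },
        },
        "sessionControls": {
            # Route the session through Defender for Cloud Apps and block downloads.
            "cloudAppSecurity": {
                "isEnabled": True,
                "cloudAppSecurityType": "blockDownloads",
            }
        },
    }


def check_policy(policy: dict) -> list:
    """Return problems a reviewer would raise before enabling the policy."""
    problems = []
    conditions = policy.get("conditions", {})
    users = conditions.get("users", {})
    if users.get("includeUsers") == ["All"] and not users.get("excludeGroups"):
        problems.append("targets all users with no excluded break-glass group")
    if policy.get("state") == "enabled":
        problems.append("policy is enforced rather than report-only on first creation")
    session = policy.get("sessionControls", {}).get("cloudAppSecurity", {})
    if not session.get("isEnabled") or session.get("cloudAppSecurityType") != "blockDownloads":
        problems.append("session control is not Conditional Access App Control: block downloads")
    if "browser" not in conditions.get("clientAppTypes", []):
        problems.append("browser client app type missing; App Control only proxies browser sessions")
    return problems


if __name__ == "__main__":
    policy = build_policy(BREAKGLASS_GROUP_ID)
    print(json.dumps(policy, indent=2))
    print("problems:", check_policy(policy) or "none")
```

The printed body can be sent to `POST https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies` with a token holding `Policy.ReadWrite.ConditionalAccess`, or passed as `-BodyParameter` to `New-MgIdentityConditionalAccessPolicy` from the Microsoft Graph PowerShell SDK. Switch `state` to `enabled` only after the report-only sign-in log entries confirm that just the intended users and devices are hit.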
Sign in to the M365 Apps to sync app data with MDCA
The next thing we need to do is sign in to each Microsoft 365 application, for example the Microsoft 365 admin center, Microsoft Teams, SharePoint Online, Exchange Online, etc., using any browser. Make sure the user signing in to these applications is scoped in the CA policy we created in the previous step: Prevent downloads from unmanaged devices.
Let's first see how it looks in Microsoft Defender for Cloud Apps. Make sure that the Microsoft 365 app connector is added and its status shows as Connected.
Navigate to Microsoft 365 Defender Portal -> Settings -> Cloud Apps -> Connected apps -> App Connectors.
I have now logged on to the Microsoft 365 admin center and the Microsoft Azure Portal. The URLs were proxied via Defender for Cloud Apps because of the Conditional Access policy in place, and this automatically added the apps to the Conditional Access App Control apps list.
How to Sync Microsoft Teams App to Conditional Access App control apps
To start monitoring Microsoft Teams with Defender for Cloud Apps and manage it using the Conditional Access policy, we need to log in to Microsoft Teams, which will be proxied via Defender for Cloud Apps as per the CA policy in place.
- Using any browser, log in to Microsoft Teams.
- After you log in, the URL in the address bar will show that the Microsoft Teams application is being proxied via MDCA, and you will be presented with the screen below. Click on Continue to Microsoft Teams. You can also click on Hide this notification for all apps for one week so that you won't get this notification every time you access an Office 365 / Microsoft 365 application.
- After a couple of minutes, the app will be synced to the Cloud App Security portal, as you can see from the screenshot below. You can sync other apps as well by signing in to each app, or you can wait for users to access the applications; MDCA then collects the data for that app and the app also shows under the Conditional Access App Control apps tab.
- As you can see, the Microsoft Teams – General [PREVIEW] app is showing under Conditional Access App Control apps.
- Click on the Microsoft Teams application and go to the Activity log tab to find out more information about user sign-in successes / failures, IP information, location, device, date / time of the login, etc. You can also filter the results by user, IP address, location, or activity.
Note |
---|
Now that Microsoft Teams app data is being synced to MDCA, we can create a session policy to inspect and monitor the application in real time and / or restrict certain user actions while using Microsoft Teams, for example cut, copy, paste or print, or sending / receiving sensitive information via chat such as passwords, bank credit / debit card numbers, social security numbers, etc. The policy can be extended to all Microsoft 365 applications, not only Microsoft Teams. While creating a session policy in the MDCA portal, select Microsoft Online services from Activity Filters to include all Microsoft 365 applications plugged into MDCA. |
- Click on each event to get more details about it, such as Type, Source, App, Device type, etc.
End User Experience
We have already created a Conditional Access policy to block downloads from Office 365 apps on any uncompliant device. Let's see our CA policy Prevent downloads from unmanaged devices in action.
- Launch Microsoft Teams on an uncompliant device.
- Try to download a file that was uploaded to a Microsoft Teams chat.
- You should receive the error message: Download blocked. Downloading <filename> is blocked by your organization's security policy.
Conclusion
In this blog post, we have seen how to integrate Azure AD with Defender for Cloud Apps. We used the Microsoft 365 Defender portal for most of the configuration work. Make sure to create a Conditional Access policy that routes the apps through Defender for Cloud Apps so their traffic is monitored and their data can be analyzed. Finally, we saw the error message an end user should expect when downloading a file from an uncompliant device.