Table of Contents
- What is Microsoft Cloud App Security
- Connect Office 365 with MCAS
- Configure Integration of Microsoft Cloud App Security (MCAS) with Azure Active Directory (AAD)
- Block Downloads while using Microsoft 365 Apps from a non-compliant / Unmanaged device.
- More Information
In this article, we will look into the initial setup of Microsoft Cloud App Security, connect the Office 365 app connector and configure basic settings on the portal. We will create policies to block downloads, and then to block cut, copy, paste and print, while users work with Microsoft 365 applications in a browser on an unmanaged device (a device not marked compliant by Intune). Finally, we will check the Activity log to monitor the proxied application traffic.
What is Microsoft Cloud App Security
Microsoft Cloud App Security (MCAS) is a Cloud Access Security Broker (CASB): a broker service that sits between users and cloud resources. It works in three modes: log collection (discovering cloud app usage from firewall and proxy logs), API connectors (connecting directly to sanctioned apps such as Office 365) and reverse proxy (routing browser sessions through MCAS in real time, which is what Conditional Access App Control uses). It provides visibility and insight into the apps in use and integrates natively with other Microsoft solutions such as Azure AD Conditional Access.
Connect Office 365 with MCAS
- Login on https://portal.cloudappsecurity.com
- Click on Add an app and in the App connectors tab select Office 365.
- Click on Connect Office 365.
- Select all Office 365 Components which you want to monitor and then click on Connect.
- It will add Office 365 connector in the App Connectors tab. Click on No recent status to check the current connection progress. Please note it will take some time for MCAS to analyse the data and users before the status will change to green.
Configure Integration of Microsoft Cloud App Security (MCAS) with Azure Active Directory (AAD)
To configure the integration of MCAS with AAD, we need to create an Azure AD Conditional Access policy that routes app sessions to Cloud App Security. Let's see how to create a Conditional Access policy for this integration.
Creating a Conditional Access (CA) Policy
- Login on the Microsoft Azure Portal (https://portal.azure.com).
- Search for Azure AD Conditional Access to Access CA Policies page.
- Click on + New Policy to create a CA Policy and configure the settings as per below information:
| Setting | Value |
| --- | --- |
| Name | Prevent downloads from unmanaged devices |
| Users and groups | Include: All users; Exclude: Breakglass AAD security group |
| Cloud apps or actions | Select apps: Office 365; Exclude: None |
| Conditions | Client apps: Browser |
| Device state | Include: All device state; Exclude: Devices marked as compliant |
| Session | Select Use Conditional Access App Control |
In the Session control you can select Block downloads, Monitor only or Use custom policy. Each of these options integrates AAD with MCAS; they differ only in which MCAS action is applied to the proxied session. As our requirement is to block downloads when a user accesses Microsoft 365 applications from an unmanaged / non-compliant PC, we selected Block downloads. Two things a practitioner should check before enabling the policy: the Device state exclusion covers only devices marked compliant, so hybrid Azure AD joined devices are still treated as unmanaged unless you exclude them as well; and the break-glass group exclusion is what keeps you from locking yourself out, so create the policy in report-only mode first and review the sign-in logs before switching it to On.
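The same policy can be created with the Microsoft Graph PowerShell SDK rather than by clicking through the portal, which makes it reviewable and repeatable. The script below is an added example and is not part of the original article; it assumes the Microsoft.Graph.Identity.SignIns module is installed and uses a placeholder object ID for the break-glass group that you must replace with your own. The exclude-mode device filter is the Graph equivalent of the portal's "exclude devices marked as compliant" setting.

```powershell
# Added example (not from the original article): create the
# "Prevent downloads from unmanaged devices" Conditional Access policy via Graph.
# Assumptions: Microsoft.Graph.Identity.SignIns is installed; the group ID is a placeholder.

$BreakGlassGroupId = "00000000-0000-0000-0000-000000000000"   # placeholder, replace with your group's object ID

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$policy = @{
    displayName = "Prevent downloads from unmanaged devices"
    # Start in report-only: the sign-in logs show which sessions would have been
    # routed to MCAS without affecting users. Change to "enabled" after review.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeUsers  = @("All")
            excludeGroups = @($BreakGlassGroupId)          # break-glass accounts stay out of scope
        }
        applications = @{
            includeApplications = @("Office365")           # the Office 365 app group, as in the portal
        }
        clientAppTypes = @("browser")                      # only browser sessions can be proxied
        devices = @{
            deviceFilter = @{
                # Exclude compliant devices so the policy hits unmanaged / non-compliant ones.
                # To also exclude hybrid Azure AD joined devices, extend the rule with:
                #   -or device.trustType -eq "ServerAD"
                mode = "exclude"
                rule = 'device.isCompliant -eq True'
            }
        }
    }
    sessionControls = @{
        cloudAppSecurity = @{
            isEnabled            = $true
            cloudAppSecurityType = "blockDownloads"   # alternatives: monitorOnly, mcasConfigured
        }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State

# Check that the session control actually landed on the policy.
(Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id).SessionControls.CloudAppSecurity
```

The `cloudAppSecurityType` value maps directly to the portal's Session control choice: `blockDownloads` for Block downloads, `monitorOnly` for Monitor only and `mcasConfigured` for Use custom policy (the session policies you define in the MCAS portal).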
Sign in to each Microsoft 365 Application to sync the app data to MCAS
Next, we need to sign in to each Microsoft 365 application, for example Microsoft Teams, SharePoint Online and Exchange Online, using any browser. Make sure the user who signs in to these applications is in scope of the CA policy we created in the previous step, Prevent downloads from unmanaged devices, and is on a device that is not marked compliant; otherwise the session is not routed to MCAS and nothing is onboarded.
Cloud App Security syncs the policy details to its servers for each new app you sign into. It may take a few minutes for the app to show up on the Cloud App Security portal.
Let’s first see how it looks on the Cloud App Security Portal:
Cloud App Security Portal -> Investigate -> Connected Apps -> App connectors tab -> Office 365 app status is now showing as connected.
Cloud App Security Portal -> Investigate -> Connected Apps -> Conditional Access App Control apps
At this point two apps are listed: Microsoft 365 admin center – General and Office Portal – General. The data is collected and synced to Cloud App Security automatically as you use Microsoft online services and applications through the proxy.
Sync Microsoft Teams App to Conditional Access App control Apps
As discussed earlier, we need to sign in to each Microsoft 365 app, for example Microsoft Teams, SharePoint and Exchange Online, to sync the app data and policy to the Cloud App Security portal. Let's sign in to Microsoft Teams first to see it in action.
- Using any browser, sign in to Microsoft Teams.
- After you sign in, the URL in the address bar shows that the Microsoft Teams session is being proxied via MCAS: the hostname carries a .mcas.ms suffix (for example teams.microsoft.com.mcas.ms) and you are presented with the screen below. Click Continue to Microsoft Teams. You can also click Hide this notification for all apps for one week so that you are not shown this notification every time you access an Office 365 / Microsoft 365 application.
After a couple of minutes the app is synced to the Cloud App Security portal, as you can see from the screenshot below. You can sync other apps the same way by signing in to each of them, or you can wait for users to access the applications; the data for each app is then collected by Cloud App Security and the app appears under the Conditional Access App Control apps tab.
Click on the Microsoft Teams application and open the Activity log tab to find more information about user sign-in successes and failures, IP address, location, device, and the date and time of each login. You can filter the results by user, IP address, location or activity.
Now that Microsoft Teams app data is being synced to MCAS, we can create a session policy to inspect and monitor the application in real time and / or restrict certain user actions while using Microsoft Teams: for example cut, copy, paste or print, or sending and receiving sensitive information via chat such as passwords, bank credit / debit card numbers or social security numbers. The policy can be extended to all Microsoft 365 applications, not only Microsoft Teams: while creating a session policy on the MCAS portal, select Microsoft Online Services from the activity filters to include every Microsoft 365 application plugged into MCAS.
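The Activity log described above can also be pulled from the Cloud App Security REST API, which is what you would do to feed blocked-download events into a SIEM or a scheduled check rather than reading them in the portal. The script below is an added example and is not part of the original article: the portal URL, the API token (created under Settings -> Security extensions -> API tokens) and the user name are placeholders; the filter keys `date` and `user.username` and the `Token` authorization scheme are those of the MCAS activities API, and the output property names follow the activity object that API returns.

```powershell
# Added example (not from the original article): query the MCAS Activity log
# for one user's recent activities through the activities API.
# Assumptions: $PortalUrl, $ApiToken and $User are placeholders you must replace.

$PortalUrl = "https://contoso.us.portal.cloudappsecurity.com"   # placeholder tenant portal URL
$ApiToken  = "<api token>"                                        # placeholder, from Security extensions -> API tokens
$User      = "alice@contoso.com"                                  # sample user in scope of the CA policy

function Get-McasUserActivities {
    param(
        [Parameter(Mandatory)] [string] $PortalUrl,
        [Parameter(Mandatory)] [string] $ApiToken,
        [Parameter(Mandatory)] [string] $UserName,
        [int] $Hours = 24,
        [int] $Limit = 100
    )

    # The API takes epoch milliseconds; look back $Hours hours from now.
    $since = [DateTimeOffset]::UtcNow.AddHours(-$Hours).ToUnixTimeMilliseconds()

    $body = @{
        filters = @{
            "date"          = @{ gte = $since }
            "user.username" = @{ eq = @($UserName) }
        }
        skip          = 0
        limit         = $Limit
        sortField     = "date"
        sortDirection = "desc"
    } | ConvertTo-Json -Depth 5

    # POST /api/v1/activities/ with a JSON filter body; the token goes in the
    # Authorization header using the "Token" scheme, not "Bearer".
    $resp = Invoke-RestMethod -Method Post -Uri "$PortalUrl/api/v1/activities/" `
        -Headers @{ Authorization = "Token $ApiToken" } `
        -ContentType "application/json" -Body $body

    foreach ($a in $resp.data) {
        [pscustomobject]@{
            Time        = [DateTimeOffset]::FromUnixTimeMilliseconds($a.timestamp).UtcDateTime
            User        = $a.user.userName
            App         = $a.appName
            Description = $a.description
        }
    }
}

# Usage: list the last 24 hours of activity for the sample user, newest first.
Get-McasUserActivities -PortalUrl $PortalUrl -ApiToken $ApiToken -UserName $User |
    Format-Table -AutoSize
```

Treat the API token like a credential: it grants read access to every activity in the tenant, so store it in a secret store rather than in the script, and rotate it from the same portal page where it was created.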
Block Downloads while using Microsoft 365 Apps from a non-compliant / Unmanaged device.
We have already created a Conditional Access policy to block downloads while using any Office 365 application from an unmanaged device. Let's see our CA policy Prevent downloads from unmanaged devices in action.
Note: you can also create another, optional CA policy that blocks access from mobile apps and desktop clients when Microsoft 365 applications are used from an unmanaged device. Without it, a user on an unmanaged device can still download files through the desktop or mobile client, because only browser sessions are proxied through MCAS.
- Launch Microsoft Teams
- Try to download a file which is uploaded to Microsoft Teams chat.
- You should receive the error message: Download blocked. Downloading <filename> is blocked by your organization's security policy. The blocked download also appears in the Activity log of the Microsoft Teams app on the Cloud App Security portal, which is the quickest way to confirm the policy is being enforced for the right users and devices.