Connect Office 365 App with Microsoft Cloud App Security (MCAS), Integrate AAD with MCAS, Block Downloads using MCAS and CA Policies

Overview

In this article, we will look at the initial setup of Microsoft Cloud App Security, connect the Office 365 app connector and configure basic settings on the portal. We will create policies to block downloads and then block cut, copy, paste and print while using Microsoft Online applications via a browser on an unmanaged device (a device that is not marked compliant in Intune). Then we will check the Activity log to monitor the application traffic.

What is Microsoft Cloud App Security

Microsoft Cloud App Security is a Cloud Access Security Broker (CASB): a broker service that sits between users and cloud resources. It can be used for log collection, API connectors and reverse proxying of sessions. It provides visibility and insight into the apps in use and integrates natively with other Microsoft solutions.

Connect Office 365 with MCAS

MCAS - Connect Office365 App
  • Click on Connect Office 365.
MCAS - Connect Office365 App
  • Select all Office 365 components which you want to monitor and then click on Connect.
MCAS - Connect Office365 App
  • This adds an Office 365 connector in the App connectors tab. Click on No recent status to check the current connection progress. Note that it will take some time for MCAS to analyse the data and users before the status changes to green.
MCAS App connector for Office 365 - No recent status

Configure Integration of Microsoft Cloud App Security (MCAS) with Azure Active Directory (AAD)

To configure the integration of MCAS with AAD, we need to create an Azure AD Conditional Access policy which routes app sessions to Cloud App Security. Let's see how to create a Conditional Access policy for this integration.

Creating a Conditional Access (CA) Policy

  • Log in to the Microsoft Azure portal (https://portal.azure.com).
  • Search for Azure AD Conditional Access to open the CA policies page.
  • Click on + New policy to create a CA policy and configure the settings as per the table below:

Setting                  Value
Name                     Prevent downloads from unmanaged devices
Users and groups         Include: All users; Exclude: Breakglass AAD Security Group
Cloud apps or actions    Select apps: Office 365; Exclude: None
Conditions               Client apps: Browser
Device state             Include: All device state; Exclude: Devices marked as compliant
Session                  Select Use Conditional Access App Control -> Block downloads

In the Session control you can select Block downloads, Monitor only or Use custom policy. In each case the policy integrates AAD with MCAS by routing the session through Cloud App Security. As our requirement is to block downloads when a user is using Microsoft 365 applications from an unmanaged / non-compliant PC, we selected the Block downloads option in the Session control setting of the CA policy.
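The same policy can be created with the Microsoft Graph PowerShell SDK instead of clicking through the portal, which makes the settings reviewable and repeatable. The script below is an added example, not code from the original article: it builds the policy from the table above, creates it in report-only mode so sign-in logs can confirm the scope before enforcement, and then reads it back to verify that the session control is Block downloads and that the break-glass group is excluded. The group name is the placeholder from the table; the portal's "Device state" condition is expressed here as a device filter that excludes compliant devices.

```powershell
# Added example (not from the original article): create the "Prevent downloads from
# unmanaged devices" Conditional Access policy with the Microsoft Graph PowerShell SDK.
# Requires the Microsoft.Graph module and an account allowed to write CA policies.
# Assumption: the break-glass group display name below is a placeholder for your tenant.

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Group.Read.All"

# Resolve the exclusion group by display name (placeholder name, as in the article's table).
$breakGlassGroup = Get-MgGroup -Filter "displayName eq 'Breakglass AAD Security Group'"
if (-not $breakGlassGroup) {
    # Refuse to create a policy that applies to all users with no admin exclusion.
    throw "Break-glass group not found; not creating a policy without an exclusion."
}

$policy = @{
    displayName = "Prevent downloads from unmanaged devices"
    # Report-only first; switch to "enabled" once the sign-in log shows the expected hits.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{
            includeUsers  = @("All")
            excludeGroups = @($breakGlassGroup.Id)
        }
        applications   = @{
            # "Office365" is the well-known app group shown as "Office 365" in the portal.
            includeApplications = @("Office365")
        }
        clientAppTypes = @("browser")
        # Portal "Device state: include all, exclude compliant" expressed as a device filter.
        devices        = @{
            deviceFilter = @{
                mode = "exclude"
                rule = "device.isCompliant -eq True"
            }
        }
    }
    sessionControls = @{
        # "Use Conditional Access App Control" -> "Block downloads".
        # Other values: monitorOnly, mcasConfigured (use the MCAS session policy instead).
        cloudAppSecurity = @{
            isEnabled            = $true
            cloudAppSecurityType = "blockDownloads"
        }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Read the policy back and check the two settings that matter most for this scenario.
$check = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id

if ($check.SessionControls.CloudAppSecurity.CloudAppSecurityType -ne "blockDownloads") {
    throw "Session control is not Block downloads: $($check.SessionControls.CloudAppSecurity.CloudAppSecurityType)"
}
if ($check.Conditions.Users.ExcludeGroups -notcontains $breakGlassGroup.Id) {
    throw "Break-glass group is not excluded from the policy."
}
Write-Output "Policy '$($check.DisplayName)' created in state '$($check.State)' with downloads blocked via MCAS."
```

Keeping the policy in report-only mode until the Azure AD sign-in log shows only the intended users and devices matching it is the safest way to roll this out; an "All users" browser policy with a wrong device filter can block every user's downloads at once.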

Sign in to each Microsoft 365 Application to sync the app data to MCAS

The next thing we need to do is sign in to each Microsoft 365 application, for example Microsoft Teams, SharePoint Online, Exchange Online etc., using any browser. Make sure the user who signs in to any of these applications is in scope of the CA policy which we created in the previous step: Prevent downloads from unmanaged devices.

Cloud App Security syncs the policy details to its servers for each new app you sign into. This may take a few minutes to show up on the Cloud App Security portal.

Let’s first see how it looks on the Cloud App Security Portal:

Navigate to Cloud App Security portal -> Investigate -> Connected apps -> App connectors tab. The Office 365 app status is now showing as Connected.

MCAS App connector for Office 365

Navigate to Cloud App Security Portal -> Investigate -> Connected Apps -> Conditional Access App Control apps

I see the two apps below, Microsoft 365 admin center – General and Office Portal – General. The data is collected / synced to Cloud App Security automatically as you use Microsoft Online services / applications.

Conditional Access App Control apps

Sync Microsoft Teams App to Conditional Access App control Apps

As we discussed earlier, we need to sign in to each Microsoft 365 app, for example Microsoft Teams, SharePoint, Exchange Online etc., to sync the app data and policy to the Cloud App Security portal. Let's sign in to the Microsoft Teams app first to see it in action.

  • Using any browser, sign in to Microsoft Teams.
  • After you sign in, the URL in the address bar shows that the Microsoft Teams application is being proxied via MCAS, and you will be presented with the screen below. Click on Continue to Microsoft Teams. You can also click on Hide this notification for all apps for one week so that you won't get this notification every time you access an Office 365 / Microsoft 365 application.
Access to Microsoft Teams is Monitored - MCAS

After a couple of minutes, the app is synced to the Cloud App Security portal, as you can see from the screenshot below. You can sync other apps as well by signing in to each app, or you can wait for users to access the applications; the data for each app is then collected by Cloud App Security and the app also shows under the Conditional Access App Control apps tab.

Conditional Access App Control apps - Microsoft Teams app Sync

Click on the Microsoft Teams application and go to the Activity log tab to find more information about user sign-in successes / failures, IP information, location, device, and date / time of the login. You can filter the results by user, IP address, location or activity.

Now that Microsoft Teams app data is being synced to MCAS, we can create a session policy to inspect / monitor the application in real time and / or restrict certain user actions while using Microsoft Teams, for example cut, copy, paste or print, or sending / receiving sensitive information via chat such as passwords, bank credit / debit card numbers, social security numbers etc. The policy can be extended to all Microsoft 365 applications, not only Microsoft Teams. While creating a session policy on the MCAS portal, select Microsoft Online services from the Activity filters to include all Microsoft 365 applications plugged into MCAS.

MCAS - Microsoft Teams App Activity Logs

Block downloads while using Microsoft 365 apps from a non-compliant / unmanaged device

We have already created a Conditional Access policy to block downloads while using any Office 365 application. Let's see our CA policy Prevent downloads from unmanaged devices in action.

Optionally, you can create another CA policy which blocks users from accessing Microsoft 365 applications through mobile apps and desktop clients from an unmanaged device, so that the browser-only restriction cannot be bypassed by a rich client.
  • Launch Microsoft Teams.
  • Try to download a file which was uploaded to a Microsoft Teams chat.
  • You should receive the error message: Download blocked. Downloading <filename> is blocked by your organization's security policy.
MCAS - Download Blocked Unmanaged Device

More Information