To set up Defender for Cloud Apps with Azure AD/Entra ID, we’ll create an Entra Conditional Access policy that re-directs app sessions to Microsoft Defender for Cloud Apps. Let’s walk through the process of creating this policy.
STEP 1 – Create a Conditional Access Policy
Example: Now, let’s go through the steps for creating a Conditional access policy that prevents downloads from Office 365 applications on non-compliant devices. This policy will utilize the Defender for Cloud Apps Conditional Access App Control feature to block downloads on such devices.
Once you establish this conditional access policy, all Microsoft 365 traffic will be routed through the Defender for Cloud Apps Proxy for application monitoring. If someone attempts to download any document or data from a non-compliant device, the action will be blocked. Let’s check the steps:
- Sign in to the Entra admin center (https://entra.microsoft.com).
- Search for Entra ID Conditional Access to open the CA Policies page.
- Click + New policy to create a CA policy and configure it with the settings below:
| Setting | Include / value | Exclude |
| --- | --- | --- |
| Name | Prevent downloads from unmanaged devices | |
| Users and Groups | Include: All users | Exclude: Your break-glass users |
| Cloud apps or actions | Select apps: Office 365 | Exclude: None |
| Conditions | Client apps: Browser | |
| Device State | Include: All device state | Exclude: Devices marked as Compliant |
| Session | Select Use Conditional Access App Control | |
In the Session control settings, you have three options: Block downloads, Monitor only, or Use custom policy. For the specific requirement of blocking downloads when users use Microsoft 365 applications from unmanaged or non-compliant PCs, select the “Block downloads” option in the Session control setting of the Conditional Access policy.
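The same policy can be created with the Microsoft Graph PowerShell SDK instead of clicking through the portal, which makes it easy to keep the definition in source control. This is an added example, not code from the original post or from Microsoft; it assumes the Microsoft.Graph.Identity.SignIns module is installed, that the two break-glass object IDs are placeholders you replace with your own, and that the policy starts in report-only mode (the walkthrough above creates it enabled; switch `state` to `enabled` once the sign-in logs show the expected scope).

```powershell
# Added example (not part of the original post): create the Step 1 Conditional Access
# policy with Microsoft Graph PowerShell. Requires Microsoft.Graph.Identity.SignIns.
# ASSUMPTION: the object IDs below are placeholders for your break-glass accounts.
$breakGlassUserIds = @(
    '00000000-0000-0000-0000-000000000001',   # placeholder: break-glass account 1
    '00000000-0000-0000-0000-000000000002'    # placeholder: break-glass account 2
)

Connect-MgGraph -Scopes 'Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess' -NoWelcome

$policy = @{
    displayName     = 'Prevent downloads from unmanaged devices'
    # Report-only first; change to 'enabled' after validating who the policy hits
    state           = 'enabledForReportingButNotEnforced'
    conditions      = @{
        users          = @{
            includeUsers = @('All')
            excludeUsers = $breakGlassUserIds
        }
        applications   = @{
            includeApplications = @('Office365')   # the Office 365 app group from the table
            excludeApplications = @()
        }
        clientAppTypes = @('browser')              # session controls only apply to browser sessions
        devices        = @{
            # "Include: All device state / Exclude: devices marked as compliant" is expressed
            # in Graph as a device filter in exclude mode
            deviceFilter = @{
                mode = 'exclude'
                rule = 'device.isCompliant -eq True'
            }
        }
    }
    sessionControls = @{
        cloudAppSecurity = @{
            isEnabled            = $true
            # 'blockDownloads' = Block downloads; 'monitorOnly' = Monitor only;
            # 'mcasConfigured' = Use custom policy (defined in Defender for Cloud Apps)
            cloudAppSecurityType = 'blockDownloads'
        }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy '$($created.DisplayName)' ($($created.Id)) in state $($created.State)"
```

Keeping the break-glass accounts in the exclusion list matters here more than usual: a misconfigured session control applies to every browser sign-in to Office 365, and the excluded accounts are the only ones guaranteed to reach the admin center without being proxied.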
STEP 2 – Sign in to the M365 Apps
As users sign in to and use Microsoft 365 apps, the Microsoft 365 app connection in Defender for Cloud Apps refreshes automatically to update its connection status, and appears under “Available controls” as part of Azure AD Conditional Access.
Note that the name “Azure AD Conditional Access” may be changed to “Entra Conditional Access” in the future, since Microsoft has renamed Azure AD to Entra ID.
Immediately after creating the Conditional Access policy, you will not see any app connections under Defender for Cloud Apps. At least one user must initiate a connection to one of the Microsoft 365/Office 365 apps so that the session is proxied through Defender for Cloud Apps.
After a couple of hours, the app connections appear as shown in the screenshot below: “Microsoft 365 admin center – General” is listed under the app connections. This connection is established automatically once at least one user signs in to the app and their traffic is routed through Defender for Cloud Apps.
STEP 3 – Sync Microsoft Teams App with Defender for Cloud Apps
To begin monitoring Microsoft Teams through Defender for Cloud Apps and manage it with the Conditional Access policy, you must sign in to the Microsoft Teams app at least once via a web browser. Once you do, the connection is proxied according to the CA policy, and the Microsoft Teams connection is established and visible under “Apps” in the Defender for Cloud Apps portal.
- Log in to Microsoft Teams using any web browser.
- Once you log in, you’ll notice that the URL in the address bar indicates that the Microsoft Teams application is being proxied via MDCA (Microsoft Defender for Cloud Apps). You’ll then be presented with the following screen. Click “Continue to Microsoft Teams”.
- Additionally, there’s an option to click on “Hide this notification for all apps for one week” so that you won’t receive this notification every time you attempt to access any Office 365/Microsoft 365 application.
- After a few minutes, the app will be synchronized with the Cloud App Security portal, as shown in the screenshot below.
- You can sync other apps by signing in to each app individually, or you can wait for users to access the applications. In that case, the data for that app will be collected by Defender for Cloud apps, and the app will also appear under the Conditional Access App Control apps tab.
- As evident from the below screenshot, the “Microsoft Teams – General [PREVIEW]” app is now displayed under the Conditional Access App Control apps.
- When you click the Microsoft Teams – General connection in the Defender for Cloud Apps portal, you can open the Activity log tab to gather more information about user sign-ins, including successes and failures.
- This log provides details on IP information, location, device used, and the date and time of each login. You can also apply filters to the results, such as by users, IP address, location, or specific activities.
- Now that Microsoft Teams app data is synchronized with Defender for Cloud Apps, you can create session policies to actively inspect and monitor the application in real time.
- You have the capability to restrict certain user actions while using Microsoft Teams, such as copying, pasting, or printing information, as well as sending or receiving sensitive data via chat, such as passwords, bank and credit card information, or social security numbers.
- Click each event to see more details about it, such as Type, Source, App, and Device type.
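Waiting for an app to show up in the Conditional Access App Control list tells you that at least one session was proxied, but not whether every non-compliant browser session is. The Entra sign-in logs record, per sign-in, which CA policies were evaluated and which session controls were enforced, so they are the place to confirm the Step 1 policy is doing what the table says. The script below is an added example, not code from the original post or from Microsoft; it assumes the Microsoft.Graph.Reports module is installed and that the policy display name matches the one used in the walkthrough.

```powershell
# Added example (not part of the original post): verify from the Entra sign-in logs which
# browser sign-ins the "Prevent downloads from unmanaged devices" policy was applied to,
# and which session controls were enforced. Requires Microsoft.Graph.Reports.
# ASSUMPTION: $policyName matches the display name of the policy created in Step 1.
$policyName = 'Prevent downloads from unmanaged devices'
$since      = (Get-Date).AddHours(-24).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')

Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All' -NoWelcome

# Server-side filter on time; the policy match is done client-side because
# appliedConditionalAccessPolicies is a collection property
$signIns = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All

$report = foreach ($s in $signIns) {
    $applied = $s.AppliedConditionalAccessPolicies | Where-Object { $_.DisplayName -eq $policyName }
    if (-not $applied) { continue }   # policy was not in scope for this sign-in
    [pscustomobject]@{
        Time            = $s.CreatedDateTime
        User            = $s.UserPrincipalName
        App             = $s.AppDisplayName
        ClientApp       = $s.ClientAppUsed
        Compliant       = $s.DeviceDetail.IsCompliant
        # 'success' means the session controls were enforced; 'notApplied' is expected
        # for compliant devices; 'reportOnly*' values mean the policy is still report-only
        PolicyResult    = $applied.Result
        SessionControls = ($applied.EnforcedSessionControls -join ',')
    }
}

$report | Sort-Object Time -Descending | Format-Table -AutoSize

# The rows to review: non-compliant devices where the policy was evaluated but not enforced
$gaps = $report | Where-Object { $_.Compliant -ne $true -and $_.PolicyResult -ne 'success' }
"{0} sign-ins evaluated by the policy, {1} from non-compliant devices without enforcement" -f @($report).Count, @($gaps).Count
```

Run it a few hours after creating the policy, once the Step 2 sign-ins have happened. A non-compliant device that shows `PolicyResult` other than `success` is the case the download block will silently miss: typically the policy is still report-only, the client was not a browser, or the user is in the exclusion list.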
We’ve previously set up a Conditional Access policy designed to prevent downloads when using Office 365 apps from non-compliant devices. Now, let’s observe this policy, “Prevent downloads from unmanaged devices,” in action.
- Launch the Microsoft Teams App.
- Try to download a file that was uploaded to a Microsoft Teams chat.
- You will receive the error message “Download blocked. Downloading <filename> is blocked by your organization’s security policy.”
In this blog post, we’ve covered the integration of Entra ID with Defender for Cloud Apps, primarily using the Microsoft 365 Defender portal for configuration. Remember that a Conditional Access policy is required to synchronize the apps with Defender for Cloud Apps and enable traffic monitoring and data analysis. We’ve also demonstrated the error message an end user sees when attempting to download a file from a non-compliant device.