Microsoft Defender XDR Blog

Ignite news: Secure your SaaS landscape with the latest Defender for Cloud Apps innovations

RanMarom
Nov 19, 2024

We're living in a world where SaaS apps are woven into the fabric of every modern organization. They have transformed how we work, collaborate, and innovate, but they have also introduced new vulnerabilities and security challenges. As the SaaS ecosystem continues to expand, security teams are increasingly challenged to manage the sprawl, ensure safe configurations, and maintain a strong security posture across apps. Further, we face nation-state threat actors using OAuth apps to infiltrate systems with unprecedented stealth because employees often create app-to-app connections without much consideration. Now more than ever, security teams need effective SaaS posture management to proactively prevent SaaS-related threats, deep visibility into OAuth apps to secure app-to-app interactions, and enhanced operational efficiency for managing SaaS security, from permission management to shadow IT governance. 


In response, today we are excited to announce the following innovations in Microsoft Defender for Cloud Apps to help address these challenges:

  • SaaS security initiative: Microsoft Security Exposure Management empowers security teams to reduce risks and limit exposure of the most critical assets with unified exposure management. We are introducing a new SaaS security initiative within Exposure Management to provide best practice SaaS posture recommendations, along with an easy way for security teams to prioritize the most important controls.
  • Enhanced visibility into OAuth apps: Get expanded visibility into OAuth apps to give security teams deeper insights into app origins, privilege levels, and permissions, while allowing them to set controls to mitigate risks more effectively.
  • Streamlined SaaS security operations: To further enhance operational efficiency for SaaS security management, Defender for Cloud Apps now uses the unified role-based access control (RBAC) model in Defender XDR to enable central permission management, alongside a new discovered apps Graph API, and the ability to customize the block page experience.

Improve your app posture with the new SaaS security initiative in Microsoft Security Exposure Management

Managing SaaS app misconfigurations is crucial as attackers frequently exploit these vulnerabilities. Robust posture management is essential in building a proactive prevention strategy against SaaS attacks. Microsoft Security Exposure Management offers a focused, metric-driven way of tracking exposure using security initiatives and provides a simple way to assess security readiness for a specific security area or workload. Today, we are excited to introduce the SaaS security initiative, which delivers a consolidated and simplified experience to help organizations enhance their SaaS security posture. 


The SaaS security initiative serves as the new homepage for the SaaS security posture management experience in the Defender portal. It delivers a clear view of your SaaS security coverage, health, configuration, and performance, and consolidates all best-practice recommendations for configuring SaaS apps into 12 metrics that enable security teams to efficiently manage and prioritize the large number of security recommendations. By starting with the metrics that hold the greatest weight, security teams can enhance their SaaS security posture more efficiently.


Each recommendation is weighted based on the impact it can have on your overall security, giving you an easy way to prioritize. For example, securing privileged access is crucial for most organizations, so we recommend making it a priority. By clicking on the security recommendations tab, you can view all recommendations associated with the specific metric you selected, along with detailed remediation steps.

Figure 1: SaaS security initiative within Microsoft Security Exposure Management in the Defender portal

Get better visibility into OAuth apps connected to your environment

OAuth apps have emerged as a prominent attack vector for adversaries and introduce risks that many organizations overlook. This January, Microsoft's security team detected a nation-state attack leveraging OAuth apps to infiltrate corporate systems. The threat actor misused OAuth apps to infiltrate cloud environments and conduct post-compromise activity like email collection. One of the unique challenges with OAuth apps is that users often treat them as “set and forget” actions and lack visibility into the level of permissions and privileges granted to them. Once attackers compromise an OAuth app with high-level permissions, they can exfiltrate sensitive information. Securing OAuth apps begins with effective visibility. OAuth apps with external origins, high-level permissions, or access to legacy APIs present significant risks if compromised. Today, we’re announcing enhanced visibility into OAuth apps within Defender for Cloud Apps to help security teams set effective controls and mitigate risks. We’re making improvements in these key areas:

  1. Visibility into app origins
  2. Expanded visibility into app privilege levels
  3. Permissions filter and export capabilities

1. Visibility into app origins
Most organizations have hundreds, if not thousands, of OAuth apps connected to their environment, but security teams often lack visibility into the origin of these apps. External OAuth apps, especially those not directly managed by an organization's IT team, often have access to sensitive information or the ability to perform tasks on behalf of the organization. If left unchecked, these apps can introduce security risks if they have more privileges than necessary.

With the new app origin functionality in Defender for Cloud Apps, security teams can gain visibility into the origins of OAuth apps connected to their Microsoft 365 environment. They can also create custom policies to monitor and get alerted on apps that have external origins to proactively review such apps and improve the security posture of the organization.

Figure 2: See apps with external origin with the new app origin filter in Defender for Cloud Apps

2. Expanded visibility into app privilege levels
High-privilege apps often hold extensive access to sensitive information, and undetected permission levels can pose serious security risks. Defender for Cloud Apps has been essential in providing visibility into the privilege levels of permissions granted to OAuth apps for the Microsoft Graph API. We’re now enhancing this capability to cover all major Microsoft first-party APIs. This expanded visibility gives security teams a complete view of app permissions that they can review and monitor. Additionally, security teams can create policies to monitor and get alerted for any app with highly privileged permissions.

Figure 3: View the expanded privilege level for all popular Microsoft first-party API permissions

3. Permissions filter and export capabilities
We’re introducing new permissions filtering and export capabilities to help security teams efficiently identify apps with specific permissions such as Mail.Read, Mail.ReadWrite, and Files.ReadWrite to access Microsoft 365. This will allow security teams to quickly identify and focus on apps that have high-risk permissions to access Microsoft 365 or can alter important settings. Further, we will provide insights into the level of access that OAuth apps have been granted, allowing security teams to make educated decisions on the associated risk. 

Figure 4: The new permission filter in Defender for Cloud Apps
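To show how the three signals above (app origin, privilege level, and specific Microsoft 365 permissions, plus legacy API access) combine into a review queue, here is an added example that is not Microsoft's code and not the Defender for Cloud Apps schema: the field names, the "internal"/"external" and "low"/"medium"/"high" values, and the sample inventory are all assumptions constructed for the illustration.

```python
from dataclasses import dataclass

# Permissions the post calls out as worth filtering for (assumed high-risk set).
HIGH_RISK_PERMISSIONS = {"Mail.Read", "Mail.ReadWrite", "Files.ReadWrite"}


@dataclass
class OAuthApp:
    name: str
    origin: str                 # "internal" or "external" (assumed values)
    privilege_level: str        # "low", "medium" or "high" (assumed values)
    permissions: frozenset = frozenset()
    uses_legacy_api: bool = False


def risk_reasons(app):
    """Return the review reasons for one app, in the order the post lists them."""
    reasons = []
    if app.origin == "external":
        reasons.append("external origin")
    if app.privilege_level == "high":
        reasons.append("high privilege level")
    risky = sorted(app.permissions & HIGH_RISK_PERMISSIONS)
    if risky:
        reasons.append("high-risk permissions: " + ", ".join(risky))
    if app.uses_legacy_api:
        reasons.append("legacy API access")
    return reasons


def triage(apps):
    """Rank flagged apps by number of risk signals (most first), then by name."""
    scored = [(app.name, risk_reasons(app)) for app in apps]
    flagged = [(name, reasons) for name, reasons in scored if reasons]
    return sorted(flagged, key=lambda item: (-len(item[1]), item[0]))


# Constructed sample inventory for the example, not real tenant data.
SAMPLE_APPS = [
    OAuthApp("HR Portal", "internal", "low", frozenset({"User.Read"})),
    OAuthApp("Mail Sync Helper", "external", "high",
             frozenset({"Mail.ReadWrite", "User.Read"}), uses_legacy_api=True),
    OAuthApp("Doc Converter", "external", "medium", frozenset({"Files.ReadWrite"})),
    OAuthApp("Calendar Widget", "internal", "high", frozenset({"Calendars.Read"})),
]

if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_APPS):
        print(f"{name}: {'; '.join(reasons)}")
```

The policy alerts the post describes (external origin, highly privileged permissions) correspond to the first two checks; the permission filter corresponds to the third.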

Streamlined SaaS security operations

As SaaS usage grows, security teams are often stretched thin to secure their organization’s SaaS stack.  To further streamline SaaS security tasks like managing granular access to SaaS apps and shadow IT governance, we’re introducing the following new capabilities in Defender for Cloud Apps:


Cloud apps integration with Defender XDR’s unified RBAC model
Managing permissions across various workloads in large organizations can be complex and time-consuming. To make this easier for security teams, today we are excited to announce that Defender for Cloud Apps is now integrated with the unified role-based access control (RBAC) model in Defender XDR, along with new capabilities to make permission management even simpler. The improved unified RBAC model offers enhanced granularity, consistent role assignments, and the ability to manage multiple roles effectively. It organizes permissions by categories and groups, allowing admins to grant a predefined set of aggregated permissions or select permissions one-by-one for a custom role. Additionally, roles can be assigned to either users or security user groups, which are synchronized with data managed in Entra ID. 

 

Discovered apps Graph API
Cloud discovery in Defender for Cloud Apps provides comprehensive insights into the SaaS app landscape of your organization, such as the apps being used in the organization, usage telemetry from the discovered apps, the risk levels associated with those apps, and total traffic for each app. The Graph API for discovered apps now enables scalable shadow IT management by allowing you to programmatically query and retrieve data on discovered apps. It serves as an improved alternative to the existing Defender for Cloud Apps REST API and is designed to provide a more efficient and reliable way to query discovered apps information, enabling security teams to easily query and analyze risks associated with the discovered apps.

 

Enhanced block page experience
Cloud discovery helps security teams block risky or non-compliant apps from being used in the organization. Today, we are releasing an enhanced block screen experience that makes it easier for end users to differentiate between apps blocked by their organization's IT team and malicious apps blocked by SmartScreen. The redesigned block page features a white background, a new icon, and the option to configure a custom support URL that allows security teams to direct end users to relevant information or company-specific processes for requesting app exceptions.

Figure 5: Enhanced block screen experience with new UI and the option to create custom support URL

As the SaaS landscape rapidly evolves, it’s essential to stay agile and adopt the latest innovations to protect your organization’s SaaS environment from today’s sophisticated cyber threats. With consolidated app posture insights, deeper visibility into OAuth apps, and streamlined SaaS security operations, Defender for Cloud Apps delivers a seamless, simplified experience for security teams to protect organizations against SaaS-related threats and maintain a secure and well-managed SaaS stack with speed and confidence.

Updated Nov 19, 2024
Version 1.0