Forum Discussion

GI472's avatar
GI472
Brass Contributor
Mar 07, 2023

Blocking unsanctioned apps

Hi everyone,

 

I am using Microsoft Defender for Endpoint, and now that it has incorporated Microsoft Defender for Cloud Apps, I am exploring how I can block access to unsanctioned apps.

 

I created a device group and a scoped profile for a test Allow group (Group A) and I am able to block access to a specific, unsanctioned app, which I'll call App A, for everyone else (Group B). I created the device group by tagging the relevant devices in the device inventory, and then used tags as the device group attribute. 

 

However, is it possible to get more granular control to create or use multiple groups for multiple apps, like you can do in Active Directory?

 

Ultimately, I want to be able to block unsanctioned apps for everyone, but then create exceptions for App A for Group A, App B for Group C etc., so that it isn't simply a Block OR Allow situation?

 

    • GI472's avatar
      GI472
      Brass Contributor
      Hi Yoann,

      Thank you for sharing the link. I have read that guidance before, but I don't think it answered my question clearly.

      I have fifty-four apps in total.

      I have fifty apps that I want to block access to for everyone.

      I have the following four apps that I want to block access to for nearly everyone, but allow for certain users only, who I will call Alice, Bob, Chris and Dave:
      - Dropbox
      - Gmail
      - Google Docs
      - Google Drive

      How do I allow Alice, Bob and Chris access to Dropbox and Gmail, whilst stopping Dave and everyone else from accessing it?

      Also, I want to allow Alice, Chris and Dave access to Google Docs but stop Bob and everyone else from accessing it.

      Lastly, I want to allow Bob and Dave access to Google Drive, but stop Alice, Chris and everyone else.

      I found out about importing user groups from AD, but the literature seems to suggest this is only for deciding which groups to monitor for app discovery, rather than governance actions.

      My understanding is (please correct me if I'm wrong!) that currently I can only use scoped profiles based on Device groups. This means that if a user gets their laptop swapped, I need to make sure to move the old/new laptops into/out of the device group.

      It also means that a laptop can only be in one device group at a time, with the highest ranked device group taking precedence.

      So, if I create a scoped profile for allow Dropbox and I put Alice, Bob and Chris' laptops in the device group, and then create a deny device group for Alice and Chris to prevent access to Google Drive, then Alice and Chris' laptops would be blocked from accessing Dropbox as the Google Drive block device group takes precedence.

      Is it possible to created scoped profiles based on membership of an Active Directory group, import that group, and have that user be a member of more than one AD group/scoped profile, depending on the app and requirement to block/allow?

      So, if I have an AD group called 'Allow Dropbox' and added Alice, Bob, and Chris, I could unsanction Dropbox to block access to Dropbox for but except that group?

      And then if I had an AD group called 'Allow Google Drive' and added Bob and Dave, I could unsanction Google Docs to block access to everyone but Bob and Dave, without it having any impact on Alice and Chris being able to access Dropbox?

      Sorry for the wordy reply, but I'm really trying to figure this out!
      • Joe_16's avatar
        Joe_16
        Copper Contributor
        GI472
        Hi,
        Did you work this out?
        In same kind of situation.
        Thanks.

Resources