Forum Discussion

Dean_Gross's avatar
Dean_Gross
Silver Contributor
Mar 07, 2018

EMS E3 CAS Discovery Functionality

When I look at the O365 EM+S E3 license setting in the O365 Admin Center, it shows Cloud App Security Discovery as an option. This page https://support.office.com/en-us/article/get-ready-for-office-3...
Cloud App Security
Cloud Discovery
Niv Goldenberg's avatar
Niv Goldenberg
Former Employee
Mar 21, 2018

Hi Dean,

 

I understand why it might be confusing. Let me try to clarify that.

Cloud App Security powers 3 different Discovery solution using the same engine.

 

Discovery in MCAS (EMS E5) - The full blown Shadow IT Discovery solution. Documented here: https://docs.microsoft.com/en-us/cloud-app-security/set-up-cloud-discovery

 

Discovery in AAD (EMS E3) - known as CAD. Similar functionality to MCAS but doesn't include risk assessment and anomaly detection in discovered usage. Documented here: https://docs.microsoft.com/en-us/azure/active-directory/cloudappdiscovery-get-started

 

You can see the comparison between Discovery in AAD CAD and MCAS here: https://docs.microsoft.com/en-us/cloud-app-security/editions-cloud-app-security-aad

 

When you activate CAS Discovery (in the screenshot you attached in the pervious message), you enable CAD.

 

 

Discovery in OCAS (Office365 E5) - Covers only cloud apps with similar functionality to Office 365. Does not include risk assessment and anomaly detection in discovered usage, automated upload, and more features. Documented here: https://support.office.com/en-us/article/overview-of-office-365-cloud-app-security-81f0ee9a-9645-45ab-ba56-de9cbccab475?ui=en-US&rs=en-US&ad=US#dashboard

 

You can see the comparison between Discovery in MCAS and OCAS here: https://docs.microsoft.com/en-us/cloud-app-security/editions-cloud-app-security-o365

 

 

 

Dean_Gross's avatar
Dean_Gross
Silver Contributor
Mar 21, 2018

Thanks, after rereading those, I'm still confused because of the behavior I have seen in my customers tenant. They have EMS E3 (CAD) and according to the Setup Steps, web traffic logs must be uploaded so that there is something to analyze. When I look in the portal on the Investigate, Users and Accounts page, it shows some users but log data has never been uploaded so I can't figure out why data is showing. This is not consistent with the description of how CAD is supposed to work. 

 

It seems as if some activity analyses are being performed directly against O365 network traffic, but this is not mentioned in any of the documentation that I can find. 

  • Dinesh babu kanagala's avatar
    Dinesh babu kanagala
    Copper Contributor
    Oct 11, 2019
    I also have same question, but I will keep it straight forward. We have EMSE3 assigned for all users. Are we allowed to add O365 App under connect apps section in Cloud app security portal ?

    Thanks
    Kangalaz