Forum Discussion
MCAS Webinar Q&A
Q & A:
Thank you and a great session today.
Can I get a follow up from my Question in the Webinar:
I asked:
reply from Moderator
2nd: You stated "Flow has built in DLP capabilities and the ability to block specific connections which might answer the requirement" ..... but the Flow DLP does not provide any kind of connection block? Can you provide details or a contact who can provide more details on this?
To my understanding the Flow DLP only limits the use of connectors with other connectors, it does not block a connector from being used or connecting to data.
- Sebastien Molendijk, Mar 19, 2019
Microsoft
1st: I don't think my question was understood correctly, as setting up connectors to authenticate uses browser sessions, as does PowerApps and Flow. (And if Flow data connection cannot be monitored in MCAS then does this not bypass any security policies that we put in place using MCAS??)
App Control (reverse proxy) only works for browser based sessions, after the user authenticated against the IdP, like Azure AD. The IdP is the one redirecting the user to MCAS instead of redirecting him/her to the app.
In the case of apps like Flow connecting to Box, the connections between the apps will use the apps' APIs, not any browser, and the user account used to create the connection doesn't authenticate against the IdP but the app uses an OAuth token generated when the user created the connection, so we can't redirect to a limited session.
MCAS will see the activities, like download or delete of the file, but can't prevent them in real time.
2nd: You stated "Flow has built in DLP capabilities and the ability to block specific connections which might answer the requirement" ..... but the Flow DLP does not provide any kind of connection block? Can you provide details or a contact who can provide more details on this?
To my understanding the Flow DLP only limits the use of connectors with other connectors, it does not block a connector from being used or connecting to data.
Hi, this is correct.
Sorry for the typo, as answering through the several hundreds of questions during the call I typed connections instead of connectors.
- TOnymcgra, Mar 20, 2019
Copper Contributor
Thank you Sebastien Molendijk for your reply,
Sorry, my mistake here: I left out one very important item in my first part, sorry.
If we have SSO set up to 3rd party services/apps via Enterprise Application in Azure AD, and then have Conditional Access set to enforce SSO, then when a connector is set up it would need to authenticate via SSO to AAD. Would this then not enable MCAS to have control/monitor capabilities on the connector usage in Flow?
For example, if we set up SSO to Dropbox via Azure AD, then set Conditional Access to enforce this, so the only way any user can get access to Dropbox is if they are provided access via AAD and use SSO.
Now when using Flow, if that user tries to set up a Dropbox connector, at the authentication section at the beginning when creating the connector, will SSO not be enforced, so then authenticating the connector is via AAD?
My Questions here:
- Will SSO via AAD using Conditional Access allow us to control the initial set up and authentication to create a connector?
- When a connector is created via SSO to AAD, what information/controls can MCAS give us, or what details can it log at initial connector setup?
- If MCAS cannot provide any visibility of API traffic/usage to connections from the tenant that use OAuth tokenised connections, what can provide monitoring and control of this traffic in and out of our tenant?
- MCAS will not monitor or give any control over any API calls
- Sebastien Molendijk, Mar 22, 2019
Microsoft
Thanks for the details.
Let me discuss this internally and see what would be possible for this use case.
- Ryan Heffernan, Mar 19, 2019
Microsoft
TOnymcgra wrote:
Q & A:
Thank you and a great session today.
Can I get a follow up from my Question in the Webinar:
I asked:
"when MCAS policy is in place...
Yoann_David_Mallet: Can you address this?