Forum Discussion

Newlife
Brass Contributor
Apr 22, 2020
Solved

Questions on controlling and monitoring Microsoft Teams workloads

Hi Community, 

 

One of our customers raised the queries below:

1. Monitoring and enforcement policies (OCAS and MCAS) and the differences between the two solutions

This https://docs.microsoft.com/en-us/cloud-app-security/editions-cloud-app-security-o365 differentiates the two; however, the partner is looking for answers for the specific scenarios below.

  1. Alert for adding a GA or adding users to a security role
  2. Alert for adding external guests to Teams sites
  3. Alert for adding a user to a specific group (like domain admin)

2. Is monitoring live? If not, what is the delay?

According to this https://docs.microsoft.com/en-us/cloud-app-security/proxy-intro-aad, Conditional Access App Control enables user app access and sessions to be monitored and controlled in real time based on access and session policies.

  1. Is live monitoring/control only for application-based "web access", or does it include desktop clients such as the desktop Teams and desktop Outlook apps?

 

3. When will the enforcement occur following a monitoring alert? How much time?

According to this https://docs.microsoft.com/en-us/cloud-app-security/proxy-intro-aad, it uses a reverse proxy architecture and is uniquely integrated with Azure AD Conditional Access. Azure AD Conditional Access allows you to enforce access controls on your organization's apps based on certain conditions as soon as the policy is enabled.

 

  1. When will the enforcement occur following a monitoring alert? How much time? (without reverse proxy)

 

4. Blocking of upload to Teams site and alerting for sensitive data as opposed to other types of documents.

 

  1. They want to create alerts when someone uploads or downloads files in Teams.
  2. A specific alert if there is sensitive information in the file.

5. Blocking share options for sensitive data

According to this https://docs.microsoft.com/en-us/cloud-app-security/best-practices#block-and-protect-download-of-sensitive-data-to-unmanaged-or-risky-devices, they can use MCAS to block and protect download of sensitive data to unmanaged or risky devices.

 

  1. Can they do it with OCAS?
  2. Does it apply only to the web app, or does it include the desktop app?

6. Risky sign-in options under OCAS: real time? Alerts? Enforcement?

According to this https://docs.microsoft.com/en-us/cloud-app-security/proxy-intro-aad, it monitors user sessions for compliance: risky users are monitored when they sign into apps, and their actions are logged from within the session. You can investigate and analyze user behavior to understand where, and under what conditions, session policies should be applied in the future.

 

  1. Does it apply only to the web app, or does it include the desktop app?

7. Alerting and blocking multiple sign in attempts

According to this https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy, you can create anomaly policies to get instantaneous behavioral analytics and anomaly detection and then block the appropriate activity.

 

  1. Can all the built-in policies that we can see in the OCAS portal be applied?

8. Blocking options in Teams/SharePoint for sharing options from internal vs external users

 

  1. Blocking/alerting for sharing files based on whether the user is an external or internal user.

9. Blocking or alerting on user connection to O365 portal/O365 services from outside Israel

 

  1. Block and alert if the connection to the O365 portal and O365 services was from a country other than Israel.

Any pointers would be of great help. Many thanks!

2 Replies

  •
    John_Lewis
    Former Employee

    Hi Newlife, thank you for the questions. Please see my responses below:

     

    Alert for adding GA or adding users to a security role

    Yes, these activity types are supported ("Add member to group/role"). In addition, with integrations with Azure ATP, we can detect suspicious additions to sensitive groups. Custom sensitive groups can be defined by admins.

     

    https://docs.microsoft.com/en-us/azure-advanced-threat-protection/atp-domain-dominance-alerts#suspicious-additions-to-sensitive-groups-external-id-2024

     

    Another approach is to customize your filter to include the "Activity objects" "Activity object ID" equals the AAD group objectID from Azure AD. This can easily be added to any filter within the Activity Log by navigating to the activity and clicking the "Activity Objects". Within those objects, there are icons to include the objects in the filter.

     

    Alert for Adding external guests to Teams sites

     

    We have MS Teams specific templates that will detect this activity. See below:

     

    Access level change (Teams): Alerts when a team's access level is changed from private to public.
    External user added (Teams): Alerts when an external user is added to a team.
    Mass deletion (Teams): Alerts when a user deletes a large number of teams.

     

    Alert for adding user for specific group (Like domain admin)

    Same as #1

     

    Are live monitoring control only application based “web access” or include desktop client such as “desktop Teams, desktop outlook app”?

     

    Conditional Access App Control can monitor and control the session in real time for web-based applications. We have access control policies which can be used to block the desktop and mobile clients.
    https://docs.microsoft.com/en-us/cloud-app-security/proxy-intro-aad#access-controls

     

    When will the enforcement occur following a monitoring alert? How much time? (without reverse proxy)

     

    When using Conditional Access App Control, session controls are in real time. If you elect to monitor the session, no controls will be used. This provides an avenue to analyze user behavior to understand under what conditions session policies should be applied in the future. Without CaaC enabled, you can leverage API-connected applications that perform governance functionality in near real time.

    https://docs.microsoft.com/en-us/cloud-app-security/enable-instant-visibility-protection-and-governance-actions-for-your-apps

     

    They want to create alerts when someone upload or download files in Teams

    We have activity filters that support upload/download file.

     

    Specific alert if there is sensitive information in the file.
    File policies support DLP functionality.
    https://docs.microsoft.com/en-us/cloud-app-security/data-protection-policies

     

    MCAS to block and protect download of sensitive data to unmanaged or risky devices: Can they do it with OCAS?
    Only for Office Apps but the license requirements also include Azure AD P1.
    https://docs.microsoft.com/en-us/cloud-app-security/proxy-intro-aad

     

    Can it apply only on web app or include desktop app?
    Only web-based applications. You would need to use access policies to limit desktop and mobile applications to provide a comprehensive approach to securing those apps.

     

    Can all the built-in policies that we can see in the OCAS portal be applied?

    Yes

     

    Blocking/alerting for sharing files based on whether the user is an external or internal user.
    That control should be handled with the native tools built into OD4B/SharePoint https://docs.microsoft.com/en-us/sharepoint/external-sharing-overview

     

    Block and alert if the connection to the O365 portal and O365 services was from a country other than Israel.
    This can be done with Azure AD Conditional Access Policies.

    Alerts can be configured in CAS to filter on activity type such as logon and location.
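As an added illustration of what the activity filters described in the reply above actually test for (example code written for this page, not Microsoft's and not posted by either participant), the Python below applies three of the requested alert rules to constructed audit records: a user added to a sensitive directory role (questions 1 and 3), an external guest added to a team (question 2), and a sign-in from a country other than Israel (question 9). Field names such as `Operation`, `UserId`, `ModifiedProperties`, `Members`/`UPN` and `TeamName` are simplified assumptions loosely modelled on the Office 365 unified audit log, not its exact schema; the `Country` field on the sign-in record is a constructed stand-in for the location that Azure AD sign-in logs or a GeoIP lookup would supply. The sensitive-role list and the country allow-list are assumptions too.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed set of sensitive directory roles for the "GA / security role" alert.
PRIVILEGED_ROLES = {
    "Global Administrator",
    "Privileged Role Administrator",
    "Security Administrator",
}
# Assumed allow-list for the "outside Israel" alert (ISO 3166-1 alpha-2).
ALLOWED_COUNTRIES = {"IL"}


@dataclass(frozen=True)
class Alert:
    rule: str
    actor: str
    detail: str


def is_guest_upn(upn: str) -> bool:
    # Azure AD B2B guests carry "#EXT#" in their UPN,
    # e.g. alice_partner.com#EXT#@tenant.onmicrosoft.com
    return "#ext#" in upn.lower()


def role_added(record: Dict) -> Optional[str]:
    # "Add member to role." records list the role under ModifiedProperties
    # with Name == "Role.DisplayName" (assumed shape, see lead-in).
    for prop in record.get("ModifiedProperties", []):
        if prop.get("Name") == "Role.DisplayName":
            return prop.get("NewValue")
    return None


def detect(record: Dict) -> List[Alert]:
    alerts: List[Alert] = []
    op = record.get("Operation", "")
    actor = record.get("UserId", "<unknown>")

    if op == "Add member to role.":
        role = role_added(record)
        if role in PRIVILEGED_ROLES:
            alerts.append(Alert("privileged-role-add", actor,
                                f"{record.get('ObjectId')} added to {role}"))

    elif op == "MemberAdded" and record.get("Workload") == "MicrosoftTeams":
        for member in record.get("Members", []):
            upn = member.get("UPN", "")
            if is_guest_upn(upn):
                alerts.append(Alert("teams-external-guest", actor,
                                    f"{upn} added to team {record.get('TeamName')}"))

    elif op == "UserLoggedIn":
        # Country is a constructed field; an unknown location is treated as
        # outside the allow-list rather than silently passed.
        country = record.get("Country")
        if country not in ALLOWED_COUNTRIES:
            alerts.append(Alert("signin-outside-allowed-country", actor,
                                f"sign-in from {country or 'unknown'} via {record.get('ClientIP')}"))
    return alerts


def run(records: List[Dict]) -> List[Alert]:
    return [alert for record in records for alert in detect(record)]


# Constructed sample records (not real tenant data).
SAMPLE_RECORDS = [
    {"Operation": "Add member to role.", "Workload": "AzureActiveDirectory",
     "UserId": "admin@contoso.onmicrosoft.com", "ObjectId": "bob@contoso.onmicrosoft.com",
     "ModifiedProperties": [{"Name": "Role.DisplayName", "NewValue": "Global Administrator", "OldValue": ""}]},
    {"Operation": "Add member to role.", "Workload": "AzureActiveDirectory",
     "UserId": "admin@contoso.onmicrosoft.com", "ObjectId": "carol@contoso.onmicrosoft.com",
     "ModifiedProperties": [{"Name": "Role.DisplayName", "NewValue": "Helpdesk Administrator", "OldValue": ""}]},
    {"Operation": "MemberAdded", "Workload": "MicrosoftTeams", "TeamName": "Finance",
     "UserId": "owner@contoso.onmicrosoft.com",
     "Members": [{"UPN": "dave@contoso.onmicrosoft.com", "Role": 2},
                 {"UPN": "eve_partner.com#EXT#@contoso.onmicrosoft.com", "Role": 2}]},
    {"Operation": "UserLoggedIn", "Workload": "AzureActiveDirectory",
     "UserId": "bob@contoso.onmicrosoft.com", "ClientIP": "192.0.2.10", "Country": "IL"},
    {"Operation": "UserLoggedIn", "Workload": "AzureActiveDirectory",
     "UserId": "bob@contoso.onmicrosoft.com", "ClientIP": "198.51.100.7", "Country": "DE"},
]

if __name__ == "__main__":
    for alert in run(SAMPLE_RECORDS):
        print(f"[{alert.rule}] {alert.actor}: {alert.detail}")
```

Running it over the five constructed records yields three alerts: the Global Administrator assignment fires, the Helpdesk Administrator assignment does not, only the `#EXT#` member of the Finance team fires, and only the sign-in from DE fires. The "Activity object ID equals the group objectID" filter from the reply is the same idea applied to a group rather than a role: match on the object in the record, not on the free-text operation name alone.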
