Forum Discussion
Using Microsoft Defender for Cloud Apps to block apps on managed devices.
Hi CrestonV,
The unsanctioned tagging works in conjunction with MDE to enforce web app blocking by leveraging Network Protection's custom indicators list. This occurs by MDCA automatically adding the domains/URLs to the list upon tagging an app as unsanctioned.
I recommend confirming that you have custom indicators enabled and are Enforcing App Access, here.
Finally, it also doesn't hurt to check that you have the integration between MDE and MDCA turned on in Advanced Features; see here.
Let me know if this helps or if you still experience the issue.
Best regards,
Dylan
Hi DylanInfosec,
Thanks for your reply on my post.
I can confirm both Custom indicators and the MDE/MDCA integration are switched on and working as they should. I can also see that the URLs of the unsanctioned apps have been added automatically to the custom indicators.
Yet we are not able to fully block an installed application. We continue to receive a notification from Windows Security of the block on the installed application (Mozilla Firefox) on our endpoints, and we also get alerts and incidents of users trying to access the installed app in our Defender for Endpoint admin console, but the users are still able to continue using the application.
We wanted to know if it's possible to completely block the app usage so that users are not able to interact with or open the app.
I look forward to hearing back from you.
Kind regards,
Creston Vaz
DylanInfosec, Jan 22, 2025, Iron Contributor
Doh, my apologies, I think I may have had a few similar posts up at the same time, hence my response not being too direct in response to your question.
As you stated, Defender for Cloud Apps does integrate, but to block Cloud Apps and not to prevent Mozilla Firefox, a desktop application, from opening. You will have to utilize something like Defender Application Control. You could also try Custom indicators by File hash and/or Certificate. These can then be assigned to specified Device Groups to block access for those Device Groups and allow others to use these applications.
This will be a game of whack-a-mole though and you might consider a different approach down the line such as allowing Firefox but managing the browser settings via Intune.
Best regards,
Dylan
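The Defender Application Control route Dylan points to, as an added example that is not part of the thread: a publisher-level deny rule for firefox.exe merged into Microsoft's allow-all WDAC template, compiled to a binary policy and left in audit mode so the would-be blocks can be reviewed first. The Firefox install path, the output directory and the policy name are assumptions; the ConfigCI cmdlets and the AllowAll.xml template ship with Windows.

```powershell
# Added example (not from the forum thread). Run in an elevated PowerShell on a
# Windows 10/11 admin workstation. Assumed paths:
$FirefoxExe   = 'C:\Program Files\Mozilla Firefox\firefox.exe'               # assumption
$AllowAllBase = "$env:windir\schemas\CodeIntegrity\ExamplePolicies\AllowAll.xml"
$OutDir       = 'C:\WDAC'                                                    # assumption
$PolicyXml    = Join-Path $OutDir 'BlockFirefox.xml'

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Publisher-level deny: keyed on the signing certificate chain, so it survives
# Firefox updates. A file-hash indicator has to be re-added for every new build,
# which is the whack-a-mole Dylan describes. Falls back to a hash rule if the
# binary were unsigned.
$DenyRules = New-CIPolicyRule -Level Publisher -Fallback Hash -Deny -DriverFilePath $FirefoxExe

# Merge the deny rule into the allow-all template. In WDAC, deny always wins
# over allow, so everything else keeps running while Firefox is blocked.
Merge-CIPolicy -OutputFilePath $PolicyXml -PolicyPaths $AllowAllBase -Rules $DenyRules | Out-Null

# Fresh policy GUID (multiple-policy format) and a readable name.
Set-CIPolicyIdInfo -FilePath $PolicyXml -ResetPolicyID -PolicyName 'Block Firefox' | Out-Null
$PolicyId = ([xml](Get-Content -Path $PolicyXml)).SiPolicy.PolicyID

# Rule options: 0 = Enabled:UMCI (user-mode binaries like firefox.exe are
# evaluated), 3 = Enabled:Audit Mode (log instead of block until reviewed),
# 16 = Enabled:Update Policy No Reboot.
Set-RuleOption -FilePath $PolicyXml -Option 0
Set-RuleOption -FilePath $PolicyXml -Option 3
Set-RuleOption -FilePath $PolicyXml -Option 16

# Compile to the binary form that Intune (or CiTool) deploys to the device group.
$PolicyBin = Join-Path $OutDir "$PolicyId.cip"
ConvertFrom-CIPolicy -XmlFilePath $PolicyXml -BinaryFilePath $PolicyBin | Out-Null
Write-Host "Audit-mode policy written to $PolicyBin"

# On a test device with the policy applied, Event ID 3076 in the CodeIntegrity log
# records what enforcement would have blocked; review these before removing option 3.
Get-WinEvent -LogName 'Microsoft-Windows-CodeIntegrity/Operational' `
    -FilterXPath '*[System[EventID=3076]]' -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message
```

Once the audit events show only the intended binary, remove option 3 with `Set-RuleOption -FilePath $PolicyXml -Option 3 -Delete`, recompile, and redeploy to the targeted device group.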