Best practice for creating groups to be used in CAS

I am new to CAS, and am in a department of a larger higher ed institution.  Central IT has no experience in the Security/Compliance and CAS areas, so I'm doing the research to get my department up and running (we are all A5 licensed in my dept).  I'm hoping the community can help with two questions:

(1) What is the best practice for the kind of group to create if you want to use it in CAS?  My choices are Security or Office, and Synced vs. Assigned (we have a hybrid environment).

(2) How do you assign a Group Admin role over a group in CAS?  I can't find this answer in Microsoft docs.  I assume that the choice in (1) is important to achieve (2).

Thanks!

Matt

Hi Matt,

 

I would recommend using an Azure AD security group. This group can be synchronized from your on-prem AD or created in Azure AD. If you want to manage its membership dynamically, create an Azure AD security group with dynamic membership.

 

Once you have your group in Azure AD, you have to import it into Cloud App Security, as explained here: https://docs.microsoft.com/en-us/cloud-app-security/user-groups

 

After the group has been imported in MCAS, you can then use it to assign Group admin permission to the relevant admins. This is explained here: https://docs.microsoft.com/en-us/cloud-app-security/manage-admins#add-additional-admins

 

Group admin: Has permissions to all of the data in Microsoft Cloud App Security that deals exclusively with the specific group selected here. For example, if you give a user admin permission to the group "Germany - all users", the admin can view and modify information in Microsoft Cloud App Security only for that user group:

  • Activities page - Only activities about the users in the group
  • Alerts - Only alerts relating to the users in the group
  • Policies - Can view all policies and can edit or create only policies that deal exclusively with users in the group
  • Accounts page - Only accounts for the specific users in the group
  • App permissions – No permissions
  • Files page – No permissions
  • Conditional Access App Control - No permissions
  • Cloud Discovery activity - No permissions
  • Security extensions - Permissions only for API token with users in the group
  • Governance actions - Only for the specific users in the group

 

Hope it helps!

 

Best regards,

 

Sebastien
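The first step of the answer above, creating the dynamic-membership security group and checking that it is the right kind of group before importing it into Cloud App Security, as an added example that is not from this thread or from Microsoft's documentation. It assumes the AzureAD PowerShell module, an admin session, and a constructed department value "Physics"; the import and Group admin assignment steps are done in the portal as linked above.

```powershell
# Added example: create an Azure AD security group with dynamic membership
# (the kind of group recommended above) and verify it is a plain security
# group, not an Office 365 ("Unified") group, before importing it into CAS.
# Assumes the AzureAD module (Install-Module AzureAD) and an admin session.
Connect-AzureAD

$displayName = "CAS - Physics department"          # constructed name
$rule        = '(user.department -eq "Physics")'   # constructed rule; use your own attribute

$group = New-AzureADMSGroup -DisplayName $displayName `
    -Description "Scope for Cloud App Security group admins" `
    -MailEnabled $false -MailNickname "cas-physics" -SecurityEnabled $true `
    -GroupTypes "DynamicMembership" `
    -MembershipRule $rule -MembershipRuleProcessingState "On"

# Check: the group used for CAS scoping should be security-enabled and must
# not be an Office 365 group (GroupTypes contains "Unified"), which answers
# the "Security or Office" part of the original question.
function Test-CasScopeGroup {
    param([string]$GroupId)
    $g = Get-AzureADMSGroup -Id $GroupId
    $isUnified = $g.GroupTypes -contains "Unified"
    $isDynamic = $g.GroupTypes -contains "DynamicMembership"
    if ($g.SecurityEnabled -and -not $isUnified) {
        Write-Output "OK: '$($g.DisplayName)' is a security group (dynamic: $isDynamic)"
        return $true
    }
    Write-Warning "'$($g.DisplayName)' is not a plain security group (SecurityEnabled=$($g.SecurityEnabled), GroupTypes=$($g.GroupTypes -join ','))"
    return $false
}

Test-CasScopeGroup -GroupId $group.Id

# Dynamic membership is evaluated asynchronously; list members once the
# rule has been processed to confirm the scope is what you expect.
Get-AzureADGroupMember -ObjectId $group.Id | Select-Object DisplayName, UserPrincipalName
```

For a group synced from on-prem AD, skip the creation step and run only the check against the synced group's object ID.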

 

Thank you for the response, Sebastien.  I see the issue now - our Azure GA (also a Security Administrator) does not have the choice of "Manage Admin Access" in the gear drop-down.  Only Settings, Governance log, Security extensions, Exported reports, Scoped deployment, IP address ranges and User groups.

 

I had our GA assign himself an A5 license just in case (rest of campus is currently A1), but that didn't change the drop-down choices.  Might you have an idea how to proceed on this?

 

Matt

Hi,

 

Why are you combining Global Admin with Security Admin?

Could you remove that account from the Security Admin, log off and try again?

 

I suspect a permission mismatch.

Sebastien:

After quite a bit more work, we have determined that delegating permissions to imported groups is not a feature of Office Cloud App Security, and only a feature of Microsoft Cloud App Security.  It's not specifically called out here https://docs.microsoft.com/en-us/cloud-app-security/editions-cloud-app-security-o365, but we assume based on other feature items that we will not have this available in OCAS.

 

Thanks,

Matt