Mar 07 2018 10:52 AM
When I look at the O365 EM+S E3 license setting in the O365 Admin Center, it shows Cloud App Security Discovery as an option. This page https://support.office.com/en-us/article/get-ready-for-office-365-cloud-app-security-d9ee4d67-f2b3-4... clearly states that we need E5 to get CAS, but does not mention Cloud App Security Discovery.
Can someone please provide me the definitive answer about what is actually possible with EMS E3 regarding CAS?
Mar 08 2018 03:36 AM
Hi
Cloud App Security Discovery as part of EMS E3 was announced at Ignite. You get the discovery features of CAS as part of your EMS E3 License.
Mar 08 2018 05:31 AM - edited Mar 09 2018 04:05 PM
Thanks, I understand that the announcement was made and I have seen the presentations, but what I don't understand is what that functionality includes. I can't find any documentation that describes this. Here is another example of information that causes confusion https://www.microsoft.com/en-us/cloud-platform/enterprise-mobility-security-pricing. It clearly shows that CAS is not included in EMS E3.
Also, the instructions at https://support.office.com/en-us/article/overview-of-office-365-cloud-app-security-81f0ee9a-9645-45a... clearly state that an E5 is needed (there is no mention of what can be done with just the E3).
To add a little more detail, here is what I am seeing. I am trying to figure out exactly what happens when the CAS Discover setting is activated or deactivated.
@Niv Goldenberg @Ryan Heffernan @Nicholas DiCola (SECURITY JEDI)
Mar 21 2018 09:29 AM
Hi Dean,
I understand why it might be confusing. Let me try to clarify that.
Cloud App Security powers 3 different Discovery solutions using the same engine.
Discovery in MCAS (EMS E5) - The full blown Shadow IT Discovery solution. Documented here: https://docs.microsoft.com/en-us/cloud-app-security/set-up-cloud-discovery
Discovery in AAD (EMS E3) - known as CAD. Similar functionality to MCAS but doesn't include risk assessment and anomaly detection in discovered usage. Documented here: https://docs.microsoft.com/en-us/azure/active-directory/cloudappdiscovery-get-started
You can see the comparison between Discovery in AAD CAD and MCAS here: https://docs.microsoft.com/en-us/cloud-app-security/editions-cloud-app-security-aad
When you activate CAS Discovery (in the screenshot you attached in the previous message), you enable CAD.
Discovery in OCAS (Office365 E5) - Covers only cloud apps with similar functionality to Office 365. Does not include risk assessment and anomaly detection in discovered usage, automated upload, and more features. Documented here: https://support.office.com/en-us/article/overview-of-office-365-cloud-app-security-81f0ee9a-9645-45a...
You can see the comparison between Discovery in MCAS and OCAS here: https://docs.microsoft.com/en-us/cloud-app-security/editions-cloud-app-security-o365
Mar 21 2018 10:28 AM
Thanks, after rereading those, I'm still confused because of the behavior I have seen in my customer's tenant. They have EMS E3 (CAD) and according to the Setup Steps, web traffic logs must be uploaded so that there is something to analyze. When I look in the portal on the Investigate, Users and Accounts page, it shows some users but log data has never been uploaded so I can't figure out why data is showing. This is not consistent with the description of how CAD is supposed to work.
It seems as if some activity analyses are being performed directly against O365 network traffic, but this is not mentioned in any of the documentation that I can find.
Oct 11 2019 03:28 PM