EMS E3 CAS Discovery Functionality


When I look at the O365 EM+S E3 license setting in the O365 Admin Center, it shows Cloud App Security Discovery as an option. This page https://support.office.com/en-us/article/get-ready-for-office-365-cloud-app-security-d9ee4d67-f2b3-4... clearly states that we need E5 to get CAS, but does not mention Cloud App Security Discovery.

Can someone please provide me the definitive answer about what is actually possible with EMS E3 regarding CAS.

5 Replies

Hi

https://cloudblogs.microsoft.com/enterprisemobility/2017/09/27/whats-new-in-microsoft-cloud-app-secu...

Cloud App Security Discovery as part of EMS E3 was announced at Ignite.  You get the discovery features of CAS as part of your EMS E3 License.

Thanks, I understand that the announcement was made and I have seen the presentations, but what I don't understand is what that functionality includes. I can't find any documentation that describes this. Here is another example of information that causes confusion https://www.microsoft.com/en-us/cloud-platform/enterprise-mobility-security-pricing. It clearly shows that CAS is not included in EMS E3.

Also, the instructions at https://support.office.com/en-us/article/overview-of-office-365-cloud-app-security-81f0ee9a-9645-45a... clearly state that an E5 is needed (there is no mention of what can be done with just the E3)

To add a little more detail, here is what I am seeing. I am trying to figure out exactly what happens when the CAS Discover setting is activated or deactivated.

[Screenshot: e3casd.png]

@Niv Goldenberg @Ryan Heffernan @Nicholas DiCola (SECURITY JEDI)

Hi Dean,

I understand why it might be confusing. Let me try to clarify that.

Cloud App Security powers 3 different Discovery solutions using the same engine.

Discovery in MCAS (EMS E5) - The full blown Shadow IT Discovery solution. Documented here: https://docs.microsoft.com/en-us/cloud-app-security/set-up-cloud-discovery

Discovery in AAD (EMS E3) - known as CAD. Similar functionality to MCAS but doesn't include risk assessment and anomaly detection in discovered usage. Documented here: https://docs.microsoft.com/en-us/azure/active-directory/cloudappdiscovery-get-started

You can see the comparison between Discovery in AAD CAD and MCAS here: https://docs.microsoft.com/en-us/cloud-app-security/editions-cloud-app-security-aad

When you activate CAS Discovery (in the screenshot you attached in the previous message), you enable CAD.

Discovery in OCAS (Office365 E5) - Covers only cloud apps with similar functionality to Office 365. Does not include risk assessment and anomaly detection in discovered usage, automated upload, and more features. Documented here: https://support.office.com/en-us/article/overview-of-office-365-cloud-app-security-81f0ee9a-9645-45a...

You can see the comparison between Discovery in MCAS and OCAS here: https://docs.microsoft.com/en-us/cloud-app-security/editions-cloud-app-security-o365

Thanks, after rereading those, I'm still confused because of the behavior I have seen in my customer's tenant. They have EMS E3 (CAD) and according to the Setup Steps, web traffic logs must be uploaded so that there is something to analyze. When I look in the portal on the Investigate, Users and Accounts page, it shows some users but log data has never been uploaded so I can't figure out why data is showing. This is not consistent with the description of how CAD is supposed to work.

It seems as if some activity analyses are being performed directly against O365 network traffic, but this is not mentioned in any of the documentation that I can find.

I also have the same question, but I will keep it straightforward. We have EMSE3 assigned for all users. Are we allowed to add O365 App under connect apps section in Cloud app security portal?

Thanks
Kangalaz