Mar 12 2019 09:25 AM - edited Mar 12 2019 10:07 AM
Many people have registered for our webinar (https://aka.ms/MCASWebinar). We're thrilled to see such interest, but it also means we'll likely get a large volume of questions on the call, and it may not be possible to respond to every one in real time.
We will do our best to get your question answered directly on the call, and we'll have several dedicated team members just to respond to the questions; however, I wanted to provide an additional mechanism for any questions we're unable to get to.
This post will be used for any questions that didn't get addressed on the call. We'll be reviewing the transcript of questions after the call and we'll post answers here. This may take a day or two, so please check back soon.
If you were unable to attend the call, note that you can find the recordings here: https://aka.ms/MCASRecordings. Feel free to reply to this post with any questions you have.
Mar 12 2019 01:03 PM
When MCAS applies a label to a SharePoint document, it triggers a workflow (if configured inside the library). Would you alter MCAS in future to counter this (like a setting to suppress the workflow)? In SP coding terms: SPItem.DisableWFEvents() --> SPItem.Update() --> SPItem.EnableWFEvents()
Mar 12 2019 01:05 PM
At what point would MCAS use the MIP SDK to apply labels in our tenant?
I heard that it would
- Enable logs push to AIP Analytics (Azure Logs DB)
- Label PDF files
Is that correct?
Mar 14 2019 06:25 AM - edited Mar 14 2019 06:28 AM
Q & A:
Thank you and a great session today.
Can I get a follow-up on my question from the webinar:
I asked:
2nd: You stated "Flow has built in DLP capabilities and the ability to block specific connections which might answer the requirement" ..... but the Flow DLP does not provide any kind of connection block? Can you provide details or a contact who can provide more details on this?
To my understanding, the Flow DLP only limits the use of connectors with other connectors; it does not block a connector from being used or connecting to data.
Mar 19 2019 10:19 AM - edited Mar 19 2019 10:20 AM
@Anandpb wrote:
When MCAS applies a label to a SharePoint document, it triggers a workflow (if configured inside the library). Would you alter MCAS in future to counter this (like a setting to suppress the workflow)? In SP coding terms: SPItem.DisableWFEvents() --> SPItem.Update() --> SPItem.EnableWFEvents()
@Sebastien Molendijk: Is this something you can speak to?
Mar 19 2019 10:21 AM
@Tony McGranaghan wrote:
Q & A:
Thank you and a great session today.
Can I get a follow-up on my question from the webinar:
I asked:
"when MCAS policy is in place...
@Yoann_David_Mallet: Can you address this?
Mar 19 2019 10:24 AM
@Anandpb wrote:
At what point would MCAS use the MIP SDK to apply labels in our tenant?
I heard that it would
- Enable logs push to AIP Analytics (Azure Logs DB)
- Label PDF files
Is that correct?
CC: @Rafael Dominguez and @Yoann_David_Mallet
Mar 19 2019 12:36 PM
When can we have the ability to initiate "Run this policy NOW ignoring all other MCAS queues"? I currently see that all actions (like policy DLP search, labeling) are queued in the back end and take their own time to complete. Or the ability to set frequencies of MCAS jobs.
Use case being,
Also, assuming that each MCAS action (search, match, label, remove, email...) has its own back end queue executed by a dedicated service: as a tenant, can we set the frequencies at which each service runs? Like I want the REMOVE service to run every minute and the EMAIL_USER service to run in a relaxed way.
Mar 19 2019 01:34 PM - edited Mar 19 2019 01:57 PM
2nd: You stated "Flow has built in DLP capabilities and the ability to block specific connections which might answer the requirement" ..... but the Flow DLP does not provide any kind of connection block? Can you provide details or a contact who can provide more details on this?
To my understanding, the Flow DLP only limits the use of connectors with other connectors; it does not block a connector from being used or connecting to data.
Hi, this is correct.
Sorry for the typo; while answering the several hundred questions during the call, I typed "connections" instead of "connectors".
Mar 19 2019 01:37 PM
Can you please give me more details about this?
What do you mean by triggering a workflow? Are you talking about a workflow triggered by modification activities?
Mar 20 2019 03:17 AM
Thank you @Sebastien Molendijk for your reply.
Sorry, my mistake here: I left out one very important item in my first part.
If we have SSO set up to 3rd party services/apps via an Enterprise application in Azure AD, and then have Conditional Access set to enforce SSO, then when a connector is set up it would need to authenticate via SSO to AAD. Would this then not enable MCAS to have control/monitor capabilities on the connector usage in Flow?
For example, if we set up SSO to Dropbox via Azure AD, then set Conditional Access to enforce this, the only way any user can get access to Dropbox is if they are provided access via AAD and use SSO.
Now, when using Flow, if that user tries to set up a Dropbox connector, at the authentication section at the beginning when creating the connector, will SSO not be enforced, so that the connector is then authenticated via AAD?
My Questions here:
Mar 20 2019 06:42 AM
Hi,
When we label a document (present in a SP library with workflows attached and versioning enabled), the related workflow gets initiated, which would trigger a complex business process.
We have many site collections with many workflows, and we cannot change each workflow to have a condition for "Modified By" == "SharePoint App".
We just need a way to ignore SP workflow triggering when the document is updated by the MCAS account (SharePoint App).
Mar 21 2019 05:56 AM
Hi, hope this is where we still post questions?
Great presentation today by @Gershon Levitz , thank you.
Q1:
In the area of OAuth apps and Manage OAuth Apps, when there is a policy, say, to get details on users that grant access/connection to a 3rd party application, how is the user identified? Is it a requirement that access to the 3rd party app/service is via AAD SSO, so the user can be linked and the permissions they grant tracked?
Q2:
In relation to all the details covered today, how would these controls and monitors work around connectors in PowerApps and Flow?
Let's say, in a direct-action extreme case, a "Risky OAuth" policy is put in place for all permission access to Google, and if access is given we take the action to revoke permission or suspend the account. Would this prevent a user from using a Google connector in Flow?
Q3:
For APIs that do not use username/password authentication via a 3rd party or IdP like AAD to gain user access to their service, and use something like an API key, for example the "PagerDuty" connector in Flow, what can MCAS offer here, and what details and actions would be given?
Thank you
Mar 21 2019 07:35 AM - edited Mar 21 2019 07:37 AM
@Sebastien Molendijk Also, after the MCAS webinar today on threat detection, the section on OAuth and Manage OAuth Apps outlined triggers and detection with near real-time activity, where policies could be put in place that could take actions like revoke permissions and suspend user. Can I get an explanation of how this works in relation to your first reply, where it stated that "MCAS App Control (reverse proxy) only works for browser based sessions", whereas today it seems to be presented for OAuth controls and actions/protection?
Mar 22 2019 01:59 AM
We don't have this capability at the moment.
I'm interested in your use case. Let me investigate this internally.
Best regards,
Sebastien
Mar 22 2019 02:09 AM
Thanks for the details.
I don't see how to do this on the MCAS side, as it only sends the instruction to apply the classification to SharePoint.
The only solution I see is to have a specific exception configured at the workflow level, using a filter on the user account, as you said.
Why can't you modify the workflow? I see this case as part of the workflow design phase.
Mar 22 2019 02:37 AM
Q1: This can be the AAD account, but not only. This could be the Salesforce or G Suite account, for example, even if SSO is configured at the AAD level.
Q2: No, this is a different process. MCAS looks at the delegated accesses granted at the AAD account (or corp Google account, etc.) level, but doesn't look at the connections configured in Flow.
If the connection is passing through Flow, then MCAS considers the delegated access as coming from Flow and not from a 3rd party app.
Q3: Am I correct to think that your example is using Flow to access some data in O365/account, rather than having a delegated access to the service itself?
If this is correct, then MCAS doesn't have visibility on this and would rely on the Flow admin center to get the details.
Mar 22 2019 02:40 AM
Can we maybe wait for next week's App Control session so you have all the details regarding this technology?
If this is still unclear, I'll be happy to go back to more detailed information.
Mar 22 2019 02:47 AM
Thanks for the details.
Let me discuss this internally and see what would be possible for this use case.
Mar 28 2019 02:13 PM