
MCAS Webinar Q&A

Microsoft

Many people have registered for our webinar (https://aka.ms/MCASWebinar). We're thrilled to see such interest, but it also means we'll likely get a large volume of questions on the call, and it may not be possible to respond to every one in real time.


We will do our best to get your question answered directly on the call, and we'll have several dedicated team members just to respond to the questions; however, I wanted to provide an additional mechanism for any questions we're unable to get to. 


This post will be used for any questions that didn't get addressed on the call. We'll be reviewing the transcript of questions after the call and we'll post answers here. This may take a day or two, so please check back soon. 


If you were unable to attend the call, note that you can find the recordings here: https://aka.ms/MCASRecordings. Feel free to reply to this post with any questions you have. 


When MCAS applies a label to a SharePoint document, it triggers a workflow (if configured inside the library). Would you alter MCAS in future to counter this (like a setting to suppress the workflow)? In SP coding terms: SPItem.DisableWFEvents() --> SPItem.Update() --> SPItem.EnableWFEvents()

At what point would MCAS use the MIP SDK to apply labels in our tenant?

I heard that it would

  • Enable logs push to AIP Analytics (Azure Logs DB)
  • Label PDF files

Is that correct?

Q & A:

Thank you and a great session today.

Can I get a follow up from my Question in the Webinar:

I asked: 

"When an MCAS policy is in place, say for example we have a policy to only allow users Read-Only access to Box and restrict upload/download to Box, will this same rule/policy be followed when that user creates a connector in PowerApps or Flow to Box, so making the connector to Box only able to Read-only and restricting upload/download to Box too within your PowerApp or Flow?"

reply from Moderator

No, the reverse proxy covers the user's browser session and doesn't affect API connections. Flow has built-in DLP capabilities and the ability to block specific connections, which might answer the requirement.

1st: I don't think my question was understood correctly, as setting up connectors to authenticate uses browser sessions, as do PowerApps and Flow. (And if Flow data connections cannot be monitored in MCAS, then does this not bypass any security policies that we put in place using MCAS??)

2nd: You stated "Flow has built in DLP capabilities and the ability to block specific connections which might answer the requirement" ..... but the Flow DLP does not provide any kind of connection block? Can you provide details or a contact who can provide more details on this?

To my understanding, the Flow DLP only limits the use of connectors with other connectors; it does not block a connector from being used or connecting to data.

@Anandpb 

@Anandpb wrote:

When MCAS applies a label to a SharePoint document, it triggers a workflow (If configured inside the library). Would you alter MCAS in future to counter this (like a setting to suppress the workflow). In SP coding terms: SPItem.DisableWFEvents() --> SPItem.Update() --> SPItem.EnableWFEvents()

@Sebastien Molendijk: Is this something you can speak to?

@Tony McGranaghan 

@Tony McGranaghan wrote:

Q & A:

Thank you and a great session today.

Can I get a follow up from my Question in the Webinar:

I asked: 

"when MCAS policy is in place...

@Yoann_David_Mallet: Can you address this? 

@Anandpb 

@Anandpb wrote:

At what point would MCAS use the MIP SDK to apply labels in our tenant?

I heard that it would

  • Enable logs push to AIP Analytics (Azure Logs DB)
  • Label PDF files

Is that correct?


CC: @Rafael Dominguez and @Yoann_David_Mallet 

@Ryan Heffernan 

When can we have an ability to initiate "Run this policy NOW ignoring all other MCAS queues". I currently see that all actions (like policy DLP search, labeling) are all queued in the back end & take their own time to complete. Or ability to set frequencies of MCAS jobs.

Use case being,

  • Current MCAS tenant has 50+ policies running
  • As an admin, I have detected a threat pattern which I want to nullify now
  • For this, I would create a policy & have some governance action.
  • But this policy & its actions are queued till the existing 50+ policies are done with their finds/actions
  • I just want to prioritize the new Threat Policy that I just created

Also, assuming that each MCAS action (search, match, label, remove, email...) has its own back-end queue executed by a dedicated service: as a tenant, can we set the frequencies at which each service runs? Like, I want the REMOVE service to run every minute and the EMAIL_USER service to run in a relaxed way.

@Tony McGranaghan 


1st: I don't think my question was understood correctly, as setting up connectors to authenticate uses browser sessions, as do PowerApps and Flow. (And if Flow data connections cannot be monitored in MCAS, then does this not bypass any security policies that we put in place using MCAS??)

App Control (reverse proxy) only works for browser-based sessions, after the user authenticated against the IdP, like Azure AD. The IdP is the one redirecting the user to MCAS instead of redirecting him/her to the app.
In the case of apps like Flow connecting to Box, the connections between the apps will use the apps' APIs, not any browser, and the user account used to create the connection doesn't authenticate against the IdP; instead the app uses an OAuth token generated when the user created the connection, so we can't redirect to a limited session.
MCAS will see the activities, like download or delete of the file, but can't prevent them in real time.

2nd: You stated "Flow has built in DLP capabilities and the ability to block specific connections which might answer the requirement" ..... but the Flow DLP does not provide any kind of connection block? Can you provide details or a contact who can provide more details on this?

To my understanding, the Flow DLP only limits the use of connectors with other connectors; it does not block a connector from being used or connecting to data.

Hi, this is correct.
Sorry for the typo; as I was answering the several hundreds of questions during the call, I typed connections instead of connectors.

@Anandpb 

Can you please give me more details about this?

What do you mean by triggering a workflow? Are you talking about a workflow triggered by modification activities?

Thank you @Sebastien Molendijk for your reply,

Sorry, my mistake here: I left out one very important item in my first part, sorry.

If we have SSO set up to 3rd-party services/apps via an Enterprise application in Azure AD, and then have Conditional Access set to enforce SSO, then when a connector is set up it would need to authenticate via SSO to AAD. Would this then not enable MCAS to have control/monitoring capabilities on the connector usage in Flow?

For example, if we set up SSO to Dropbox via Azure AD, then set Conditional Access to enforce this, the only way any user can get access to Dropbox is if they are provided access via AAD and use SSO.

Now when using Flow, if that user tries to set up a Dropbox connector, at the authentication section at the beginning when creating the connector, will SSO not be enforced, so that authenticating the connector is via AAD?

My questions here:

  1. Will SSO via AAD using Conditional Access allow us to control the initial setup and authentication to create a connector?
  2. When a connector is created via SSO to AAD, what information/controls can MCAS give us, or what details can it log at initial connector setup?
  3. If MCAS cannot provide any visibility of API traffic/usage to connections from the tenant that use OAuth-tokenised connections, what can provide monitoring and control of this traffic in and out of our tenant?
  4. MCAS will not monitor or give any control over any API calls?


@Sebastien Molendijk 

Hi,

When we label a document (Present in a SP Library with workflows attached & versioning enabled), the related workflow gets initiated which would trigger a complex business process.

We have many site collections with many workflows and we cannot change each workflow to have a condition for "Modified By" == "SharePoint App".

We just need a way to ignore SP workflow triggering when the document is updated by the MCAS account (SharePoint App).

@Ryan Heffernan 

Hi, hope this is where we still post questions?

Great presentation today by @Gershon Levitz, thank you.

Q1:

In the area of OAuth apps, and the manage OAuth apps, when there is a policy, say, to get details on users that grant access/connection to a 3rd-party application, how is the user identified? Is it a requirement that access to the 3rd-party app/service is via AAD SSO, so the user can be linked and the permissions that they grant tracked?

Q2:

In relation to all the details covered today, how would these controls and monitors work around connectors in PowerApps and Flow?

Let's say, in a direct-action extreme case, a "Risky OAuth" policy is put in place for all permission access to Google, and if access is given we take the action to revoke permission or suspend the account. Would this prevent a user from using a Google connector in Flow?

Q3:

For APIs that do not use username/password authentication via a 3rd party or an IdP like AAD to gain access to their service, and use something like an API key, for example the "PagerDuty" connector in Flow, what can MCAS offer here, and what details and actions would be given?

Thank you

@Sebastien Molendijk Also, after the MCAS webinar today on threat detection, the section on OAuth and manage OAuth apps outlined triggers and detection that have near real-time activity, where policies could be put in place that could take actions like revoke permissions and suspend user... Can I get an explanation of how this works in relation to your first reply, where it stated that "MCAS: App Control (reverse proxy) only works for browser based sessions", ....... whereas today it seems to be presented for OAuth controls and actions/protection?

@Ananda Prasad Bandaru 

We don't have this capability at the moment.

I'm interested in your use case. Let me investigate this internally.

Best regards,

Sebastien

@Ananda Prasad Bandaru 

Thanks for the details.

I don't see how to do this at the MCAS side, as it sends the instruction of applying the classification to SharePoint.

The only solution I see is to have a specific exception configured at the workflow level, using a filter on the user account, as you said.

Why can't you modify the workflow? I see this case as part of the workflow design phase.
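One way the workflow-level exception suggested above can be expressed, as an added illustration that is not part of this thread and not Microsoft's guidance: a trigger condition on a Flow (Power Automate) definition that ignores modifications made by the labeling account. The site URL, list name, trigger name and the identity strings are placeholders; the exact identity under which the MCAS/SharePoint App edit appears should be confirmed from the version history of a labeled item before relying on it, because the filter silently does nothing if the string does not match.

```json
{
  "triggers": {
    "When_an_item_is_modified": {
      "type": "ApiConnection",
      "inputs": {
        "host": {
          "connection": {
            "name": "@parameters('$connections')['shared_sharepointonline']['connectionId']"
          }
        },
        "method": "get",
        "path": "/datasets/@{encodeURIComponent('https://contoso.example/sites/Finance')}/tables/@{encodeURIComponent('Contracts')}/onupdateditems"
      },
      "recurrence": {
        "frequency": "Minute",
        "interval": 5
      },
      "conditions": [
        {
          "expression": "@not(or(equals(triggerOutputs()?['body/Editor/DisplayName'], 'SharePoint App'), equals(triggerOutputs()?['body/Editor/Email'], 'mcas-labeling@contoso.example')))"
        }
      ]
    }
  }
}
```

The `conditions` array is evaluated before the run is created, so a label applied by the service identity does not start the business process at all, while edits by any other account still do. Two matches are combined with `or` because the thread refers to the account by display name ("SharePoint App") while a service identity may also be visible by its email claim; a narrower filter on one attribute is safer once the real value is known.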


@Tony McGranaghan 

Q1: This can be the AAD account, but not only. This could be the Salesforce or G Suite account, for example, even if SSO is configured at the AAD level.

Q2: No, this is a different process. MCAS looks at the delegated accesses granted at the AAD account (or corp Google account, etc.) level, but doesn't look at the connections configured in Flow.

If the connection is passing through Flow, then MCAS considers the delegated access as coming from Flow and not from a 3rd-party app.

Q3: Am I correct to think that your example is using Flow to access some data in O365/account, rather than having a delegated access to the service itself?

If this is correct, then MCAS doesn't have visibility on this and would rely on the Flow admin center to get the details.

@Tony McGranaghan 

Can we maybe wait for next week's App Control session, so you have all the details regarding this technology?

If this is still unclear, I'll be happy to go back to more detailed information.

@Tony McGranaghan 

Thanks for the details.

Let me discuss this internally and see what would be possible for this use case.

True, but we have hundreds of workflows spread across the enterprise, and I believe the OOB SP workflows don't have this capability. (SP Designer WFs would have this.)