MDATP Integration - Unsanctioned Apps - Allow for some users?

Hi,

I've reviewed the documentation @ https://docs.microsoft.com/en-us/cloud-app-security/governance-discovery in relation to blocking unsanctioned apps - specifically using MDATP on Win10 endpoints.

The documentation doesn't mention anything about governance when using MDATP - is the functionality similar to the integration with Zscaler and iBoss, where once an app is tagged as unsanctioned it is blocked on the endpoint for all users?

Is there any way to provide greater granularity to the process - i.e. allow an app for some users and not for others, or is it a binary choice for the entire organisation?

Thanks

Paul

11 Replies
That's the reason I've put the Cloud App Security project on hold: there is no simple way to control the cloud apps via ATP. All I can do is "discover the Shadow IT", but I have almost no control over it. I don't use expensive firewalls; I'm cloud-only, and so are my customers. Yes, I know about Conditional Access and 3rd party integration, but I couldn't find anything to simply click the 3 dots and select "block" after I received the alert.

@PJR_CDF when you create a Policy in MCAS, you can apply a Filter so that the scope of the policy is limited to a Group of users

Thanks @Dean Gross

I can see how you can scope/filter some policy types to specific users and groups, but the exact scenario I am looking for, as an example, is: say I have a group of users I want to allow access to Jira for, and block it for all other users.

If I tag Jira as an unsanctioned app in the Cloud app catalog, I assume this blocks it for all users.

How can I create a policy to block for all users except a specific group?

If I search the cloud app catalog for Atlassian Jira and choose "create policy from search" to scope the policy to Jira specifically, the criteria you can choose from to build your filter within the policy don't include the ability to add user or group scoping filters, as shown in the attached screen grab.

I can't see that scoping sanctioned and unsanctioned apps per user/group is possible in this manner.

If I create an access control policy I can scope the policy to specific users, but the apps I can choose from are only the apps I have onboarded to Azure AD, not the entire list of apps from the cloud app catalog.

Thanks

Paul

I think that a better approach would be to register Atlassian Cloud in Azure AD as an enterprise app and then use the Entitlement feature to grant the users access, see https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/atlassian-cloud-tutorial and https://docs.microsoft.com/en-us/azure/active-directory/governance/entitlement-management-overview
Hi @Dean Gross

Once an app has been onboarded/registered in Azure AD I could use a Conditional Access App Control policy to control access, but I guess that would only work if the user was attempting to log in to the app using their Azure AD credentials?

I think the sanctioned/unsanctioned function of MCAS is more applicable in scenarios where the decision of whether an app is allowed is more black and white, whereas the scenarios I am imagining are the ones that are more grey, with some users needing access and others not (i.e. Twitter accessible just for users in Marketing and not visible or accessible in any way for other users). These perhaps also stray a little into more traditional firewall / access control / web filter type solutions as well.

Thanks for taking the time with your suggestions :smile:

Paul
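The scoping Paul is after (block Jira for everyone except one group) is the include-All / exclude-group pattern of an Azure AD Conditional Access policy targeting the enterprise app Dean suggests registering. What follows is an added example for this thread, not code from the posts or from Microsoft: it writes such a policy in the shape of a Microsoft Graph conditionalAccessPolicy body (as the example's author understands that schema), simulates the decision locally for a Marketing member and a non-member, lints the policy for the lock-out caveat (an excluded emergency-access account), and contrasts it with the user-agnostic decision an MDATP-enforced unsanctioned tag produces. The group, app and user ids are constructed placeholders, and `evaluate_sign_in()` is a local model of the decision, not a Graph API call.

```python
"""Local model of a group-scoped block policy for an Azure AD enterprise app.

Added example, not code from this thread or from Microsoft. The policy dict
follows the shape of a Microsoft Graph conditionalAccessPolicy body
(includeUsers / excludeGroups / includeApplications, grantControls with
builtInControls=["block"]) as the example's author understands it. All ids
below are constructed placeholders; nothing here talks to the Graph API.
"""
from dataclasses import dataclass

# Constructed placeholder object ids (replace with your tenant's values).
MARKETING_GROUP_ID = "11111111-1111-1111-1111-111111111111"
JIRA_APP_ID = "22222222-2222-2222-2222-222222222222"        # appId of the enterprise app
OTHER_APP_ID = "33333333-3333-3333-3333-333333333333"
BREAK_GLASS_USER_ID = "44444444-4444-4444-4444-444444444444"

# "Block everyone except Marketing" expressed as include-All + exclude-group.
BLOCK_JIRA_EXCEPT_MARKETING = {
    "displayName": "Block Jira except Marketing",
    "state": "enabled",
    "conditions": {
        "users": {
            "includeUsers": ["All"],
            "excludeUsers": [BREAK_GLASS_USER_ID],   # emergency-access account
            "excludeGroups": [MARKETING_GROUP_ID],
        },
        "applications": {"includeApplications": [JIRA_APP_ID]},
        "clientAppTypes": ["all"],
    },
    "grantControls": {"operator": "OR", "builtInControls": ["block"]},
}


@dataclass(frozen=True)
class SignIn:
    """One sign-in attempt as seen by the identity layer."""
    user_id: str
    group_ids: frozenset
    app_id: str


def policy_applies(policy: dict, s: SignIn) -> bool:
    """True if the policy's user and application conditions match the sign-in.

    Exclusions take precedence over inclusions, as they do in Conditional Access.
    """
    users = policy["conditions"]["users"]
    apps = policy["conditions"]["applications"].get("includeApplications", [])
    if "All" not in apps and s.app_id not in apps:
        return False
    include = users.get("includeUsers", [])
    if "All" not in include and s.user_id not in include:
        return False
    if s.user_id in users.get("excludeUsers", []):
        return False
    if s.group_ids & frozenset(users.get("excludeGroups", [])):
        return False
    return True


def evaluate_sign_in(policies: list, s: SignIn) -> str:
    """'block' if any enabled, matching policy carries a block control, else 'allow'."""
    for p in policies:
        if p.get("state") != "enabled":
            continue
        if policy_applies(p, s) and "block" in p["grantControls"].get("builtInControls", []):
            return "block"
    return "allow"


def lint_block_policy(policy: dict) -> list:
    """Sanity checks to run before enabling a block policy; returns findings."""
    findings = []
    users = policy["conditions"]["users"]
    if "All" in users.get("includeUsers", []) and not users.get("excludeUsers"):
        findings.append("include-All block policy has no excluded emergency-access account")
    apps = policy["conditions"]["applications"].get("includeApplications", [])
    if "All" in apps and "block" in policy["grantControls"].get("builtInControls", []):
        findings.append("policy blocks every application, including the admin portals")
    return findings


def endpoint_decision(unsanctioned_apps: set, app_name: str) -> str:
    """The MDATP-enforced unsanctioned tag: the same answer for every user."""
    return "block" if app_name in unsanctioned_apps else "allow"


if __name__ == "__main__":
    policies = [BLOCK_JIRA_EXCEPT_MARKETING]
    marketing = SignIn("user-a", frozenset({MARKETING_GROUP_ID}), JIRA_APP_ID)
    finance = SignIn("user-b", frozenset(), JIRA_APP_ID)
    print("marketing -> Jira:", evaluate_sign_in(policies, marketing))   # allow
    print("finance   -> Jira:", evaluate_sign_in(policies, finance))     # block
    print("endpoint tag, any user:", endpoint_decision({"Jira"}, "Jira"))  # block
    print("lint:", lint_block_policy(BLOCK_JIRA_EXCEPT_MARKETING) or "ok")
```

The identity-layer decision only exists for sign-ins that pass through Azure AD, which is the limitation Paul raises: a user reaching the app with local credentials never hits `evaluate_sign_in`, whereas the endpoint tag in `endpoint_decision` fires regardless of who is logged on. The lint step encodes the standard Conditional Access caveat that an include-All block policy must exclude at least one emergency-access account.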

If they are not using their AAD cred, what would they be using?
I agree that the Sanctioning concept is a black/white approach, it's great for blocking a bunch of risk apps, but not for every scenario. One of our big challenges is understanding the strengths/weaknesses of each tool and figuring out how to configure them to achieve a goal.
With Intune, AAD Control Policies, Microsoft Defender ATP, Windows Device Guard, and MCAS, we have a lot of options :)
Please note that this is applicable only for app discovery alerts, and not for the controls provided by ATP, Danny.
Hi @PJR_CDF @Opti-IT @Dean Gross,

The feature for blocking MCAS unsanctioned apps by leveraging MDATP is now in public preview and can be easily enabled in your tenants. In the following docs link (https://docs.microsoft.com/en-us/cloud-app-security/wdatp-integration), you'll find more details about it. Please contact me directly with any question you might have.

Re scope of control, currently an app will be blocked globally; down the road we will be adding more granular controls, to create more focused blocking policies.

Thanks,

Danny.

@Danny Kadyshevitch,

You said "down the road we will be adding more granular controls". Is there a public roadmap for this feature? I do not see anything in the Microsoft 365 Roadmap outside of the existing unsanctioned app filtering. Any information would be appreciated.

Thanks,

Bill

Hi @Bill Brennan,

This feature is included in our Q1CY20 roadmap, which was not yet published.

I will be able to provide more details on timelines soon.

Thanks,

Danny.

I did the tests, it's working, wow, respect. Thank you.