Apr 22 2020 01:40 AM - edited Apr 22 2020 01:41 AM
Hi Community,
One of our customer raised the below queries:
This documentation differentiates things, however, partner is looking for the answers for below specific scenarios.
2. Is monitoring Live? If not what is the delay?
According to this documentation, Conditional Access App Control enables user app access and sessions to be monitored and controlled in real time based on access and session policies.
3. When will the enforcement occur following a monitoring alert? How much time?
According to this documentation, it uses aa reverse proxy architecture and is uniquely integrated with Azure AD Conditional Access. Azure AD Conditional Access allows you to enforce access controls on your organization’s apps based on certain conditions as soon as the policy is enabled.
4. Blocking of upload to Teams site and alerting for sensitive data as opposed to other types of documents.
5. Blocking share options for sensitive data
According to this documentation, they can use MCAS to Block and protect download of sensitive data to unmanaged or risky devices.
According to this documentation, it Monitor user sessions for compliance, Risky users are monitored when they sign into apps and their actions are logged from within the session. You can investigate and analyze user behavior to understand where, and under what conditions, session policies should be applied in the future.
7. Alerting and blocking multiple sign in attempts
According to this documentation, you can create anomaly policies to get instantaneous behavioral analytics and anomaly detection and then block the appropriate activity.
8. Blocking options in Teams/SharePoint for sharing options from internal vs external users
9. Blocking or alerting on user connection to O365 portal/O365 services from outside Israel
Any pointers would be of great help. Many thanks!
Apr 24 2020 01:22 PM
SolutionHi @Newlife, thank you for the questions. Please see my responses below:
Alert for adding GA or adding users to a security role
Yes, these activity types are supported “Add member to group/role”. In addition, with integrations with Azure ATP, we can detect suspicious additions to sensitive groups. Custom sensitive groups can be defined by admins.
Another approach is to customize your filter to include the “Acitvity objects” “Activity object ID” equals the AAD group objectID from Azure AD. This can easily be added to any filter within the Activity Log by navigating to the activity and clicking the “Activity Objects”. Within those objects, there are icons to include the objects in the filter.
Alert for Adding external guests to Teams sites
We have MS Teams specific templates that will detect this activity. See below:
Access level change (Teams): Alerts when a team's access level is changed from private to public.
External user added (Teams): Alerts when an external user is added to a team.
Mass deletion (Teams): Alerts when a user deletes a large number of teams.
Alert for adding user for specific group (Like domain admin)
Same as #1
Are live monitoring control only application based “web access” or include desktop client such as “desktop Teams, desktop outlook app”?
Conditional Access App Control can monitor and control the session in real time for web-based applications. We have access control policies which can be used to block the desktop and mobile clients.
https://docs.microsoft.com/en-us/cloud-app-security/proxy-intro-aad#access-controls
When will the enforcement occur following a monitoring alert? How much time? (without reverse proxy)
When using Conditional Access App Control, session controls are in real time. If you elect to monitor the session, no controls will be used. This provides an avenue to analyze user behavior to understand under what conditions session policies should be applied in the future. Without CaaC enabled, you can leverage API connected application that perform governance functionality in near real time.
They want to create alerts when someone upload or download files in Teams
We have activity filters that support upload/download file.
Specific alert if there is sensitive information in the file.
File policies support DLP functionality.
https://docs.microsoft.com/en-us/cloud-app-security/data-protection-policies
MCAS to block and protect download of sensitive data to unmanaged or risky devices: Can they do it with OCAS?
Only for Office Apps but the license requirements also include Azure AD P1.
https://docs.microsoft.com/en-us/cloud-app-security/proxy-intro-aad
Can it apply only on web app or include desktop app?
Only web-based applications. You would need to use access policies to limit desktop and mobile applications to provide a comprehensive approach to securing those apps.
Are all the built-in policies that we can see in the OCAS portal can be applied?
Yes
Blocking / alert for sharing files based on if the user is external or internal user.
That control should be handled with the native tools built into OD4B/Sharepoint https://docs.microsoft.com/en-us/sharepoint/external-sharing-overview
Block and alert if the connection to O365 portal and O365 services was from other country then Israel.
This can be done with Azure AD Conditional Access Policies.
Alerts can be configured in CAS to filter on activity type such as logon and location.
Apr 30 2020 02:35 AM - edited Apr 30 2020 02:36 AM
@Newlife Teams activity policies explained: https://janbakker.tech/2020/04/19/activity-policy-templates-for-teams-in-microsoft-cloud-app-securit...
I saw @John_Lewis did an awesome job already on answering your question. If you have any more question, feel free to reach out.
Apr 24 2020 01:22 PM
SolutionHi @Newlife, thank you for the questions. Please see my responses below:
Alert for adding GA or adding users to a security role
Yes, these activity types are supported “Add member to group/role”. In addition, with integrations with Azure ATP, we can detect suspicious additions to sensitive groups. Custom sensitive groups can be defined by admins.
Another approach is to customize your filter to include the “Acitvity objects” “Activity object ID” equals the AAD group objectID from Azure AD. This can easily be added to any filter within the Activity Log by navigating to the activity and clicking the “Activity Objects”. Within those objects, there are icons to include the objects in the filter.
Alert for Adding external guests to Teams sites
We have MS Teams specific templates that will detect this activity. See below:
Access level change (Teams): Alerts when a team's access level is changed from private to public.
External user added (Teams): Alerts when an external user is added to a team.
Mass deletion (Teams): Alerts when a user deletes a large number of teams.
Alert for adding user for specific group (Like domain admin)
Same as #1
Are live monitoring control only application based “web access” or include desktop client such as “desktop Teams, desktop outlook app”?
Conditional Access App Control can monitor and control the session in real time for web-based applications. We have access control policies which can be used to block the desktop and mobile clients.
https://docs.microsoft.com/en-us/cloud-app-security/proxy-intro-aad#access-controls
When will the enforcement occur following a monitoring alert? How much time? (without reverse proxy)
When using Conditional Access App Control, session controls are in real time. If you elect to monitor the session, no controls will be used. This provides an avenue to analyze user behavior to understand under what conditions session policies should be applied in the future. Without CaaC enabled, you can leverage API connected application that perform governance functionality in near real time.
They want to create alerts when someone upload or download files in Teams
We have activity filters that support upload/download file.
Specific alert if there is sensitive information in the file.
File policies support DLP functionality.
https://docs.microsoft.com/en-us/cloud-app-security/data-protection-policies
MCAS to block and protect download of sensitive data to unmanaged or risky devices: Can they do it with OCAS?
Only for Office Apps but the license requirements also include Azure AD P1.
https://docs.microsoft.com/en-us/cloud-app-security/proxy-intro-aad
Can it apply only on web app or include desktop app?
Only web-based applications. You would need to use access policies to limit desktop and mobile applications to provide a comprehensive approach to securing those apps.
Are all the built-in policies that we can see in the OCAS portal can be applied?
Yes
Blocking / alert for sharing files based on if the user is external or internal user.
That control should be handled with the native tools built into OD4B/Sharepoint https://docs.microsoft.com/en-us/sharepoint/external-sharing-overview
Block and alert if the connection to O365 portal and O365 services was from other country then Israel.
This can be done with Azure AD Conditional Access Policies.
Alerts can be configured in CAS to filter on activity type such as logon and location.