SOLVED

Show device name in activity overview


Is it possible to show the device name or ID in Cloud App Security, which performed an activity? We are using Intune, and would like to see if activities performed by our users are from an Intune on-boarded device.

8 Replies
Hey @Kiril - yes it is. The Device info is audited by AAD and sent to MCAS through either AAD integration or CAAC with a Conditional Access Policy configured in AAD. There are scenarios in which AAD isn't able to collect the Device information (i.e. InPrivate window or some other known issue). In this scenario, MCAS just assumes the machine is not Intune compliant if you have any policies configured to assess this.

@jurowley thank you! Two follow-up questions:

 

1) Where would I see if the performed activity is from an Intune compliant device? When I check the Device type of an Activity, it displays generic information like "Windows 10" or "Android".

2) How do I know if the AAD integration is working, or where can I configure the AAD integration?

 

Thank you very much!

 

 

best response confirmed by Kiril Valev (Contributor)
Solution

@Kiril Valev Filter the Activity Log by "Microsoft Azure" application. It will show if the device is compliant in the "View Raw Data" JSON. 

 


 

If you have no Activity Data from Microsoft Azure app in MCAS, then you need to onboard it with a Conditional Access Policy (CAP) in AAD. Just setting the CAP to "Monitor Only" will begin the data capture. 

That's not the only time we pull that API object; but, that's a scenario in which we do.
Just check any O365 / Azure audited activities "View Raw Data". I think they all will have that object. I just checked a random O365 Activity's Raw Data and it was there.
When I filter for the "Microsoft Azure" app I see only Log-on activities and only for my user. So, that's basically my Log-ons in the Azure Portal. No other user is shown here.

Checking the "raw data" of those activities and some other activities display the DeviceId:

"DeviceInfo": "DeviceId <GUID>;Windows 10;Chrome 88.0;",

However, not for all users. I will take a look at the CAP and create one, to see if that works. Thank you very much!
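
Added example, not part of the thread and not Microsoft's code: a Python script that takes activity records copied from "View Raw Data", extracts the device GUID from the `DeviceInfo` string quoted above, and reports which users have activities without a usable device ID. Only the `DeviceInfo` key and its `DeviceId <GUID>;OS;browser;` layout come from the thread; the `UserId` key and all sample values are constructed assumptions.

```python
import json
import uuid
from collections import defaultdict

# Constructed sample records. Only the "DeviceInfo" key and its layout come
# from the thread; the "UserId" key and every value here are assumptions.
SAMPLE_RAW = """[
 {"UserId": "alice@example.com", "DeviceInfo": "DeviceId 6f1c2a34-8b7d-4e59-9a10-3c5d7e9f0a12;Windows 10;Chrome 88.0;"},
 {"UserId": "bob@example.com", "DeviceInfo": ";Android;Chrome Mobile 88.0;"},
 {"UserId": "bob@example.com", "DeviceInfo": "DeviceId not-a-guid;Windows 10;Edge 88.0;"},
 {"UserId": "carol@example.com"}
]"""


def parse_device_info(value):
    """Return the normalized device GUID from a DeviceInfo string, or None."""
    if not isinstance(value, str):
        return None  # key missing from the record entirely
    for segment in value.split(";"):
        segment = segment.strip()
        if segment.startswith("DeviceId "):
            try:
                return str(uuid.UUID(segment[len("DeviceId "):].strip()))
            except ValueError:
                return None  # malformed GUID counts as "no device"
    return None


def device_coverage(records, user_key="UserId"):
    """Count, per user, activities with and without a usable device ID."""
    stats = defaultdict(lambda: {"with_device": 0, "without_device": 0})
    for rec in records:
        has_id = parse_device_info(rec.get("DeviceInfo")) is not None
        key = "with_device" if has_id else "without_device"
        stats[rec.get(user_key, "<unknown>")][key] += 1
    return dict(stats)


def users_missing_device(records):
    """Users with at least one activity that carries no usable device ID."""
    return sorted(u for u, s in device_coverage(records).items() if s["without_device"])


if __name__ == "__main__":
    print(users_missing_device(json.loads(SAMPLE_RAW)))
```
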
Yup - the best thing to do is just create a CAP for whatever application you really care about. For example, if you want to block downloads for any device not compliant using SPO, you would add a CAP for SPO and that would capture the auth information along with the Device info (unless the end-user uses something like an in-private browser).
When AAD authenticates a user to access a resource application, it attempts to gather the DeviceID info.
If you just want to collect all authentications to all resources, then just send the "Microsoft Azure" app through MCAS and it'll just capture all that auth data.
Thank you! New CAPs are created in the Azure Portal (Azure Active Directory -> Security -> Conditional Access), right? And are they any different from the Conditional Access in MCAS portal (Control -> Policies -> Conditional Access tab)?
Yes - the CAPs in AAD send the Session to MCAS. The Session Policies in MCAS can be used to control the Session as a proxy - altering the requests on behalf of the Client machine. This is how we can do things in real-time like block downloads for specific applications. You don't need to set up any Session Policies in MCAS in order for MCAS to ingest that new data. Once you set up the CAPs in AAD, you should start seeing that activity in the Investigate > Activities tab.

Here's an article on helping you with Session Policies: https://docs.microsoft.com/en-us/cloud-app-security/session-policy-aad