SOLVED

Unsanction SharePoint Subdomain

Occasional Contributor

Hi,

I have been watching the Microsoft Cloud App Security deep dive: Learn how to deploy and manage - BRK3008 session from Ignite last year and the presenter says that you can unsanction subdomains in SharePoint. I have this requirement and wondered if anyone could advise me on how to achieve this, as I only want to allow access to the corporate SharePoint Online and not any other tenants. I can see in my discovered apps that I have two subdomains but there is no option (three dots) to unsanction one of them. Also, because SharePoint is a connected app it has automatically sanctioned it and there doesn't seem to be a way of unsanctioning the SharePoint Online tenant I want to restrict.

Thanks,

Stuart

3 Replies

Hi Stuart,

Cloud Discovery currently allows you to mark cloud apps as unsanctioned, while, per your question, it is not supported for specific sub-domains.

Could you please provide some more details on your scenario? Are you looking to mark these SharePoint instances as unsanctioned in the MCAS portal, or are there additional use cases?

Thanks,

Danny.


Hi Danny,

My scenario is that we have a corporate SharePoint Online domain that I want my users to be able to use, so I want this sanctioned. I then see that there are a couple of other subdomains which I believe are being accessed by other people in the organisation. I don't want these sanctioned.

If I create a blocking script it seems that I have to sanction SharePoint Online domains, which is what I'm trying to avoid.

Kind regards,

Stuart

Best Response confirmed by stuart townsend (Occasional Contributor)
Solution
Okay Stuart, thanks for providing these details. I will keep that in mind as part of the product's future plans.
In the meantime, as a workaround I'd suggest modifying the block script to also include the sub-domains that are used by the instances you wish to unsanction, and block based on what is being discovered by MCAS.

Thanks,
Danny.
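
The workaround in the accepted reply, sketched as an added example (not code from the thread or from Microsoft): take the hosts Cloud Discovery reports under sharepoint.com, keep the corporate tenant and its companion hosts, and list the rest for inclusion in the block script. The tenant names, the sample host list and the companion-suffix list are constructed assumptions; the output is plain hostnames because the block script's format is not shown on the page.

```python
# Added example: names and sample data are constructed, not taken from the thread.
SHAREPOINT_SUFFIX = ".sharepoint.com"

# Assumption: companion hosts of the corporate tenant (OneDrive, admin centre)
# that must stay reachable; adjust to what your tenant actually uses.
COMPANION_SUFFIXES = ("", "-my", "-admin")


def normalise(host):
    """Lower-case a hostname and trim whitespace and any trailing dot."""
    return host.strip().lower().rstrip(".")


def build_blocklist(discovered_hosts, corporate_tenant):
    """Return the sorted SharePoint Online hosts that are not the corporate tenant's."""
    tenant = corporate_tenant.strip().lower()
    allowed = {tenant + s + SHAREPOINT_SUFFIX for s in COMPANION_SUFFIXES}
    blocked = set()
    for raw in discovered_hosts:
        host = normalise(raw)
        # Only hosts under sharepoint.com are in scope here. A name that merely
        # contains the string (sharepoint.com.example.net) is not SharePoint
        # Online and is left to the rest of the discovery policy.
        if not host.endswith(SHAREPOINT_SUFFIX):
            continue
        # Exact match on the full host: "contoso-files" is a different tenant
        # even though it starts with the corporate tenant's name.
        if host not in allowed:
            blocked.add(host)
    return sorted(blocked)


# Constructed sample of discovered hosts (hypothetical tenants).
DISCOVERED = [
    "contoso.sharepoint.com",
    "Contoso-my.sharepoint.com.",
    "fabrikam.sharepoint.com",
    "fabrikam-my.sharepoint.com",
    "contoso-files.sharepoint.com",
    "sharepoint.com.example.net",
    "www.example.org",
]

if __name__ == "__main__":
    for host in build_blocklist(DISCOVERED, "contoso"):
        print(host)
```

Matching on the full hostname rather than a prefix is what keeps the corporate OneDrive host (`contoso-my`) reachable while still catching other tenants whose names begin with the same string.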