Activity policies require conditional access

Hello, I need one clarification please.

According to the documentation:

Activity policies allow you to enforce a wide range of automated processes using the app provider's APIs. These policies enable you to monitor specific activities carried out by various users, or follow unexpectedly high rates of a certain type of activity.

My understanding is that an activity policy works with the app connectors.

So if I connect the M365 connector and set up a mass download policy, I expect to get alerts once any user that matches the filters generates one or more alerts.

In all my test tenants, unfortunately, none of the activity policies works unless there is also a conditional access policy set up in AAD.

Is that expected? So do I also need conditional access to have this kind of monitoring?

Hi @xtlf, activity policies should trigger any time the conditions are met; they do not require the proxy. Some activities may only be relevant for the proxy, so it can be helpful to double-check the filters that were configured.

You can also do something similar with advanced hunting and custom detections on the CloudAppEvents table.
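As an added illustration of the advanced hunting route mentioned in this reply (this query is not from the thread or from Microsoft's documentation), the following KQL approximates the "mass download by a single user" activity policy over the CloudAppEvents table. It assumes the Office 365 audit records land in CloudAppEvents with ActionType "FileDownloaded" and the Application names shown; the threshold of 2 downloads in a 1-minute window mirrors the deliberately low test value discussed in this thread and should be raised for production.

```kusto
// Added example, not part of the original post.
// Counts file downloads per user in fixed 1-minute windows and surfaces
// users who exceed the threshold. Timestamp, ReportId and AccountObjectId are
// kept so the query can be saved as a custom detection rule.
let Threshold = 2;      // test value from the thread; raise for real tenants
let Window = 1m;
CloudAppEvents
| where Timestamp > ago(1d)
// Assumed application names for SharePoint/OneDrive audit events
| where Application in ("Microsoft SharePoint Online", "Microsoft OneDrive for Business")
// Assumed ActionType for a file download audit record
| where ActionType == "FileDownloaded"
| summarize
    DownloadCount = count(),
    Files = make_set(ObjectName, 20),     // up to 20 file names for triage
    SourceIPs = make_set(IPAddress, 10),
    arg_max(Timestamp, ReportId)          // latest event in the window for the alert
    by AccountObjectId, AccountDisplayName, WindowStart = bin(Timestamp, Window)
| where DownloadCount >= Threshold
| project Timestamp, ReportId, AccountObjectId, AccountDisplayName,
          WindowStart, DownloadCount, Files, SourceIPs
| order by DownloadCount desc
```

Because the summarize uses fixed bins, two downloads that straddle a minute boundary fall into separate windows and will not be counted together; the built-in activity policy uses a sliding window, so expect the two approaches to differ on edge cases. Running the query interactively first, before saving it as a custom detection, is a quick way to confirm that the expected audit events are arriving in the table at all.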

Hi @Keith_Fleming, thank you. I'm using a very simple policy; I took the existing template about mass download by a single user:

(screenshot of the policy configuration, not reproduced)

I basically removed every filter and limited the download count to "2" so the alert would be very simple to trigger.

I also tried with different options.

So it must be triggered any time a user downloads two files in less than one minute.

The M365 connector works fine (it's green and I see other information coming from the connector).

@xtlf got it. Yes, with that I would expect it to trigger if there are 2 download activities within 1 minute. If you're not seeing this, I would recommend opening a ticket so we can investigate it.