Forum Discussion

mrognlie
Copper Contributor
Feb 20, 2019

Best practice for creating groups to be used in CAS

I am new to CAS, and am in a department of a larger higher ed institution. Central IT has no experience in the Security/Compliance and CAS areas, so I'm doing the research to get my department up and running (we are all A5 licensed in my dept). I'm hoping the community can help with two questions:

(1) What is the best practice for the kind of group to create if you want to use it in CAS? My choices are Security or Office, and Synced vs. Assigned (we have a hybrid environment).

(2) How do you assign a Group Admin role over a group in CAS? I can't find this answer in Microsoft docs. I assume that the choice in (1) is important to achieve (2).

Thanks!

Matt

  • Hi Matt,

    I would recommend using an Azure AD security group. This group can be synchronized from your on-prem AD or created in Azure AD. If you want to manage its membership dynamically, create an Azure AD security group with dynamic membership.

    Once you have your group in Azure AD, you have to import it into Cloud App Security, as explained here: https://docs.microsoft.com/en-us/cloud-app-security/user-groups

    After the group has been imported in MCAS, you can then use it to assign Group admin permission to the relevant admins. This is explained here: https://docs.microsoft.com/en-us/cloud-app-security/manage-admins#add-additional-admins

    Group admin: Has permissions to all of the data in Microsoft Cloud App Security that deals exclusively with the specific group selected here. For example, if you give a user admin permission to the group "Germany - all users", the admin can view and modify information in Microsoft Cloud App Security only for that user group:

    • Activities page - Only activities about the users in the group
    • Alerts - Only alerts relating to the users in the group
    • Policies - Can view all policies and can edit or create only policies that deal exclusively with users in the group
    • Accounts page - Only accounts for the specific users in the group
    • App permissions - No permissions
    • Files page - No permissions
    • Conditional Access App Control - No permissions
    • Cloud Discovery activity - No permissions
    • Security extensions - Permissions only for API token with users in the group
    • Governance actions - Only for the specific users in the group

    Hope it helps!

    Best regards,

    Sebastien
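
An added example, not from this thread or from Microsoft's documentation, showing the first step of the answer above (creating a security-enabled Azure AD group with dynamic membership) with the AzureAD PowerShell module, followed by a check of which directory roles an admin account actually holds, which is the question the later replies in the thread turn on. The group name, the department value in the membership rule and the admin UPN are placeholders; the module is assumed to be installed and the signed-in account to have rights to create groups and read role memberships.

```powershell
# Added example (not code from the original thread). Assumes the AzureAD module
# is installed; group name, membership rule values and the admin UPN are placeholders.
Connect-AzureAD | Out-Null

# 1) Create a security-enabled, non-mail-enabled Azure AD group with dynamic
#    membership, the group type recommended in the answer above. Members are
#    computed from the rule, so the MCAS scope follows the directory attribute
#    rather than a hand-maintained list.
$group = New-AzureADMSGroup `
    -DisplayName "MCAS - Finance users" `
    -Description "Scope for the MCAS Group admin role (Finance department)" `
    -MailEnabled $false `
    -MailNickname "mcas-finance-users" `
    -SecurityEnabled $true `
    -GroupTypes "DynamicMembership" `
    -MembershipRule '(user.department -eq "Finance") -and (user.accountEnabled -eq true)' `
    -MembershipRuleProcessingState "On"
Write-Host "Created group '$($group.DisplayName)' with object id $($group.Id)"
# The import into MCAS (Settings > User groups) and the Group admin assignment
# are done in the MCAS portal; there is no AzureAD cmdlet for those two steps.

# 2) List every activated directory role held by the account that will receive
#    the MCAS Group admin role. Overlapping roles (for example Global Administrator
#    together with Security Administrator) are worth knowing about when the portal
#    does not offer "Manage admin access", as discussed later in this thread.
function Get-AdminDirectoryRoles {
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    $user = Get-AzureADUser -ObjectId $UserPrincipalName
    # Get-AzureADDirectoryRole returns only roles that have been activated in the
    # tenant; each role's member list is compared against the user's object id.
    Get-AzureADDirectoryRole | Where-Object {
        Get-AzureADDirectoryRoleMember -ObjectId $_.ObjectId |
            Where-Object { $_.ObjectId -eq $user.ObjectId }
    } | Select-Object -ExpandProperty DisplayName
}

Get-AdminDirectoryRoles -UserPrincipalName "admin@contoso.example"
```

Run the role check before and after changing the account's role assignments so the difference in the MCAS gear menu can be tied to a specific directory role.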

    • mrognlie
      Copper Contributor

      Thank you for the response, Sebastien. I see the issue now - our Azure GA (also a Security Administrator) does not have the choice of "Manage Admin Access" in the gear drop-down. Only Settings, Governance log, Security extensions, Exported reports, Scoped deployment, IP address ranges and User groups.

      I had our GA assign himself an A5 license just in case (rest of campus is currently A1), but that didn't change the drop-down choices. Might you have an idea how to proceed on this?

      Matt

      • Sebastien Molendijk
        Microsoft

        Hi,

        Why are you combining Global Admin with Security Admin?

        Could you remove that account from the Security Admin, log off and try again?

        I suspect a permission mismatch.
