Feb 20 2019 01:37 PM
I am new to CAS, and am in a department of a larger higher ed institution. Central IT has no experience in the Security/Compliance and CAS areas, so I'm doing the research to get my department up and running (we are all A5 licensed in my dept). I'm hoping the community can help with two questions:
(1) What is the best practice for the kind of group to create if you want to use it in CAS? My choices are Security or Office, and Synced vs. Assigned (we have a hybrid environment).
(2) How do you assign a Group Admin role over a group in CAS? I can't find this answer in Microsoft docs. I assume that the choice in (1) is important to achieve (2).
Feb 26 2019 12:34 AM
I would recommend using an Azure AD security group. This group can be synchronized from your on-prem AD or created in Azure AD. If you want to manage its membership dynamically, create an Azure AD security group with dynamic membership.
Once you have your group in Azure AD, you have to import it into Cloud App Security, as explained here: https://docs.microsoft.com/en-us/cloud-app-security/user-groups
After the group has been imported in MCAS, you can then use it to assign Group admin permission to the relevant admins. This is explained here: https://docs.microsoft.com/en-us/cloud-app-security/manage-admins#add-additional-admins
Group admin: Has permissions to all of the data in Microsoft Cloud App Security that deals exclusively with the specific group selected here. For example, if you give a user admin permission to the group "Germany - all users", the admin can view and modify information in Microsoft Cloud App Security only for that user group.
Hope it helps!
Feb 27 2019 01:56 PM
Thank you for the response, Sebastien. I see the issue now - our Azure GA (also a Security Administrator) does not have the choice of "Manage Admin Access" in the gear drop-down. Only Settings, Governance log, Security extensions, Exported reports, Scoped deployment, IP address ranges and User groups.
I had our GA assign himself an A5 license just in case (rest of campus is currently A1), but that didn't change the drop-down choices. Might you have an idea how to proceed on this?
Feb 27 2019 02:02 PM
Why are you combining Global Admin with Security Admin?
Could you remove that account from the Security Admin, log off and try again?
I suspect a permission mismatch.
Mar 05 2019 09:59 AM
After quite a bit more work, we have determined that delegating permissions to imported groups is not a feature of Office Cloud App Security, and only a feature of Microsoft Cloud App Security. It's not specifically called out here https://docs.microsoft.com/en-us/cloud-app-security/editions-cloud-app-security-o365, but we assume based on other feature items that we will not have this available in OCAS.