Microsoft Secure Tech Accelerator
Apr 13 2023, 07:00 AM - 12:00 PM (PDT)
Microsoft Tech Community

Custom Cloud App Security Policies


Just wanted to start a conversation on what custom CAS policies you find most useful. There are plenty of activities to monitor, which ones have you considered worth while to monitor?


To kick it off, we have MFA. Since there isn't a supported policy to monitor failed MFA results, aka, an adversary got the password right, but they're failing at the MFA screen, I made my own. Whether it's actually encompassing everything I want it to or not, is up for debate.


Activity Type - Equals - Failed log on: DeviceAuth:reprocessTls + OrgIdWsFederation:federation + Login: reprocess


What custom CAS rules have you guys made?

0 Replies