cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Exclude Users or Devices

Ugur_Koc
Copper Contributor

‎Jul 06 2021 07:20 AM

‎Jul 06 2021 07:20 AM

Exclude Users or Devices

Hello Community Members,

 

we have some unsanctioned apps in MCAS and created a service user which still should have access to those domains.

 

Is it possible to excluse users or devices so that they wont be blocked when accessing the domains?

 

Thanks in advance :)

4,914 Views
0 Likes
11 Replies
Reply
11 Replies
LuizaT

‎Jul 06 2021 08:01 AM - edited ‎Jul 06 2021 08:02 AM

‎Jul 06 2021 08:01 AM - edited ‎Jul 06 2021 08:02 AM

Re: Exclude Users or Devices

Hello,

In Settings cog - in the right upper corner under cloud discovery: exclude entities - add your users, IP, groups, devices.

"This list contains discovered users who are excluded from Cloud Discovery data in your organization. Exclusions apply only to new data."


Preview file
75 KB
1 Like
Reply
Ugur_Koc

‎Jul 06 2021 08:10 AM

‎Jul 06 2021 08:10 AM

Re: Exclude Users or Devices

Hello,

thank you. I can not choose any users, it says: No items to show. Also I can not see all of the devices, only some of them.

Any ideas?
0 Likes
Reply
LuizaT

‎Jul 06 2021 08:26 AM

‎Jul 06 2021 08:26 AM

Re: Exclude Users or Devices

The users and Devices from the Cloud Discovery data that is analysed should be there. If you go to Cloud Discovery Dashboard, do you see your user there? If not, can you use generate some traffic for that user?
0 Likes
Reply
Ugur_Koc

‎Jul 06 2021 08:26 AM

‎Jul 06 2021 08:26 AM

Re: Exclude Users or Devices

I see them all, users and devices, on the Dashboard but not on the entities page.
0 Likes
Reply
Ugur_Koc

‎Jul 06 2021 08:31 AM

‎Jul 06 2021 08:31 AM

Re: Exclude Users or Devices

The funny part is that the network protection is not enabled on the devices. As for my understanding Network Protection was a requirement so that MCAS can block apps on endpoints. Do you know the Event ID when a Domain gets blocked? Maybe I can see why it is still blocking.
0 Likes
Reply
Ugur_Koc

‎Jul 06 2021 10:40 AM

‎Jul 06 2021 10:40 AM

Re: Exclude Users or Devices

I did add the user and device to the exclude entities list but the domains are still blocked. Any other ideas?
0 Likes
Reply
SuperNotDuper

‎Oct 20 2021 10:04 PM

‎Oct 20 2021 10:04 PM

Re: Exclude Users or Devices

@Ugur_Koc 

 

is there any way to perform this? Why is this feature not added from get-go? such a pain and will cause the product not to be used now...

0 Likes
Reply
Jonhed

‎Oct 26 2021 10:19 AM

‎Oct 26 2021 10:19 AM

Re: Exclude Users or Devices

The only option available to override MCAS unsanctioned apps, is to create custom network indicators in MDE.
This override can only be assigned to MDE device groups though, so if you want to limit this to specific users, these users will need to have personally assigned devices (as in devices not shared with other users).
https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/web-protection-overview?vi...
0 Likes
Reply
SuperNotDuper

‎Oct 26 2021 04:57 PM

‎Oct 26 2021 04:57 PM

Re: Exclude Users or Devices

thanks for the reply - I'll give it a go.

Such a shame there isn't an exclusion area in Cloud Security.. makes me wonder if anyone trialed or feedback was even conducted with real world business operations in mind.
0 Likes
Reply
Jonhed

‎Oct 26 2021 05:47 PM - edited ‎Oct 26 2021 05:53 PM

‎Oct 26 2021 05:47 PM - edited ‎Oct 26 2021 05:53 PM

Re: Exclude Users or Devices

Yes, I am pretty sure it is a functionality many people want.

In this case, MCAS does not have forward proxy functionality in itself, so it only supplies list of unsanctioned Apps(URLs), and it is then up to the solution that does the blocking (MDE, SWGs etc) to manage the targets and actions to take (to block or warn, who or what to target/override).

MDE does not have any functionality to target specific users, only device groups, so targeted overrides is quite limited at the moment.
If more complex policy management is a must, you would have to look at SWGs such as Zscaler Internet Access, which also works with MCAS cloud discovery and can do automatic blocking.

0 Likes
Reply
SuperNotDuper

‎Oct 26 2021 06:02 PM

‎Oct 26 2021 06:02 PM

Re: Exclude Users or Devices

thank you for the detailed reply. I dont want to have to use a third party solution - really wanted to keep it all under wraps with MS. However, as I feel like Cloud security doesnt perform to the degree i want - seems i'll either drop the Cloud security feature entirely or use a third party at this point unfortunately.
0 Likes
Reply