Exclude Users or Devices

Hello Community Members,

We have some unsanctioned apps in MCAS and created a service user which still should have access to those domains.

Is it possible to exclude users or devices so that they won't be blocked when accessing the domains?


Thanks in advance 🙂

11 Replies

Hello,

In Settings cog - in the right upper corner under cloud discovery: exclude entities - add your users, IP, groups, devices.

"This list contains discovered users who are excluded from Cloud Discovery data in your organization. Exclusions apply only to new data."


Hello,

Thank you. I cannot choose any users, it says: No items to show. Also I cannot see all of the devices, only some of them.

Any ideas?

The users and devices from the Cloud Discovery data that is analysed should be there. If you go to the Cloud Discovery Dashboard, do you see your user there? If not, can you generate some traffic for that user?

I see them all, users and devices, on the Dashboard but not on the entities page.
The funny part is that network protection is not enabled on the devices. As far as I understand, Network Protection was a requirement so that MCAS can block apps on endpoints. Do you know the Event ID when a domain gets blocked? Maybe I can see why it is still blocking.

I did add the user and device to the exclude entities list but the domains are still blocked. Any other ideas?

@Ugur_Koc 

Is there any way to perform this? Why is this feature not added from the get-go? Such a pain and will cause the product not to be used now...

The only option available to override MCAS unsanctioned apps is to create custom network indicators in MDE.
This override can only be assigned to MDE device groups though, so if you want to limit this to specific users, these users will need to have personally assigned devices (as in devices not shared with other users).
https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/web-protection-overview?vi...
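
The override described in the reply above, sketched as an added example that is not part of the original thread: it builds device-group-scoped "Allowed" domain indicators in the shape the Defender for Endpoint Indicators API accepts, without sending anything. The domain, device group name and expiry are constructed placeholders, and the refusal to build an unscoped indicator is a design choice of this example.

```python
import json
import re

# Defender for Endpoint Indicators API endpoint (the request itself is not sent here).
INDICATORS_ENDPOINT = "https://api.securitycenter.microsoft.com/api/indicators"

_DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")


def normalize_domain(value):
    """Reduce input to a bare lowercase domain; reject URLs, paths and wildcards."""
    domain = value.strip().lower().rstrip(".")
    if not _DOMAIN_RE.match(domain):
        raise ValueError(f"not a plain domain name: {value!r}")
    return domain


def build_allow_indicators(domains, device_groups, expires_utc):
    """Build one 'Allowed' DomainName indicator per domain, scoped to device groups."""
    groups = [g.strip() for g in device_groups if g.strip()]
    if not groups:
        # Assumption: an indicator without rbacGroupNames is not limited to a device
        # group, so it would lift the unsanctioned-app block far beyond the service user.
        raise ValueError("refusing to build an unscoped allow indicator")
    payloads = []
    for domain in sorted({normalize_domain(d) for d in domains}):
        payloads.append({
            "indicatorValue": domain,
            "indicatorType": "DomainName",
            "action": "Allowed",
            "title": f"Allow {domain} for scoped devices",
            "description": "Override of unsanctioned-app block for listed device groups",
            "expirationTime": expires_utc,
            "rbacGroupNames": groups,
        })
    return payloads


if __name__ == "__main__":
    # Constructed sample values: domain and device group name are placeholders.
    sample = build_allow_indicators(
        ["Files.Example.com", "files.example.com."],
        ["Service-Account-Devices"],
        "2030-01-01T00:00:00Z",
    )
    print("POST", INDICATORS_ENDPOINT)
    print(json.dumps(sample, indent=2))
```

Each payload would be submitted as its own POST by an identity permitted to manage indicators; giving the exception an expiry keeps it from outliving the service account it was created for.
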
Thanks for the reply - I'll give it a go.

Such a shame there isn't an exclusion area in Cloud Security. Makes me wonder if anyone trialed or feedback was even conducted with real world business operations in mind.

Yes, I am pretty sure it is a functionality many people want.

In this case, MCAS does not have forward proxy functionality in itself, so it only supplies a list of unsanctioned apps (URLs), and it is then up to the solution that does the blocking (MDE, SWGs etc.) to manage the targets and actions to take (to block or warn, who or what to target/override).

MDE does not have any functionality to target specific users, only device groups, so targeted overrides are quite limited at the moment.
If more complex policy management is a must, you would have to look at SWGs such as Zscaler Internet Access, which also works with MCAS cloud discovery and can do automatic blocking.

Thank you for the detailed reply. I don't want to have to use a third party solution - really wanted to keep it all under wraps with MS. However, as I feel like Cloud security doesn't perform to the degree I want - seems I'll either drop the Cloud security feature entirely or use a third party at this point unfortunately.