Microsoft ATP missing in CAS settings

Copper Contributor

We integrated MS Defender ATP with CAS and data is showing in Cloud Discovery Dashboard and logs are uploaded fine. But in CAS/Settings/Cloud Discovery there's no entry for "Microsoft Defender ATP" where are can switch on blocking unsanctioned apps. Also, in Settings all System settings, like "Organization details", "Mail settings" are missing. Searching the web didn't give me any clue

19 Replies

@MCJM1 

 

Hi, in CAS, go to the Cog wheel and click settings;

 

Screenshot 2020-04-22 at 17.00.02.png

 

Then, go to Microsoft Defender ATP, and you can block unsanctioned apps as below.

Screenshot 2020-04-22 at 17.00.11.png

@MCJM1 

 

As for mail settings, you don't see these under Settings > System > Mail settings as below?

 

Screenshot 2020-04-22 at 17.21.46.png

@PeterRising I know I should find that option there, but the issue is that the option doesn’t exist there. Also, the other settings I mentioned are missing.

@MCJM1 

 

Oh my apologies, I thought you were looking where to find these settings.

 

OK, may I ask when you enabled the integration from the Defender ATP portal?  Also, what licensing do you have in M365 please?

@PeterRising 

I enabled integration several months ago, but only recently I wanted to block unsanctioned apps and discovered the options weren’t available anymore. I’m sure it was there before. All users have Office365 E3, ATP, CAS and EMS-licenses. That must be sufficient. Unfortunately I don’t know when the options disappeared.

@MCJM1 

 

Interesting, so the options were available at one point then?  Have you had any licence changes in that time?  Is your EM+S E3 or E5?  If you have EM+S E3 plus the CAS add-on, or EM+S E5, you should be able to leverage all of the features of MCAS.

 

I'd recommend opening a support ticket with Microsoft and get them to check this out for you.

@PeterRising 

we indeed have EM+S and CAS addons, so it should be sufficient. I already opened a case with Microsoft, but after 4 transfers to other support teams I still didn’t get any serious response. I guess I have to be patient a little more 🙂

Anyhow, thanks for your responses!

@MCJM1 

 

Frustrating.  I'll see if I can find out anything more for you and feedback if i do. Let me know how you get on.  Good luck!

@MCJM1 

 

Oh one final thing.  Am guessing you are either a Global Admin or a Security Admin?

@PeterRising 

sure, I’m global admin. 

@MCJM1 

 

One other thought - have you tried logging in with a different Global Admin account?  I recently had an issue where some of the options in O365 ATP disappeared for me in the Security and Compliance Center.  I logged in with another GA account and they were all there.  Not long afterwards, they randomly reappeared in my own GA account.

@PeterRising 

Hi peter, I already tried that, but it didn't work. But in searching for a solution I noticed something: there are two versions of CAS: "Microsoft Cloud App Security" and "Office365 Cloud App Security". We are using the latter:

CAS.JPG

But based on our licenses we are entitled for MCAS. I now investigating how we can "upgrade" to Microsoft Cloud App Security.

Maybe that will solve the issue.

@MCJM1 

 

Yes there are indeed two flavours of CAS which are MCAS and OCAS.  OCAS comes with O365 E5, and MCAS comes with EM+S E5, and to the best of my knowledge it also comes with the licensing that you have of EM+S E3 with the CAS add-on.

 

To prove this theory, I recommend you see if you can get an EM+S E5 trial and apply it to your GA account.  See if that makes a difference maybe?

@MCJM1 

 

Yeah, unless i'm missing something very obvious, the CAS add-on is only available as MCAS as shown below;

 

Screenshot 2020-04-23 at 09.53.32.png

So if it is this add-on that you have, then MCAS is what you should be getting, not OCAS

@MCJM1 

 

This confirms it.  EM+S E3 plus standalone CAS gets you the full MCAS features and not just the subset that comes with OCAS.

 

https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2NXYO

@PeterRising 

Things are getting clearer: We have EMS E3, O365 E3 and Office365 Cloud App Security licenses. So it seems to be correct that we're using OCAS. But still: Microsoft ATP is integrated in our OCAS, so it should be possible to block apps. I will contact our license-supplier to check what to expect with the licenses they sold us:-)

@MCJM1 

 

Licensing is such a minefield.  There really are too many different ways to get CAS and it's really difficult keeping up.  Hope you manage to get somewhere with this but it sounds like you are on the right track!

@PeterRising According to our license-specialist OCAS-licenses are retired per Februari 1st and all users should upgrade to MCAS as soon as their subscription end:

 

How are existing Office 365 Cloud App Security customers impacted

On February 1, 2019, the Office 365 Cloud App Security USL standalone SKU was retired, and new customer subscriptions will no longer be available as a standalone. Office 365 CAS will continue to be included with Office 365 E5 and Microsoft Cloud App Security.

Existing customers will see no changes for the remainder of their current enrollment term and may continue to add new Office 365 Cloud App Security standalone USLs.

Customers with enrollments expiring on or before June 30, 2019 will have the option to renew Office 365 Cloud App Security standalone for one more term.

Customers with Office 365 Cloud App Security standalone enrollments expiring after June 30, 2019, will need to move to Microsoft Cloud App Security at renewal to maintain the service

 

In the meantime nothing should change in an existing environment. Apparently we now have a mixed environment: partly MCAS but with the limitations of OCAS. They couldn't tell me whether this is correct. Our subscription ends on July 1st, so after date we will have MCAS-licenses. I hope everything will then work as expected.

@MCJM1 

 

That is pretty annoying that you have to wait until July 1st to find out.   Licensing is always such a minefield.