First published on CloudBlogs on Nov 13, 2017 by Microsoft Cloud App Security Team
At Microsoft Ignite 2017, we announced the upcoming public preview of Conditional Access App Control. We are very excited that the time has arrived, and this feature is now in public preview! In this blog, we'll dive deeper into the functional implementation of the feature and explain key productivity use-case scenarios. Our goal is to provide you with detailed information to help you secure your cloud app data and perform real-time monitoring. Let's get started!
Azure Active Directory (Azure AD) conditional access and Microsoft Cloud App Security Conditional Access App Control work hand in hand to provide real-time monitoring and session control for cloud apps. In-session controls start with an Azure AD conditional access policy. In Azure AD, IT admins build a conditional access policy to define who (users or groups of users) and which applications should be routed to Microsoft Cloud App Security, forming a set of conditions that can include user sign-in risk. In public preview, these policies apply to SAML-based app logins. After you select Cloud App Security Conditional Access App Control as a session control in the Azure AD console, the conditional access engine evaluates each user's sign-in to determine whether a policy is in place for the specific set of conditions the user is coming from. If so, Azure AD sends that information to Microsoft Cloud App Security and, based on the filters set in the Conditional Access App Control session policy, the appropriate actions are taken on the user's activities.
Conditional Access App Control session policies help you to control and limit the user activities in the session itself. To do this, you define additional conditions for the session through filters, then you define the types of control (e.g. block download) you would like to implement based on these conditions. Filters. You can create activity or file filters. Here are some commonly used filters to create granular and effective session policies:
Actions. Once you've defined the filters for the policy, which establish the parameters that will be evaluated, you can now determine the actions or controls. You can select to allow, block, or protect access to a document:
To keep the user within the session, all the relevant app URLs, JavaScript, and cookies within the session are replaced with unique URLs. For example, if the app returns a page with links whose domains end with myapp.com, the links will appear as: myapp.com.us.cas.ms. As a result, events within the session can be monitored, and when a download event is triggered, your desired control action is applied by either blocking the download or protecting the file.
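As an added illustration (not Microsoft's proxy code), the following constructed helper models the suffix rewriting described above: hosts under the app's domain get the session-proxy suffix while path and query are preserved, links to other domains are left alone, and an already-rewritten link is not suffixed twice. The `.us.cas.ms` suffix is the one quoted in the post; the `is_proxied` check is an assumed helper for confirming that a link a user reports actually sits inside a proxied session.

```python
from urllib.parse import urlsplit, urlunsplit

# Suffix quoted in the post for a proxied session (constructed example, not product code).
PROXY_SUFFIX = ".us.cas.ms"


def is_proxied(url: str, suffix: str = PROXY_SUFFIX) -> bool:
    """True when the link's host already carries the session-proxy suffix."""
    return (urlsplit(url).hostname or "").endswith(suffix)


def proxy_url(url: str, app_domain: str, suffix: str = PROXY_SUFFIX) -> str:
    """Rewrite a link under app_domain so that following it keeps the user in the session.

    Links to unrelated domains and links that are already proxied are returned unchanged,
    which mirrors the post's point that only the app's own URLs are replaced.
    """
    if is_proxied(url, suffix):
        return url  # never double-suffix a host the proxy has already rewritten
    parts = urlsplit(url)
    host = parts.hostname or ""
    under_app = host == app_domain or host.endswith("." + app_domain)
    if not under_app:
        return url  # third-party link: leaves the monitored session, not rewritten
    netloc = host + suffix
    if parts.port:
        netloc += f":{parts.port}"
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    # Constructed sample links as an app page might return them.
    print(proxy_url("https://myapp.com/files?id=1", "myapp.com"))
    print(proxy_url("https://files.myapp.com/x#top", "myapp.com"))
    print(proxy_url("https://cdn.example.net/app.js", "myapp.com"))
```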
Let’s put everything together and look at a conditional access policy and session policy working together for a typical use case scenario: Example Azure AD Conditional Access Policy:
Conditions : User is Bob, App is Box
Controls : Use proxy-enforced restrictions
Example Conditional Access App Control session policy:
Session Control Type : Monitor all activities and control file download
Filters : Classification label equals “confidential”; Device tag does not equal “compliant, domain joined or valid client certificate”
Action : Block
The Azure AD conditional access policy and the Conditional Access App Control session policy work together to perform real-time monitoring and control. User Bob, accessing Box from a non-compliant device such as his personal computer, would be routed through Azure AD to Microsoft Cloud App Security, where his session would then be monitored. If Bob attempts to download a confidential-labelled file, the download is blocked and Bob is presented with a message that he is not allowed to download the file from the device he is using. Bob can still access Box and non-confidential files, but he will not be able to download the confidential files to this unknown and non-compliant machine. This capability gives you granular control over actions in user sessions. Blocking sensitive data downloads to unmanaged devices helps you protect your organization's data. At the same time, Bob can access the app and complete his required work from home. But this is only one of many use cases. IT admins can also perform the following key protection and productivity scenarios:
Conditional Access App Control session policy – actions
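To make the two-stage evaluation in the Bob/Box scenario concrete, here is an added, constructed model (not Microsoft code) of how the Azure AD conditional access conditions decide whether a session is proxied at all, and how the session policy's filters then decide the action on a download. The dataclasses, the `MANAGED_TAGS` set and the function names are assumptions made for the example; the tag names and the "confidential" label come from the policy in the post.

```python
from dataclasses import dataclass, field

# Device tags the session policy filter in the post treats as a managed device.
MANAGED_TAGS = {"compliant", "domain joined", "valid client certificate"}


@dataclass
class SignIn:
    user: str
    app: str
    device_tags: set = field(default_factory=set)  # tags observed at sign-in
    protocol: str = "SAML"                          # preview covers SAML-based logins


@dataclass
class DownloadEvent:
    file_label: str                                 # classification label on the file


def azure_ad_routes_to_proxy(sign_in: SignIn, users: set, apps: set) -> bool:
    """Stage 1: conditional access conditions (who, which app, SAML login)."""
    return (sign_in.user in users and sign_in.app in apps
            and sign_in.protocol == "SAML")


def session_policy_action(sign_in: SignIn, event: DownloadEvent,
                          label: str = "confidential") -> str:
    """Stage 2: block downloads of `label` files from devices lacking a managed tag."""
    label_matches = event.file_label.lower() == label
    unmanaged = not (sign_in.device_tags & MANAGED_TAGS)
    return "block" if label_matches and unmanaged else "allow"


def evaluate(sign_in: SignIn, event: DownloadEvent,
             users: set, apps: set, label: str = "confidential") -> str:
    """Full path: a session that is never proxied is never seen by the session policy."""
    if not azure_ad_routes_to_proxy(sign_in, users, apps):
        return "not proxied"
    return session_policy_action(sign_in, event, label)


if __name__ == "__main__":
    # Constructed scenario from the post: Bob on his personal PC (no managed tags) in Box.
    bob_at_home = SignIn("bob", "box")
    print(evaluate(bob_at_home, DownloadEvent("Confidential"), {"bob"}, {"box"}))
```

The "not proxied" outcome is the one to watch for in a rollout: a user or app outside the Azure AD policy scope never reaches the session policy, so the download filter cannot apply to them.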
For those of you who are familiar with Microsoft Cloud App Security, you know the power of our activity log to investigate actions and events and pivot on critical inputs such as user and application. Regardless of the deployment method, API or reverse proxy (Conditional Access App Control), you can analyze activities in protected apps, gain a greater understanding of user behavior, and refine your session policies based on these insights. Additionally, you can also select Conditional Access App Control as a source for discovery analysis which will allow you to gain visibility to app traffic and usage patterns routed through the reverse proxy.
Detailed information is now available at our technical documentation site. As always, we want to hear from you! If you have any suggestions, questions, or comments, please visit us at our Tech Community page.