Conditional Access and MCAS RBAC!

By @Sarahzin and @erin_boris 

Hi everyone, we are very excited to bring you this blog on one of our most asked questions regarding Microsoft Cloud App Security (MCAS) access! Many customers face a constant dilemma over how to restrict access in line with the security best practice of least privilege. As you may know, access to MCAS can be granted through roles inherited from Azure Active Directory (AAD) or through role-based access control (RBAC) assignments made within the MCAS portal itself.

[Image: RBAC.png]

For more information on overall MCAS RBAC, check out our documentation! It is important to note that you cannot overwrite an AAD admin role with a manually assigned MCAS role, as AAD role assignments take precedence over MCAS-assigned roles.

As it stands today, AAD Global administrators and Security administrators have full access and permissions in MCAS. They can add admins, create policies and settings, upload logs, and perform governance actions.

 

The Security administrator role is one of the most commonly assigned admin roles; it carries permissions to manage additional security-related features and products within the Microsoft stack (Microsoft Defender for Endpoint, Intune, etc.). As our customers continue to use our security products, they have come to us asking how to limit AAD role permissions for MCAS, and within other products as well. This blog goes over a customer scenario for MCAS and the steps that can be taken to meet their requirements.

 

Customer Scenario: We follow a very specific RBAC policy. We have Security administrators assigned to specific groups for access across our entire security stack. However, we want to follow least privilege and grant access to specific products using the permissions inherited from the Security administrator role. Not all products have a product-specific administrator role available in AAD. How do we limit the Security administrator role's access in MCAS without impacting existing permissions to other products?

 

Solution: AAD Conditional Access

 

By navigating to the Azure Portal and selecting AAD Conditional Access, we can scope a policy based on specific conditions. For more information regarding Conditional Access, check out our overview documentation.

 

Let's start with a Conditional Access policy named "MCAS Restrictions" and begin our conditions with "Users and Groups" under Assignments.

 

In the screenshots below, we have configured our policy to include the Azure roles of Security administrators and Global administrators (both roles have access to MCAS by default) and exclude two of our users from the policy, Adele and Allan.

[Screenshots: Try.jpg, Try 2.jpg]

Within "Cloud App or Action," we selected Microsoft Cloud App Security so that this policy applies only to users attempting to sign in to MCAS. Under "Access Control," we selected Block Access.

[Screenshot: Try 3.jpg]

When Christie Cline, who is currently assigned the Security administrator role, attempts to sign in to MCAS, she receives the following message:

[Screenshot: RBAC.png]

For larger organizations, it can become challenging to separate duties between roles. Conditional Access offers the capability to quickly deny access to users who are privileged but do not need to sign in to MCAS and other security applications. In addition, this process is not limited to the Security admin role; it can be scoped to other directory roles. With proper configuration, Conditional Access will take precedence over AAD directory roles.
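The "MCAS Restrictions" policy described above, written out in the shape of a Microsoft Graph conditionalAccessPolicy together with a small evaluator that applies its include/exclude semantics to sample sign-ins. This is an added example, not code from the original post or from Microsoft: the role template IDs are the well-known AAD values, while the MCAS app ID and the user object IDs are placeholders.

```python
# Added example (not from the original post): model the "MCAS Restrictions"
# policy and evaluate sample sign-ins against it.
# Role template IDs are the well-known AAD values; the app and user IDs are
# placeholders, not values taken from the post.
SECURITY_ADMIN_ROLE = "194ae4cb-b126-40b2-bd5b-6091b380977d"
GLOBAL_ADMIN_ROLE = "62e90394-69f5-4237-9190-012177145e10"
MCAS_APP_ID = "<mcas-app-id-placeholder>"
ADELE_ID, ALLAN_ID = "<adele-object-id>", "<allan-object-id>"

# Mirrors the Graph conditionalAccessPolicy resource: target the two
# directory roles, exclude Adele and Allan, scope to the MCAS app, block.
MCAS_RESTRICTIONS_POLICY = {
    "displayName": "MCAS Restrictions",
    "state": "enabled",
    "conditions": {
        "users": {
            "includeRoles": [SECURITY_ADMIN_ROLE, GLOBAL_ADMIN_ROLE],
            "excludeUsers": [ADELE_ID, ALLAN_ID],
        },
        "applications": {"includeApplications": [MCAS_APP_ID]},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["block"]},
}


def policy_applies(policy, user_id, user_roles, app_id):
    """True when the sign-in is in scope: the policy is enabled, the app
    matches, the user holds an included role and is not explicitly
    excluded. Exclusions win over inclusions, which is how Adele and
    Allan keep their inherited MCAS access."""
    if policy["state"] != "enabled":
        return False
    cond = policy["conditions"]
    if app_id not in cond["applications"]["includeApplications"]:
        return False
    users = cond["users"]
    if user_id in users.get("excludeUsers", []):
        return False
    return any(r in users.get("includeRoles", []) for r in user_roles)


def evaluate_sign_in(policy, user_id, user_roles, app_id):
    """Return 'block' when the policy's block control fires, else 'allow'.
    Sign-ins to other apps are untouched, so permissions elsewhere stay."""
    if policy_applies(policy, user_id, user_roles, app_id) and \
            "block" in policy["grantControls"]["builtInControls"]:
        return "block"
    return "allow"
```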

 

Let us know if you have any feedback after trying this Conditional Access policy. What other scenarios would you like us to cover? Feel free to comment below!

Great article on RBAC and MCAS!

Thank you for sharing with the community!

RBAC is great! :cool:

Different take on limiting the privileges of AAD RBAC - Excellent article

Excellent article -- I would not have thought to limit scope with a Conditional Access rule! Thanks @Sarahzin