Advanced security for any app in your organization
Published Aug 28 2019 06:14 AM 23.8K Views

This blog post was co-authored by @Alex Esibov - Senior Program Manager, Cloud App Security


In today’s modern enterprises, apps run the workplace. While we see an average of 129 IT-managed applications, discovery data from our Cloud Access Security Broker (CASB) shows that the total number of apps accessed by employees in large organizations exceeds 1,000.

In addition, we see that a hybrid app environment is a reality for many organizations. You likely still have on-premises apps alongside your modern cloud apps, as well as a wide range of custom line-of-business apps, that all need to be equally integrated into your security strategy.




The increasing number of apps and their various deployment modes provide a challenge for IT departments in ensuring secure access and protecting the flow of critical data with a consistent set of controls.

To help streamline the process of providing advanced security for any app in your organization, Microsoft Cloud App Security now provides real-time session controls for any app across cloud, on-premises and custom apps. It provides a centralized experience that allows you to apply a standardized set of inline controls to all the apps in your organization, making it the first Cloud Access Security Broker (CASB) to deliver on a true self-service onboarding experience with a standardized set of powerful monitoring capabilities and controls.


This expands the support for Conditional Access App Control, our CASB inline controls, to any app in addition to the rich support we already offer for a set of featured applications. Any app in your environment can now be protected by our CASB solution and allows you to enable powerful real-time monitoring and control over data infiltration and exfiltration across your cloud, on-premises, and custom apps. In creating this new capability, we were focused on developing a solution for customers that ensures a fast, simple and integrated deployment, taking away the pain points of traditional proxy configurations.


Any cloud app that leverages SAML 2.0 or Open ID Connect and is configured with single sign-on in Azure AD, as well as any on-premises app configured with Azure AD App Proxy that uses Kerberos Constrained Delegation (KCD) is supported.




The self-guided deployment is simple and only requires 3 basic steps:


1. Configure the app in Microsoft Cloud App Security

2. Traverse the app to ensure to ensure as all behaviors are expected, with the ability to provide feedback to the engineering team from directly inside the app to enable a fast fix process if needed.

3. Enable the app with a checkbox deployment and configure the relevant conditional access policies


GIF 1: Onboarding a custom app to Cloud App Security and admin testingGIF 1: Onboarding a custom app to Cloud App Security and admin testing


Once an app is connected, you can implement any of the below controls to prevent exfiltration of sensitive data during risky user sessions, and equally prevent malicious files from compromising your environment:


Data exfiltration

  • Block download
  • Block copy/cut
  • Block print
  • Apply Azure Information Protection (AIP) label on download


Data infiltration

  • Block upload
  • Block paste


Exemplary use case: Prevent download when the user's device is unmanaged


use case2.png


GIF 2: End user experience when a file download is blockedGIF 2: End user experience when a file download is blocked


All activities are monitored by our Cloud Access Security Broker and available for review and in-depth analysis in the admin activity log. On the Activity log  page admins can leverage various filters to find specific activities or search for activities performed on a certain file. In addition admins can create activity-based policies to define alerts and automatic governance actions. In the image below you can see a series of activities performed by an end users across various apps. Upon login to a custom app, the user was redirected to inline session controls.


Image 1: Activity log in Microsoft Cloud App Security, showing redirection to the reverse proxy for a custom app.Image 1: Activity log in Microsoft Cloud App Security, showing redirection to the reverse proxy for a custom app.


The extension of Conditional Access App Control to any app is a game changer in securing your organization. It allows for seamless and centralized configuration of real-time security policies and monitoring across all the apps that matter to you with easy onboarding and an optimized end-user experience. At the same time, we will continue to expand our list of featured apps that will provide custom controls specific to each app.—for example, protecting sensitive content from being share via IM messages in Microsoft Teams.

Get started today and onboard all apps that matter in your organization.


More info and feedback




Version history
Last update:
‎Nov 02 2021 04:33 PM
Updated by: