Secure Access for applications with Microsoft Cloud App Security
Published Mar 09 2021 09:00 AM 13.6K Views

Authored with Anisha Gupta, Product Manager, Microsoft Cloud App Security 


Digital transformation has been accelerated by remote workThe result is that many of our toughest security challenges have risen to the surface. Our traditional perimeter-based network and security models can’t adapt as quickly to this massive, fast shiftMany organizations are struggling to support permanent hybrid work models. For them, establishing secure access outside the corporate network is critical and remains elusive. As employees transition to these work models, they’re unintentionally bringing new risks and threats—for example, when accessing corporate resources from personal and unmanaged devices. It’s a challenging landscape that security teams are expected to manage.  


In 2020, the Microsoft Threat Intelligence Center reported a 230% increase in password spray attacks alone, and observed over 5 billion attacker-driven sign-ins. As our cloud services evolve, threats also evolve. It’s clear that a new approach to security is required. Thankfully, security admins can leverage secure access in Microsoft Cloud App Security to remediate against this increasing threat landscape.  

Your cloud access security broker (CASB) should provide secure, easy and adaptive access to your organization’s apps depending on factors like location, device and user behaviorAdaptive access affirms the security measures your organization has put into place. This brief two-minute video demonstrates the flexibility of secure access in Microsoft Cloud App Security: 

In this blog post, we will summarize Conditional Access App Control and celebrate an exciting new capability which provides continuous adaptive access.


Background: Conditional Access App Control in Microsoft Cloud App Security 

Microsoft Cloud App Security enables admins to enforce real-time monitoring and controls on actions performed within a session. These controls can be configured through either a single checkbox integration with Azure AD Conditional Access or a quick set-up wizard with 3rd party identity providers. Based on access conditionslike the identity sourcethe device being usedor the risk level of the user, the user actions can be explicitly allowed or blocked. 


Adaptive Access: step-up authentication  

Today, we’re excited to introduce a powerful new administrative controlpolicy action for in-session step-up authentication. The announcement of this feature shifts the paradigm from only enforcing security checks at the entrance to a session, to the adaptive enforcement of those same conditions in the sessionIn partnering with Azure AD, Microsoft Cloud App Security has enabled admins to configure Conditional Access authentication context and apply it to in-session activities. In-session actions, like the download of sensitive information, can now be required to pass through an additional security check, such as an MFA challenge or device compliance check, before a user can access data. 


This feature re-evaluates Azure AD Conditional Access policies in real-time when a sensitive action is performed, to mitigate the risk of changing conditions and risk In this screenshot, we can see how the new feature is expressed as a secondary security check, required as the user attempts to download a PDF from 3rd party app on an unmanaged device: 


After the security check is complete, the user receives an on-screen result of the check: 



What to do next 

We invite you to take these scenarios and adapt them to your organizational needs. This grants visibility into your cloud environment for all your apps. For onboarded and sanctioned apps, the Cloud App Security team recommends that admins apply access and session controls.  Leveraging advanced scenarios like access and session controls, Azure AD User Risk or in-session step-up authentication, in accordance with your organization’s environment security goals, is the next step toward a secure posture management of sessions. For unsanctioned apps, the recommended first step is to block the application at the endpoint with a policy, or utilize the Microsoft Cloud App Security Endpoint CASB tools. In either scenario, the two layers of cloud and identity determine the best way to deploy secure adaptive access in your environment 


Organizations can easily, flexibly block any app from access by the end user. Users can effectively use their time, unencumbered by security and compliance concerns because they are already being protected by adaptive access scenariosAn integrated set of solutions from Microsoft work in concert across your security stack. 


For further training or information, view Anisha’s twenty-minute discussion on secure access in Microsoft Cloud App Security: 




We welcome your feedback or relevant use cases and requirements for this pillar of Cloud App Security by emailing and mention Secure Access. 


Learn more 

For further information on how your organization can benefit from Microsoft Cloud App Security, connect with us at the links below: 

Join the conversation on Tech Community 

Stay up to date—subscribe to our blog.  

Upload a log file from your network firewall or enable logging via Microsoft Defender for Endpoint to discover Shadow IT in your network. 

Learn more—download Top 20 use cases for CASB. 

Connect your cloud apps to detect suspicious user activity and exposed sensitive data. 

Search documentation on Microsoft Cloud App Security 

Enable out-of-the-box anomaly detection policies and start detecting cloud threats in your environment. 

Understand your licensing options .  

Continue with more advanced use cases across information protection, compliance, and more. 

Follow the Microsoft Cloud App Security Ninja blog and learn about Ninja Training 

Go deeper with these interactive guides: 


To experience the benefits of full-featured CASB, sign up for a free trial—Microsoft Cloud App Security. 

Follow us on LinkedIn as #CloudAppSecurity. To learn more about Microsoft Security solutions visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity on Twitter, and Microsoft Security on LinkedIn for the latest news and updates on cybersecurity. 

Version history
Last update:
‎Nov 02 2021 04:59 PM
Updated by: