Suspicious Session Detected - Azure Security in Question.
Daily, I receive notifications on suspicious sessions that were detected in our organization. What is concerning is that often some of these accounts were recently created. I have MFA enabled and conditional access, so they suspicious activity of itself is not concerning (they are all denied). What is concerning is how are people (hackers/bots/etc.) getting these accounts and attempting access? Especially accounts that are recently created. There have been times that an account had this notification and was just created within days. In the old days, that would be a flag that a port is open that was allowing access to listing user accounts but in Azure, one would think that is not the case. Is there something I need to tighten up to prevent these?Requested Scope Not Present in Access Token scp Claim
TL,DR version: I have an Azure AD app registration for a UI configured with permission to request an API scope from another app registration. The UI app is correctly requesting the API scope and the scope is present in the consent UI presented to the user. The scp claim does not contain the API scope even though it was authorized. Is this expected behavior? Hello all. I have a pretty extensive background in leveraging OAuth 2.0 and OIDC for authorization and authentication management. However, I'm just breaking into the Azure implementation of these concepts, and I'm finding myself a little confused by some of the specifics. My goal is to use Azure AD app registrations to secure the interaction between a UI and the API it consumes. Historically, I'm used to defining a scope, granting my UI client permission to request that scope from my IdP, and demanding on the API side that the scope claim be present in an access token to authorize access to that API. I've defined an app registration for my API, as well as defined an "all access" scope for it under the Expose an API blade. I've also defined an app registration for my UI and requested that scope under the API Permissions blade. I've created the UI client app and added the fully qualified scope name (something like api://my.api.name/MyApi.All) to the requested scopes for the authorize request to be made using the MSAL. When logging in, my user is presented with the consent UI, and the API scope and app are listed as part of the requested permissions. When monitoring the request in my browser network tab, the scopeform data element includes the expected value, something like: scope: User.Read api://my.api.name/MyApi.All openid profile offline_access This is what I would expect if I wanted to request API scope access, MS Graph access, and user profile information from Azure AD, all appropriate for my goals. However, when checking the access token returned from the request, the scp claim only includes the following: { ... "scp": "openid profile User.Read email" ... } I'm a little confused by the results here, because if I'm requesting access to a resource scope, my expectation is that the resource should be able to verify the access token presented contains the required scope for access. Is there some reason the app registration's resource principal is cut out of the list here? Am I misunderstanding the access model intended with these app registrations? Or did I just mess up my configuration somewhere? EDIT: It appears, after some testing, that the order in which I request scopes in MSAL determines the output of the access token. It would seem that I cannot request Microsoft Graph API scopes at the same time as one of my app registration API scopes, and the first requested scope defines what else is included in the token. Is my understanding correct, and is this expected? I can imagine some of the reasons why this is so, but could use validation.
Conditional access app control vs. Conditional access
Hello all I'm trying to understand when i would use one vs. the other? On the surface it looks like "Conditional access app control" is used when i want to redirect my 3rd party saml apps to MCAS, and "Conditional access" in cloud app security only applies to the built in O365 apps ? Is this correct ?Cloud app security non-interactive
Does cloud app security detect and log non-interactive sign-on's ? When i look at the azure sign-in logs for a particular user, i can see the non interactive sign-on's, however trying to match this up or corelate this in cloud app security is proving to be difficultTrying to get an app into cloud app discovery
Hello We use an app called "OfficeSpace" I can see this app in "Cloud Discovery". I am trying to get the app added to "cloud app security" . Per the screen shot below , i have selected "use with CA app Control" , however i still dont see the app in cloud app security. Any help is appreciated.
How to restrict access to D365 Customer Insights to company network (IP range)
Hi, I'd like to ask if anyone here knows a way to restrict access to the Customer Insights app so that users can access this cloud app only if they are doing it from within our own network? We were able to set up an AAD Conditional Access policy to achieve this for other Dynamics 365 apps by restricting access for the Common Data Service. But I don't find an appropriate app to select for restriction of Customer Insights. Do we have to restrict something different to achieve this or do we have to use another feature or is it not possible to do what we want? Our data protection officer told us that we have to seal our D365 cloud apps off first before we may upload sensitive customer data to/through it. That way we can easily make sure (more or less) that users use controlled devices and controlled client apps and filtered LAN/VPN that prohibits them from accidentally orintentionally leaking sensitive data to other services etc. I appreciate every hint. Thanks in advance. RobertoConditional access app control differences
Hello I have a bunch of saml enterprise apps that have been added to Azure enterprise applications. Azure is the IDP for these apps. If i create a CA policy and add for example the "Docusign" app to "Use Conditional access app control" and select "Monitor" , after logging into the app i can now see the app in "Connected apps" in cloud app security. My question is what is the difference between adding "Docusign" using the wizard below vs. adding the app using a CA policy ?
Export report
We have over 260K users all with one-to-one laptops for our k-12. I use this Office 365 Cloud App Security very often, daily to monitor activity. There are times we have in one 1-2 days 250 open alerts in Office 365 Cloud App Security, such as leaked credentials, impossible travel etc. When we have that many this dashboard unusable because the export feature does not include the user's ID (UPN) from AD.
New Blog Post | Prevent sophisticated attacks: MCAS and M365 Defender
New Blog Post | Prevent sophisticated attacks: MCAS and M365 Defender - Microsoft Tech Community Attacks don’t respect domain boundaries. They move fast across cloud applications, endpoints, user identities and data domains. They establish a foothold and move laterally acrossplatforms. The integration of Microsoft Cloud App Security and Microsoft 365 Defenderisdesignedto reduce the surface area for potential attackbyaccomplishing thesethreekeyobjectives(and that’s just the start): Protectingagainst attacks and coordinatingdefensive responses in multi-cloud, multi-app environments and other Microsoft 365 Defender workloads through signal sharing and automated actions. Deliveringcomplete narration of the attack across products for security teams by joining data on alerts, suspicious events by comparing UEBA analytics and impacted assets to incidents. Enablingsecurity teams to performdetailed, effectivethreat hunting across all security domains.
