Defender for Cloud Apps
7 Topics

Playbooks with MDCA
I am attempting to integrate MDCA alerts with Freshdesk as per the example at https://learn.microsoft.com/en-us/defender-cloud-apps/flow-integration. I have E5 without Teams licenses. I created the flow, once from Playbooks in the MDCA portal and once in Power Automate directly, and went to create a policy to test it out, but the option "Sent to power automate" in the policy is always greyed out. Alerts are not automatically detected in the flow unless the action in the policy is set to send to Power Automate, which again is greyed out as an option in the policies. Also, the Playbooks tab in the MDCA portal does not show the flows I created before; it shows empty. It seems the link is broken between MDCA and Power Automate. Any reason for this? Any idea about this? Thanks in advance.

Using Microsoft Defender for Cloud Apps to block apps on managed devices.
Greetings, I have been tasked to work with Microsoft Defender for Cloud Apps and to block the usage of the Firefox browser on all endpoints within my estate, apart from a few users who require it. I have tried the unsanctioned app feature. This only displays a warning prompt, but users can still proceed with using and interacting with the application. We have already configured web content filtering and it works fine. I already looked up other articles relating to downloading a block script, but that applies to other security appliances such as firewalls, which we don't want to get into. Is there a convenient way to block certain apps' usage by solely using Microsoft Defender for Cloud Apps, or is this platform only used for monitoring purposes and cannot really block the app by unsanctioning it?

Only browser activities can be found in Activity Log for Conditional Access App control App
We have added Deskbird into Microsoft Defender for Cloud Apps via an Entra ID CA policy, and it is listed in MDCA - Cloud apps - Activity log now. However, we found that only the activities via web browser were logged; the activities triggered from mobile apps are not. But those activities can be found in the Sign-in logs in the Azure enterprise application portal. How do we make MDCA receive all activities, including both browser and app? We want to set up an access control policy; without visibility into mobile app activities, the policy can't cover all scenarios.

SharePoint site security configurations for Defender Cloud Apps Admin Quarantine Feature
Referring to the Microsoft official documentation below, which is very high-level, has anyone done, or would anyone recommend, hardening or applying security measures to secure the SharePoint site dedicated to the "Admin Quarantine" purpose? It shouldn't be as simple as creating a separate site and setting it in the Defender portal, as this site should not be exposed to the rest of the organization, in my view. Shouldn't we, at a minimum, restrict the permissions of the site? Official reference - Protect files with admin quarantine - Microsoft Defender for Cloud Apps | Microsoft Learn. Any ideas are greatly appreciated! Thank you!

Microsoft Purview- Paint By Numbers Series (Part 10)- Defender for Cloud Apps & DLP - Overview
Before we start, please note that if you want to see a table of contents for all the sections of this blog and their various Purview topics, you can find it at the following link: Microsoft Purview- Paint By Numbers Series (Part 0) - Overview - Microsoft Tech Community

Disclaimer
This document is not meant to replace any official documentation, including those found at docs.microsoft.com. Those documents are continually updated and maintained by Microsoft Corporation. If there is a discrepancy between this document and what you find in the Compliance User Interface (UI) or inside of a reference in docs.microsoft.com, you should always defer to that official documentation and contact your Microsoft Account team as needed. Links to the docs.microsoft.com data will be referenced both in the document steps as well as in the appendix. All of the following steps should be done with test data, and where possible, testing should be performed in a test environment. Testing should never be performed against production data.

Target Audience
The Microsoft Defender for Cloud Apps section of this blog series is aimed at Security and Compliance officers who need to protect data that flows through a Cloud App, meaning a third-party cloud-based application.

Document Scope
This document is meant to guide an administrator who is "net new" to Microsoft E5 Purview. In this blog entry, we want to understand how Microsoft Defender for Cloud Apps (MDCA) is leveraged for Data Loss Prevention. Microsoft Defender for Cloud Apps (MDCA) can be used for things such as Conditional Access, Shadow IT, and other security features. However, in this blog entry, we are focused only on how MDCA can be used for Data Loss Prevention (DLP). This is limited in scope and meant to walk you through the basic process of configuring a DLP activity.
Out-of-Scope
This document does not cover any other aspect of Microsoft E5 Purview, including:
Data Classification
Information Protection
Data Loss Prevention (DLP) for Exchange, OneDrive, Devices
Data Lifecycle Management (retention and disposal)
Records Management (retention and disposal)
eDiscovery
Insider Risk Management (IRM)
Priva
Advanced Audit
Information Barriers
Communications Compliance
Licensing
This is limited in scope and meant to walk you through the basic process of configuring a Data Loss Prevention activity in Microsoft Defender for Cloud Apps. It is presumed that you have a pre-existing understanding of what Microsoft E5 Purview does and how to navigate the User Interface (UI). For details on licensing (i.e. which components and functions of Purview are in E3 vs E5) you will need to contact your Microsoft Security Specialist, Account Manager, or certified partner.

Overview of Document
What MDCA Does
DLP features supported by MDCA

Use Case
An organization that wants to configure Data Loss Prevention (DLP) against a cloud-based application. In this blog we will only look at general DLP use cases.

Definitions
Cloud App – a third-party cloud-based application.
Session Policy – session policies enable real-time session-level monitoring, affording you granular visibility into cloud apps and the ability to take different actions depending on the policy you set for a user session.
Policy Control – these policies "detect risky behavior, violations, or suspicious data points and activities in your cloud environment."

Notes
None.

Pre-requisites
You have read Part 0 of this blog series.

What MDCA does
Microsoft Defender for Cloud Apps (MDCA) is the Microsoft Cloud App Security Broker (CASB). So even though we are looking at it in this blog series to provide DLP functionality, it has a broader range of security features.
Here is a list of the other things you can do with MDCA:
Threat Detection – "Detect unusual behavior across cloud apps to identify ransomware, compromised users or rogue applications, analyze high-risk usage and remediate automatically to limit the risk to your organization."
Information Protection – "Understand, classify, and protect the exposure of sensitive information at rest. Leverage out-of-the box policies and automated processes to apply controls in real time across all your cloud apps."
Conditional Access – "Real-time monitoring and control over access to cloud apps based on user, location, device, and app." This also allows for "real-time session-level monitoring, affording you granular visibility into cloud apps and the ability to take different actions depending on the policy you set for a user session."
Shadow IT – "Identify the cloud apps, IaaS, and PaaS services used by your organization. Investigate usage patterns, assess the risk levels and business readiness of more than 31,000 SaaS apps against more than 80 risks. Start managing them to ensure security and compliance."

DLP features supported by MDCA
For data protection with MDCA, you can create 3 different types of policies:
File Policy
Access Policy
Session Policy
Of these three policy types, the one you will use the most for DLP activities will be the Session Policy. The reason is that Session policies allow for the following Session control types (which are the most similar to service- and device-level DLP functionality):
Monitor Only
Block Activities
Control file download (with inspection)
Control file upload (with inspection)
Here are the Activities related to DLP:
Cut/Paste item
Paste item
Print
Send item (Exchange/Teams message)
Here are the Actions (in addition to the Session control types mentioned above) related to the above Activities:
Test
Block
Apply Microsoft Sensitivity Labels
Apply custom permissions.
Appendix and Links
Overview - Microsoft Defender for Cloud Apps | Microsoft Learn
Data security and privacy practices - Microsoft Defender for Cloud Apps | Microsoft Learn
What's new - Microsoft Defender for Cloud Apps | Microsoft Learn
Session policies - Microsoft Defender for Cloud Apps | Microsoft Learn
Connect apps to get visibility and control - Microsoft Defender for Cloud Apps | Microsoft Learn
Protect apps with Conditional Access App Control - Microsoft Defender for Cloud Apps | Microsoft Learn
Deploy Conditional Access App Control for catalog apps with Azure AD - Microsoft Defender for Cloud Apps | Microsoft Learn
Control cloud apps with policies - Microsoft Defender for Cloud Apps | Microsoft Learn

Microsoft Purview- Paint By Numbers Series (Part 10a)- Defender for Cloud Apps - MSTeams Browser DLP
Before we start, please note that if you want to see a table of contents for all the sections of this blog and their various Purview topics, you can find it at the following link: Microsoft Purview- Paint By Numbers Series (Part 0) - Overview - Microsoft Tech Community

Disclaimer
This document is not meant to replace any official documentation, including those found at docs.microsoft.com. Those documents are continually updated and maintained by Microsoft Corporation. If there is a discrepancy between this document and what you find in the Compliance User Interface (UI) or inside of a reference in docs.microsoft.com, you should always defer to that official documentation and contact your Microsoft Account team as needed. Links to the docs.microsoft.com data will be referenced both in the document steps as well as in the appendix. All of the following steps should be done with test data, and where possible, testing should be performed in a test environment. Testing should never be performed against production data.

Target Audience
The Microsoft Defender for Cloud Apps section of this blog series is aimed at Security and Compliance officers who need to protect data that flows through a Cloud App, meaning a third-party cloud-based application.

Document Scope
This document is meant to guide an administrator who is "net new" to Microsoft E5 Purview. We will be blocking the ability to Cut and Copy data from a web-based Teams chat. This is limited in scope and meant to walk you through the basic process of configuring a DLP activity.
Out-of-Scope
This document does not cover any other aspect of Microsoft E5 Purview, including:
Data Classification
Information Protection
Data Loss Prevention (DLP) for Exchange, OneDrive, Devices
Data Lifecycle Management (retention and disposal)
Records Management (retention and disposal)
eDiscovery
Insider Risk Management (IRM)
Priva
Advanced Audit
Information Barriers
Communications Compliance
Licensing
This is limited in scope and meant to walk you through the basic process of configuring a DLP activity in Microsoft Defender for Cloud Apps. It is presumed that you have a pre-existing understanding of what Microsoft E5 Compliance does and how to navigate the User Interface (UI). For details on licensing (i.e. which components and functions of Purview are in E3 vs E5) you will need to contact your Microsoft Security Specialist, Account Manager, or certified partner.

Overview of Document
Create a Conditional Access policy for Microsoft Teams and your test users
Access Microsoft Teams on a browser
Verify Microsoft Teams is connected to Microsoft Defender for Cloud Apps
Create a Session policy
Test the Session policy

Use Case
An organization that wants to configure Data Loss Prevention against a cloud-based application. In this blog we will use Microsoft Teams.

Definitions
Cloud App – a third-party cloud-based application.
Session Policy – session policies enable real-time session-level monitoring, affording you granular visibility into cloud apps and the ability to take different actions depending on the policy you set for a user session.

Notes
None.

Pre-requisites
You have read Part 0 of this blog series.

Conditional Access App Control
To enable Data Loss Prevention for Microsoft Teams running in a browser (or any other cloud-based application being accessed through a browser), we will need to follow the steps below.

Create Conditional Access policy (Azure Portal)
We will block Microsoft Teams from being able to "Cut and Copy" as an initial test for MDCA.
First, we will set up Conditional Access for MS Teams and our test user (ex. Megan Bowen).
Go to portal.azure.microsoft.com
Go to Security -> Conditional Access
Click on Policies
Click New Policy
Give the policy a name (ex. Teams Session Policy)
Select a user for this policy under Assignments –> Users (ex. Megan Bowen).
We must now select our test app for our policy. Go to Assignments –> Cloud Apps or Actions. Under Include, select the Microsoft Teams application.
Under Assignments –> Conditions, we will not select any conditions at this time.
For Access Control –> Grant, leave the default of Grant Access to the app (i.e. Microsoft Teams).
For Session, go to Access Control –> Session, enable Use Conditional Access App Control and set it to Use Custom Policy.
At the bottom of the policy, set Enable policy to "On".
Now under Policies, you will see your new policy for Microsoft Teams.
Now go to MDCA and verify your Connected apps.

Access Microsoft Teams on a Browser
For MDCA to see Microsoft Teams, your test users must be accessing it via a web browser.
Log in to Microsoft Teams via a web browser with your test user (ex. Megan Bowen).
Now go to MDCA and Connected apps.

Verify Microsoft Teams is a Connected App (MDCA)
Log in to portal.cloudappsecurity.com
Go to Connected apps -> Conditional Access App Control Apps.
Verify that Microsoft Teams shows up here.
If it is not showing up here, you might need to:
Perform an App Onboarding (see the troubleshooting section below).
Check that you have logged into Microsoft Teams on a web browser with your test user (see the section above).

Create a Session policy (MCAS)
We will now set up a Session Policy.
Stay in MDCA and go to Policies – Conditional Access
Click Create Policy -> Session Policy
Give the policy a name and description (ex. Teams block Cut/Copy).
Leave the Category at "DLP".
For Activity source, select the following 3 options:
App, equals, Microsoft Teams.
Activity Type, equals, Cut/Copy item.
Devices, Tag, does not equal, Intune compliant, Hybrid Azure AD joined.
For the section Use Content inspection, do not inspect the content at this time.
Under Actions, enable Block with 1) also notify by email and 2) customize block message (place the date and time in the message in case you need to troubleshoot this policy).
Now create the policy.
You are now done preparing a Session Policy to block Microsoft Teams Cut and Copy. Proceed to the testing section below.

Test the Session policy
We will now test the blocking of Microsoft Teams Cut and Copy using a Session Policy from MDCA.
Go to Teams online with your test user. You should see a message similar to the one below in your browser.
Click Continue to Microsoft Teams.
You should see a URL similar to the one below. The "mcas" indicates you are now accessing Microsoft Teams via MDCA and the session policy.
Type something into the Microsoft Teams chat, select that text and attempt to copy it. You should get a message similar to the one below.
Note – As you recall, we placed a date and time in our Session Policy message (see above). This is where having that information will help you know whether the latest version of your policy is in effect.
If all is working, you are now done with testing this Session Policy for Data Loss Prevention.

Troubleshooting
If you want MDCA to have a custom logo on splash pages, follow the steps below.

App Onboarding / Maintenance (MDCA)
It might be necessary to add your admin account to App onboarding/maintenance. To accomplish this, follow these steps.
Go to either 1) security.microsoft.com or 2) your Microsoft Defender for Cloud Apps (MDCA) portal
Go to Settings –> Cloud Apps -> Conditional Access App Control -> App onboarding/maintenance
Add the Admin account if needed.
Click Save.
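The Conditional Access policy from the steps above, built with the Microsoft Graph PowerShell SDK instead of the Azure portal, as an added example that is not part of the original blog post. It assumes the Graph PowerShell SDK is installed, that the signed-in admin can write Conditional Access policies, and that the placeholder UPN megan.bowen@contoso.example is replaced with your own test user.

```powershell
# Added example: the "Teams Session Policy" from the portal steps, created through Microsoft Graph.
# Assumption: the Microsoft Graph PowerShell SDK is installed and the UPN below is a placeholder.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "User.Read.All", "Application.Read.All"

$testUserUpn = "megan.bowen@contoso.example"   # placeholder test user (ex. Megan Bowen)
$testUser = Get-MgUser -UserId $testUserUpn

# Resolve Microsoft Teams by display name rather than hard-coding its application ID.
$teamsSp = Get-MgServicePrincipal -Filter "displayName eq 'Microsoft Teams'"
if (-not $teamsSp) { throw "Microsoft Teams service principal not found in this tenant." }

$policy = @{
    displayName = "Teams Session Policy"
    state       = "enabled"     # use "enabledForReportingButNotEnforced" to pilot in report-only mode first
    conditions  = @{
        users        = @{ includeUsers = @($testUser.Id) }          # scope to the test user only
        applications = @{ includeApplications = @($teamsSp.AppId) } # Assignments -> Cloud apps: Microsoft Teams
    }
    # No grant controls are set, so access is granted (the portal default) and only the
    # session control applies: the browser session is routed through MDCA.
    sessionControls = @{
        cloudAppSecurity = @{
            isEnabled            = $true
            cloudAppSecurityType = "mcasConfigured"   # "Use custom policy": MDCA session policies decide
        }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State
```

After the test user next signs in to Teams in a browser, the app should appear under Connected apps -> Conditional Access App Control Apps in MDCA, where the Session Policy in the following steps can target it.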
Appendix and Links
Session policies - Microsoft Defender for Cloud Apps | Microsoft Learn
Connect apps to get visibility and control - Microsoft Defender for Cloud Apps | Microsoft Learn
Protect apps with Conditional Access App Control - Microsoft Defender for Cloud Apps | Microsoft Learn
Deploy Conditional Access App Control for catalog apps with Azure AD - Microsoft Defender for Cloud Apps | Microsoft Learn

New blog post | Container Security with Microsoft Defender for Cloud
In recent years, containerization has become a popular approach to application deployment and management. Containers enable developers to build more quickly and efficiently in the cloud by offering a convenient and streamlined way to package applications and their dependencies. While lightweight and portable, containerized environments introduce new attack vectors and risks such as runtime vulnerabilities, configuration errors and lateral movement between containers. Ensuring the security of containerized environments requires a comprehensive approach that involves multiple layers of security and continuous monitoring, such as consistent vulnerability scanning and threat detection.

Container Security in Microsoft Defender for Cloud