General Risk Factor - Logon URL - Null
I'm trying to create a policy that maps "Logon URL" field in the app details and if its empty/blank, it approves/sanction the application. My only challenge is that I'm not able to set an identifier that reads blank field. I tried ASCII null character but it doesn't work. Wondering if this use case is even possible.
Admin quarantine option is unavailable for malware detected files in MDCA
Howdy! MDCA Brain Trust, I've configured Admin Quarantine location as per the following Microsoft guidance. Created a brand new SPO site and assigned it in the setting. It's been about 3 days (waited before I post this here as it may take a while to reflect the change). https://learn.microsoft.com/en-us/defender-cloud-apps/use-case-admin-quarantine Admin quarantine option however, is still not available for Files detected by MDCA as malicious. Ideally, I should be able to Admin quarantine OneDrive, SPO files detected as malware. I can however, see the Admin Quarantine option in the governance actions in policies but, this isn't the option we're after. Also, Microsoft says MDCA will provision a new folder (See below) in the site which I don't see either. Has anyone experienced/worked around this issue? Appreciate any suggestions to sort this out! Thank you! Manoj
Which MDCA roles will get email notifications by default in Defender for Cloud Apps?
Hi Experts, We've recently setup Defender for Cloud Apps but none of the accounts receive email alerts (some of these accounts have associated mailboxes - Security admin, Cloud App Security Admin etc..). My questions are: How do we setup alerts for admins those who doesn't have mailbox associated to their admin accounts? Which roles will natively receive email alerts for default policies? or is it not based on roles? This is a grey area in MDCA for me and really appreciate any inputs you may have!. Thanks, KevExport MDCA policy matches information via web console or API
Hi Everyone, This is my maiden post and thought this community to be able to give me guidance and help on my situation. I have created a policy to detect file violations using defender for cloud apps (previously MCAS), and the total count has reached approx. 1.2 million for specific Azure Info Protection (AIP) labels that matches the files stored on OneDrive and SharePoint Online. I'd like to export the records in an efficient manner, and I've explored: 1) via website, which limits to 5,000 records onto csv file 2) via Graph API which limits to 100 records every 2-seconds based on API calls limit imposed system wide Both are not working out, as (1) I can't live with 5,000 records, and the work around would be to implement an RPA via say PowerAutomate desktop or UI Path to do some form of web-scraping to download records and changing the advanced filters to a modified date range... even then, I am not quite sure how to do this yet, and if someone out there knows it, do let me know so that I can attempt to figure out via self-learning. Option (2) which is the method I've attempted, is futile as the process is inconsistent and I am continuously facing errors every time I execute scripts to download the records and export them onto the csv file. I'd like to know if anyone in the community has a better way/approach for me to deal with this situation. I tried to segregate my policy by the year of detection (2020, 2021 and 2022), and I am seeing 500k records for 2022, and 300k records for 2021, likely another 400k records for 2020 and before. I am quite stuck at the moment and would appreciate if anyone have any ideas on how to deal with exporting the information captured in the policy which I've created to detect file violations on the tenant. Caroline_Lee GershonLevitz-MSFT for visibility and recommendations.. 🙂
