Enhance AI security and governance across multi-model and multi-cloud environments
Generative AI adoption is accelerating, with AI transformation happening in real-time across various industries. This rapid adoption is reshaping how organizations operate and innovate, but it also introduces new challenges that require careful attention. At Ignite last fall, we announced several new capabilities to help organizations secure their AI transformation. These capabilities were designed to address top customer priorities such as preventing data oversharing, safeguarding custom AI, and preparing for emerging AI regulations. Organizations like Cummins, KPMG, and Mia Labs have leveraged these capabilities to confidently strengthen their AI security and governance efforts. However, despite these advancements, challenges persist. One major concern is the rise of shadow AI—applications used without IT or security oversight. In fact, 78% of AI users report bringing their own AI tools, such as ChatGPT and DeepSeek, into the workplace 1 . Additionally, new threats, like indirect prompt injection attacks, are emerging, with 77% of organizations expressing concerns and 11% of organizations identifying them as a critical risk 2 . To address these challenges, we are excited to announce new features and capabilities that help customers do the following: Prevent risky access and data leakage in shadow AI with granular access controls and inline data security capabilities Manage AI security posture across multi-cloud and multi-model environments Detect and respond to new AI threats, such as indirect prompt injections and wallet abuse Secure and govern data in Microsoft 365 Copilot and beyond In this blog, we’ll explore these announcements and demonstrate how they help organizations navigate AI adoption with confidence, mitigating risks, and unlocking AI’s full potential on their transformation journey. Prevent risky access and data leakage in shadow AI With the rapid rise of generative AI, organizations are increasingly encountering unauthorized employee use of AI applications without IT or security team approval. This unsanctioned and unprotected usage has given rise to “shadow AI,” significantly heightening the risk of sensitive data exposure. Today, we are introducing a set of access and data security controls designed to support a defense-in-depth strategy, helping you mitigate risks and prevent data leakage in third-party AI applications. Real-time access controls to shadow AI The first line of defense against security risks in AI applications is controlling access. While security teams can use endpoint controls to block access for all users across the organization, this approach is often too restrictive and impractical. Instead, they need more granular controls at the user level to manage access to SaaS-based AI applications. Today we are announcing the general availability of the AI web category filter in Microsoft Entra Internet Access to help enforce access controls that govern which users and groups have access to different AI applications. Internet Access deep integration with Microsoft Entra ID extends Conditional Access to any AI application, enabling organizations to apply AI access policies with granularity. By using Conditional Access as the policy control engine, organizations can enforce policies based on user roles, locations, device compliance, user risk levels, and other conditions, ensuring secure and adaptive access to AI applications. For example, with Internet Access, organizations can allow your strategy team to experiment with all or most consumer AI apps while blocking those apps for highly privileged roles, such as accounts payable or IT infrastructure admins. For even greater security, organizations can further restrict access to all AI applications if Microsoft Entra detects elevated identity risk. Inline discovery and protection of sensitive data Once users gain access to sanctioned AI applications, security teams still need to ensure that sensitive data isn’t shared with those applications. Microsoft Purview provides data security capabilities to prevent users from sending sensitive data to AI applications. Today, we are announcing enhanced Purview data security capabilities for the browser available in preview in the coming weeks. The new inline discovery & protection controls within Microsoft Edge for Business detect and block sensitive data from being sent to AI apps in real-time, even if typed directly. This prevents sensitive data leaks as users interact with consumer AI applications, starting with ChatGPT, Google Gemini, and DeepSeek. For example, if an employee attempts to type sensitive details about an upcoming merger or acquisition into Google Gemini to generate a written summary, the new inline protection controls in Microsoft Purview will block the prompt from being submitted, effectively blocking the potential leaks of confidential data to an unsanctioned AI app. This augments existing DLP controls for Edge for Business, including protections that prevent file uploads and the pasting of sensitive content into AI applications. Since inline protection is built natively into Edge for Business, newly deployed policies automatically take effect in the browser even if endpoint DLP is not deployed to the device. : Inline DLP in Edge for Business prevents sensitive data from being submitted to consumer AI applications like Google Gemini by blocking the action. The new inline protection controls are integrated with Adaptive Protection to dynamically enforce different levels of DLP policies based on the risk level of the user interacting with the AI application. For example, admins can block low-risk users from submitting prompts containing the highest-sensitivity classifiers for their organization, such as M&A-related data or intellectual property, while blocking prompts containing any sensitive information type (SIT) for elevated-risk users. Learn more about inline discovery & protection in the Edge for Business browser in this blog. In addition to the new capabilities within Edge for Business, today we are also introducing Purview data security capabilities for the network layer available in preview starting in early May. Enabled through integrations with Netskope and iboss to start, organizations will be able to extend inline discovery of sensitive data to interactions between managed devices and untrusted AI sites. By integrating Purview DLP with their SASE solution (e.g. Netskope and iBoss), data security admins can gain visibility into the use of sensitive data on the network as users interact with AI applications. These interactions can originate from desktop applications such as the ChatGPT desktop app or Microsoft Word with a ChatGPT plugin installed, or non-Microsoft browsers such as Opera and Brave that are accessing AI sites. Using Purview Data Security Posture Management (DSPM) for AI, admins will also have visibility into how these interactions contribute to organizational risk and can take action through DSPM for AI policy recommendations. For example, if there is a high volume of prompts containing sensitive data sent to ChatGPT, DSPM for AI will detect and recommend a new DLP policy to help mitigate this risk. Learn more about inline discovery for the network, including Purview integrations with Netskope and iBoss, in this blog. Manage AI security posture across multi-cloud and multi-model environments In today’s rapidly evolving AI landscape, developers frequently leverage multiple cloud providers to optimize cost, performance, and availability. Different AI models excel at various tasks, leading developers to deploy models from various providers for different use cases. Consequently, managing security posture across multi-cloud and multi-model environments has become essential. Today, Microsoft Defender for Cloud supports deployed AI workloads across Azure OpenAI Service, Azure Machine Learning, and Amazon Bedrock. To further enhance our security coverage, we are expanding AI Security Posture Management (AI-SPM) in Defender for Cloud to improve compatibility with additional cloud service providers and models. This includes: Support for Google Vertex AI models Enhanced support for Azure AI Foundry model catalog and custom models With this expansion, AI-SPM in Defender for Cloud will now offer the discovery of the AI inventory and vulnerabilities, attack path analysis, and recommended actions to address risks in Google VertexAI workloads. Additionally, it will support all models in Azure AI Foundry model catalog, including Meta Llama, Mistral, DeepSeek, as well as custom models. This expansion ensures a consistent and unified approach to managing AI security risks across multi-model and multi-cloud environments. Support for Google Vertex AI models will be available in public preview starting May 1, while support for Azure AI Foundry model catalog and custom models is generally available today. Learn More. 2: Microsoft Defender for Cloud detects an attack path to a DeepSeek R1 workload. In addition, Defender for Cloud will also offer a new data and AI security dashboard. Security teams will have access to an intuitive overview of their datastores and AI services across their multi-cloud environment, top recommendations, and critical attack paths to prioritize and accelerate remediation. The dashboard will be generally available on May 1. The new data & AI security dashboard in Microsoft Defender for Cloud provides a comprehensive overview of your data and AI security posture. These new capabilities reflect Microsoft’s commitment to helping organizations address the most critical security challenges in managing AI security posture in their heterogeneous environments. Detect and respond to new AI threats Organizations are integrating generative AI into their workflows and facing new security risks unique to AI. Detecting and responding to these evolving threats is critical to maintaining a secure AI environment. The Open Web Application Security Project (OWASP) provides a trusted framework for identifying and mitigating such vulnerabilities, such as prompt injection and sensitive information disclosure. Today, we are announcing Threat protection for AI services, a new capability that enhances threat protection in Defender for Cloud, enabling organizations to secure custom AI applications by detecting and responding to emerging AI threats more effectively. Building on the OWASP Top 10 risks for LLM applications, this capability addresses those critical vulnerabilities highlighted on the top 10 list, such as prompt injections and sensitive information disclosure. Threat protection for AI services helps organizations identify and mitigate threats to their custom AI applications using anomaly detection and AI-powered insights. With this announcement, Defender for Cloud will now extend its threat protection for AI workloads, providing a rich suite of new and enriched detections for Azure OpenAI Service and models in the Azure AI Foundry model catalog. New detections include direct and indirect prompt injections, novel attack techniques like ASCII smuggling, malicious URL in user prompts and AI responses, wallet abuse, suspicious access to AI resources, and more. Security teams can leverage evidence-based security alerts to enhance investigation and response actions through integration with Microsoft Defender XDR. For example, in Microsoft Defender XDR, a SOC analyst can detect and respond to a wallet abuse attack, where an attacker exploits an AI system to overload resources and increase costs. The analyst gains detailed visibility into the attack, including the affected application, user-entered prompts, IP address, and other suspicious activities performed by the bad actor. With this information, the SOC analyst can take action and block the attacker from accessing the AI application, preventing further risks. This capability will be generally available on May 1. Learn More. : Security teams can investigate new detections of AI threats in Defender XDR. Secure and govern data in Microsoft 365 Copilot and beyond Data oversharing and non-compliant AI use are significant concerns when it comes to securing and governing data in Microsoft Copilots. Today, we are announcing new data security and compliance capabilities. New data oversharing insights for unclassified data available in Microsoft Purview DSPM for AI: Today, we are announcing the public preview of on-demand classification for SharePoint and OneDrive. This new capability gives data security admins visibility into unclassified data stored in SharePoint and OneDrive and enables them to classify that data on demand. This helps ensure that Microsoft 365 Copilot is indexing and referencing files in its responses that have been properly classified. Previously, unclassified and unscanned files did not appear in DSPM for AI oversharing assessments. Now admins can initiate an on-demand data classification scan, directly from the oversharing assessment, ensuring that older or previously unscanned files are identified, classified, and incorporated into the reports. This allows organizations to detect and address potential risks more comprehensively. For example, an admin can initiate a scan of legacy customer contracts stored in a specified SharePoint library to detect and classify sensitive information such as account numbers or contact information. If these newly classified documents match the classifiers included in any existing auto-labeling policies, they will be automatically labeled. This helps ensure that documents containing sensitive information remain protected when they are referenced in Microsoft 365 Copilot interactions. Learn More. Security teams can trigger on-demand classification scan results in the oversharing assessment in Purview DSPM for AI. Secure and govern data in Security Copilot and Copilot for Fabric for Power BI: We are excited to announce the public preview of Purview for Security Copilot and Copilot for Power BI, offering DSPM for AI, Insider Risk Management, and data compliance controls, including eDiscovery, Audit, Data Lifecycle Management, and Communication Compliance. These capabilities will help organizations enhance data security posture, manage compliance, and mitigate risks more effectively. For example, admins can now use DSPM for AI to discover sensitive data in user prompts and agent responses in Security Copilot and detect unethical or risky AI usage. Purview’s DSPM for AI provides admins with comprehensive reports on user activities and data interactions in Copilot for Power BI, as part of the Copilot in Fabrice experience, and Security Copilot. DSPM Discoverability for Communication Compliance: This new feature in Communication Compliance, which will be available in public preview starting May 1, enables organizations to quickly create policies that detect inappropriate messages that could lead to data compliance risks. The new recommendation card on the DSPM for AI page offers a one-click policy creation in Microsoft Purview Communication Compliance, simplifying the detection and mitigation of potential threats, such as regulatory violations or improperly shared sensitive information. With these enhanced capabilities for securing and governing data in Microsoft 365 Copilot and beyond, organizations can confidently embrace AI innovation while maintaining strict security and compliance standards. Explore additional resources As organizations embrace AI, securing and governing its use is more important than ever. Staying informed and equipped with the right tools is key to navigating its challenges. Explore these resources to see how Microsoft Security can help you confidently adopt AI in your organization. Learn more about Security for AI solutions on our webpage Get started with Microsoft Purview Get started with Microsoft Defender for Cloud Sign up for a free Microsoft 365 E5 Security Trial and Microsoft Purview Trial Learn more about the innovations designed to help your organization protect data, defend against cyber threats, and stay compliant. Join Microsoft leaders online at Microsoft Secure on April 9. [1] 2024 Work Trend Index Annual Report, Microsoft and LinkedIn, May 2024, N=31,000. [2] Gartner®, Gartner Peer Community Poll – If your org’s using any virtual assistants with AI capabilities, are you concerned about indirect prompt injection attacks? GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.
Converting Active Directory Groups to Cloud-Only with ADGMS
If you find yourself creating and maintaining on-premises groups just so they will synchronize to your Azure tenant, it’s time to free yourself from this time-consuming and potentially risky outdated practice by converting them to cloud only. Converting your groups to cloud-only will eliminate your dependence on legacy Active Directory Domain Services environments and enable you to delegate their management without resorting to custom Active Directory permissions, outdated management interfaces and even VPN or remote access solutions if your administrators are a part of today’s remote workforce. Remember all those distribution groups that your users were able to manage before their mailboxes were migrated to Exchange Online? By converting those groups to cloud-only, your users can once again manage them themselves! This eliminates the need for custom group management tools or for your helpdesk to manage membership on their behalf. So now that we’ve agreed it makes sense to convert your synced groups to cloud-only, what are your options… There are a variety of methods available to convert your groups to cloud-only, however they vary in cost and complexity, ranging from manual re-creation, which can be time-consuming and prone to error, building your own Graph API or PowerShell scripts, which require a significant understanding of Microsoft Exchange, Active Directory, PowerShell as well as rigorous testing to ensure a functional solution, or, worst case, searching the internet and re-using scripts built by others with potentially harmful results. To help simplify and ensure the safety of this process, the IMS team offers a turn-key managed solution called Active Directory Group Modernization Service, or ADGMS. ADGMS is a cloud-based, automated solution that connects to and monitors your Entra tenant, automatically re-creating groups whenever they are moved out of scope of your Entra ID Connect or Entra Cloud Sync solution. ADGMS maintains each group’s membership, including any nesting, as well as it’s email addresses, send and receive restrictions, manager or owner and even extended attributes, and ADGMS uses all this data to instantly re-create the group as cloud-only. Additionally, ADGMS provides reports on all the nested groups in your tenant, helping to identify any cases where you have circular or self-nesting that might otherwise impact mail-flow and management. These reports are then used to create your group modernization strategy by ensuring you re-create your groups in the correct order. The beauty of ADGMS is that it’s 100% automatic and customer-driven. Once ADGMS is enabled, you control the quantity and speed of your group modernizations, and the ADGMS solution handles all the heavy lifting, and because ADGMS maintains all the email routing addresses, your users won’t even realize that the group has been converted to cloud-only. It is important to note, that while ADGMS can help radically change your cloud administration model, it does not support modernization of security groups by default. That said, based on the tens of thousands of groups already modernized with ADGMS, we have found that most legacy mail-enabled security groups primarily exist in Entra for the purposes of email routing and not securing cloud resources. In those cases, the group can be modernized into a cloud-only distribution group, and the on-premises group mail-disabled and left as a security-only group. How to take advantage of ADGMS If you are interested in reducing your administrative burden when it comes to on-premises groups currently synchronizing to Entra and leveraging a proven managed solution for migration of those groups to cloud-only resources, be sure to contact the IMS team for more information about ADGMS. Learn more about IMS and start hassle-free migrations and its capabilities today on our YouTube Channel Want to speak with an expert? Reach out to us at imssales@microsoft.com to connect with a sales representative.Microsoft Defender for Cloud Apps - Ninja Training
Welcome to our Ninja Training for Microsoft Defender for Cloud Apps! Are you trying to protect your SaaS applications? Are you concerned about the posture of the apps you are using? Is shadow IT or AI a concern of yours? Then you are in the right place. The training below will aggregate all the relevant resources in one convenient location for you to learn from. Let’s start here with a quick overview of Microsoft Defender for Cloud Apps’ capabilities. Microsoft Defender for Cloud Apps | Microsoft Security Overview of Microsoft Defender for Cloud Apps and the capability of a SaaS Security solution. Overview - Microsoft Defender for Cloud Apps | Microsoft Learn Understand what Microsoft Defender for Cloud Apps is and read about its main capabilities. Quick Start The basic features of Defender for Cloud Apps require almost no effort to deploy. The recommended steps are to: Connect your apps Enable App Discovery Enable App Governance After enabling these features, all default detections and alerts will start triggering in the Microsoft Defender XDR console, and give you tremendous value with minimal configuration. Simplified SaaS Security Deployment with Microsoft Defender for Cloud Apps | Virtual Ninja Training Step-by-step video on how to quickly deploy Defender for Cloud Apps Get started - Microsoft Defender for Cloud Apps This quickstart describes how to start working with Microsoft Defender for Cloud Apps on the Microsoft Defender Portal. Review this if you prefer text to video Basic setup - Microsoft Defender for Cloud Apps The following procedure gives you instructions for customizing your Microsoft Defender for Cloud Apps environment. Connect apps to get visibility and control - Microsoft Defender for Cloud Apps App connectors use the APIs of app providers to enable greater visibility and control by Microsoft Defender for Cloud Apps over the apps you connect to. Make sure to connect all your available apps as you start your deployment Turn on app governance in Microsoft Defender for Cloud Apps App governance in Defender for Cloud Apps is a set of security and policy management capabilities designed for OAuth-enabled apps registered on Microsoft Entra ID, Google, and Salesforce. App governance delivers visibility, remediation, and governance into how these apps and their users access, use, and share sensitive data in Microsoft 365 and other cloud platforms through actionable insights out-of-the box threat detections, OAuth apps attack disruption, automated policy alerts and actions. It only takes a few minutes to enable and provide full visibility on your users’ Oauth app consents Shadow IT Discovery - Integrate with Microsoft Defender for Endpoint This article describes the out-of-the-box integration available between Microsoft Defender for Cloud Apps and Microsoft Defender for Endpoint, which simplifies cloud discovery and enabling device-based investigation. Control cloud apps with policies Policies in Microsoft Defender for Cloud Apps help define user behavior in the cloud, detect risky activities, and enable remediation workflows. There are various types of policies, such as Activity, Anomaly Detection, OAuth App, Malware Detection, File, Access, Session, and App Discovery policies. These policies help mitigate risks like access control, compliance, data loss prevention, and threat detection. Detect Threats and malicious behavior After connecting your cloud apps in Defender for Cloud Apps, you will start seeing alerts in your XDR portal. Here are resources to learn more about these alerts and how to investigate them. Note that we are constantly adding new built-in detections, and they are not necessarily part of our public documentation. How to manage incidents - Microsoft Defender XDR Learn how to manage incidents, from various sources, using Microsoft Defender XDR. How to investigate anomaly detection alerts Microsoft Defender for Cloud Apps provides detections for malicious activities. This guide provides you with general and practical information on each alert, to help with your investigation and remediation tasks. Note that detections are added on a regular basis, and not all of them will have entries in this guide. Configure automatic attack disruption in Microsoft Defender XDR - Microsoft Defender XDR | Microsoft Learn Learn how to take advantage of XDR capabilities to automatically disrupt high confidence attacks before damage is done. OAuth apps are natively integrated as part of Microsoft XDR. Create activity policies - Microsoft Defender for Cloud Apps | Microsoft Learn In addition to all the built-in detections as part of Microsoft Defender for Cloud Apps, you can also create your own policies, including Governance actions, based on the Activity log captured by Defender for Cloud Apps. Create and manage custom detection rules in Microsoft Defender XDR - Microsoft Defender XDR | Microsoft Learn Learn how to leverage XDR custom detection rules based on hunting data in the platform. CloudAppEvents table in the advanced hunting schema - Microsoft Defender XDR | Microsoft Learn Learn about the CloudAppEvents table which contains events from all connected applications with data enriched by Defender for Cloud Apps in a common schema. This data can be hunted across all connected apps and your separate XDR workloads. Investigate behaviors with advanced hunting - Microsoft Defender for Cloud Apps | Microsoft Learn Learn about behaviors and how they can help with security investigations. Investigate activities - Microsoft Defender for Cloud Apps | Microsoft Learn Learn how to search the activity log and investigate activities with a simple UI without the need for KQL App Governance – Protect from App-to-App attack scenario App governance in Microsoft Defender for Cloud Apps is crucial for several reasons. It enhances security by identifying and mitigating risks associated with OAuth-enabled apps, which can be exploited for privilege escalation, lateral movement, and data exfiltration. Organizations gain clear visibility into app compliance, allowing them to monitor how apps access, use, and share sensitive data. It provides alerts for anomalous behaviors, enabling quick responses to potential threats. Automated policy alerts and remediation actions help enforce compliance and protect against noncompliant or malicious apps. By governing app access, organizations can better safeguard their data across various cloud platforms. These features collectively ensure a robust security posture, protecting both data and users from potential threats. Get started with App governance - Microsoft Defender for Cloud Apps Learn how app governance enhances the security of SaaS ecosystems like Microsoft 365, Google Workspace, and Salesforce. This video details how app governance identifies integrated OAuth apps, detects and prevents suspicious activity, and provides in-depth monitoring and visibility into app metadata and behaviors to help strengthen your overall security posture. App governance in Microsoft Defender for Cloud Apps and Microsoft Defender XDR - Microsoft Defender for Cloud Apps | Microsoft Learn Defender for Cloud Apps App governance overview Create app governance policies - Microsoft Defender for Cloud Apps | Microsoft Learn Many third-party productivity apps request access to user data and sign in on behalf of users for other cloud apps like Microsoft 365, Google Workspace, and Salesforce. Users often accept these permissions without reviewing the details, posing security risks. IT departments may lack insight into balancing an app's security risk with its productivity benefits. Monitoring app permissions provides visibility and control to protect your users and applications. App governance visibility and insights - Microsoft Defender for Cloud Apps | Microsoft Learn Managing your applications requires robust visibility and insight. Microsoft Defender for Cloud Apps offers control through in-depth insights into user activities, data flows, and threats, enabling effective monitoring, anomaly detection, and compliance Reduce overprivileged permissions and apps Recommendations for reducing overprivileged permissions App Governance plays a critical role in governing applications in Entra ID. By integrating with Entra ID, App Governance provides deeper insights into application permissions and usage within your identity infrastructure. This correlation enables administrators to enforce stringent access controls and monitor applications more effectively, ensuring compliance and reducing potential security vulnerabilities. This page offers guidelines for reducing unnecessary permissions, focusing on the principle of least privilege to minimize security risks and mitigate the impact of breaches. Investigate app governance threat detection alerts List of app governance threat detection alerts classified according to MITRE ATT&CK and investigation guidance Manage app governance alerts Learn how to govern applications and respond to threat and risky applications directly from app governance or through policies. Hunt for threats in app activities Learn how to hunt for app activities directly form the XDR console (Microsoft 365 Connector required as discussed in quick start section). How to Protect Oauth Apps with App Governance in Microsoft Defender for Cloud Apps Webinar | How to Protect Oauth Apps with App Governance in Microsoft Defender for Cloud Apps. Learn how to protect Oauth applications in your environment, how to efficiently use App governance within Microsoft Defender for Cloud Apps to protect your connected apps and raise your security posture. App Governance is a Key Part of a Customers' Zero Trust Journey Webinar| learn about how the app governance add-on to Microsoft Defender for Cloud Apps is a key component of customers' Zero Trust journey. We will examine how app governance supports managing to least privilege (including identifying unused permissions), provides threat detections that are able and have already protected customers, and gives insights on risky app behaviors even for trusted apps. App Governance Inclusion in Defender for Cloud Apps Overview Webinar| App governance overview and licensing requirements. Frequently asked questions about app governance App governance FAQ Manage the security Posture of your SaaS (SSPM) One of the key components of Microsoft Defender for Cloud Apps is the ability to gain key information about the Security posture of your applications in the cloud (AKA: SaaS). This can give you a proactive approach to help avoid breaches before they happen. SaaS Security posture Management (or SSPM) is part the greater Exposure Management offering, and allows you to review the security configuration of your key apps. More details in the links below: Transform your defense: Microsoft Security Exposure Management | Microsoft Secure Tech Accelerator Overview of Microsoft Exposure Management and it’s capabilities, including how MDA & SSPM feed into this. SaaS Security Posture Management (SSPM) - Overview - Microsoft Defender for Cloud Apps | Microsoft Learn Understand simply how SSPM can help you increase the safety of your environment Turn on and manage SaaS security posture management (SSPM) - Microsoft Defender for Cloud Apps | Microsoft Learn Enabling SSPM in Defender for Cloud Apps requires almost no additional configuration (as long as your apps are already connected), and no extra license. We strongly recommend turning it on, and monitoring its results, as the cost of operation is very low. SaaS Security Initiative - Microsoft Defender for Cloud Apps | Microsoft Learn The SaaS Security Initiative provides a centralized place for software as a service (SaaS) security best practices, so that organizations can manage and prioritize security recommendations effectively. By focusing on the most impactful metrics, organizations can enhance their SaaS security posture. Secure your usage of AI applications AI is Information technologies’ newest tool and strongest innovation area. As we know it also brings its fair share of challenges. Defender for Cloud Apps can help you face these from two different angles: - First, our App Discovery capabilities give you a complete vision of all the Generative AI applications in use in an environment - Second, we provide threat detection capabilities to identify and alert from suspicious usage of Copilot for Microsoft 365, along with the ability to create custom detection using KQL queries. Secure AI applications using Microsoft Defender for Cloud Apps Overview of Microsoft Defender for Cloud Apps capabilities to secure your usage of Generative AI apps Step-by-Step: Discover Which Generative AI Apps Are Used in Your Environment Using Defender for Cloud Apps Detailed video-guide to deploy Discovery of Gen AI apps in your environment in a few minutes Step-by-Step: Protect Your Usage of Copilot for M365 Using Microsoft Defender for Cloud Apps Instructions and examples on how to leverage threat protection and advanced hunting capabilities to detect any risky or suspicious usage of Copilot for Microsoft 365 Get visibility into DeepSeek with Microsoft Defender for Cloud Apps Understand how fast the Microsoft Defender for Cloud Apps team can react when new apps or new threats come in the market. Discover Shadow IT applications Shadow IT and Shadow AI are two big challenges that organizations face today. Defender for Cloud Apps can help give you visibility you need, this will allow you to evaluate the risks, assess for compliance and apply controls over what can be used. Getting started The first step is to ensure the relevant data sources are connected to Defender for Cloud Apps to provide you the required visibility: Integrate Microsoft Defender for Endpoint - Microsoft Defender for Cloud Apps | Microsoft Learn The quickest and most seamless method to get visibility of cloud app usage is to integrate MDA with MDE (MDE license required). Create snapshot cloud discovery reports - Microsoft Defender for Cloud Apps | Microsoft Learn A sample set of logs can be ingested to generate a Snapshot. This lets you view the quality of the data before long term ingestion and also be used for investigations. Configure automatic log upload for continuous reports - Microsoft Defender for Cloud Apps | Microsoft Learn A log collector can be deployed to facilitate the collection of logs from your network appliances, such as firewalls or proxies. Defender for Cloud Apps cloud discovery API - Microsoft Defender for Cloud Apps | Microsoft Learn MDA also offers a Cloud Discovery API which can be used to directly ingest log information and mitigate the need for a log collector. Evaluate Discovered Apps Once Cloud Discovery logs are being populated into Defender for Cloud Apps, you can start the process of evaluating the discovered apps. This includes reviewing their usage, user count, risk scores and compliance factors. View discovered apps on the Cloud discovery dashboard - Microsoft Defender for Cloud Apps | Microsoft Learn View & evaluate the discovered apps within Cloud Discovery and Generate Cloud Discovery Executive Reports Working with the app page - Microsoft Defender for Cloud Apps | Microsoft Learn Investigate app usage and evaluate their compliance and risk factors Discovered app filters and queries - Microsoft Defender for Cloud Apps | Microsoft Learn Apply granular filtering and app tagging to focus on apps that are important to you Work with discovered apps via Graph API - Microsoft Defender for Cloud Apps | Microsoft Learn Investigate discovered apps via the Microsoft Graph API Add custom apps to cloud discovery - Microsoft Defender for Cloud Apps | Microsoft Learn You can add custom apps to the catalog which can then be matched against log data. This is useful for LOB applications. Govern Discovered Apps Having evaluated your discovered apps, you can then take some decisions on what level of governance and control each of the applications require and whether you want custom policies to help govern future applications: Govern discovered apps using Microsoft Defender for Endpoint - Microsoft Defender for Cloud Apps | Microsoft Learn Setup governance enforcement actions when using Microsoft Defender for Endpoint Govern discovered apps - Microsoft Defender for Cloud Apps | Microsoft Learn Apply governance actions to discovered apps from within the Cloud Discovery area Create cloud discovery policies - Microsoft Defender for Cloud Apps | Microsoft Learn Create custom Cloud Discovery policies to identify usage, alert and apply controls Operations and investigations - Sample AH queries - Tips on investigation - (section for SOC) Advanced Hunting Compromised and malicious applications investigation | Microsoft Learn Investigate anomalous app configuration changes Impersonation and EWS in Exchange | Microsoft Learn Audits impersonate privileges in Exchange Online Advanced Hunting Queries Azure-Sentinel/Solutions/Microsoft Entra ID/Analytic Rules/ExchangeFullAccessGrantedToApp.yaml at master · Azure/Azure-Sentinel · GitHub This detection looks for the full_access_as_app permission being granted to an OAuth application with Admin Consent. This permission provide access to all Exchange mailboxes via the EWS API can could be exploited to access sensitive data by being added to a compromised application. The application granted this permission should be reviewed to ensure that it is absolutely necessary for the applications function Azure-Sentinel/Solutions/Microsoft Entra ID/Analytic Rules/AdminPromoAfterRoleMgmtAppPermissionGrant.yaml at master · Azure/Azure-Sentinel · GitHub This rule looks for a service principal being granted permissions that could be used to add a Microsoft Entra ID object or user account to an Admin directory role. Azure-Sentinel/Solutions/Microsoft Entra ID/Analytic Rules/SuspiciousOAuthApp_OfflineAccess.yaml at master · Azure/Azure-Sentinel · GitHub Offline access will provide the Azure App with access to the listed resources without requiring two-factor authentication. Consent to applications with offline access and read capabilities should be rare, especially as the known Applications list is expanded Best Practice recommendations Common threat protection policies - Microsoft Defender for Cloud Apps | Microsoft Learn Common Defender for Cloud Apps Threat Protection policies Recommended Microsoft Defender for Cloud Apps policies for SaaS apps | Microsoft Learn Recommended Microsoft Defender for Cloud Apps policies for SaaS apps Best practices for protecting your organization - Microsoft Defender for Cloud Apps | Microsoft Learn Best practices for protecting your organization with Defender for Cloud Apps Completion certificate! Click here to get your shareable completion certificate!! Advanced configuration Training Title Description Importing user groups from connect apps This article outlines the steps on how to import user groups from connected apps Manage Admin Access This article describes how to manage admin access in Microsoft Defender for Cloud Apps. Configure MSSP Access In this video, we walk through the steps on adding Managed Security Service Provider (MSSP) access to Microsoft Defender for Cloud Apps. Provide managed security service provider (MSSP) access - Microsoft Defender XDR | Microsoft Learn Provide managed security service provider (MSSP) access Integrate with Secure Web Gateways Microsoft Defender for Cloud Apps integrates with several secure web gateways available in the market. Here are the links to configure this integration. Integrate with Zscaler Integrate with iboss Integrate with Corrata Integrate with Menlo Additional resources Microsoft Defender for Cloud Apps Tech Community This is a Microsoft Defender for Cloud Apps Community space that allows users to connect and discuss the latest news, upgrades, and best practices with Microsoft professionals and peers.
General Availability: Dynamic watermarking for sensitivity labels in Word, Excel, and PowerPoint
In today's digital age, protecting sensitive information is more critical than ever. Sensitivity labels from Microsoft Purview Information Protection offer highly effective controls to limit access to sensitive files and to prevent users from taking inappropriate actions such as printing a document, while still allowing unhindered collaboration. However, these controls don't prevent users from taking pictures of sensitive information on their screen or of a presentation being shared either online or in-person, and some forms of screen-shotting can't be blocked with existing technology. This loophole presents an easy way to bypass protections that sensitivity labels enforce on a document, and these pictures can end up in the wrong hands of competitors or the public. Dynamic Watermarking helps address this gap in document security by deterring unauthorized sharing and enabling traceability of leaks. What is Dynamic Watermarking? Dynamic watermarking is a feature that overlays watermarks containing user-specific information on documents. These watermarks are visible when the document is viewed, edited, or shared in Word, Excel, or PowerPoint, deterring leaks and making it easier to trace any unauthorized dissemination of sensitive information. This feature can be configured by the compliance admin on any sensitivity label with admin-defined permissions via the Microsoft Purview compliance portal or PowerShell. When the setting is enabled for a label, files with that label will render dynamic watermarks when opened in Word, Excel, and PowerPoint. Key Features User-Specific Watermarks: Watermarks display the UPN (usually email address) of the user currently viewing the document. Watermark Customizability: Watermarks can be configured to also include the device date-time, enabling admins to know precisely when leaked information was captured, as well as a custom string. Cross-Platform Support: Available on Word, Excel, and PowerPoint for the web, Windows, Mac, iOS, and Android. Seamless Integration: Configurable on sensitivity labels with admin-defined permissions via the Microsoft Purview compliance portal or PowerShell. Enhanced Security: Prevents users from accessing documents with labels configured for dynamic watermarking on Word, Excel, and PowerPoint clients that cannot render dynamic watermarks. Benefits & Differentiators Although there are existing security solutions that may offer different aspects of dynamic watermarking, Microsoft provides the most comprehensive offering with the following differentiators: Broad support in many views (e.g., slide view, notes view, etc.) so it’s not the only the primary application view that’s protected for more comprehensive coverage. Ability to set dynamic watermarking for a sensitivity label and have it apply to all Word, Excel, and PowerPoint files with that sensitivity label (rather than a separate setting), making it easier for admins to apply dynamic watermarking across applications and files all at once. Ability to edit (and coauthor) a watermarked file. Coauthoring enables users to collaborate on Word, Excel, and PowerPoint files that are labeled with sensitivity labels across Web, Windows, Mac, iOS, and Android. Cross-platform support: Web, Windows, Mac, iOS, and Android. When a user attempts to open a file with dynamic watermarks on a version of Office that doesn’t support the feature, they will see an access denied message. Users who don’t have an Office client installed that is capable of dynamic watermarking should use Office for the web to work with watermarked files. Get Started with Dynamic Watermarking When setting up a label in the Purview compliance portal, you can select “Use Dynamic Watermarking” when configuring encryption. You can also configure dynamic watermarking on a sensitivity label using the Set-Label cmdlet in PowerShell. Learn more about configuring sensitivity labels for dynamic watermarking here. For dynamic watermarking for Word, Excel, and PowerPoint, this will require a Microsoft 365 E5, Microsoft 365 E5 Compliance, Microsoft Information Protection and Governance E5, Microsoft Enterprise Mobiity and Security E5, or Microsoft Security and Compliance for Frontline Workers F5 license. These license requirements are necessary to configure dynamic watermarks and apply labels configured for dynamic watermarking. There is no licensing requirement for users to open files with dynamic watermarks. To view the minimum versions needed to open files with dynamic watermarks on all platforms, see Minimum versions for sensitivity labels in Microsoft 365 Apps | Microsoft Learn.Co-authoring on Microsoft Information Protection encrypted documents is now generally available
With hybrid work here to stay, organizations are increasingly looking for ways to facilitate seamless collaboration among workgroups and across organizations while keeping their data secure and compliant. Today, we’re announcing a unique capability from Microsoft Information Protection in Microsoft 365 that empowers you to do just that.Empowering compliance in a complex regulatory landscape with Microsoft Purview Compliance Manager
As organizations increasingly adopt AI-driven solutions and multi-cloud environments, managing compliance across diverse and evolving regulatory frameworks has become critical. At Microsoft Ignite 2024, we are thrilled to showcase the latest innovations in Microsoft Purview Compliance Manager—designed to empower businesses to navigate complex regulations, like the EU AI Act, GDPR, DORA, NIS2, and more. Whether your organization is focused on data privacy, industry-specific standards, or AI governance, Compliance Manager provides the tools to help you proactively manage compliance, streamline risk mitigation and help ensure operational resilience. Let’s explore how these new features can support your compliance journey. Here’s What’s New in Compliance Management at Microsoft Ignite 2024 This year, Microsoft Purview Compliance Manager introduces powerful new capabilities designed to help organizations tackle today’s complex compliance landscape. With tools addressing AI governance and global data privacy regulations, Compliance Manager offers enhanced support for navigating regulatory requirements with greater ease and efficiency.' New Features: Custom Templates for Tailored Compliance Flexibility is key in the regulatory landscape. With Custom Templates, organizations can now modify compliance frameworks to match specific regulatory and operational needs. This feature empowers teams to configure regulations, making Compliance Manager a uniquely adaptable solution for your compliance management journey. Expanded Coverage with Key Global AI Regulations Compliance Manager regulatory scope has broadened to support both AI and other essential global frameworks, now covering the EU AI Act, NIST AI Risk Management Framework, and ISO standards 42001 and 23894. Beyond AI, we’ve added support for key regulations like DORA, NIST CSF 2.0, Indonesia’s PDP law, and Qatar’s Cloud Computing regulations, providing up-to-date support to address new and evolving requirements. EUAI Act Assessment. Pre-Deployment Compliance Tool For regulated industries, compliance validation has often been a roadblock to efficient cloud adoption. Our new Pre-Deployment Compliance Tool enables customers to assess the regulatory alignment of Azure services prior to production deployment. This feature helps accelerate the path to compliant cloud solutions, reducing validation time from weeks to hours. Compliance History Report for Enhanced Tracking Monitoring compliance trends is easier than ever with the new Compliance History Report. This tool provides a timeline view of your compliance score, making it simple to track progress, understand score changes, and address recurring issues, helping teams build a more proactive approach to compliance management. These new capabilities make Microsoft Purview Compliance Manager an essential asset for addressing complex regulatory requirements, supporting responsible AI, and empowering your organization to manage compliance confidently. Addressing Today’s Compliance Challenges with Microsoft Purview Compliance Manager Compliance Manager is tailored to help organizations address key regulatory challenges by providing a unified solution for managing, monitoring, and enhancing compliance efforts. Here are the primary challenges it helps solve: Navigating Complex Regulatory Landscapes: With an ever-growing set of regulations, Compliance Manager provides guidance and tools to monitor and respond to these evolving requirements. Data Privacy and Security Risks: Compliance Manager's automated tools help to identify risks and enforce privacy best practices, mitigating potential exposures and protecting sensitive data. Scaling Compliance Efforts: Compliance Manager enables scalability, helping organizations address both regional and industry-specific needs while maintaining a consistent compliance posture. AI Governance and Accountability: The EU AI Act and similar regulations are driving the need for transparent, accountable AI governance. Compliance Manager supports organizations in establishing ethical frameworks, tracking AI systems, and compliance with principles of fairness, transparency, and accountability. View your compliance score and recommended actions. Key Capabilities of Microsoft Purview Compliance Manager Microsoft Purview Compliance Manager offers a robust suite of features to streamline and automate compliance management across cloud environments: Unified Compliance Dashboard: A centralized dashboard offers real-time visibility into compliance scores, risk mitigation efforts and control implementation. This enables organizations to efficiently manage compliance across the data estate. Automated Compliance Checks: Compliance Manager reduces the time and effort required for compliance checks through automated assessments that recommend actions based on risk levels, helping you stay ahead of compliance demands. Multi-Cloud Support: Compliance Manager extends beyond Microsoft 365, offering support for Azure services, Amazon Web Services and Google Cloud services, providing a unified view of compliance across your digital ecosystem. AI Compliance suggested actions and workflow management for implementation of appropriate controls: With pre-built assessments and recommended actions aligned with AI governance requirements, Compliance Manager helps organizations adopt AI responsibly by providing specific insights to help implement controls aligned to regulatory requirements. How Compliance Manager Supports the EU AI Act and Other Key Regulations Microsoft Purview Compliance Manager simplifies regulatory alignment for critical frameworks, such as the EU AI Act, by providing: Pre-Built Assessment Templates: These templates guide organizations through EU AI Act requirements, identifying gaps and recommending corrective actions to facilitate compliance workflows. Continuous Monitoring: Ongoing monitoring of AI systems supports alignment with responsible AI principles, such as transparency, fairness, and accountability. AI Governance Capabilities: Compliance Manager supports audit trails for AI use, helping customers ensure that AI-driven decisions comply with legal standards and corporate policies. Accelerating Cloud Innovation with Purview Compliance Manager’s Pre-deployment Compliance Tool Pre-deployment Compliance Tool, one of the latest features in Purview Compliance Manager, is a game changer designed to accelerate cloud adoption for regulated industries. This tool enables Microsoft customers to validate complex service compliance requirements during pre-deployment, streamlining the path to cloud adoption and reducing compliance process time with automation. Begin Your Compliance Journey: Try Microsoft Purview Compliance Manager for Free To experience the full capabilities of Microsoft Purview Compliance Manager, start a free trial and explore how it can simplify and automate your compliance efforts. Steps to Begin Your Trial: Start Your Free Trial: Sign up at aka.ms/PurviewTrial to begin your free trial of Microsoft Purview Compliance Manager premium assessments. Learn More: Visit the Microsoft Learn page for resources, best practices, and tutorials on setting up Compliance Manager.Accelerate AI adoption with next-gen security and governance capabilities
Generative AI adoption is accelerating across industries, and organizations are looking for secure ways to harness its potential. Today, we are excited to introduce new capabilities designed to drive AI transformation with strong security and governance tools.NIST CSF 2.0 - Protect (PR) - Applications for Microsoft 365 (Part 1)
This blog and series will look to apply the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) 2.0 and, specifically, the Protect (PR) Function to Microsoft 365. Though the discussion will endeavor to focus primarily on Microsoft 365, topics may venture into Microsoft Azure topics periodically by the nature of each solution. Part 1 or any subsequent blogs in the series will not be an exhaustive review of all possible applications of NIST CSF 2.0, nor exhaustive of the technologies mentioned and their abilities to manage cybersecurity risks. Other applicable Functions or Categories found in NIST CSF 2.0 will be evoked throughout in the true spirit of the framework. PR as a function is intended to cover “safeguards to manage the organization’s cybersecurity risks” and contains five Categories. The prior CSF publication included six categories, but two were significantly edited and renamed. Let’s first dive into Identity Management, Authentication, and Access Control (PR.AA).
