
You're reading from  Microsoft 365 Security, Compliance, and Identity Administration

Product type: Book
Published in: Aug 2023
Publisher: Packt
ISBN-13: 9781804611920
Edition: 1st Edition
Author: Peter Rising

Peter Rising has over 25 years' experience in IT. He has worked for several IT solutions providers and private organizations in a variety of technical and leadership roles, with a focus on Microsoft technologies. Since 2014, Peter has specialized in the Microsoft 365 platform, focusing most recently on security and compliance in his role as a Consulting Services Manager for Insight. Peter is heavily involved in the wider Microsoft community and has been recognized by Microsoft as an MVP. He holds several Microsoft certifications, including MCSE: Productivity; Microsoft 365 Certified: Enterprise Administrator Expert; and Microsoft 365: Cybersecurity Architect Expert.

Configuring Microsoft Defender for Cloud Apps

When you move your organization’s apps and services to the cloud, you gain greater flexibility for your users and administrators. However, this is a double-edged sword as a traditional firewall cannot be wrapped around the Microsoft 365 platform. The need to protect your Microsoft 365 apps and services remains absolutely crucial though, and this is where Microsoft Defender for Cloud Apps (MDA) comes in.

MDA is a Cloud Access Security Broker (CASB). CASBs provide you with the visibility and control to protect your organization’s cloud and third-party apps from cyber threats and shadow IT (which is where users feel they do not have the tools to do their jobs, so they look for other, unapproved applications). MDA supports functionalities such as log collection, API connectors, and reverse proxy.

This chapter will cover the following topics:

  • Planning your MDA implementation
  • Configuring MDA
  • Managing Cloud...

Planning your MDA implementation

In this section, you will learn how to plan for and configure MDA. It is a CASB solution designed to provide Microsoft 365 administrators with visibility of all Software-as-a-Service (SaaS) applications within their organization and alert them to risky cloud app usage.

The framework of MDA enables you to discover shadow IT activities (for further information, please refer to the Further reading section at the end of this chapter), as well as identify, classify, and protect sensitive information stored in the cloud. It also detects anomalous behavior within cloud apps to protect you from cyber threats. This in turn helps you ensure that industry standards for security and compliance are applied to your cloud apps to protect them against data leakage.

Note

MDA was previously known as Microsoft Cloud App Security. It is not to be confused with Office 365 Cloud App Security, which is a subset of the features of MDA. Office 365 Cloud App Security...

Configuring MDA

Now that you understand the principles of MDA, take a look at how you can configure it to gain visibility of your SaaS applications. First, you need to be aware of the following prerequisites for using MDA:

  • A valid license to use the MDA service. MDA is available with a variety of Microsoft 365 subscriptions. For more information, please refer to the Further reading section at the end of this chapter.
  • A Global Administrator or Security Administrator role.

Note

Once access has been assigned with the required licenses and roles, you may need to wait approximately 15 minutes before you can log in to the MDA portal.

Once you have fulfilled these prerequisites, you can proceed to configure your Cloud Discovery settings. To configure MDA, complete the following steps:

  1. Log in to the Microsoft 365 Defender portal at https://security.microsoft.com and, from the left menu navigation, choose Settings:

Figure 10.1: The Settings menu in Microsoft 365 Defender

Figure...

Managing Cloud App Discovery

With Cloud App Discovery, you can manually upload traffic logs from your firewall and proxies and analyze them for cloud app activity. Additionally, you can automate regular log collection. This is done by completing the following steps:

  1. Log in to the MDA portal at https://security.microsoft.com as a Global Administrator or a Security Administrator and navigate to Cloud apps | Cloud Discovery:

Figure 10.4: Cloud Discovery

  2. The first thing to do is to create a snapshot report to provide ad hoc visibility into a set of traffic logs you manually upload from your firewalls and proxies. To do this, click on Cloud App Security Proxy and choose Create snapshot report:

Figure 10.5: Creating a snapshot report

  3. Enter a report name and description for your report. You also have the Anonymize private information option, as shown in the following screenshot. This should be selected if you...

Managing the MDA catalog

MDA includes a vast app catalog consisting of both native Microsoft 365 and third-party cloud applications. Microsoft assigns a risk score to each of these cloud apps, which you can assess to decide whether to sanction an app for use within your Microsoft 365 environment.

To access the app catalog, carry out the following steps in the MDA portal at https://security.microsoft.com:

  1. Navigate to Cloud Apps | Cloud app catalog. Each app has a risk score, and you can mark an app as sanctioned or unsanctioned using the two icons to the right of each app listing, under Actions:

Figure 10.13: Cloud app catalog

  2. Clicking on the three dots to the right will also provide you with further actions you can take for the apps in the app catalog, such as tagging apps, app deployment options, and viewing the app score and app details. This is shown in the following screenshot; for more details, please refer to the Further...

Managing apps and app connectors in MDA

You can connect apps in MDA to provide greater visibility by taking the following steps:

  1. From the Microsoft 365 Defender portal at https://security.microsoft.com, navigate to Settings | Cloud Apps | Connected Apps | App Connectors. This will take you to the connected apps section, as shown in the following screenshot:

Figure 10.15: Connected apps

  2. Click on the Connect an app option. You will be given the option to add connected apps, as shown here:

Figure 10.16: Adding connected apps

  3. Select Microsoft Azure to connect to MDA for this example:

Figure 10.17: Connecting an app

  4. Click on Connect Microsoft Azure. You will see the following:

Figure 10.18: Connecting an app

  5. Click on Done. You will see your connected app in the list of connected apps, as in the following screenshot...

Configuring policies and templates

With MDA policies, you can control your cloud apps with governance and compliance actions. This can be achieved by completing the following steps:

  1. From the Microsoft 365 Defender portal, select Cloud apps | Policies, as in the following screenshot:

Figure 10.20: MDA policies

  2. Choose Policy management. You will see a list of active MDA policies. These can be filtered by risk category for ease of use, as shown in the following screenshot. From this view, you can choose to view or edit the policy settings by double-clicking on the policy or choosing the cog wheel to the right of the policy. You can also choose to view all matches or alerts for the policy:

Figure 10.21: MDA policy management

  3. Viewing all matches for the risky sign-in policy returned the results shown in the following screenshot. From the action menu (the three dots to the right), you can then make...

Using Conditional Access App Control with MDA

MDA can integrate with Azure AD Conditional Access to control access to your Microsoft 365 cloud apps. Conditional Access App Control allows you to specify conditions where users can be informed that their access is being monitored, blocked from downloading content, or forced to use only online web apps.

To view Conditional Access App Control apps, complete the following steps:

  1. From the Microsoft 365 Defender portal, go to Settings | Connected Apps and select Conditional Access App Control apps. This takes you to the page shown in the following screenshot, where you can see native Microsoft 365 apps included. It is also possible to add a SAML application from your identity provider:

Figure 10.31: Conditional Access App Control

  2. Using the Exchange Online app as an example, create a Conditional Access policy to use session controls. To do this, go to https://portal.azure.com and navigate...
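
The same kind of session-control policy can also be created from PowerShell. The following is an added example, not code from the book: it uses the Microsoft Graph PowerShell SDK to create a report-only Conditional Access policy that sends Exchange Online sessions through Conditional Access App Control. The policy name and the pilot group ID are placeholders to replace with your own values.

```powershell
# Added example. Requires the Microsoft.Graph.Identity.SignIns module and an
# account that is allowed to manage Conditional Access policies.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Application.Read.All'

# Assumption: object ID of a pilot group; replace the placeholder before running.
$pilotGroupId = '<PILOT-GROUP-OBJECT-ID>'

$policy = @{
    # Assumption: illustrative display name
    displayName = 'EXAMPLE - Exchange Online via Conditional Access App Control'
    # Report-only first, so the sign-in logs show the effect before enforcement
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        clientAppTypes = @('all')
        applications   = @{
            # Well-known application ID of Office 365 Exchange Online
            includeApplications = @('00000002-0000-0ff1-ce00-000000000000')
        }
        users = @{
            # Scope to the pilot group rather than all users
            includeGroups = @($pilotGroupId)
        }
    }
    sessionControls = @{
        cloudAppSecurity = @{
            isEnabled            = $true
            # 'monitorOnly', 'blockDownloads', or 'mcasConfigured'
            # (the last one defers to session policies defined in MDA)
            cloudAppSecurityType = 'monitorOnly'
        }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Read the policy back and confirm the state and session control that were stored
Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id |
    Select-Object DisplayName, State,
        @{ n = 'SessionControl'; e = { $_.SessionControls.CloudAppSecurity.CloudAppSecurityType } }
```

Switch `state` to `enabled` only after the report-only results for the pilot group look as expected.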

Reviewing and interpreting alerts, reports, and dashboards

With MDA, you can review information on file activity within your cloud applications by completing the following steps:

  1. From the Microsoft 365 Defender portal, go to Cloud Apps | Files, as shown in the following screenshot:

Figure 10.36: Investigating files

  2. Click on an individual file to see information related to it. Additionally, selecting the three dots next to an individual file item will show you the recent file activity in this area for your cloud apps, such as related alerts and governance, and allow you to apply the required response actions:

Figure 10.37: The available file actions

  3. From the same section of the Microsoft 365 Defender portal, you can also access the Activity log:

Figure 10.38: Activity log

  4. Use the queries and filters at the top of the activity log to view specific log activity...

Summary

This chapter provided an introduction to MDA. We learned about the two variations of MDA and how Office 365 Cloud App Security is a subset of the broad array of features available in MDA. We learned how MDA can provide visibility of your cloud app usage within your Microsoft 365 environment, both with native Microsoft 365 apps and third-party cloud apps. We also examined how to discover cloud activity by uploading traffic logs from your firewalls and proxies, along with how to sanction and unsanction cloud apps and connect third-party cloud apps using the app connector. The chapter also demonstrated how policies can be applied from built-in templates and policy management creation to control cloud app usage. Finally, we learned how Azure AD Conditional Access can be integrated with MDA using session controls and how to view alerts, file activity, and activity logs.

The next chapter will introduce the features of sensitivity labels in Microsoft Purview. We will learn how...

Questions

  1. Which of the following is not a possible application of Conditional Access App Control?
    1. Monitoring access
    2. Blocking uploads
    3. Blocking downloads
  2. True or false: Defender for Cloud Apps policies can be used to apply sensitivity labels to content.
    1. True
    2. False
  3. Which of the following are names of Defender for Cloud Apps policies? (Choose three)
    1. Access policy
    2. Device compliance policy
    3. File policy
    4. App Protection policy
    5. Activity policy
  4. True or false: Office 365 Cloud App Security contains all the features of Microsoft Defender for Cloud Apps.
    1. True
    2. False
  5. Where in the MDA portal would you go to sanction or unsanction an app?
    1. Cloud App Control | Policies
    2. Cloud app catalog | Cloud Apps
    3. Cloud Apps | Cloud app catalog
    4. Cloud Discovery | Cloud app catalog
  6. When configuring a policy template, which of the following alerts can be configured? (Choose three)
    1. Send alert as email
    2. Send alert via Microsoft Teams
    3. Send alert as text message
    4. Send alert via RSS feed
    5. Send alert to Power Automate
  7. Which...