You're reading from Microsoft Identity and Access Administrator Exam Guide

Product type: Book
Published in: Mar 2022
Reading level: Beginner
Publisher: Packt
ISBN-13: 9781801818049
Edition: 1st Edition

Author: Dwayne Natwick

Dwayne Natwick is a Cloud Training Architect Lead at Opsgility, a Microsoft CSP. He has been in IT, security design, and architecture for over 30 years. His love of teaching led him to become a Microsoft Certified Trainer (MCT) Regional Lead and a Microsoft Most Valuable Professional (MVP). Dwayne has a master’s degree in Business IT from Walsh College, the CISSP from ISC2, and 18 Microsoft certifications, including Identity and Access Administrator, Azure Security Engineer, and Microsoft 365 Security Administrator. Dwayne can be found providing and sharing information on social media, industry conferences, his blog site, and his YouTube channel. Originally from Maryland, Dwayne currently resides in Michigan with his wife and three children.

Chapter 11: Monitoring Enterprise Apps with Microsoft Defender for Cloud Apps

The previous chapter covered how to integrate enterprise applications with Azure Active Directory (AD) for use with single sign-on (SSO). This included utilizing Microsoft Defender for Cloud Apps (formerly Microsoft Cloud App Security) to discover applications that are being used on your company network. In this chapter, we will look at the advanced tools and capabilities of Microsoft Defender for Cloud Apps to monitor and manage the use of cloud applications in your company.

In this chapter, we're going to cover the following main topics:

  • Planning your cloud application strategy
  • Implementing cloud app security policies
  • Planning and configuring cloud application permissions
  • Discovering apps by using a Microsoft Defender for Cloud Apps or an Active Directory Federated Services (ADFS) app report
  • Using Microsoft Defender for Cloud Apps to manage application access
...

Technical requirements

In this chapter, we will continue to explore configuring a tenant for the use of Microsoft 365 and Azure. There will be exercises that will require access to Azure AD. If you have not yet created the trial licenses for Microsoft 365, please follow the directions provided within Chapter 1, Preparing for Your Microsoft Exam.

Planning your cloud application strategy

In Chapter 10, Planning and Implementing Enterprise Apps for Single Sign-On (SSO), we discussed how Microsoft Defender for Cloud Apps can help to discover the applications being accessed by users and how we can manage the applications that we want them to use. This included on-premises and cloud applications that we registered for SSO. This chapter will focus more on how to develop a cloud application strategy and the reasons why we would allow or deny certain applications. Let's start by reviewing what Microsoft Defender for Cloud Apps is and how it is used to discover apps being accessed by our users and registered devices.

Discovering apps with Microsoft Defender for Cloud Apps

As mentioned in Chapter 10, Planning and Implementing Enterprise Apps for Single Sign-On (SSO), Microsoft Defender for Cloud Apps is a cloud service with Microsoft 365 that provides cloud access security broker services. A cloud access security broker is...

Implementing cloud app security policies

In the previous sections, we went through the planning process of discovering and identifying applications that can be migrated to Azure AD for SSO. This section goes through the process of configuring an Azure AD application proxy to migrate on-premises applications to Azure AD for authentication and SSO.

Conditional Access policies in Microsoft Defender for Cloud Apps

Microsoft Defender for Cloud Apps allows us to create additional controls for cloud apps through policies specific to the cloud apps that we are monitoring. These policies are created from the Control menu in the Microsoft Defender for Cloud Apps portal, as shown in Figure 11.4. There are also a number of built-in templates, which can be found under Templates in the Control menu:

Figure 11.4 – Conditional Access policies in Cloud App Security

For more on the use case for creating a Conditional Access policy, please...

Planning and configuring cloud application permissions

The permissions for enterprise applications were discussed in Chapter 10, Planning and Implementing Enterprise Apps for Single Sign-On (SSO), but we will review them again here. There are two primary roles to consider for cloud applications, the application administrator and the cloud application administrator:

  • The application administrator role allows users to create and manage enterprise applications, application registrations, and application proxy settings. These administrators can also grant application permissions and delegated permissions.
  • The cloud application administrator role can also manage enterprise applications and application registrations, but because this designation is for cloud applications, it does not include the ability to manage application proxies.

When determining the role to assign to an administrator, you should determine whether that administrator is going to be required to manage on...

Discovering apps by using Microsoft Defender for Cloud Apps or an ADFS app report

In this section, we show how to discover third-party applications using Microsoft Defender for Cloud Apps (Cloud App Security) reports and ADFS app reports.

Discovering apps with Microsoft Defender for Cloud Apps app report

Microsoft Defender for Cloud Apps utilizes logs from network traffic to identify the applications that users are accessing. Traffic logs from on-premises firewalls will provide a snapshot report on the most common applications and the users that are accessing these apps. Additional information on app discovery can be found at this link: https://docs.microsoft.com/en-us/cloud-app-security/set-up-cloud-discovery. Traffic from managed devices will be fed into the Microsoft Defender for Cloud Apps Cloud Discovery overview dashboard, as shown in Figure 11.20:

Figure 11.20 – Microsoft Defender for Cloud Apps Cloud Discovery dashboard

This information...

Using Microsoft Defender for Cloud Apps to manage application access

The final area that we need to consider for our application strategy is securing the applications and determining which applications will be allowed or denied access by our users and registered devices.

Discovered app scoring

As a company, you have a responsibility to protect against the sharing of personally identifiable information and company data by users. This includes the potential exposure of this data through unsanctioned cloud applications that are being accessed from devices. Cloud App Security provides an easy-to-follow scoring system for cloud applications, where the level of protection that each app provides has a score based on GENERAL, SECURITY, COMPLIANCE, and LEGAL criteria. Figure 11.23 shows the scoring for Microsoft Office Online:

Figure 11.23 – Microsoft Office Online score
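As an added illustration of the two preceding sections (the Cloud Discovery snapshot report built from firewall traffic logs, and the GENERAL, SECURITY, COMPLIANCE and LEGAL scoring used to decide what to sanction), the following Python script is not from the book or from Microsoft. The log line format, the app catalogue, the per-category score values, the category weights and the review threshold are all constructed assumptions; only the four category names come from the page.

```python
import re
# Constructed firewall log lines (format and values are assumptions, not real traffic)
FIREWALL_LOG = """\
2022-03-01T09:12:01Z user=alice dst=www.example-drive.test bytes=10240 action=allow
2022-03-01T09:12:09Z user=bob dst=www.example-drive.test bytes=4096 action=allow
2022-03-01T09:13:30Z user=alice dst=api.example-drive.test bytes=512000 action=allow
2022-03-01T09:14:02Z user=carol dst=office.live.test bytes=2048 action=allow
2022-03-01T09:15:44Z user=bob dst=pastebin.test bytes=777 action=allow
2022-03-01T09:16:10Z user=dave dst=pastebin.test bytes=65536 action=allow
2022-03-01T09:17:00Z user=eve dst=pastebin.test bytes=1 action=block
"""
# Constructed catalogue: domain -> (app, 1-10 score per page category); values and weights are assumptions
CATALOG = {
    "example-drive.test": ("Example Drive", {"GENERAL": 9, "SECURITY": 8, "COMPLIANCE": 8, "LEGAL": 9}),
    "office.live.test": ("Office Online", {"GENERAL": 10, "SECURITY": 10, "COMPLIANCE": 10, "LEGAL": 10}),
    "pastebin.test": ("Paste Service", {"GENERAL": 6, "SECURITY": 2, "COMPLIANCE": 1, "LEGAL": 3}),
}
WEIGHTS = {"GENERAL": 1, "SECURITY": 2, "COMPLIANCE": 2, "LEGAL": 1}
LINE_RE = re.compile(r"user=(\S+) dst=(\S+) bytes=(\d+) action=(\w+)")

def lookup_app(host):
    """Resolve a destination host to a catalogue entry by domain suffix, or None."""
    for domain, entry in CATALOG.items():
        if host == domain or host.endswith("." + domain):
            return entry
    return None

def risk_score(scores):
    """Weighted average of the category scores, rounded to one decimal (1-10 scale)."""
    return round(sum(WEIGHTS[c] * scores[c] for c in WEIGHTS) / sum(WEIGHTS.values()), 1)

def snapshot_report(log_text, review_threshold=5.0):
    """Aggregate allowed traffic per app and flag apps scoring below the threshold."""
    apps = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m.group(4) != "allow":  # blocked sessions never reached the app
            continue
        entry = lookup_app(m.group(2))
        if entry is None:                   # destination is not a catalogued cloud app
            continue
        name, scores = entry
        agg = apps.setdefault(name, {"users": set(), "sessions": 0, "bytes": 0, "scores": scores})
        agg["users"].add(m.group(1))
        agg["sessions"] += 1
        agg["bytes"] += int(m.group(3))
    report = [{"app": n, "users": len(a["users"]), "sessions": a["sessions"], "bytes": a["bytes"],
               "score": risk_score(a["scores"]), "review": risk_score(a["scores"]) < review_threshold}
              for n, a in apps.items()]
    return sorted(report, key=lambda r: (-r["sessions"], r["app"]))
```

Apps flagged with `review` are candidates to unsanction, while the user and volume counts show how much of the organization would be affected by blocking them.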

Sanctioning and unsanctioning apps

Once you have evaluated the applications that...

Summary

In this chapter, we covered the use of third-party cloud applications within our organization, and how to manage, monitor, and control them with Cloud App Security. This included how to create app policies and discover apps to sanction or unsanction on a Microsoft tenant. In the next chapter, we will discuss entitlement management and managing the terms of use for users.
