ChrisOnSecurity
Getting started with Microsoft Cloud App Security Conditional Access App Control

Posted on 6. December 2018, updated 8. February 2020

Microsoft Cloud App Security Conditional Access App Control – phew, what a name. A good reason to keep the technology behind it as simple as possible.

So, what does it do? Basically, Microsoft Cloud … ok ok I’ll keep it a bit shorter, MCASCAAC is a reverse proxy architecture that allows you to actively control the session of a user. While regular MCAS policies take a small amount of time to react to certain actions or activities, MCASCAAC lets you take a real-time approach for even more protection of your data. At the moment, MCASCAAC relies on SAML or OpenID Connect authentication to do its magic; therefore, the number of supported cloud apps is limited:

  • AWS
  • Box
  • Concur
  • CornerStone OnDemand
  • DocuSign
  • Dropbox
  • Egnyte
  • G Suite
  • GitHub
  • HighQ
  • JIRA/Confluence
  • Salesforce
  • ServiceNow
  • Slack
  • Tableau
  • Workday
  • Workiva
  • Workplace by Facebook
  • Exchange Online (Preview)
  • OneDrive for Business (Preview)
  • Power BI (Preview)
  • SharePoint Online (Preview)
  • Azure DevOps (Preview)
  • Yammer (Preview)

Fortunately, Microsoft’s own apps are starting to become available for the service.

How to prepare for MCASCAAC

As the name already implies, Microsoft Cloud App Security Conditional Access App Control is sort of an extension for Azure AD’s Conditional Access, so that is the place where you configure which users or groups are controlled by MCASCAAC. First, add the group of users you want to onboard to MCASCAAC:

Second, select the cloud apps you want to have in scope of MCASCAAC:

Finally, select “Use Conditional Access App Control” under “Sessions”:
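To verify that these three steps ended up in a policy the way you intended, here is an added example (not from the original post) that audits Conditional Access policies exported in the Microsoft Graph conditionalAccessPolicy shape (conditions.users, conditions.applications, sessionControls.cloudAppSecurity): it lists every policy that hands sessions to App Control and flags those that are report-only or scoped to everyone instead of a pilot group. The sample export and its object ids are constructed placeholders.

```python
import json

# Constructed sample export (three policies): a group-scoped App Control policy as the
# post describes, a report-only copy scoped to everyone, and an MFA policy without
# session controls. The object ids are placeholders.
SAMPLE_EXPORT = json.dumps([
    {"displayName": "App Control - pilot group", "state": "enabled",
     "conditions": {"users": {"includeUsers": [], "includeGroups": ["<pilot-group-id>"]},
                    "applications": {"includeApplications": ["<salesforce-app-id>", "<dropbox-app-id>"]}},
     "sessionControls": {"cloudAppSecurity": {"isEnabled": True, "cloudAppSecurityType": "mcasConfigured"}}},
    {"displayName": "App Control - everyone (report-only)", "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["All"], "includeGroups": []},
                    "applications": {"includeApplications": ["All"]}},
     "sessionControls": {"cloudAppSecurity": {"isEnabled": True, "cloudAppSecurityType": "blockDownloads"}}},
    {"displayName": "Require MFA", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "includeGroups": []},
                    "applications": {"includeApplications": ["All"]}},
     "sessionControls": None},
])


def app_control_policies(export_json):
    """Return one summary dict per policy that routes sessions through App Control,
    with findings a reviewer wants to see before the policy goes live."""
    summary = []
    for pol in json.loads(export_json):
        cas = (pol.get("sessionControls") or {}).get("cloudAppSecurity") or {}
        if not cas.get("isEnabled"):
            continue  # no App Control session control on this policy
        cond = pol.get("conditions", {})
        users, apps = cond.get("users", {}), cond.get("applications", {})
        entry = {
            "name": pol["displayName"],
            "enforced": pol.get("state") == "enabled",
            "control": cas.get("cloudAppSecurityType"),
            "groups": users.get("includeGroups", []),
            "apps": apps.get("includeApplications", []),
            "findings": [],
        }
        if not entry["enforced"]:
            entry["findings"].append("not enforced: sessions are not proxied")
        if "All" in users.get("includeUsers", []) and not users.get("excludeUsers"):
            entry["findings"].append("scoped to all users with no exclusions: onboard a pilot group first")
        if "All" in entry["apps"]:
            entry["findings"].append("scoped to all cloud apps: only supported SAML/OIDC apps are proxied")
        summary.append(entry)
    return summary
```

Run it against a real export (for example the JSON returned by the Graph conditional access policies endpoint) instead of SAMPLE_EXPORT to review your own tenant.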

How to configure MCASCAAC

Now we can go back to the MCAS portal. Once a user with an assigned MCASCAAC policy signs in to one of the cloud apps we selected in the Conditional Access policy, this app will appear under “Conditional Access App Control apps”:

Click “Continue setup” to add the app to MCASCAAC:

Now, you can define Access (1) and Session (2) policies for apps that are controlled by App Control:

Session policies

Session policies are quite similar to regular MCAS policies.

You can define severity, category, and control type.

You can also define custom activity…

… and file filters for each policy.

Session policies are also capable of “content inspection” which offers DLP capabilities for each policy.

Finally, you can decide on what to do with a session if it meets your filter criteria:

Access policies

Access policies are quite similar. However, they offer fewer configurable options compared to session policies:

User experience

Once a user signs in to an app that is in scope of MCASCAAC, a hint is shown that notifies the user about enhanced session control:

App Control will also always notify the user if they are limited by a policy:

They will also notice that URLs are now rewritten, as they are redirected to the MCASCAAC service.

There you have it. A quick introduction to Microsoft Cloud App Security Conditional Access App Control. Of course you can dig much deeper into it but I leave that up to you.

Cheers and thanks for reading!

Chris
