Implement and manage Microsoft Defender for Cloud Apps
"Microsoft Defender for Cloud Apps is a Cloud Access Security Broker (CASB) that operates on multiple clouds. It provides rich visibility, control over data travel, and sophisticated analytics to identify and combat cyber threats across all your cloud services." - Microsoft
In short, the Microsoft Defender for Cloud Apps portal is where you connect your Azure AD user accounts, devices and third-party cloud apps so you can see which cloud apps your users are actually using, and then govern or block that usage where needed.
What are the license requirements?
Microsoft also sells a stand-alone license, so you can get Microsoft Defender for Cloud Apps without the rest of the security suite. It is included in the following:
- Microsoft Defender for Cloud Apps stand-alone license (formerly the Microsoft Cloud App Security license; the product was renamed in 2021)
- Microsoft 365 E5, Microsoft 365 E5 Security and Microsoft 365 E5 Compliance
- Enterprise Mobility + Security E5 (EMS E5)
- Office 365 E5 (no 3rd party applications can be connected and managed with this license)
- Microsoft 365 Education A3 & Microsoft 365 Education A5
Open the Microsoft Defender for Cloud Apps admin center
Defender for Cloud Apps has its own portal. You can reach it as follows:
1. Open the Microsoft 365 Defender portal (https://security.microsoft.com), expand More resources and click Open under Microsoft Defender for Cloud Apps.
Enable Microsoft Defender for Identity data integration
The first thing you'll want to do is enable Microsoft Defender for Identity data integration. This lets Defender for Cloud Apps ingest the alerts and identity signals that Defender for Identity gathers from your on-premises Active Directory domain controllers, so on-premises activity shows up alongside cloud activity. Defender for Identity collects and holds the following information from the servers on which you install its sensor:
- network traffic to and from domain controllers
- Security logs
- AD information
- Entity information (for example, names, email addresses, and phone numbers)
Defender for Identity uses this information to find indicators of an attack and generates alerts when a possible attack is detected. Your security team can also view the entities and related information gathered from your network.
1. Click the Enable Microsoft Defender for Identity data integration link.
2. If you see Deploy Microsoft Defender for Identity click the link.
3. Click Create.
4. Click Provide a username and password.
5. Enter the credentials of an on-premises Active Directory account for Defender for Identity to use as its Directory Service account (a regular domain user with read access is sufficient; Microsoft recommends a group managed service account). Click Save.
6. Click Download Sensor Setup at the top of the screen.
7. Click Download then copy the access key.
8. Copy the ZIP to a domain controller and extract it. Once extracted, run Azure ATP Sensor Setup (the installer still carries the product's former name, Azure Advanced Threat Protection).
9. On the Choose your language page click Next.
10. On the Sensor deployment type page click Next.
11. On the Configure the sensor page enter the access key you received from step 7. Click Install.
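For the sensor install in steps 8 to 11 you can skip the wizard and install unattended, which is what you'll want when there are more than a couple of domain controllers. The following PowerShell is an added example, not part of the original walkthrough: the silent-install switches are Microsoft's documented ones, while the extraction path and the access key are placeholders you supply. It also performs the check that the portal page under Review servers with the sensor installed does for you, by confirming the sensor services are running.

```powershell
# Run in an elevated PowerShell session on the domain controller.
# Assumed: the ZIP from step 7 was extracted to $SetupDir; the access key is the
# one shown in the portal in step 7 (read interactively so it never lands in a script).
$SetupDir  = "C:\Temp\AzureATPSensorSetup"
$AccessKey = Read-Host -Prompt "Defender for Identity access key"

$installer = Join-Path $SetupDir "Azure ATP sensor Setup.exe"
if (-not (Test-Path $installer)) { throw "Installer not found: $installer" }

# Documented silent-install syntax. NetFrameworkCommandLineArguments="/q" makes the
# bundled .NET prerequisite install silently as well.
$setupArgs = @(
    '/quiet',
    'NetFrameworkCommandLineArguments="/q"',
    "AccessKey=`"$AccessKey`""
)
$proc = Start-Process -FilePath $installer -ArgumentList $setupArgs -Wait -PassThru
if ($proc.ExitCode -ne 0) {
    throw "Sensor setup failed with exit code $($proc.ExitCode)"
}

# Verify the two services the sensor registers (names still carry the old AATP prefix).
$services = Get-Service -Name 'AATPSensor', 'AATPSensorUpdater' -ErrorAction Stop
$services | Format-Table Name, Status, StartType -AutoSize

$stopped = $services | Where-Object Status -ne 'Running'
if ($stopped) {
    Write-Warning "Not running: $($stopped.Name -join ', ')."
    Write-Warning "Check the sensor logs under $env:ProgramFiles\Azure Advanced Threat Protection Sensor\<version>\Logs"
}
```

Once the services are running, the domain controller should appear in the portal under Settings > Microsoft Defender for Identity > Configure Microsoft Defender for Identity sensors within a few minutes; the sensor needs outbound HTTPS to your tenant's Defender for Identity endpoint for that to happen, so a firewall block shows up here as a sensor that installs cleanly but never reports.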
Review servers with the sensor installed
Now let's review which servers have the sensor installed and reporting.
1. Click the gear in the top right corner. Click Settings.
2. Click Microsoft Defender for Identity > Configure Microsoft Defender for Identity sensors.
Create a file alert
Now let's alert on file activity. Say we want to receive an alert for any file whose name contains the word File. First we'll enable file monitoring in the Office 365 connector, then we'll create a file policy.
The policy below matches any file in OneDrive or SharePoint whose name contains the word or phrase you enter. In the example below that word is File, so it matches File.docx, ImportantFile.docx and File_Important.docx alike.
1. Open the Microsoft Defender for Cloud Apps portal. Go to Investigate > Connected apps. Click the ellipsis (...) next to Office 365. Click Edit settings...
2. Check every Office 365 component, making sure Office 365 files (file monitoring) is among them. Click Connect.
3. Close the Connect Office 365 window. Click Control > Policies > Create policy > File policy.
4. Give the policy a name, for example, File Policy 1. Remove the two default filters pre-populated under Files matching all of the following.
5. Click Select a filter. Select File name.
6. Change the operator from equals to contains words. Set the File name field to File.
7. Check the box next to Create an alert for each matching file. Check the box next to Send alert as email. Enter your email address in the box provided. Click Create.
Understanding Cloud Apps policies
Understanding Cloud App policies can be a bit tricky. In short, every policy has the same four parts.
Meta-information
The meta-information sits at the top. This is data about the policy itself: the policy name, description, severity and so on.
Filters
The filters come next. They define who and what the policy applies to. You can filter on all sorts of things: the actor (the user performing the action), the actor's IP address, the apps the actor is interacting with, and so on.
Actions
The actions are what happens when the filters match. For example, you can put a policy in test mode, in which case an alert is created but the user is not prevented from performing the action, or you can block the user outright.
Alerts
Alerts are raised when a user performs an action that matches the filters. You can send an email or a text message, simply create an alert in Defender for Cloud Apps, or send the alert to Power Automate.
Block printing from Exchange Online
Alright, now that we've configured some basic alerting, let's get more technical. Let's create a session policy that blocks printing from Exchange Online. We'll need a Conditional Access policy that routes Exchange Online sessions through Conditional Access App Control, then a session policy in Defender for Cloud Apps that blocks printing.
Create the conditional access policy
1. Go to Azure AD admin center > All services > Azure AD Conditional Access. Click New policy > Create new policy.
2. Set the name to Block Printing. Click 0 users or workload identities selected. Click All users.
3. Click No cloud apps, actions, or authentication contexts selected. Click Select apps. Search for Exchange Online. Click Office 365 Exchange Online. Click Select.
4. Under Session, click 0 controls selected. Check Use Conditional Access App Control and choose Use custom policy from the dropdown (Monitor only and Block downloads are the built-in alternatives). Click Select.
5. Set the Enable policy to On. Click Create.
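The same Conditional Access policy, created with the Microsoft Graph PowerShell SDK instead of the portal, as an added example that is not part of the original walkthrough. The application ID is Office 365 Exchange Online's well-known ID, and a cloudAppSecurityType of mcasConfigured is the Graph equivalent of choosing Use custom policy. The break-glass group ID is an assumption you supply; the policy is created in report-only mode rather than On so you can check its scope first.

```powershell
# Requires the Microsoft Graph PowerShell SDK (Install-Module Microsoft.Graph).
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Application.Read.All"

# Well-known application ID for Office 365 Exchange Online.
$exchangeOnlineAppId = "00000002-0000-0ff1-ce00-000000000000"

# Assumed: object ID of a group holding your emergency-access accounts. Excluding it
# means a broken session policy can never lock every admin out of mail.
$breakGlassGroupId = Read-Host -Prompt "Object ID of your break-glass group"

$policy = @{
    displayName = "Block Printing"
    # Report-only first: confirm from the sign-in logs which users and sessions
    # the policy would hit, then change this to "enabled" to enforce it.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        clientAppTypes = @("all")
        users          = @{
            includeUsers  = @("All")
            excludeGroups = @($breakGlassGroupId)
        }
        applications   = @{ includeApplications = @($exchangeOnlineAppId) }
    }
    sessionControls = @{
        cloudAppSecurity = @{
            isEnabled            = $true
            cloudAppSecurityType = "mcasConfigured"   # "Use custom policy" in the portal
        }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State
```

Until the state is switched to enabled, sessions are not actually routed through the proxy, so the Exchange Online app will not appear under Conditional Access App Control apps in the next section; flip the state once the report-only results look right.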
Log in to Exchange Online
Now that the Conditional Access policy is in place, a user covered by it needs to sign in to Exchange Online at least once. That first proxied session is what makes the app appear in the Conditional Access App Control apps list in Defender for Cloud Apps. Anyone in scope will do, including you. Simply open https://outlook.office.com/mail/.
Enable the app in your organization
1. Open Microsoft Defender for Cloud Apps > Investigate > Connected apps > Conditional Access App Control apps > Click the ellipsis next to Microsoft Exchange Online. Click Edit app...
2. Click Use with Conditional Access App Control. Click Save.
Create session policy
1. Click Control > Policies > Create policy > Session policy.
2. Set the policy name to Block Printing from Exchange Online. Click Select under Session control type. Click Block activities.
3. Click Select apps. Click Microsoft Exchange Online. Click Select activity. Click Print.
4. Scroll down to the actions section. Click Block. Click Create.
The above policy isn't limited to Microsoft 365 apps. Any web app that uses Azure AD for single sign-on (SAML or OpenID Connect) can be onboarded to Conditional Access App Control and managed the same way.
Review the logs
So now we have a few apps connected to Defender for Cloud Apps. Let's dive in and see how to review the logs to track who's doing what.
1. Open the Microsoft Defender for Cloud Apps portal. Click Investigate > Activity log.
2. Use the filters at the top (user, app, activity type, IP address, date) to narrow the list, then click an activity to see its details.
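Clicking through the Activity log works for one-off checks; for recurring review you can query the same data from the Defender for Cloud Apps activities API. The following PowerShell is an added example, not part of the original page. The portal URL and the user UPN are placeholders, the API token is one you create in the portal's Settings under API tokens, and the response field names used in the output (timestamp, description, user.username) are assumptions about the API payload that you should check against a real response.

```powershell
# Assumed: your tenant's portal URL (shown under Settings > About) and an API token
# created in the portal. The token is read interactively so it stays out of scripts.
$PortalUrl = "https://contoso.us.portal.cloudappsecurity.com"
$ApiToken  = Read-Host -Prompt "Defender for Cloud Apps API token"

# Look back 24 hours. The date filter takes epoch time in milliseconds.
$sinceMs = [DateTimeOffset]::UtcNow.AddHours(-24).ToUnixTimeMilliseconds()

$body = @{
    filters = @{
        "date"          = @{ gte = $sinceMs }
        # Optional: restrict to one user (assumed UPN). Remove this line to see everyone.
        "user.username" = @{ eq = "alice@contoso.com" }
    }
    sortField     = "date"
    sortDirection = "desc"
    limit         = 100
} | ConvertTo-Json -Depth 5

# Legacy API tokens are sent as "Authorization: Token <token>".
$resp = Invoke-RestMethod -Method Post -Uri "$PortalUrl/api/v1/activities/" `
    -Headers @{ Authorization = "Token $ApiToken" } `
    -ContentType "application/json" -Body $body

# Field names below are assumed from the API response; adjust if your payload differs.
$resp.data | ForEach-Object {
    [pscustomobject]@{
        Time        = [DateTimeOffset]::FromUnixTimeMilliseconds($_.timestamp).UtcDateTime
        User        = $_.user.username
        Description = $_.description
    }
} | Format-Table -AutoSize
```

The API returns at most 100 activities per call; for anything larger, page through the results with the skip parameter rather than raising the limit. Treat the API token like a password: it grants read access to every activity in the tenant, so scope it to a dedicated service account and rotate it on the same schedule as other secrets.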