Configuring Microsoft Cloud App Security for Access and Session Control

11/14/2024

This technical and educational article aims to guide security analysts, IT administrators, and systems engineers in configuring and using Microsoft Defender for Cloud Apps (MDCA), formerly known as Microsoft Cloud App Security (MCAS), to implement access and session control in cloud applications. MDCA is a Cloud Access Security Broker (CASB) solution that offers visibility, control over data traffic and sophisticated analytics to identify and combat cyber threats in cloud environments, being a critical component for the Zero Trust strategy [1].

Introduction

The growing adoption of SaaS (Software as a Service) applications has brought numerous benefits in terms of productivity and flexibility, but it has also introduced new security challenges. Organizations need to ensure that access to these applications is secure, that sensitive data is not leaked, and that malicious activity is detected and mitigated. Microsoft Defender for Cloud Apps acts as a point of control between users and cloud apps, enabling organizations to monitor and control access and sessions in real time, even for unmanaged apps or on non-compliant devices [2].

This practical guide will cover prerequisites, integrating MDCA with Azure AD Conditional Access, configuring session and access policies, monitoring activity, and best practices to ensure a robust security posture for your cloud applications. Step-by-step instructions and practical examples are provided so that the reader can implement and validate access and session control with MDCA, strengthening the security of their data and applications in the cloud in an autonomous, professional and reliable way.

Why is Microsoft Cloud App Security crucial for Access and Session Control?

  • Visibility and Control: Provides deep visibility into cloud application usage and enables granular control over user actions in real time.
  • Data Protection: Helps prevent data leaks, unauthorized downloads and uploads of sensitive files to cloud applications.
  • Threat Detection: Identifies behavioral anomalies and suspicious activities that may indicate compromised accounts or insider threats.
  • Compliance: Helps organizations comply with privacy and security regulations, ensuring data is treated in accordance with corporate policies.
  • Integration with Azure AD Conditional Access: Extends the capabilities of Azure AD Conditional Access, enabling real-time access and session policies.
  • Support for Unmanaged Applications: Allows you to extend control and protection to cloud applications that are not directly managed by the organization.

Prerequisites

To implement access and session control with Microsoft Cloud App Security, you will need the following items:

  1. Licensing: Microsoft 365 E5, Enterprise Mobility + Security E5, or Microsoft Defender for Cloud Apps standalone licenses [3].
  2. Administrative Access: An account with the role of Global Administrator or Security Administrator on the Microsoft Defender XDR portal (https://security.microsoft.com) and the Azure portal (https://portal.azure.com).
  3. Azure AD Conditional Access: Azure AD Conditional Access Policies configured and in use as MDCA integrates with them to enforce session and access controls [4].
  4. Cloud Applications: Cloud applications (SaaS) that you want to protect. MDCA works with any application, but integration with Azure AD Conditional Access requires the application to be deployed behind the MDCA reverse proxy (Conditional Access App Control).

Step by Step: Configuring Microsoft Defender for Cloud Apps for Access and Session Control

Let's configure MDCA to control access and sessions to cloud applications.

1. Enabling Cloud App Security Integration

First, make sure MDCA is enabled and integrated into your environment.

  1. Open your browser and navigate to the Microsoft Defender XDR portal: https://security.microsoft.com.
  2. Log in with an account that has the necessary permissions.
  3. In the left navigation pane, select Configurations > Endpoints.
  4. Scroll down and select Advanced Features.
  5. Make sure the Microsoft Defender for Cloud Apps feature is On.

2. Configuring an Azure AD Conditional Access Policy for Session Control

Before MDCA can apply session controls, traffic must be routed through the MDCA conditional access proxy. This is done by configuring an Azure AD Conditional Access policy.

  1. Open your browser and navigate to the Azure portal: https://portal.azure.com.
  2. In the top search field, type Azure Active Directory and select it from the results.
  3. In the left navigation pane, select Security > Conditional Access.
  4. Click +New Policy.
  5. Name: Give the policy a meaningful name (e.g. MDCA Session Control for SharePoint Online).
  6. Users or workload identities:

    • Under Include, select All Users or specific groups you want to target.
    • Under Exclude, add any users or groups that should be exempt from this policy (e.g. service accounts, emergency administrators).
  7. Cloud applications or actions:

    • Under Include, select Select applications and search for the cloud application you want to protect (ex: SharePoint Online).
  8. Conditions: Configure the conditions as per your need (e.g. Locations to require access to come from specific IPs, Devices to require the device to be compliant).

  9. Session Controls:

    • Select Use conditional application access control.
    • From the drop-down menu, choose Use custom policy.
  10. Enable Policy: Set to On.

  11. Click Create.

    • Explanation: This policy will redirect traffic to SharePoint Online through the MDCA proxy, allowing MDCA to apply session policies in real time.
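The eleven portal steps above map onto a single Conditional Access policy object. The following Python is an added example (not Microsoft's code and not from the original article) that builds the equivalent body in the shape of the Microsoft Graph `conditionalAccessPolicy` resource, and audits it for the mistakes the troubleshooting section later tells you to check by hand: policy not enabled, target app not included, "Use Conditional Access App Control" not set to "Use custom policy" (`mcasConfigured` in Graph), and no emergency-access exclusion. The application and group IDs are placeholders you would replace with your tenant's values; nothing here calls the Graph API.

```python
"""Build and audit a Conditional Access policy that routes a cloud app through
the Defender for Cloud Apps proxy. Example code, not Microsoft's; the IDs below
are placeholders."""
import json

# Placeholder identifiers (constructed for this example; substitute real values)
SHAREPOINT_APP_ID = "<sharepoint-online-app-id>"
BREAK_GLASS_GROUP_ID = "<emergency-access-group-id>"


def build_session_control_policy(display_name, app_ids, exclude_group_ids, state="enabled"):
    """Return a Graph-style conditionalAccessPolicy body equivalent to the portal
    steps: all users minus exclusions, selected apps, session control set to
    'Use Conditional Access App Control' -> 'Use custom policy'."""
    return {
        "displayName": display_name,
        "state": state,  # "enabled" corresponds to 'Enable policy: On'
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeGroups": list(exclude_group_ids)},
            "applications": {"includeApplications": list(app_ids)},
        },
        "sessionControls": {
            "cloudAppSecurity": {
                "isEnabled": True,
                # mcasConfigured == 'Use custom policy' (policies are defined in MDCA)
                "cloudAppSecurityType": "mcasConfigured",
            }
        },
    }


def audit_policy(policy, expected_app_id):
    """Return a list of findings that would stop MDCA session policies from being
    applied to `expected_app_id` (an empty list means the policy looks right)."""
    findings = []
    if policy.get("state") != "enabled":
        findings.append("policy is not enabled (report-only or off)")

    conditions = policy.get("conditions") or {}
    apps = (conditions.get("applications") or {}).get("includeApplications", [])
    if expected_app_id not in apps and "All" not in apps:
        findings.append(f"app {expected_app_id} is not included in the policy")

    cas = (policy.get("sessionControls") or {}).get("cloudAppSecurity") or {}
    if not cas.get("isEnabled"):
        findings.append("'Use Conditional Access App Control' is not selected")
    elif cas.get("cloudAppSecurityType") != "mcasConfigured":
        findings.append(
            f"session control is {cas.get('cloudAppSecurityType')!r}, not 'Use custom policy'"
        )

    excluded = (conditions.get("users") or {}).get("excludeGroups", [])
    if BREAK_GLASS_GROUP_ID not in excluded:
        findings.append("emergency-access group is not excluded (lockout risk)")
    return findings


if __name__ == "__main__":
    good = build_session_control_policy(
        "MDCA Session Control for SharePoint Online",
        [SHAREPOINT_APP_ID], [BREAK_GLASS_GROUP_ID],
    )
    print(json.dumps(good, indent=2))
    print("findings (good):", audit_policy(good, SHAREPOINT_APP_ID))

    # A report-only copy that targets the wrong app and excludes nobody
    bad = build_session_control_policy(
        "Broken policy", ["<some-other-app-id>"], [],
        state="enabledForReportingButNotEnforced",
    )
    print("findings (bad):", audit_policy(bad, SHAREPOINT_APP_ID))
```

Run it directly to print the policy body and both audit results; in practice you would feed a body like this to the Graph `conditionalAccessPolicies` endpoint, or run `audit_policy` over policies you export from the tenant.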

3. Configuring Session Policies in Microsoft Cloud App Security

Now that the traffic is being routed, you can create session policies in MDCA to control what users can do.

  1. Navigate back to the Microsoft Defender XDR portal: https://security.microsoft.com.
  2. In the left navigation pane, select Cloud Apps > Policies > Policy Management.
  3. On the Conditional Access tab, click + Create policy > Session policy.

  4. Policy Name: Give it a name (ex: Block SharePoint Online Download).

  5. Description: Provide a clear description of the purpose of the policy.
  6. Severity type: Define the severity (ex: High).
  7. Category: Select a category (ex: Data loss prevention).
  8. Activity filters:

    • Activities: Select Download.
    • Applications: Select SharePoint Online.
    • Device: Select Device Tag and choose Unmanaged (to block downloads on unmanaged devices).
    • Users: Specify the users or groups to which this policy applies.
  9. Actions:

    • Select Block.
    • Optionally, you can select Test to monitor activity without blocking, or Control with proxy to allow downloads but with inspection or labeling.
  10. Configure Alerts and Governance as needed.

  11. Click Create.

    • Explanation: This policy will block SharePoint Online downloads for users accessing from unmanaged devices, thanks to MDCA proxy redirection by the Azure AD Conditional Access policy.

4. Configuring Access Policies in Microsoft Cloud App Security

Access policies in MDCA control access to cloud applications based on various criteria such as location, device, IP, etc.

  1. In the Microsoft Defender XDR portal, select Cloud Apps > Policies > Policy Management.
  2. On the Conditional Access tab, click + Create policy > Access policy.

  3. Policy name: Give it a name (ex: Block Access from Risky Country).

  4. Description: Provide a clear description.
  5. Severity type: Set the severity.
  6. Category: Select a category (ex: Access control).
  7. Activity filters:

    • Activities: Select Access.
    • Applications: Select the cloud application (e.g. All Cloud Applications).
    • Locations: Select IP address tag and choose Risk Countries or create a new IP tag for specific countries you want to block.
  8. Actions:

    • Select Block.
  9. Configure Alerts and Governance as needed.

  10. Click Create.

    • Explanation: This policy will block access to all cloud applications for users trying to connect from countries considered at risk.
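To make the behaviour of sections 3 and 4 concrete, the following Python is an added example (not Microsoft's policy engine and not from the original article) that models how the two policies above decide on an activity: the access policy is evaluated first, at sign-in, and the session policy on each in-session action. It encodes the three action types the page describes (Block, Test, Control with proxy) and reports which policy fired and which alerts it raised, which is the information you would look for in the activity log when a user reports being wrongly blocked. The activity records, tag names and policy objects are constructed for the example.

```python
"""Toy model of MDCA access/session policy evaluation. Example code, not
Microsoft's engine; activities, tags and policies are constructed."""
from dataclasses import dataclass, field


@dataclass
class Activity:
    user: str
    app: str
    activity: str      # "Access" (sign-in) or "Download" (in-session action)
    device_tag: str    # "Managed" or "Unmanaged", as the Device tag filter sees it
    ip_tag: str        # IP address tag, e.g. "Corporate" or "Risky countries"


@dataclass
class Policy:
    name: str
    activities: set
    apps: set                                       # {"All Cloud Applications"} matches any app
    action: str                                     # "Block", "Test" or "Control with proxy"
    device_tags: set = field(default_factory=set)   # empty set == any device
    ip_tags: set = field(default_factory=set)       # empty set == any location
    severity: str = "Medium"

    def matches(self, act):
        """All configured activity filters must match (filters are ANDed)."""
        return (
            act.activity in self.activities
            and (act.app in self.apps or "All Cloud Applications" in self.apps)
            and (not self.device_tags or act.device_tag in self.device_tags)
            and (not self.ip_tags or act.ip_tag in self.ip_tags)
        )


@dataclass
class Decision:
    allowed: bool
    triggered: list    # names of matching policies, in evaluation order
    alerts: list       # (severity, policy name) pairs raised for the activity


def evaluate(act, policies):
    """Walk the policies in order. Block stops the activity and evaluation;
    Test and Control with proxy record a match but let the action through."""
    allowed, triggered, alerts = True, [], []
    for p in policies:
        if not p.matches(act):
            continue
        triggered.append(p.name)
        alerts.append((p.severity, p.name))
        if p.action == "Block":
            allowed = False
            break
    return Decision(allowed, triggered, alerts)


def alerts_by_policy(activities, policies):
    """Count alerts per policy, the view you want when tuning noisy rules."""
    counts = {}
    for act in activities:
        for _, name in evaluate(act, policies).alerts:
            counts[name] = counts.get(name, 0) + 1
    return counts


# Access policy first (sign-in), then session policies (in-session actions)
POLICIES = [
    Policy("Block Access from Risky Country", {"Access"}, {"All Cloud Applications"},
           "Block", ip_tags={"Risky countries"}, severity="High"),
    Policy("Block SharePoint Online Download", {"Download"}, {"SharePoint Online"},
           "Block", device_tags={"Unmanaged"}, severity="High"),
    Policy("Test SharePoint Online Download (managed)", {"Download"}, {"SharePoint Online"},
           "Test", device_tags={"Managed"}, severity="Low"),
]

# Constructed activity records, not real log data
SAMPLE_ACTIVITIES = [
    Activity("alice@contoso.example", "SharePoint Online", "Download", "Unmanaged", "Corporate"),
    Activity("bob@contoso.example", "SharePoint Online", "Download", "Managed", "Corporate"),
    Activity("carol@contoso.example", "Outlook Web Access", "Access", "Managed", "Risky countries"),
    Activity("dave@contoso.example", "SharePoint Online", "Access", "Unmanaged", "Corporate"),
]

if __name__ == "__main__":
    for act in SAMPLE_ACTIVITIES:
        d = evaluate(act, POLICIES)
        verdict = "allowed" if d.allowed else "BLOCKED"
        print(f"{act.user:24} {act.activity:9} {act.app:18} -> {verdict}; policies: {d.triggered}")
    print("alerts per policy:", alerts_by_policy(SAMPLE_ACTIVITIES, POLICIES))
```

Running it shows the unmanaged download and the risky-country sign-in blocked, the managed download allowed but alerted on by the Test policy, and the ordinary corporate sign-in untouched; the per-policy counts are the kind of summary that tells you which rule to loosen when users are wrongly blocked.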

5. Monitoring Activities and Alerts

MDCA provides robust tools for monitoring and investigating user activity and alerts.

  1. In the Microsoft Defender XDR portal, select Cloud Apps > Activity log.

    • Here you can view all activities detected by MDCA, filter by user, application, type of activity, etc.
  2. In the left navigation pane, select Incidents & Alerts > Alerts.

    • Here you will see all alerts generated by the policies you have configured, as well as anomaly detection alerts.

Validation and Testing

It's critical to validate configured policies to ensure they work as expected.

1. Testing the Session Policy (Block Download)

  1. Use a device that is not marked as Managed or Compliant (ex: a personal computer or a mobile device without Intune).
  2. Sign in to your Microsoft 365 account and try to access SharePoint Online.
  3. Try downloading a file from SharePoint Online.

    • Expected Result: The download should be blocked, and a custom MDCA message should appear stating that the action was blocked due to organization policy.
  4. Check the Activity Logs and Alerts in the MDCA portal to confirm that the session policy was triggered and that an alert was generated.

2. Testing the Access Policy (Block Access from Risky Country)

  1. Use a VPN or proxy to simulate a connection from a country that you have configured as a Risk Country.
  2. Try accessing any cloud application (e.g. Outlook Web Access, SharePoint Online).

    • Expected Result: Access should be blocked, and a custom MDCA message should appear stating that access was denied due to organization policy.
  3. Check the Activity Logs and Alerts in the MDCA portal to confirm that the access policy was triggered and that an alert was generated.

Security Tips and Best Practices

  • Start with Monitoring: When implementing new policies, start with the Monitor or Test action to understand the impact before applying Block or Control with proxy actions.
  • User Education: Clearly communicate to users about security policies and why certain actions are blocked. This helps reduce frustration and increase compliance.
  • Policy Granularity: Create granular session and access policies for different user groups, applications and risk scenarios. Avoid overly broad policies that could impact productivity.
  • Integration with Other Solutions: Take advantage of MDCA integration with other Microsoft solutions (Defender for Endpoint, Azure AD Identity Protection, Microsoft Sentinel) for a more comprehensive security view.
  • Periodic Review: Review and adjust your MDCA policies regularly to adapt to changing threats, business requirements, and the adoption of new cloud applications.
  • Proxy Settings: Understand how the MDCA conditional access proxy works and the impacts on user experience and application compatibility.
  • Device Management: Combine MDCA with Microsoft Intune to manage device compliance and apply stricter policies to unmanaged devices.

Common Troubleshooting

  • Session/access policies are not being applied: Verify that the Azure AD Conditional Access policy is configured correctly to route traffic through MDCA (Use conditional application access control). Make sure the cloud application is included in the policy.
  • Users are wrongly blocked: Review the activity filters and conditions in MDCA session and access policies. Check your Azure AD Conditional Access policy for required exclusions. Check the activity log to understand which policy is being triggered.
  • Slow performance or compatibility issues: MDCA proxy routing may introduce a small amount of latency. Check network connectivity and proxy settings. Some applications may have proxy compatibility issues. See Microsoft documentation for known issues.
  • False Positive Alerts: Adjust policy conditions and sensitivity to reduce irrelevant alerts. Use Monitor or Test mode to refine policies before applying them in blocking mode.
  • Applications do not appear in MDCA: Make sure the cloud application is actively being used and that MDCA is configured to discover applications. For reverse proxy applications, check your Azure AD Conditional Access configuration.

Conclusion

Microsoft Defender for Cloud Apps is an indispensable tool for any organization looking to protect its data and users in a cloud-centric world. By implementing access and session controls, MDCA enables security teams to enforce granular policies in real time, mitigating risks of data leakage, unauthorized access, and malicious activity in SaaS applications. Integration with Azure AD Conditional Access creates a powerful synergy, extending Zero Trust security to the application layer. With this practical guide, security professionals will be well-equipped to configure, validate, and manage Microsoft Defender for Cloud Apps, ensuring a more secure and compliant cloud environment for their organizations.


References:

[1] Microsoft Learn. What is Microsoft Defender for Cloud Apps? Available at: https://learn.microsoft.com/pt-br/defender-cloud-apps/what-is-defender-for-cloud-apps
[2] Microsoft Learn. Microsoft Defender for Cloud Apps Conditional Access App Control. Available at: https://learn.microsoft.com/pt-br/defender-cloud-apps/proxy-intro-aad
[3] Microsoft Learn. Microsoft Defender for Cloud Apps Licensing. Available at: https://learn.microsoft.com/pt-br/defender-cloud-apps/licensing
[4] Microsoft Learn. Configure Conditional Access policies for Conditional Access Application Control. Available at: https://learn.microsoft.com/pt-br/defender-cloud-apps/conditional-access-app-control-how-to-overview
[5] Microsoft Learn. Create Microsoft Defender for Cloud Apps session policies. Available at: https://learn.microsoft.com/pt-br/defender-cloud-apps/session-policy-aad
[6] Microsoft Learn. Create Microsoft Defender for Cloud Apps access policies. Available at: https://learn.microsoft.com/pt-br/defender-cloud-apps/access-policy-aad