Microsoft Cloud App Security (MCAS): how to use it and monitor activities in your cloud environment

Note: In this scenario we only make a small configuration, adding a cloud app and creating a policy, just to get an understanding of what MCAS is and what it can be used for.

This cloud framework is really cool. Moving services to the cloud introduces new challenges regarding how best to protect and observe the new cloud services that are now a vital part of many organizations. High-level security, visibility, compliance and data protection are the keywords when we talk about MCAS, and finally it brings Shadow IT out into the light.

Note: The illustration shows the different phases it goes through for discovery of Shadow IT applications.

Note: Getting access to MCAS and using all or some of its features requires a user-based license such as Microsoft E3 or E5, but many other Microsoft licenses also give full or limited access. Read more about which licenses are available for MCAS access here: https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2NXYO

So where to start? The first thing is to log in to the portal via https://portal.cloudappsecurity.com/ or try the new Microsoft 365 Security centre at https://security.microsoft.com, which helps you manage and monitor security across your identities, data, devices, apps, and infrastructure for the whole Microsoft 365 tenant.

  • After login the dashboard will appear:

Note: Normally, at the first logon the dashboard will be quite empty because no apps or services are connected yet. In this test lab the Office 365 app is the only service connected.

  • To add an app connector, click Connect apps:
  • Click on the + icon and select Office 365:
  • Now click Connect Office 365:
  • Now a connector is configured towards Office 365.

Note: It is not supported or possible to delete an app connector from the MCAS portal once the connector has been created. The only way to do so is to create a Microsoft support case.

Note: Microsoft Cloud App Security supports the following Office 365 apps:

Office 365, SharePoint, OneDrive, Teams, Power BI, Exchange and Dynamics 365.

  • Now let's make some additions to our Office 365 connector. Back on the dashboard, click on View all apps:
  • Now click on the Office 365 edit section and choose Edit settings:
  • If the options highlighted with the yellow marker are not set by default, it is a very good idea to add them for a detailed data and activity overview:
  • Once again back on the dashboard, click on a specific app, in our case Microsoft Azure:

Note: On the general dashboard you can see all the apps that have been added to MCAS, and it is possible to select a detailed dashboard view for a specific app.

  • Now, on the dashboard of the selected app, click Activities Monitored:
  • You will now get a list of all the activities that have occurred on that app:
  • Unfold an entry to see a detailed view of the activity.

Note: This is a very powerful tool, and IT departments will now be able to track and document activity much more efficiently than ever before in a central and flexible portal. Thumbs up again Microsoft and thanks!

Now to the Policy section. As we all know, much of a controlled environment is based on a set of best-practice policies.

  • In the MCAS portal we can configure lots of policies for how we discover, monitor and set the security level. The picture shows the policy types that are configurable:
  • On the dashboard click on Control:

Note: Many policies are preconfigured and enabled as best practice by Microsoft. Enabled policies are blue; disabled policies are grey and marked as disabled.

  • Click on Create policy and select, for example, Activity policy:
  • In this test lab we use the template for Log on from an outdated browser:
  • Now just choose Apply template:

Note: When you apply a template, existing values will be overridden. Our policy is empty, so go on.

  • Now set the settings as preferred:

Note: Suspend user means that the user is suspended from using the application for as long as the IT department is investigating the violation.

  • Now enable the policy that was just created by clicking Enabled:

This was only a little taste of what MCAS is able to respond to. It’s a world-class tool for IT departments to be proactive and to react, and a tool against the dark web’s evil plans to infect the organization or steal compromised data 🙂 Now go explore for yourself.

Happy deployment.
