0
(0)

Note

We’ve renamed Microsoft Cloud App Security. It’s now called Microsoft Defender for Cloud Apps. In the coming weeks, we’ll update the screenshots and instructions here and in related pages. For more information about the change, see this announcement. To learn more about the recent renaming of Microsoft security services, see the Microsoft Ignite Security blog.

As an IT admin today, you’re stuck between a rock and hard place. You want to enable your employees to be productive. That means allowing employees to access apps so they can work at any time, from any device. However, you want to protect the company’s assets including proprietary and privileged information. How can you enable employees to access your cloud apps while protecting your data?

This tutorial allows you to reevaluate Azure AD Conditional Access policies when users take sensitive actions during a session.

The threat

An employee logged in to SharePoint Online from the corporate office. During the same session, their IP address wp-signup.phped outside of the corporate network. Maybe they went to the coffee shop downstairs, or maybe their token was compromised or stolen by a malicious attacker.

The solution

Protect your organization by requiring Azure AD Conditional Access policies to be reassessed during sensitive session actions the Defender for Cloud Apps Conditional Access App Control.

Prerequisites

  • A valid license for Azure AD Premium P1 license
  • Configure a cloud app for SSO using one of the following authentication protocols:
    TABLE 1
    IdP Protocols
    Azure AD SAML 2.0 or OpenID Connect
  • Make sure the app is deployed to Defender for Cloud Apps

Create a policy to enforce step-up authentication

Defender for Cloud Apps session policies allow you to restrict a session based on device state. To accomplish control of a session using its device as a condition, create both a conditional access policy and a session policy.

Step 1: Configure your IdP to work with Defender for Cloud Apps

Make sure you’ve configured your IdP solution to work with Defender for Cloud Apps, as follows:

After completing this task, go to the Defender for Cloud Apps portal and create a session policy to monitor and control file downloads in the session.

Step 2: Create a session policy

  1. In the Defender for Cloud Apps portal, select Control followed by Policies.
  2. In the Policies page, select Create policy followed by Session policy.
  3. In the Create session policy page, give your policy a name and description. For example, Require step-up authentication on downloads from SharePoint Online from unmanaged devices.
  4. Assign a Policy severity and Category.
  5. For the Session control type, select Block activities, Control file upload (with inspection), Control file download (with inspection).
  6. Under Activity source in the Activities matching all the following section, select the filters:
    • Device tag: Select Does not equal, and then select Intune compliantHybrid Azure AD joined, or Valid client certificate. Your selection depends on the method used in your organization for identifying managed devices.
    • App: Select the app you want to control.
    • Users: Select the users you want to monitor.
  7. Under Activity source in the Files matching all of the following section, set the following filters:
    • Sensitivity labels: If you use Microsoft Information Protection sensitivity labels, filter the files based on a specific Microsoft Information Protection sensitivity label.
    • Select File name or File type to apply restrictions based on file name or type.
  8. Enable Content inspection to enable the internal DLP to scan your files for sensitive content.
  9. Under Actions, select Require step-up authentication.
  10. Set the alerts you want to receive when the policy is matched. You can set a limit so that you don’t receive too many alerts. Select whether to get the alerts as an email message, text message, or both.
  11. Select Create.

Validate your policy

  1. To simulate this policy, sign in to the app from an unmanaged device or a non-corporate network location. Then, try to download a file.
  2. You should be required to perform the action configured in the authentication context policy.
  3. In the Defender for Cloud Apps portal, select Control followed by Policies, and then select the policy you’ve created to view the policy report. A session policy match should appear shortly.
  4. In the policy report, you can see which logins where redirected to Microsoft Defender for Cloud Apps for session control, and which files were downloaded or blocked from the monitored sessions.

Source : Official Microsoft Brand
Editor by : BEST Antivirus KBS Team

How useful was this post?

Click on a star to rate it!

Average rating 0 / 5. Vote count: 0

No votes so far! Be the first to rate this post.

(Visited 16 times, 1 visits today)