Implement and manage Microsoft Defender for Cloud Apps

"Microsoft Defender for Cloud Apps is a Cloud Access Security Broker (CASB) that operates on multiple clouds. It provides rich visibility, control over data travel, and sophisticated analytics to identify and combat cyber threats across all your cloud services." - Microsoft

In short, The Microsoft Defender for Cloud Apps portal is a place where you can integrate your Azure AD user accounts, devices, and other third-party cloud apps to see what your users are using and then potentially put a stop to it.

Open the Microsoft Defender for Cloud Apps admin center

The Defender for Cloud Apps has its own admin center. You can access it by performing the following:

1. Open the Microsoft 365 Defender admin center > More resources > Click Open under Microsoft Defender for Cloud Apps.

Open Microsoft Defender for Cloud Apps Admin Center

Enable Microsoft Defender for Identity data integration

The first thing you'll want to do is enable Microsoft Defender for Identity data integration. In short, you'll be allowing Microsoft Defender for Cloud Apps access to your user accounts in Azure AD. Defender for Identity collects and holds information from your configured servers. It will collect the following information:

  • network traffic to and from domain controllers
  • Security logs
  • AD information
  • Entity information (for example, names, email addresses, and phone numbers)

Microsoft uses this information to find indicators of attack then generate alerts if a possible attack is detected. Your security team can also view entities and related information gathered from your network.

1. Click the Enable Microsoft Defender for Identity data integration link.

Enable Microsoft Defender for Identity data integration

2. If you see Deploy Microsoft Defender for Identity click the link.

Deploy Microsoft Defender for Identity

3. Click Create.

Create Microsoft Defender for Identity instance

4. Click Provide a username and password.

Provide a username and password

5. Enter your on-premises credentials in the space provided. Click Save.

Enter on-premises credentials

6. Click Download Sensore Setup at the top of the screen.

Download the sensor setup

7. Click Download then copy the access key.

Download the sensor then copy the key

8. Copy the ZIP to a domain controller then extract it. Once extracted run Azure ATP Sensor Setup.

9. On the Choose your language page click Next.

10. On the Sensor deployment type page click Next.

11. On the Configure the sensor page enter the access key you received from step 7. Click Install.

Enter the sensor access key

Review servers with the sensor installed

Now let's review which servers have the sensors installed.

1. Click the gear in the top right corner. Click Settings.

Click the gear then click Settings

2. Click Microsoft Defender for Identity > Configure Microsoft Defender for Identity sensors.

Configure Microsoft Defender for Identity sensors

Create a file alert

Now we may need to alert us on file activity. Let's say we want to receive an alert on any file that has a name that contains the word File. Let's set it up. First, we'll need to enable file monitoring in the Office 365 connector. Then we'll need to create a policy.

The policy below will match any file located in OneDrive or SharePoint with the file name containing the word or phrase you add. In the example below it will match any file with the file name of File. So it will match the following files: File.docx, ImportantFile.docx, and File_Important.docx

Microsoft Defender for Cloud Apps email alert

1. Open the Microsoft Defender for Cloud Apps portal. Go to Investigate > Connected apps. Click the ellipsis (...) next to Office 365. Click Edit settings...

Open the Microsoft Defender for Cloud Apps connected apps settings

2. Click all the Office 365 components checkboxes. Click Connect.

Microsoft Defender for Cloud Apps Office 365 components

3. Close the Connect Office 365 window. Click Control > Policies > Create policy > File policy.

Create file policy

4. Give the policy a name, for example, File Policy 1. Remove the two files matching all of the following filters.

Create a file policy. Set the name and remove the filters

5. Click Select a filter. Select File name.

Filter by file name

6. Click equals. Select contains words. Set the File name field to File.

Set file filter match to contain the words File

7. Check the box next to Create an alert for each matching file. Check the box next to Send alert as email. Enter your email address in the box provided. Click Create.

Set alert to email

Understanding Cloud Apps policies

Understanding the Cloud App policies can be a bit tricky. In short, you always have 4 parts.

Meta-information

The meta-information is at the top. This is data specifically for the policy. For example, the policy name, description, severity, etc.

Cloud App Policy Meta-Information

Filters

The filters are generally next. They tell us who, and what the policy is applied to. You can create a filter for all sorts of different things. For example, you can apply a policy based on the actor (the user that's performing the action) the IP address of the actor, the apps the actor is interacting with, etc.

Cloud app policy filters

Actions

The actions are what will happen when the filters are matched. For example, you can test a policy, in which case an alert can be created but the user won't be prevented from performing an action or you can block the user from performing the action.

Microsoft Defender for Cloud Apps Actions

Alerts

Alerts are sent when a user performs the actions that match the filters. You can send an email, text message, simply create an alert in Defender for Cloud Apps or send alerts to Power Automate.

Microsoft Defender for cloud apps Alerts

Block printing from Exchange Online

Alright, now we've configured some basic alerting let's get more technical. Let's create a session policy that blocks printing from Exchange Online. We'll need a conditional access policy, then we'll create the app access control to block printing.

Create the conditional access policy

1. Go to Azure AD admin center > All services > Azure AD Conditional Access. Click New policy > Create new policy.

Create new conditional access policy

2. Set the name to Block Printing. Click 0 users or workload identities selected. Click All users.

Conditional access policy all users

3. Click No cloud apps, actions, or authentication contexts selected. Click Select apps. Search for Exchange Online. Click Office 365 Exchange Online. Click Select.

Set Exchange Online as the app in the conditional apps

4. Click 0 controls selected located under Session. Click Use Conditional Access App Control. Click Monitor only and select Use custom policy. Click Select.

Session controls

5. Set the Enable policy to On. Click Create.

Enable the conditional access policy

Login to Exchange Online

Now that the conditional access policy is set up we'll need to have someone log into Exchange Online. Someone that is part of the conditional access policy you set up above. Anyone will do. It can even be you. Simply open https://outlook.office.com/mail/.

Enable the app in your organization

1. Open Microsoft Defender for Cloud Apps > Investigate > Connected apps > Conditional Access App Control apps > Click the ellipsis next to Microsoft Exchange Online. Click Edit app...

Edit connected apps

2. Click Use with Conditional Access App Control. Click Save.

Use with conditional access app control

Create session policy

1. Click Control > Policies > Create policy > Session policy.

Create session policy

2. Set the policy name to Block Printing from Exchange Online. Click Select under Session control type. Click Block activities.

Session Policy block activities

3. Click Select apps. Click Microsoft Exchange Online. Click Select activity. Click Print.

Select apps and select activiities

4. Scroll down to the actions section. Click Block. Click Create.

Set the session policy to block

The above policy doesn't only apply to Microsoft 365 apps. Any app that's registered in Azure AD that supports session controls can be managed in the same fashion.