Integrate SaaS apps for Zero Trust with Microsoft 365

The widespread increase in cloud adoption is transforming how organizations achieve business outcomes. This shift increases the reliance on cloud-based apps and drives demand for services such as Software as a service (SaaS), Platform as a service (PaaS), Infrastructure as a service (IaaS), and app development platforms.

While a multicloud environment can help reduce operational costs and improve scalability, the large amount of sensitive data and the flexibility it affords organizations can potentially pose a security risk. Deliberate steps must be taken to ensure that resources hosted in the cloud are protected.

This solution guides you on applying Zero Trust principles using Microsoft 365 to help manage your digital estate of cloud apps, with a focus on SaaS. SaaS apps play a key role in ensuring that applications and resources are available and accessible from any device with an Internet connection.

To ensure that access and productivity are secure, the implementation of SaaS needs to align with the Zero Trust security model, which is based on these guiding principles:

  • Verify explicitly

    Always authenticate and authorize based on all available data points. This is where Zero Trust identity and device access policies are crucial to sign-in and ongoing validation.

  • Use least privileged access

    Limit user access with Just-In-Time and Just-Enough-Access (JIT/JEA), risk-based adaptive policies, and data protection.

  • Assume breach

    Minimize blast radius and segment access. Verify end-to-end encryption and use analytics to get visibility, drive threat detection, and improve defenses.

Microsoft 365 capabilities help you bring your SaaS apps into management to meet the principles of Zero Trust security.

Image of SaaS apps and Microsoft products

In the illustration:

  • A collection of SaaS apps is pictured.
  • You can add these SaaS apps to Microsoft Entra ID and include them in the scope of your multi-factor authentication and Conditional Access policies. For more information, see Integrating all your apps with Microsoft Entra ID.
  • Using Microsoft Defender for Cloud Apps, you can discover other cloud apps your organization uses. You can approve apps, apply session controls, and discover sensitive data. Newly discovered enterprise cloud apps that support federation can be added to Microsoft Entra ID to enforce multi-factor authentication and other policies.
  • Microsoft Purview Information Protection capabilities can be extended through Microsoft Defender for Cloud Apps to these cloud apps to protect data and prevent data loss.
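The second bullet above (bringing a SaaS app into the scope of multi-factor authentication and Conditional Access) can be automated against the Microsoft Graph Conditional Access API. This is an added example, not code from the Microsoft documentation; it assumes you already hold a Graph access token with the Policy.ReadWrite.ConditionalAccess permission, and the app and group IDs are placeholders. The policy is created in report-only mode first so sign-in logs show its impact before it is enforced.

```python
"""Build and submit a Conditional Access policy that requires MFA for
selected SaaS apps registered in Microsoft Entra ID (Microsoft Graph v1.0)."""
import json
import urllib.request

GRAPH_CA_POLICIES = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"


def build_mfa_policy(name, app_ids, exclude_group_ids=(), report_only=True):
    """Return the request body for a policy requiring MFA on the given apps.

    app_ids: application (client) IDs of the SaaS apps added to Entra ID.
    exclude_group_ids: e.g. a break-glass admin group, so an MFA outage
    cannot lock every administrator out of the tenant.
    report_only=True uses state 'enabledForReportingButNotEnforced'.
    """
    if not app_ids:
        raise ValueError("policy must target at least one application")
    return {
        "displayName": name,
        "state": "enabledForReportingButNotEnforced" if report_only else "enabled",
        "conditions": {
            "clientAppTypes": ["all"],
            "applications": {"includeApplications": list(app_ids)},
            "users": {
                "includeUsers": ["All"],
                "excludeGroups": list(exclude_group_ids),
            },
        },
        # Require MFA as the single grant control.
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }


def create_policy(token, body):
    """POST the policy to Graph and return the created policy object."""
    req = urllib.request.Request(
        GRAPH_CA_POLICIES,
        data=json.dumps(body).encode("utf-8"),
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Placeholder IDs (constructed, not real tenant values).
    policy = build_mfa_policy("Require MFA for SaaS apps",
                              ["00000000-0000-0000-0000-00000000app1"],
                              exclude_group_ids=["00000000-0000-0000-0000-breakglass1"])
    print(json.dumps(policy, indent=2))
```

Switch report_only to False only after reviewing the report-only sign-in results.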

Implementing the layers of protection for SaaS apps

Protecting SaaS apps is a multi-layer process.

The following diagram illustrates the building blocks for integrating SaaS apps in a way that aligns with the Zero Trust security model. The elements involved are numbered 1, 2, and 3. These are the layers of protection that device admins coordinate with other administrators to accomplish.

Image of Zero Trust deployment guidance

In this illustration:

  Step 1: Add SaaS apps to Microsoft Entra ID. Add applications to Microsoft Entra ID so that authorized users can securely access them. Many types of applications can be registered with Microsoft Entra ID.
  Step 2: Create Microsoft Defender for Cloud Apps policies. Ensure that policies are in place so that only authorized users, and only under the conditions you specify, can access resources.
  Step 3: Deploy information protection for SaaS apps. Organizations need to protect proprietary information; ensure that information protection is in place so that sensitive data is protected.

For guidance on licensing, see Microsoft 365 guidance for security & compliance.

For more information, see the Microsoft 365 Zero Trust deployment plan.

What's in this solution

This solution steps through the deployment of key layers to integrate SaaS apps for Zero Trust with Microsoft 365.

Microsoft 365 helps you manage your SaaS applications, giving you the control and visibility to discover and manage apps. You're likely already aware of the primary cloud apps used by your organization. Microsoft Entra ID includes a gallery of apps you can add to your directory. You can also use Microsoft Defender for Cloud Apps to discover other cloud apps your users interact with. For more information, see Discover and assess cloud apps. Once you know your digital estate, you need to make sure that only authorized users, and only under the conditions you specify, can access these apps, and that the information in them is properly protected.

Image of Zero Trust SaaS guidance

The steps in this solution are:

  1. Add SaaS apps in Microsoft Entra ID.
  2. Create Microsoft Defender for Cloud Apps policies.
  3. Deploy information protection for SaaS apps.

Learning for administrators

The following resources help administrators learn concepts about SaaS.

Design a strategy for securing PaaS, IaaS, and SaaS services
Description: Learn how to design a cybersecurity strategy that secures cloud services in the SaaS, PaaS, and IaaS service models.
1 hr 42 min - 13 units