Access policies in Microsoft Defender for Cloud Apps
Microsoft Defender for Cloud Apps (previously known as Microsoft Cloud App Security) is now part of Microsoft 365 Defender. The Microsoft 365 Defender portal allows security admins to perform their security tasks in one location. This simplifies workflows and adds the functionality of the other Microsoft 365 Defender services. Microsoft 365 Defender will be the home for monitoring and managing security across your Microsoft identities, data, devices, apps, and infrastructure. For more information about these changes, see Microsoft Defender for Cloud Apps in Microsoft 365 Defender.
Microsoft Defender for Cloud Apps access policies enable real-time monitoring and control over access to cloud apps based on user, location, device, and app. You can create access policies for any device, including devices that aren't hybrid Azure AD joined and aren't managed by Microsoft Intune, by rolling out client certificates to managed devices or by using existing certificates, such as third-party MDM certificates. For example, you can deploy client certificates to managed devices, and then block access from devices without a certificate.
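A policy that blocks access from devices without a client certificate only behaves as intended if the managed device actually holds a valid, chain-validated client-authentication certificate. The PowerShell script below is an added example (not code from this page or from Microsoft) that you can run on a device before putting the policy into Test mode to confirm that prerequisite. It assumes the certificate was deployed to the current user's Personal store (Cert:\CurrentUser\My); the issuer name Contoso Device CA is a placeholder for your own issuing CA.

```powershell
# Added example, not from the Microsoft documentation page.
# Checks whether this device holds a client-authentication certificate that
# a Defender for Cloud Apps access policy requiring a certificate could accept.
# Assumptions (placeholders): the cert is in Cert:\CurrentUser\My and was
# issued by a CA whose name contains the value passed in -IssuerMatch.
param(
    [string]$IssuerMatch = "Contoso Device CA"   # assumed CA name; replace with yours
)

$clientAuthOid = "1.3.6.1.5.5.7.3.2"   # id-kp-clientAuth enhanced key usage
$now = Get-Date

# Candidate certs: private key present, within validity period, client-auth EKU,
# and issued by the expected CA. Any one of these failing means the browser
# cannot present the cert when the policy prompts for it.
$candidates = Get-ChildItem -Path Cert:\CurrentUser\My | Where-Object {
    $_.HasPrivateKey -and
    $_.NotBefore -le $now -and
    $_.NotAfter  -gt $now -and
    ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $clientAuthOid }) -and
    $_.Issuer -like "*$IssuerMatch*"
}

if (-not $candidates) {
    Write-Warning "No valid client-authentication certificate from '$IssuerMatch' found. An access policy that requires one will block this device."
    exit 1
}

foreach ($cert in $candidates) {
    # Build the chain with online revocation checking: a cert whose chain does
    # not validate on this machine is not usable for the certificate prompt either.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chainOk = $chain.Build($cert)

    [pscustomobject]@{
        Subject    = $cert.Subject
        Issuer     = $cert.Issuer
        Thumbprint = $cert.Thumbprint
        NotAfter   = $cert.NotAfter
        ChainValid = $chainOk
        ChainError = if ($chainOk) { "" } else {
            ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join "; "
        }
    }
}
```

Run it in the user's own session (not elevated), because the certificate the browser presents comes from the current user's store. A result with ChainValid set to False, for example because the issuing CA certificate is missing from the device's trust store or the CRL endpoint is unreachable, is the usual reason a device that "has the cert" is still blocked.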
Instead of allowing or blocking access completely, with session policies you can allow access while monitoring the session and/or limit specific session activities.
Prerequisites to using access policies
- Azure AD Premium P1 license, or the license required by your identity provider (IdP) solution
- The relevant apps should be deployed with Conditional Access App Control
- Make sure you have configured your IdP solution to work with Defender for Cloud Apps, as follows:
Create a Defender for Cloud Apps access policy
To create a new access policy, follow this procedure:
1. Go to Control > Policies > Conditional access.
2. Select Create policy and then select Access policy.
3. In the Access policy window, assign a name for your policy, such as Block access from unmanaged devices.
4. In the Activities matching all of the following section, under Activity source, select additional activity filters to apply to the policy. Filters include the following options:
   - Device tags: Use this filter to identify unmanaged devices.
   - Location: Use this filter to identify unknown (and therefore risky) locations.
   - IP address: Use this filter to filter by IP address or by previously assigned IP address tags.
   - User agent tag: Use this filter to enable the heuristic that identifies mobile and desktop apps. This filter can be set to equals or does not equal. Test the values against your mobile and desktop apps for each cloud app.
5. Under Actions, select one of the following options:
   - Test: Set this action to explicitly allow access according to the policy filters you set.
   - Block: Set this action to explicitly block access according to the policy filters you set.
6. Optionally, create an alert for each matching event with the policy's severity, set an alert limit, and select whether you want the alert sent as an email.
If you run into any problems, we're here to help. To get assistance or support for your product issue, please open a support ticket.