Describe how to protect apps with Defender for Cloud Apps Conditional Access App Control
It's important that security administrators know what's happening in their organization's cloud app environment.
If Contoso's users are using apps that you don't know about, they might be introducing malware without your knowledge. Contoso might suffer from data loss when users share content without proper controls. However, you must allow users to use the apps they need, and from devices that they might own. In short, you must strike a balance between users' needs, and the security of Contoso and its data.
Some of these apps might use Microsoft Entra ID as the identity provider. Other apps might not, and might instead rely on an alternative identity provider. But by using Microsoft Defender for Cloud Apps, you can implement access and session controls with any supported identity provider.
Note
If your users' apps rely on Microsoft Entra ID, access and session controls are already fully integrated into Microsoft Entra Conditional Access tool.
What is Conditional App Access Control?
You can use Conditional App Access Control in Defender for Cloud Apps to monitor and control user app access and sessions based on configurable policies. The following table describes how you can use these policies.
| Action | Description |
|---|---|
| Prevent data exfiltration | Block download, and prevent cut, copy, and paste of sensitive documents. |
| Protect on download | Require protection of sensitive documents with Azure Information Protection before users can download them. |
| Prevent upload of unlabeled files | Prevent the upload of sensitive content until it has been correctly labeled by the user. |
| Block potential malware | Block files identified as potentially malicious from being uploaded by your users. |
| Monitor user sessions for compliance | Monitor risky user sessions by logging user activities. |
| Block access | Block specific users or specific apps based on risk factors. |
| Block custom activities | Scan content for sensitive information, and block where required. |
How it works
You start by creating a session policy in Defender for Cloud Apps. This session policy enables you to control user sessions. In effect, the user session is redirected through a reverse proxy instead of connecting directly to the targeted app. This approach means that all user access is directed through Defender for Cloud Apps, providing you with the controls discussed earlier.
When you protect a session with a proxy, all the app's URLs and cookies are modified with a Defender for Cloud Apps suffix. For example, if the app URL is app.contoso.com, the modified URL is app.Contoso.com.mcas.ms.
Tip
Using this method avoids you having to install anything on a device in order to redirect app access through the proxy.
Managed device identification
The decision that you make about allowing or blocking access and files might be impacted if you know more about the device. For example, you might be more flexible with sensitive content actions if the device being used to access the content is a managed device.
To help you with this determination, Defender for Cloud Apps can verify whether the device:
- Is Microsoft Intune compliant
- Is a Microsoft Entra hybrid joined device
- Has client certificates in a trusted chain
Microsoft Entra Conditional Access policies enable device information for Intune Compliant and Hybrid joined devices to be submitted to Defender for Cloud Apps. You can then use an access or session policy that implements device state as a filter.
Certificates work in a different way. When a client certificate is used, Defender for Cloud Apps verifies that the certificate is valid, unrevoked, and is under the correct root or intermediate Certificate Authority (CA). You can create and use a policy to determine device management based on client certificates by selecting Settings in the Defender for Cloud Apps portal. Then select the Device identification tab. You can then upload as many root or intermediate CA certificates as you require.
Important
You must upload certificates in the PEM format.
Onboard and deploy Conditional Access App Control for any app
You can use session controls in Defender for Cloud Apps to work with any app. These apps might include non-featured SaaS apps, line-of-business apps, or even on-premises apps hosted by Microsoft Entra application proxy. However, your environment must meet certain prerequisites discussed below. You must have:
- A Microsoft Entra ID P1 or P2 license, or a license required by another identity provider
- A Microsoft Defender for Cloud Apps license
- Apps that are configured for single sign-on (SSO)
- Apps that support one of the following authentication protocols:
- SAML 2.0
- OpenID Connect
To deploy any app
To deploy any app so that it is controlled by Defender for Cloud Apps Conditional Access App Control, use the following high-level procedure:
- Configure your identity provider to work with Defender for Cloud Apps
- Configure the users that deploy the app
- Configure the app that you are deploying
- Verify that the app is working correctly
- Enable the app for use in your organization
- Update the Microsoft Entra policy
Note
You can review more detail in the following document: To deploy any app.