Cloud App Discovery: Frequently Asked Questions
Note
Cloud App Discovery described in this FAQ is now retired and was replaced by Cloud Discovery in the Cloud App Security framework. For more information go tothe Cloud Discovery documentation.
For feedback, click here
Overview
What are the main goals of AAD Cloud App Discovery?
AAD Cloud App Discovery enables IT to easily determine which cloud apps are in use in the organization.
IT can then take steps to integrate the applications with Azure Active Directory.
What do I get with AAD Cloud App Discovery?
With Cloud App Discovery, IT can:
- Get a summary view of total number of cloud applications in use and the number of users using cloud applications
- See the top cloud applications in use within the organization
- See usage graphs for applications that can be pivoted on users, requests or volume of data exchanged with the application
- Drill down into specific applications for targeted information
- Visibility into which discovered apps you are already using with Azure AD
- View which users are accessing which apps
- Export data to an Azure Storage for offline access and analysis
- Easily proceed to integrate an application with Azure Active Directory
Functionality
How do I get started?
Just go to New Azure Portal and 'Sign in' with your Microsoft Organizational account.
Click here for a detailed walkthrough
What kind of devices can the Cloud App Discovery agent be installed on?
Currently the Cloud app discovery endpoint agent can be installed on any Windows 7, 8, 8.1, 10 machine. It can also be installed on Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016 Technical Preview 4.
How long do I need to wait till I see data in the AAD Cloud App Discovery dashboard?
After installing the agent on a machine where the user has been accessing applications, data typically shows up within 10 minutes in Cloud App Discovery.
Remember that there must be some application access activity on the machine.
What data is the Cloud App Discovery agent capturing?
The agents capture URLs, headers and metadata for HTTP/HTTPS accesses originating from the machine.
This allows the agent to capture requests to all cloud applications accessed over HTTP or HTTPS.
The agent also captures the username of the user on the machine.
Does the Cloud App Discovery agent only collect applications accessed through my browsers?
The agent captures all HTTP/HTTPS traffic originating from the machine---regardless of whether it is from a browser or other application.
Does the Cloud App Discovery agent collect information about applications accessed, even if I am in private mode?
Yes. The Cloud app Discovery endpoint agent doesn’t distinguish between private or non-private modes.
I’m using a rich client to access my cloud app, but I don’t see the cloud app show up. Why?
Currently the Cloud App Discovery endpoint agent only captures applications that are accessed over HTTP/HTTPS.
Some rich client applications use other protocols to talk to cloud applications.
In such cases, these cloud applications will not be discovered
Why am I seeing such a high number of web requests to an application? I didn't go to the application that often.
Every access to an application’s site typically includes multiple different requests to the site to retrieve different parts of the web-page (images, icons, etc). For example, when viewing http://www.msn.com your browser will actually make over dozens of additional web requests for content like pictures, social plugins and other resources. See the snapshot below.
For known applications in the database, the Cloud App Discovery services includes an optimization that only counts webpage loads once---so the Cloud App Discovery Service can ignore counting every access to various elements of the webpage. However, this is an area we’re looking to continue to make improvements on.
I never went to a Cloud application/or site? Why do I see it?
There are a number of websites that when accessed, trigger requests to other sites. For example, when you browse to http://www.msn.com there are actually multiple web requests being made as part of the web-page load, including requests to Facebook.com (the Like button), Twitter.com (to Follow on Twitter), Bing.com (for Web Searches), and many more. Because the Cloud App Discovery endpoint agent captures all HTTP/HTTPS requests being made from the machine, these sites that were accessed ‘incidentally’, show up in the dashboard.
However, this is an area we’re looking to make improvements on so we can weed out the ‘noise’ from these incidental accesses.
Why didn’t my cloud application show up as a business cloud application?
We’d love to hear from you about applications you’d like to see added to Azure Active Directory. You can suggest an application for pre-integration with AAD here.
Is my data secure?
The Cloud App Discovery agent collected traffic is sent securely to our service over an encrypted channel.
The data in the service is only visible to admins of the tenant.
Each tenant admin can only see the data for their tenant. And no other tenant’s.
Where is my data stored? Can I delete it?
Currently the data is stored in Azure blob store in the United States.
The Cloud App Discovery service will extend to support data storage in other locations before we GA.
The Cloud App Discovery service does not support deleting the data today, but will add support for this soon.
How can I stop the agent?
If you want to stop the agent, you can launch services.msc and stop the ‘Microsoft Cloud App Discovery Endpoint Agent’ service.
You can start it again later if you feel like.
If you want to uninstall the agent, just go relaunch the msi and click uninstall.
Can I see the users who have accessed the cloud applications?
You can view which users have accessed a cloud app by selecting 'users discovered' tile in the application page.
Click here for a detailed walkthrough
Can I download the report?
You can configure Cloud App Discovery to route your data to your Azure Storage.
Click here for a detailed walkthrough