Redaguoti

Bendrinti naudojant


Microsoft Defender for Cloud Apps for US Government offerings

The Microsoft Defender for Cloud Apps GCC High and Department of Defense (DoD) offerings is built on the Microsoft Azure Government Cloud and is designed to inter-operate with Microsoft 365 GCC High and DoD. The GCC High and DoD offerings utilizes the same underlying technologies and capabilities as the commercial instance of Microsoft Defender for Cloud Apps. Therefore, the commercial offering's public documentation should be used as a starting point for deploying and operating the service.

The Microsoft Defender for Cloud Apps US Government Service Description is designed to serve as an overview of the service offering in the GCC High and DoD environments and will cover feature variations from the commercial offering. For more information about government offerings, see US Government service description.

Note

Defender for Cloud Apps customers who are using GCC should use this URL to log on to the service: https://portal.cloudappsecuritygov.com

Getting started with Microsoft Defender for Cloud Apps for US Government offerings

The Microsoft Defender for Cloud Apps offerings for GCC High and DoD customers are built on the Microsoft Azure Government Cloud and are designed to inter-operate with Microsoft 365 GCC High and DoD environments. Full details on the services and how to use them can be found in the Microsoft Defender for Cloud Apps public documentation. The public documentation should be used as a starting point for deploying and operating the service and the following Service Description details and changes from functionality or features in the GCC High or DoD environments.

To get started, use the Basic Setup page for access to the Microsoft Defender for Cloud Apps GCC High or DoD portals, and ensure your Network requirements are configured. To configure Defender for Cloud Apps to use your own key to encrypt the data it collects while it's at rest, see Encrypt Defender for Cloud Apps data at rest with your own key (BYOK). Follow the additional steps in the How-to guides for other detailed instructions.

Note

Data encryption is currently only available for specific Microsoft Defender for Cloud Apps government offerings.

Feature variations in Microsoft Defender for Cloud Apps US Government offerings

Unless otherwise specified, new feature releases, including preview features, documented in What's new with Microsoft Defender for Cloud Apps, will be available in GCC High and DoD environments within three months of release in the Microsoft Defender for Cloud Apps commercial environment.

Feature support

Microsoft Defender for Cloud Apps for US Government offers parity with the Microsoft Defender for Cloud Apps commercial environment except for the following list of App Governance features. These features are on the roadmap for support in GCC, GCC High and DoD:

App Governance predefined app policy alerts:

  • App created recently has low consent rate

  • High volume of email search activity by an app

  • High volume of inbox rule creation activity by an app

  • Increase in app API calls to EWS

  • Suspicious app with access to multiple Microsoft 365 services

App Governance threat detection alerts:

  • App accessed from unusual location post certificate update

  • App performed drive enumeration

  • App redirects to phishing URL by exploiting OAuth redirection vulnerability

  • App with bad URL reputation

  • App with suspicious OAuth scope made graph calls to read email and created inbox rule

  • App impersonating a Microsoft logo

  • App is associated with a typosquatted domain

  • App metadata associated with known phishing campaign

  • App metadata associated with previously flagged suspicious apps

  • App metadata associated with suspicious mail-related activity

  • App with EWS application permissions accessing numerous emails

  • Application initiating multiple failed KeyVault read activity with no success

  • Dormant OAuth App predominantly using ARM API or MS Graph recently seen to be accessing EWS workloads

  • Dormant OAuth App predominantly using ARM or EWS recently seen to be accessing MS Graph workloads

  • Dormant OAuth App predominantly using MS Graph or Exchange Web Services recently seen to be accessing ARM workloads

  • Dormant OAuth App with no recent ARM activity

  • Dormant OAuth App with no recent EWS activity

  • Dormant OAuth App with no recent MS Graph activity

  • Entra Line-of-Business app initiating an anomalous spike in virtual machine creation

  • Increase in app API calls to Exchange after a credential update

  • New app with numerous consent revocations

  • OAuth App using unusual user agent

  • OAuth App with suspicious Reply URL

  • Oauth app with suspicious reply url

  • Suspicious enumeration activities performed using Microsoft Graph PowerShell

  • Unused app newly accessing APIs

Next steps