First published on CloudBlogs on Jun 27, 2018
We are excited to announce that Conditional Access App Control is now generally available. In this blog post, we’ll provide an overview of the powerful real-time monitoring and controls this feature enables, and deep-dive into the admin experience and some of our most popular use-cases.
Overview
In the modern workplace, it is essential to enable your users to work from any location and any device and grant them access to cloud applications. Additionally, increasing collaboration needs necessitate sharing your company’s data externally. At the same time, you need to safeguard your organization’s data and resources.
It is essential to provide a flexible environment that allows you to determine how your organization’s data can be accessed, balancing protection and productivity. Microsoft Cloud App Security delivers these capabilities in a holistic and integrated experience with Conditional Access App Control, which integrates directly with Azure AD conditional access policies.
This feature empowers you to granularly define what risk means in your organization, and then gain control and visibility of any user sessions that match that definition. For example, if a business-to-business (B2B) collaboration user who was granted access to some of your data tries to access company-confidential resources from an unmanaged device, you can block or encrypt the download of those resources in real time, preventing confidential information from leaking outside your organization. These controls can be applied to any SAML application configured with single sign-on in your organization.
Empowering the admin
Conditional Access App Control utilizes a reverse proxy deployment to redirect the user session to a Cloud App Security server upon authentication. Our unique integration with Azure AD conditional access empowers the admin to proactively configure which sessions should be routed to our servers, ensuring that only the subset of traffic you scoped will be proxied. You can define these rules based on conditions such as users/groups, device management, location information, and sign-in risk, among others. Once the session reaches our servers, granular Session and Access policies determine what the user will experience.
if // specify the conditions under which the resulting action should occur
In building these policies, the admin can further scope controls to apply only to specific files or activities. For example, a filter can be applied to only enforce monitoring/controls on files with Azure Information Protection classification labels, certain file extensions, or those matching custom strings in the title or body of the document. Or, policies can be scoped to only apply to certain activities, such as file uploads or file sharing.
then // specify the resulting action that should occur
Finally, the admin can select which controls to apply when a policy match occurs, such as monitor, block, or protect (encrypt) downloads, or monitor and block one of many granular in-app activities.
All log-in events, downloads, and scoped activities will instantly appear in the Cloud App Security activity log for you to review. In addition, any matching sessions can be configured to send an alert directly to the administrator by phone or email.
[Video 1 - Creating a Session Policy in MCAS: https://cloudblogs.microsoft.com/uploads/prod/2018/06/Video-1-Session-policy.mp4]
Common scenarios
Now that the intended policies are configured, let’s take a look at the end-user experience when navigating to a protected app from a risky session, by exploring four key use cases.
Scenario 1: Block/protect downloads from unmanaged devices
Risk: Unmanaged devices often have security gaps, such as lack of a PIN/passcode, malicious apps on the device, connections to public Wi-Fi, etc., and could potentially expose sensitive company information as a result.
Solution: Block download of highly sensitive files in real-time when accessing sanctioned company apps from an unmanaged device.
[Video 2 - Download blocked: https://cloudblogs.microsoft.com/uploads/prod/2018/06/Video-2-Download-blocked.mp4]
Scenario 2: Read-only mode for Business-to-business users (B2B)
Risk: While B2B users need access to some data in your applications, limiting their actions is essential, since you do not have control of their organizations’ security.
Solution: Create a read-only mode for B2B users in your organization by blocking various in-app activities.
[Video 3 - Upload and share blocked: https://cloudblogs.microsoft.com/uploads/prod/2018/06/Video-3-Upload-and-share-blocked.mp4]
Scenario 3: Monitor use of sanctioned applications
Risk: An application is sanctioned in your organization but presents unknown risks, which can be identified via monitoring.
Solution: Monitor log-ins, file downloads, and various in-app activities in MCAS, without restricting the actions users can take.
[Video 4: https://cloudblogs.microsoft.com/uploads/prod/2018/06/Video-4_Compressed.mp4]
Scenario 4: Block access from unmanaged devices via client certificates
Risk: The data stored in applications can be highly sensitive and should not be accessed from any BYOD machines.
Solution: Create a policy to block access to any app with sensitive information from any device without a valid client certificate.
[Video 5: https://cloudblogs.microsoft.com/uploads/prod/2018/06/Video-5_Compressed.mp4]
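To make the if/then policy model from the admin section concrete, here is an added example (not MCAS code, and not the product's policy schema) that models the four scenarios above as session policies and evaluates a constructed session context against them; the field names, the "allow" default and the precedence rule (block over protect over monitor) are assumptions of this illustration.

```python
from dataclasses import dataclass
from typing import Callable, Set

# Constructed session context; field names are assumptions, not the MCAS schema.
@dataclass
class Session:
    user: str
    is_b2b: bool
    device_managed: bool
    has_client_cert: bool
    activity: str          # "login", "download", "upload" or "share"
    file_label: str = ""   # e.g. an Azure Information Protection label on the file

@dataclass
class Policy:
    name: str
    condition: Callable[[Session], bool]   # the "if": who/what is in scope
    activities: Set[str]                   # scoped activities; empty set = all
    file_filter: Callable[[Session], bool] = lambda s: True  # file-level scoping
    action: str = "monitor"                # the "then": monitor, protect or block

def evaluate(session: Session, policies) -> tuple:
    """Return (effective action, names of matched policies).
    Assumed precedence when several policies match: block > protect > monitor."""
    rank = {"monitor": 0, "protect": 1, "block": 2}
    action, matched = "allow", []
    for p in policies:
        if not p.condition(session):
            continue
        if p.activities and session.activity not in p.activities:
            continue
        if not p.file_filter(session):
            continue
        matched.append(p.name)
        if action == "allow" or rank[p.action] > rank[action]:
            action = p.action
    return action, matched

# The four blog scenarios expressed as policies (constructed illustration).
POLICIES = [
    Policy("S4 block access without client certificate",
           lambda s: not s.has_client_cert, set(), action="block"),
    Policy("S1 protect sensitive downloads on unmanaged devices",
           lambda s: not s.device_managed, {"download"},
           lambda s: s.file_label == "Highly Confidential", "protect"),
    Policy("S2 B2B read-only: block upload and share",
           lambda s: s.is_b2b, {"upload", "share"}, action="block"),
    Policy("S3 monitor all activity in the sanctioned app",
           lambda s: True, set(), action="monitor"),
]
```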
All these controls are available today, and we are working to continuously enrich the capabilities of Conditional Access App Control with more features and use-cases.
You can configure real-time monitoring and controls for your apps today, and if you don’t already use Microsoft Cloud App Security, get started with a free trial today!
More info and feedback
Detailed information is available on our technical documentation site. As always, we want to hear from you! If you have any suggestions, questions, or comments, please visit us on our Tech Community page.