In my blog article series on Conditional Access Demystied I mentioned that Conditional Access can be used to route sessions toward Microsoft Cloud App Security (MCAS). In this article I will go into more detail on what MCAS is, and how to setup Conditional Access App Control.

Disclaimer: This article discusses the full option MCAS product, there are some other flavors providing partial functionality like Office 365 Cloud App Security and Cloud App Discovery (CAD). For information about licensing, see the Microsoft Cloud App Security licensing datasheet.

What is Microsoft Cloud App Security (MCAS)?

MCAS is Microsoft’s implementation of a Cloud App Security Broker (CASB). So what’s a CASB then you might ask yourself – WikiPedia states the following:

“A cloud access security broker (CASB) (sometimes pronounced cas-bee) is on-premises or cloud based software that sits between cloud service users and cloud applications, and monitors all activity and enforces security policies. A CASB can offer a variety of services, including but not limited to monitoring user activity, warning administrators about potentially hazardous actions, enforcing security policy compliance, and automatically preventing malware.”

Microsoft’s CASB implementation MCAS provides the following functionality:

Log Collection also known as Cloud Discovery

By either manual uploading firewall logs (click here to see which FW logs are supported) or setting up an automatic way of doing so, the logfiles are analyzed giving insights in the data concerning cloud applications being accessed from behind the firewall. The main usecase is to gain insights in the so called “Shadow IT” usage, meaning IT services being used within your network out of sight of you (the IT Department).

If you are using Microsoft Defender Advanced Threat Protection (MDATP), you can also enable the connection from MDATP to MCAS allowing for information coming from MDATP to allow machine based investigation, even when machines aren’t on the corporate network and their network traffic doesn’t go through your corporate firewall.

For most applications being discovered, Microsoft provides additional information about Legal, Security and Compliance and based on that calculates a so called Risk Score between 0 and 10. Below is an example of LinkedIn, which has a risk score of 7.

API Connectors also known as App Connectors

By using API Connectors, the information being gathered by MCAS can be extended towards the application services which support this kind of API connection. It’s almost obvious that most Microsoft’s SaaS based apps are supported in this scenario. On the website the following applications supporting API connections are mentioned:

• Office 365
• Box
• Okta
• Gsuite
• ServiceNow
• SalesForce
• Dropbox
• AWS
• Webex
• Workday

What can be discovered is depending on the functionality being provided by the manufacturer of the App. Check this page for more information about what is supported when using the App connector for each product.

Reverse Proxy also known as Proxy Access + Session

By integrating MCAS into your Conditional Access policies, you can redirect user sessions to Cloud Applications through MCAS. MCAS in this case acts a reverse proxy and gives the MCAS administrator the option to govern that session. It’s important to remark that in order to reverse proxy Cloud Application through MCAS, the App must be accessed via Azure Active Directory (Azure AD). If a cloud application is available by other means, like for example with a user account and password coming from another identity provider than Azure AD. (internal mechanism, twitter, google, facebook and so fort). More about this functionality later in this article.

Integration with other and 3rd party products

MCAS provides several integration with other Microsoft products and products from 3rd party vendors. Some examples are that you can use Microsoft Flow when creating policies (more on that later), or integrate with SIEM products or Data Loss Prevention (DLP) solutions.

It’s also possible to integrate MCAS with so called Cloud Proxy solutions, like Zscaler and iBoss. By doing so you are able to block connections for certain cloud services even if clients are not on the corporate network.

MCAS in the Gartner Magic Quadrant for CASB

While writing this article, I noticed some tweets mentioning that research firm Gartner has placed Microsoft in the leader quadrant for CASB solutions, while the report is for paying users only – https://www.gartner.com/en/documents/3892270/magic-quadrant-for-cloud-access-security-brokers. I expect that Microsoft or maybe another mentioned company might make the report available free for download in the near future. If so I will update this article with a link to the report.

What are the use cases voor Conditional Access App Control

The main goal of what we want to accomplish by implementing security products is to keep your users safe and make sure that company data confirms to the Confidentiality, Integrity, and Availability (CIA) triad.

Microsoft has made available a downloadable whitepaper detailing 20 use cases for using a Cloud App Security Broker, which can be downloaded here.

The use cases mentioned are:

1. Discover all cloud apps and services used in your organization
2. Assess the risk and compliance of your cloud apps
3. Goven discovered cloud apps and explore enterprise-ready alternatives
4. Enable continuous monitoring to automatically detect new and risky cloud apps
5. Detect when data is being exfiltrated from your corporate apps
6. Discovery Oauth apps that have access to your environment
7. Gain visibility into corporate data stored in the cloud
8. Enforce DLP and compliance policies for sensitive data stored in your cloud apps
9. Ensure safe collaboration and data sharing practises in the cloud
10. Protect your data when it’s downloaded to unmanaged devices
11. Enfore adaptive session controls to manage user actions in real-time
12. Record an audit trail for all user activities across hybrid environments
13. Identify compromised user accounts
14. Detect threats from users inside your organization
15. Detect threats from privlileged accounts
16. Identify and revoke access to risky OAuth apps
17. Detect and remediate malware in your cloud apps
18. Audit and configuration of your IaaS environments
19. Monitor user activities to protect against threats in your IaaS environments.
20. Capture user activities within custom cloud on-premis apps

So, how do you configure Conditional Access App Control?

In order to be able to use Conditional Access App Control you must meet the following license requirements:

• Azure Active Directory Premium P1 or higher
• Microsoft Cloud App Security
• Apps must be configured with single sign-on in Azure AD
• Apps must use SAML or Open ID Connect 2.0 protocols

With Conditional Access App Control you can redirect the user’s session to the Cloud App through MCAS. You can start doing this by creating a Conditional Access policy which uses the “Use Conditional Access App Control” session control.

There are featured apps, and apps which must be onboarded first before you can use them with MCAS. Featured apps are:

AWS, Azure DevOps (Visual Studio Team Services),Azure portal (preview), Box, Concur, CornerStone on Demand, DocuSign, Dropbox, Dynamics 365 CRM (preview), Egnyte, Exchange Online, G Suite, GitHub, HighQ, JIRA/Confluence, OneDrive for Business, LinkedIn Learning, Power BI, Salesforce, ServiceNow, SharePoint Online, Slack, Tableau, Microsoft Teams (preview), Workday, Workiva, Workplace by Facebook, Yammer (preview)

Example

In this simple example we are going to configure the following scenario: “We want access to Microsoft teams via the webbrowser from unmanaged Azure AD joined devices to be sent to MCAS so that we can monitoring those sessions and apply policies to them. For this example we are going to Block Downloads from within the session”

Create Conditional Access Policy

1. Go to the Azure AD administration portal via: https://aad.portal.azure.com
2. Select Azure Active Directory and select Conditional Access
3. Click on +New policy to create a new Conditional Access policy
4. Provide a name for the new policy, for example “I24 – Route Cloud Services through MCAS”
5. Under Users and Group define for which users you want to make the policy applicable. At first it’s advised to do this to a small subset of users. Make also sure to exclude your break glass accounts in order to make sure that no Conditional Access policy hits these account in case something is wrong.
6. Under Cloud apps or actions , click on Select apps and select Microsoft Teams
7. Under Conditions, select Client Apps (Preview) and select Browser.
8. Under Conditions, select Device State (Preview) and under the tab Exclude select “Device marked as compliant”
9. Under Access controls, Session select “Use Conditional Access App Control” and select “Block Downloads”
10. Save the Conditional Access Policy

Behaviour

If a user to whom the CA policy is applicable goes to https://teams.microsoft.com on an unmanaged device (or not compliant device), the session is redirected to MCAS. This can be seen by the URL being referenced, in my case: https://insight24-nl.eu001.access-control.cas.ms/aad_login

The first page a user sees, is a custom page (company branded) is diplayed telling the user that Access to Microsoft Teams is monitored.  The user has the option to suppress this page for one week, but is reminded again after that.

After clicking “Continue to Microsoft Teams” the user is redirected to Microsoft Teams, note though that the URL still points to MCAS

When the user wants to download a file the following screen appears.

Instead a .txt file is downloaded containing information about the file which was supposed to be downloaded:

The file was blocked since it contained data that is not allowed to be downloaded.

file name: BSN Test.docx
Original file size in bytes: 19373
Original file sha256 checksum: fbfdb872507cd117f6dcc8d208e730979a2158707a36ac05cf06f25b9dfd3aee

Conclusion:

Microsoft Cloud App Security (MCAS) has several usefull security features allowing companies to gain more control about what users are doing with company data. By exending Conditional Access with the Reverse Proxy functionality of MCAS we get even more controls for our Conditional Access policies. While the example above was only a tip of the iceberg about what is possible I hope it gave you an idea of what can be done.

I, myself are also still exploring the numerous features of MCAS, and I hope to describe some more advanced features in a follow up blogposting in the future.