Cloud App Security
Cloud App Security is part of the E5 EMS license structure and gives useful visibility into what is going on in your Office 365 cloud environment.
Getting Started
The portal can be reached from the Office 365 admin portal: https://portal.office.com → Admin Centers → Cloud App Security. This redirects you to a tenant-specific URL such as https://COMPANY.portal.cloudappsecurity.com. Alternatively, you can open the portal directly at https://portal.cloudappsecurity.com
Access
All global admins have access to the Cloud App Security portal. You can also add users to the Security Reader role via https://portal.azure.com → Users → Directory role. Finally, you can grant users access from within Cloud App Security under Settings → Manage Admin Access.
- Global Admin: Admins with Full access have full permissions in Cloud App Security. They can add admins, add policies and settings, upload logs and perform governance actions.
- Security Reader: Has read-only permissions and can manage alerts.
OAuth Apps
You can use Cloud App Security to get an overview of all apps that users have authorized to access company data.
- Go to Investigate → OAuth Apps
Manage App Registration
By default, users can register apps themselves and consent to data access. You can disable this with the following two settings:
- Azure Portal → Azure Active Directory → Users → User settings → App Registration → NO
- Azure Portal → Azure Active Directory → Enterprise Applications → User Settings → Users can consent to apps accessing company data on their behalf → NO
Manage Registered Apps
Once the apps are registered you can Approve or Block them in the Cloud App Security Portal:
- Select the App in the Manage OAuth Apps overview
- Approve or Block the app on the right side of the screen
Remove Individual User
You can remove an individual user's access to an app, which is convenient if you don't want to block the app for the entire company in a single click. This takes two steps: configure the app to require user assignment (only once per app), then remove the individual user.
Enterprise App - User assignment required
- Go to Azure Active Directory → Enterprise Applications and select the application
- Go to properties → User assignment required → YES
Enterprise App - Remove User access
- Go to Azure Active Directory → Enterprise Applications and select the application
- Go to Users and Groups and select the user. Click Remove.
It may take up to an hour for the setting to take effect (time measured when testing), after which the user gets a notification that the application is no longer available.
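The same two steps (require user assignment, then remove one user's assignment) scripted with the AzureAD PowerShell module, added here as an example and not part of the original page. It assumes the AzureAD module is installed and that you hold a role that can edit enterprise applications; the app display name and user UPN are placeholders.

```powershell
# Added example: portal steps "User assignment required -> YES" and
# "Users and groups -> select user -> Remove" done with the AzureAD module.
param(
    [string]$AppDisplayName    = 'Example App',       # placeholder
    [string]$UserPrincipalName = 'user@example.com'   # placeholder
)

Connect-AzureAD | Out-Null

# The enterprise application is the app's service principal in the tenant.
$sp = Get-AzureADServicePrincipal -Filter "displayName eq '$AppDisplayName'"
if (-not $sp) { throw "No enterprise application named '$AppDisplayName'" }
if (@($sp).Count -gt 1) { throw "Several apps named '$AppDisplayName'; select by ObjectId instead" }

# Step 1 (once per app): require assignment. Without it, removing an
# assignment has no effect because any user in the tenant may sign in.
if (-not $sp.AppRoleAssignmentRequired) {
    Set-AzureADServicePrincipal -ObjectId $sp.ObjectId -AppRoleAssignmentRequired $true
}

# Step 2: remove the user's direct assignment(s) to the app.
$user = Get-AzureADUser -ObjectId $UserPrincipalName
$assignments = Get-AzureADServiceAppRoleAssignment -ObjectId $sp.ObjectId |
    Where-Object { $_.PrincipalId -eq $user.ObjectId }

if (-not $assignments) {
    # A user may still reach the app through a group assignment; check those too.
    Write-Warning "$UserPrincipalName has no direct assignment to '$AppDisplayName'"
}
foreach ($a in $assignments) {
    Remove-AzureADServiceAppRoleAssignment -ObjectId $sp.ObjectId -AppRoleAssignmentId $a.ObjectId
    Write-Host "Removed assignment $($a.ObjectId) for $UserPrincipalName"
}

# Verify: list who (users and groups) still has access to the app.
Get-AzureADServiceAppRoleAssignment -ObjectId $sp.ObjectId |
    Select-Object PrincipalDisplayName, PrincipalType
```

The final listing is the check worth keeping: group assignments show up as PrincipalType Group, and a user who is a member of such a group keeps access until removed from the group.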
Overview Shared Data with External Guests
To get an overview of data that is publicly shared or shared with external guests:
- Go to Investigate → Files
- Set Access Level as appropriate, for example External
If you need to unshare files, you can do so:
- Select the files by clicking the document icon in front of the filename.
- Three vertical dots appear at the top; click them
- Select Make Private
Alerts
Go to the Alerts dashboard to view the open alerts. If required, you can configure email notifications for these alerts in your own admin settings: go to your profile → User Settings → Notifications (note that your account needs a valid email address).
Policies
Alerts are triggered by policies maintained by Microsoft. You can set up your own policies as well, or modify the default policies. To do so:
- Go to Control → Policies
- Select the policy you want to modify
- You can change the scope to include or exclude specific users
- Or configure the alerts to be sent to a specific mailbox (Alerts → Send alert as email → Enter the email address)
- Or set to notify or suspend the user (Governance → Notify user / Suspend User)