• Home
  • Blog
  • Technical
  • Inventory and Control of Apps within and beyond the perimeter with Microsoft 365

Inventory and Control of Apps within and beyond the perimeter with Microsoft 365

Back to Blog
06Apr2020

Inventory and Control of Apps within and beyond the perimeter with Microsoft 365

Managing devices is a topic I have probably burnt my readers out on by this point, so it’s time we move into the next stage: wrangling all those crazy third-party applications hiding out in your environment! To build up a foundation of good security, we must identify our apps and determine what is approved and not approved, and how to take governance actions against apps that are both sanctioned and unsanctioned.

The key that unlocks all of this is Cloud App Discovery, available with Azure AD Premium P1 (now included in Microsoft 365 Business Premium) and Microsoft Cloud App Security (MCAS). And, for those out there who want even more security superpowers, we should discuss some important integrations to Microsoft Defender ATP, which is also now available as a standalone subscription that can be added to Business (it also exists in Microsoft 365 E5 or Microsoft 365 E5 Security).

Cloud App Discovery

If you visit the Cloud App Security portal (portal.cloudappsecurity.com) you will find a place to discover all the various applications sending and receiving traffic in your environment.

This is an amazing tool that allows you to gather data about apps that you may or may not know about in your organization. You can even get some good information about compliance related concerns for each discovered application.

The above data (under Discovered apps) displays the applications that exist in this demo environment; applying a couple of quick filters and sorting based on “Score,” I can already see that some of them might pose a higher risk for the organization. Not all cloud apps will meet your compliance requirements, and this tool can tell you quickly which ones you should be looking to block and replace.

For example, if you wanted to meet ISO 27001, FINRA, or ITAR–you’ll need to replace this app!

Data gathering

Where does all the data about what apps are being witnessed in the environment come from? One of two places:

  1. Firewall (e.g. uploading logs from your edge device)
  2. Endpoints (via MDATP)

The first option is available with a Microsoft 365 Business Premium / Azure AD Premium P1 subscription, and we can gather the data either as a snapshot (this is a one-time upload–which is a great tool for assessments), or you can have it shipped to MCAS automatically via syslog or similar when you want continuous monitoring. Just use the ellipses in the upper right corner to find these options.

Now, just take a look at the current situation with this pandemic. Much less traffic than ever before is routing through your traditional corporate firewall–and even before the pandemic, this was the trend: work happens everywhere, and we’re more mobile than ever. Therefore the best way to get this data is from the endpoint–but to do that requires a subscription to Microsoft Defender ATP as well as Microsoft Cloud App Security.

Once you have the licenses applied, from the Microsoft Defender Security Center (securitycenter.windows.com), go to Settings > Advanced features to enable the integration and allow MDATP to send its endpoint data to MCAS.

Note: You must license all your users even though the functionality opens up with a single license applied to the tenant (users who benefit from features must be licensed for the features)!

Blocking apps

Microsoft 365 provides a lot of functionality and tools that people historically went out to get on their own. Do you really need DropBox or other file sharing apps if you have OneDrive, Teams and SharePoint? No, probably not. And there are many other examples of apps that can be re-evaluated and replaced with alternatives in 365 platform, too!

But after you put out the message to switch over to the approved corporate apps, how do you enforce the policy? Two choices: one, remove local admin privilege–this is a great way to reduce your overall risk anyway and you should be working toward it. This can be done easily with Autopilot, which is a feature of Microsoft Endpoint Manager (Intune)–included with Microsoft 365 Business Premium.

Second option: if you leap for the extra security bundles, MCAS will allow you to block apps and this can (again) happen in one of two ways:

  1. Firewall (generate a block script that is applied to the device)
  2. Endpoint (built-in integration using MDATP)

To use the firewall option, pick the ellipses in the upper right corner of the Discovered apps page and click Generate block script, after marking apps as unsanctioned.

The block script will need to be applied to your edge device in order to block the apps. To enable the MDATP integration, visit Settings > Microsoft Defender ATP and tick the checkbox.

You will also need to enable one more option under the Advanced features in Microsoft Defender Security Center called Custom network indicators. This allows the MDATP service to tell endpoint devices to add custom URL’s and IPs to the block list using Defender’s Network protection capability.

Assuming you configured the integrations as described above, MDATP will handle the rest, communicating the information to endpoints. Users would not be able to use these apps anymore on their Windows 10 devices.

Pretty slick, right?

Of course, if an app IS sanctioned even though it is third-party, we also have the option to bring these other apps under management using Azure AD for Single Sign-on, adding more security while adopting them into the corporate fold. This is also available natively in Microsoft 365 Business Premium.

However it is also worth mentioning that Microsoft Cloud App Security can take your management further for several popular third-party apps, by monitoring logs and governing files and activities via policy–the same as we do for Office 365. Proxying traffic via MCAS, you can then also enable Conditional Access App Control policies (another integration with Azure AD Premium).

Overwhelmed?

I know, it’s just crazy how many security tools are in Microsoft 365, right?! Yes, it is pretty gnarly. But I like to think that it is gnarly in a good way. This is just one powerful example of how the various pieces of Microsoft 365 can work better together.

If you were building your own security solution, and wanted to include an EDR (like MDATP) as well as a CASB (e.g. a Cloud App Security Broker like MCAS), these would be two different tools that do not communicate with one another, and do not necessarily link back to your identity provider, either. With Microsoft 365, these and more can all be had in a single pre-integrated bundle, and they layer seamlessly on top of your Office 365 and Windows 10 investments.

Although the fancier part (MDATP to MCAS integration) requires additional subscriptions on top of the normal Microsoft 365 Business Premium SKU (details in the table below), I would argue that it is worth a closer look if you are an MSP working out how to provide a valuable service with Microsoft 365 for your customers that can also result in additional monthly recurring revenue.

You can add MCAS in a number of ways to Microsoft 365 Business Premium: as a standalone subscription or bundled in other packages. Maybe we will see some more of this stuff trickle into the Business sphere eventually, but for now, this is where it’s at.

Technical , , , , , 0 Comments
Share:

Leave a Reply

Back to Blog

Related Posts

12Jun

Conditional access is now supported in Microsoft 365 Business (and how to get started)

Okay, so the big day has finally arrived! We have been sitting on PINS AND NEEDLES waiting for this announcement, as it has been rumored for quite some time. I couldn't be happier now that it is here: Conditional access, which is a critical security... read more
25Jan

Tutorial: How to downgrade to the old Office 365 Message Encryption

I recently shared the method used to enable the "new" Office 365 Message Encryption features, built on Azure Information Protection. That process can be followed either to setup a new tenant with the latest version (v2), or to upgrade an existing tenant from the old... read more
21Jan

Password write-back is now supported on Microsoft 365 Business Premium! (And how to setup SSPR for hybrid accounts)

Well, well. Isn't this a pleasant surprise? Microsoft recently granted another one of my wishes, which I have previously blogged about, here. (1) Self-service password reset (SSPR) is now supported for hybrid synced accounts on the Microsoft 365 Business Premium subscription. The welcome announcement made on... read more
03Oct

Windows Information Protection done right, part 2: typical set up steps

Last time we talked about a couple of key concepts including enlightened and non-enlightened apps, and how Windows Information Protection (WIP) treats corporate data differently than personal. In short, a non-enlightened app and all of its data will be treated by WIP as personal (by... read more
20Apr

What is Windows Hello, and how to enable it

Windows 10 introduced a new security feature called "Hello," which allows a computer to be unlocked via different means than a traditional username/password prompt.  The marketing around this sells it as a more "personalized" login experience--more "human" or whatever. But it's really just extra security... read more
14Sep

How to Setup and Configure Azure Backup for File, Folder and System State Protection

Until very recently, the Azure Backup agent only supported file and folder backup from an on-premises server to the cloud. We now have support for System State protection added to this list, so we will cover how to configure that today. Azure Backup also offers... read more
03Oct

How to secure your BYOD Windows 10 Device

I do not want to confuse anyone too much with this post. So let me begin with a clear disclaimer: I am not suggesting that we abolish Active Directory and encourage open BYOD across our small and mid-sized enterprises. Active Directory and Group Policy still provides the... read more
27Aug

How to configure Advanced Threat Protection (ATP) part 3: safe links

This will be our last post in this series on Advanced Threat Protection (ATP). We have previously covered anti-phishing policies and safe attachments. Now we will consider safe links. Safe links are basically just taking hyperlinks which exist in Exchange email messages or other content in... read more
25Jan

Manage Office 365 Mailboxes using Directory Synchronization w/o Hybrid Exchange

When you have a hybrid environment configured between Exchange 2010 or 2013 and Office 365, then you will probably have noticed that mailbox creation and management happens on-premises. For example, to create a new mailbox, you would initiate this process from the local Exchange server... read more
Multi-tenant management for Microsoft 365, and other things
03Sep

Multi-tenant management for Microsoft 365, and other things

IT service providers are constantly looking for more efficiency, and better ways to manage their customers' hardware and software assets. In the Microsoft realm, we finally have Microsoft 365 Lighthouse, which is now in public preview. Some of my MSP customers have raised question marks... read more

Helping IT Consultants Succeed in the Microsoft Cloud

Have a Question? Contact me today.

Contact Me