Hey everybody, I'm Doug, this is Doug Does Tech. Today we're talking about session control policies in Conditional Access and Defender for Cloud Apps, and how to set that whole solution up from end to end. We'll walk through how to use it, how to set it up, and go from there. Let's hop in and talk about what the solution can do for you.

Let's begin with the end in mind and demonstrate exactly what we're doing and talking about here. Here I am, about to sign in from an unmanaged device into my organization. As part of that sign-in, what's happened is I'm getting interrupted in my access to Exchange Online. This is an optional feature; you don't actually have to show this to your users, but it's how you can tell it's working. The end user is able to log in, click Continue, and access everything they need to about their organization: they can access their email, they can see exactly what's going on in their organization, and pretty much everything they need to get their job done. However, we have some guardrails on them that prevent them from doing certain things. If they try to go in and download from our environment, we can intercept that download and say that's not allowed. So if you wanted to give someone remote access to whatever application you need, Salesforce, Microsoft 365, you can come in and have this compensating control in here to stop them from accessing it.

Great technology. What's going on under the hood is really this: we're looking at the sign-in activity and the machine someone's coming from, and then using Conditional Access we can say, we don't like that scenario, or in these conditions, proxy their connection to Defender for Cloud Apps. Once the session is inside Defender for Cloud Apps, we can set up different policies to control access to it: we can control upload, download, copy, paste, and depending on the application you might be able to do some more interesting things. I think there are some Salesforce-specific activities you can do, or in Teams you can block someone from chatting. Those are some interesting edge cases, but for the most part, most companies I do this with use it to control download. This might be part of your holistic strategy; I have a series on Conditional Access that I call the Secure Endpoint, which uses this in a BYOD scenario to help allow people to do this. So it's a great control that you can use. Hopefully that covers the technology and what we're going to be doing. Let's get into the hard part now: setting it up, because it's not always easy or obvious how to set up this solution.

Here we are in security.microsoft.com. We went down to Settings and then Cloud Apps to control and access and set up this whole thing. At the bottom here is the Defender for Cloud Apps section, and under Conditional Access App Control you can see all the settings related to it. You'll also notice under Conditional Access App Control the apps that you've set up for this. What you can see here is that it's all blank by default, and if you hit the Add button it's really not obvious what you should be doing, so it causes a lot of confusion for people I've seen. I'm going to walk you through the easy way to set this up, which is essentially coming down here and setting up app onboarding and maintenance. This is the first step you need to do: come in and put your UPN in, and set up your account, or a testing account, with the ability to manage the application. From there you then need to go and onboard the applications. This is the big, hard-to-remember step that needs to happen here.

The second thing is you need to go into Conditional Access and set up a policy to send the session over to it. It's a simple type of policy. What we're going to do is an MCAS policy, so we need to pick an account and set this up so that the end user is added to it. Then we set up the app: you're going to target your app, and then what you need to say is, anything I want to set up here, we're going to proxy their connection and control it. In my case I'm going to pick just the Office 365 app, but if you need to do the admin apps or Salesforce, you follow the same procedure in here. I'm not going to do much filtering here, but if you're doing different options you may want to come in and filter, like, I only want to work on browser sessions; this policy only really works on browser, so you can filter on that. And if you wanted to filter out your corporate-owned devices, you could do that also when setting it up. All right, so that's the first set. Next we need to set up the session control policy in here. It's really easy: you use Conditional Access App Control, and then what we're going to do is the block download one. Actually, let's do the monitor only one to start with, and then we'll go from there. Just like that our policy is set. Make sure you have a backup account that you can use to get access if anything goes wrong while you're targeting this and setting these up, but this should be pretty safe to do. So we're going to turn that on and then wait for the app to take. I'm going to pause this for a second while I wait for the policies to sync, and then I'll come back and show you the next setup procedures.

All right, I'm back. After you set up the Conditional Access policies, what you need to do is actually go to the apps to trigger the policy to set up the session. Here you can see we waited quite a bit; I think I gave it 15 minutes just to be safe. I came back and now I'm ready to set this up, and you can see I'm able to click on it and continue to it. A lot of the Microsoft 365 apps will auto set themselves up; the key is you just need to go to them and make sure they're added into the interface. In this case we need to go to OneDrive and access the OneDrive application so that it sets itself up. Same thing with SharePoint, Viva Engage, all of the things: you basically need to go to them as a one-time action as this onboarding admin account so that they will then go ahead and set themselves up. So make sure you go through all of the stuff that you need to do and set it up. Oh, this is a new one, unrecognized domain; we'll skip that and see if it gets in here and sets up. Maybe it's not quite ready for everything yet, maybe I didn't give it enough time. It looks like it's doing its thing, but it's starting the process. So essentially what you're going to do, again, is go to each one of those apps and go through this process, and once it's available to you it should start showing up in your security.microsoft.com portal.

I'm back in the security.microsoft.com portal. We'll now go and refresh it just to make sure everything triggers properly, and then we can go to the session control policies and see what apps are now showing out here. It's down here: Conditional Access App Control apps. Just like that, now we can see some of these things are available in our environment, and I can start taking advantage of it from a policy perspective. That's pretty much it from a setup procedure for enabling the apps: you'll come in here, enable it, and then you'll be able to onboard it. The hard thing becomes if there is a custom application; you may need to do a little bit more groundwork on them to set them up. So if you have something like Salesforce, or a custom app that your organization wrote, or a website that you host that you want protected, you'll come in here and do the setup procedures just like we did before, but then, as you'll see, you'll click on them and under available controls it'll be missing the session control policies. If you see that, you need to come in, click on the app, and enable it for that control. I'll do it with another app in a little bit; I'll go and figure out a way to set that up so you can see it. But that's essentially it: you come in, set these up, and then you can take advantage of it.

All right, so once it's set up, what we need to do is go back into our Conditional Access policies, and then we can start using it for the governance action that we want. I did monitor only to set it up; when you're ready to switch it out to do something more dramatic, that's where the block download option comes in. These two options here say they're in preview, but they've said preview for like three years now, or two years now, so you can take advantage of them. They work really well, I use them a lot, and if you just need to do something simple like block download, you're good to go. You'll notice there is also an option for a custom control that you can take advantage of. Essentially the difference is that this requires additional work setting up a full MCAS policy, or Defender for Cloud Apps policy, to control that. What you're doing is handing off the session from Azure Active Directory, or Entra ID, and sending it to, sorry, Defender for Cloud Apps, and then Defender for Cloud Apps catches it and puts additional policies on it. So let's go ahead and look at what that would look like and the different policies that you could do in here.

On the left in security.microsoft.com we're going to go to Policy management, and in here we have Conditional Access. So there's another set of Conditional Access controls you can do in here: there are access policies and session policies. Access policies can be applied to everything in the environment, so this is another way to inspect sign-ins and basically block access on them, and session policies are what we're talking through here, which is: if the end user is doing this inside of that web-based session, block that download. Access policies can be applied to every sign-in across the board, if you're using a thick client, all that kind of stuff; it can inspect for Tor browsers, IP address, client-specific stuff, so you can get very granular with the control plane here. Session policies only apply to the web-based access and let you control it.

Once you set it up here, you get some options you can take advantage of from a deployment perspective. In this case the template I'm going to use is block downloads based on real-time content, and it's going to preset this stuff for you. In this case the control type is control file download with inspection, and that lets you come in and inspect and say, is this end user trying to download credit cards? If so, block it. You don't have to inspect; you can come in and say none, and that's going to be just the same as your block download option, and say they can't access this. These filters here are where you can get very specific on the different levels of access you can do in here, so you can get all sorts of different control plane to do a deeper level of inspection on this thing. What we do lots of times is, if you wanted to do a specific policy for, say, Exchange, we can come in and say whenever someone's accessing Exchange, send it to Conditional Access App Control, and then here in Conditional Access App Control we can control those activities and again come in and say, okay, allow access but block downloads, or control the downloads but put a sensitivity label on the document if someone's downloading it from our environment. So there's a lot of good stuff you can do as part of this, and essentially you can set each of them up and get really granular with your policies to do the full control.

What you may want to do is have a couple of different policies. I showed you the first policy that I do a lot of times with the control download option. They have this control actions option, or activity type, that you can also use to say, I don't want people to cut, copy, paste, and print from our environment, because those are different from download as a control. So if you're wanting to do full lockdown you can come in and say, don't allow them to cut, copy, or paste, and block that kind of stuff in here. Again, you can use content inspection to block it in here. I don't know if I showed you that one before, but here is another sample app that I have set up in my environment, and you can see if I try to copy it's also blocking that behavior. So, good control that you can take advantage of. I forgot to mention: one way you know that the session control policy is working in your environment is the redirection of the URLs. When I set this up for Engage, or Yammer, whatever it's called now, you can see that instead of going to the regular Microsoft URL I'm instead being redirected to this mcas.ms one. That's a great way to discover, yeah, I am coming into this site and the session control policy is working; the redirect happened. Great technology, really nice benefit there.

Let me show you how to set up a custom app, because that can be important; it's a little bit of a different one. I'm going to pause real quick while I go set it up so you can see it in this environment. All right, I'm back, so let me show you how to set up a custom application, just in case you ever run into the need to set up a custom app with Defender for Cloud Apps. What we did is, essentially I have a site that I'm hosting internally for demonstration purposes; it's an Azure Static Web App. I've added it again to a Conditional Access App Control policy, and I've set this up with the monitor only option. Once it's in here, you're going to give it some time; in my case I had to give it quite a bit of time. Then we need to set it up: I go to the site again, and here you can see "this app is not recognized, configure the app in Defender for Cloud Apps." This is where that onboarding option comes into place. And apparently we're erroring out, so that's great; I'm going to hit Confirm. All right, I had to give it a little bit more time, and now I can show you how it's going to work. In here on the same page it's ready to set up, and now it's showing as discovered and ready to be used. In this case we have these unidentified apps that we can then go ahead and set up, and here is my app, Orange Flower. This is a custom app, so we're going to set this up manually. I'm going to call this YouTube, and we can select a category; it doesn't really matter, business intelligence, that's what it is, and the score we can set up. Then the key thing is setting up the Conditional Access App Control. It may require you to adjust the URLs; if you need to do some advanced options you may need to gather some user-defined domains, and then you can add it here as an app. Now we come back in and wait, so this can be a little bit of a process to set up and use. In this case, do I have to set a subscription? Okay, good. To actually configure it and have it start showing in the environment, eventually it should go in here, so I want to pause this and come back in and hopefully we can complete the next steps.

All right, I think I gave it enough time, so we'll go ahead and try to log in again and test it, if I can remember my... there it goes. Fingers crossed we'll see if we get it right, and there we go. We are set here and we should now see it and get it to work, and yep, we're in. So again, the telltale sign that this is working for you is this mcas.ms option, and this is where you can see all this data about what's going on and how you're using it. You'll also notice down here there is additional information about the session, like what's going on, and you can turn on recording of the session. So if stuff's going wrong and nothing's working right and you're having problems, you can turn on access to this in test mode, use these options here, and look up the domains that are part of this, the apps that are showing in here, and then go from there: if I'm trying to download from here, block it, and have that control plane there. I hope this helps someone else out there get up and running with the solution and start protecting their apps and controlling downloads. Good luck and stay safe out there.
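As an added example, not code from the video, here is the same Conditional Access policy built with the Microsoft Graph PowerShell SDK instead of the portal: a pilot user with the backup account excluded, browser-only Office 365 sessions from devices that are not compliant or hybrid joined, proxied to Defender for Cloud Apps with the monitor only session control, and then flipped to block downloads once the apps have onboarded. The two user object ids are placeholders you replace with your own.

```powershell
# Added example (not from the video): create the Conditional Access App Control
# policy with the Microsoft Graph PowerShell SDK (Microsoft.Graph module).
# Assumptions: the GUIDs below are placeholders for the pilot user and the
# backup/break-glass account; the signed-in admin can consent to the scopes.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","Policy.Read.All","Application.Read.All"

$pilotUser  = "00000000-0000-0000-0000-000000000001"   # placeholder object id
$breakGlass = "00000000-0000-0000-0000-000000000002"   # placeholder object id

$policy = @{
    displayName = "CAAC - Office 365 - unmanaged browser sessions"
    state       = "enabled"                  # turn it on, as in the walkthrough
    conditions  = @{
        users = @{
            includeUsers = @($pilotUser)
            excludeUsers = @($breakGlass)    # always keep a backup account out of scope
        }
        applications = @{
            includeApplications = @("Office365")   # the Office 365 app group
        }
        clientAppTypes = @("browser")        # session control only works for browser sessions
        devices = @{
            deviceFilter = @{
                mode = "exclude"             # skip corporate-owned devices
                rule = 'device.isCompliant -eq True -or device.trustType -eq "ServerAD"'
            }
        }
    }
    sessionControls = @{
        cloudAppSecurity = @{
            isEnabled            = $true
            cloudAppSecurityType = "monitorOnly"   # safe starting point; blockDownloads later
        }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) with session control monitorOnly"

# After the apps appear under Conditional Access App Control, switch the same
# policy from monitor only to block downloads by resending the full body.
$policy.sessionControls.cloudAppSecurity.cloudAppSecurityType = "blockDownloads"
Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -BodyParameter $policy
"Policy $($created.Id) now blocks downloads in proxied sessions"
```

Use "mcasConfigured" instead of "blockDownloads" when the download, copy/paste or content-inspection rules should come from a Defender for Cloud Apps session policy rather than the built-in block.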
