Microsoft Defender for Cloud apps: Session Controls

Hello everyone! After my last article on Defender for Endpoint, I felt the need to follow up with Defender for Cloud apps. This article will explain some of the functionality you can expect from Defender for Cloud apps.

After taking a high-level look at some of the functionality, I will give an example of connecting an application for monitoring via conditional access app control apps.

What you need to get started

This section covers what you need to get started with Defender for Cloud apps.

  • Licensing - A license that includes Defender for Cloud apps, such as Microsoft 365 E5, the E5 Security add-on, or EMS E5. Ideally the licensing should contain the following services: Defender for Cloud apps, Microsoft Defender for Endpoint, Intune (makes onboarding Defender for Endpoint easy), and Microsoft Entra P2.
  • Continuous Reporting (Endpoint Telemetry) - Windows endpoints, Windows Servers, and macOS devices enrolled in Defender for Endpoint. As a bonus, this is the same package that onboards you into Purview Endpoint DLP! Defender for Endpoint integrates with Defender for Cloud apps and will be part of the workflow.
  • Continuous Reporting (Logging Servers) - Additionally, a Windows Docker or Linux Docker log collector to send network traffic logs from appliances to Defender for Cloud apps. *Please note that Windows Docker will have an additional licensing cost.
  • Access - Be sure to have the Security Administrator role, and within the Defender for Cloud apps settings you will also need to set who can onboard and maintain apps.
  • Applications - SSO-ready apps; for this article we will assume these are Entra SSO-enabled applications. Applications must support SAML 2.0 or OpenID Connect to be compatible. You can use Okta or Ping for authentication/SSO, but that will be for another time. *Please note that not all applications are created equal; configuration may vary, and some features may not be supported depending on the app.
  • Entra Conditional Access policies - (You should already have MFA on; if not, MFA should be the top priority at this point!) The policy is what I consider the front door for the Conditional Access session control policies. This is where the authentication and the session begin their journey.
  • Defender for Cloud apps - Session and Access Controls created from Defender for Cloud apps

The Workflow

To see how Defender for Cloud apps is used, we'll take a look at an example workflow. This workflow only covers Conditional Access app control for monitoring applications.

Access to onboard apps and onboarding an app

There are a few ways to onboard applications into Defender for Cloud apps Conditional Access app control, but first and foremost, once you have checked the prerequisites, do not forget to give yourself access to onboard and maintain apps.

The Conditional Access side of things

Now that you have the access you need, let's take a look at onboarding an application. I want to convey the message to proceed with caution here: I recommend testing this extensively with a small pilot group before considering a broad rollout. With the Monitor and Block downloads options in Entra Conditional Access, one issue you can face is additional configuration you didn't know you needed. Selectively target that test app and avoid rolling this out for all apps.
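To make that "front door" concrete, here is an added example (not from the article) that creates the pilot Conditional Access policy through the Microsoft Graph PowerShell SDK, scoped to one test group and one test app in monitor-only mode and starting in report-only state. The group and app ids are placeholders you replace with your tenant's values.

```powershell
# Added example, not part of the original article.
# Requires the Microsoft.Graph PowerShell module and the
# Policy.ReadWrite.ConditionalAccess permission on the signed-in admin.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

$pilotGroupId = "<PILOT-GROUP-OBJECT-ID>"   # placeholder: the small pilot test group
$testAppId    = "<TEST-APP-ID>"             # placeholder: the single SSO app under test

$policy = @{
    displayName = "Pilot - Defender for Cloud Apps session monitoring"
    # Report-only first: sign-in logs show what the policy would do before anyone is affected.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeGroups = @($pilotGroupId)          # never "All" users for a pilot
        }
        applications = @{
            includeApplications = @($testAppId)       # selectively target one app, not all apps
        }
        clientAppTypes = @("browser")                 # session controls apply to browser sessions
    }
    sessionControls = @{
        cloudAppSecurity = @{
            isEnabled            = $true
            # "monitorOnly" = Monitor; "blockDownloads" = Block downloads;
            # "mcasConfigured" defers to session policies defined in Defender for Cloud Apps.
            cloudAppSecurityType = "monitorOnly"
        }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Confirm the scope and state before switching the policy to "enabled".
Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id |
    Select-Object DisplayName, State,
        @{ n = "Apps";  e = { $_.Conditions.Applications.IncludeApplications -join "," } },
        @{ n = "Users"; e = { $_.Conditions.Users.IncludeGroups -join "," } }
```

Once the report-only sign-in logs look right for the pilot group, change `state` to `enabled`; widening the app or user scope is a separate, later change.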

The Defender for Cloud apps side of things

Session and Access controls trigger authentication before moving through a reverse proxy tunnel to the application. This proxy is what protects your session with the application and may require a fully satisfied authentication to pass through. This is where some applications can malfunction, because they require that sign-in to occur before the tunnel. This is why you may need the application to perform a second login.

You will need to enable the app to work with session controls before you can use it in a Conditional Access session/access control workflow. You will add the user-defined domains to the configuration; however, the "perform a secondary login" setting will vary from app to app.

Slow the adoption process down to allow critical testing without production downtime. The Block downloads option will also onboard applications into Conditional Access app control but may need additional configuration. To find the Conditional Access app control apps listed, look in settings > cloud apps > connected apps.

This is the list of connected applications, where you can determine whether they have session controls in place. This list is also where you can set those additional configurations, by clicking the three dots on the right and choosing Edit application. See my example of the list below:

[Image: list of connected apps]

I want to reference this article because if you do run into issues, it may point you in the right direction: Troubleshoot access and session controls for admins - Microsoft Defender for Cloud Apps | Microsoft Learn.

I also want to call out that if you use Edge primarily and want a different user experience, you can force all of this into Edge by using the Microsoft Edge for Business settings within Defender for Cloud apps. Users will then not see the redirect to the proxy tunnel, which is otherwise normal during sessions. You can also dictate whether your user base sees that the applications are being connected once the first-factor authentication has completed. Once you have Conditional Access app control up and running, users see a landing page letting them know that activity is monitored.

Monitoring the application

See an example of what the user experience looks like when monitoring apps below:

[Image: user experience when monitoring an app]

After the application has been connected, you can navigate to the Activity log section of Defender for Cloud apps for your data. This shows what activities have occurred during authenticated application sessions and allows your organization to uncover use cases and plan for protection where needed.

In Summary

This was a quick look at how you can onboard and monitor applications, but it barely scratches the surface of the capabilities and automation that can be used to secure applications and practice Microsoft Zero Trust principles.

I feel that if you are already utilizing Defender for Endpoint and the licensing is available, Defender for Cloud apps should be on your radar. It is more than just protecting resources in the traditional sense: you have to approach the cloud by creating layers and a perimeter, and this tool can help you secure application-level resources. Thank you for reading and stay safe out there!

More articles by Derrick Ferrell