18 - Defender for Cloud Apps Access and Session Policies
Lab scenario
Microsoft Defender for Cloud Apps allows us to create additional Conditional Access policies specific to the cloud apps that we are monitoring. Creating these policies can be done from within the Control menu within the Microsoft Defender for Cloud Apps portal.
Estimated time: 20 minutes
Exercise 1 - Create and test the Conditional Access App Control policy
Task 1 - Confirm that PradeepG has unconditional access to FORMS
- Launch a new InPrivate browsing window.
- Connect to https://forms.microsoft.com.
- Select the login in the upper-right corner of the page.
- Log in as Pradeep Gupta.
- Username = PradeepG@«
- Password = the password from your resources tab
- Confirm that Microsoft Forms opens and that you do not get any warning messages.
- Close the InPrivate browsing window.
Task 2 - Configure Microsoft Entra ID to work with Defender for Cloud Apps
- Navigate to https://entra.microsoft.com and go to Microsoft Entra ID.
- Under Identity, select Protection.
- Then select Conditional Access.
- Select + Create new policy.
- Enter a policy name, such as Monitor Pradeep using Forms.
- Under Assignments, select 0 users and groups selected, then under Include choose Select users and groups and mark the Users and groups check box.
- Choose the Pradeep Gupta account for the lab tenant and select Select.
- Under Target resources, select No target resources selected.
- Select Select apps, then choose Microsoft Forms, and select Select.
- Under Access controls, select Session and 0 controls selected.
- Select the Use Conditional Access App Control box, leave the default of Monitor only, and select Select.
- Under Enable policy, select On, and select Create.
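The same policy can be created without the portal. The script below is an added example, not part of the lab, and uses the Microsoft Graph PowerShell SDK (Microsoft.Graph module) to build the policy object that Task 2 assembles by hand: the lab user as the only included user, Microsoft Forms as the only target resource, and the Conditional Access App Control session control set to monitor only. The tenant domain in the UPN is a placeholder you must replace from your resources tab, and the lookup of the Forms service principal by the display name "Microsoft Forms" is an assumption about the lab tenant.

```powershell
# Added example (not lab code): create the "Monitor Pradeep using Forms" policy via Graph.
# Assumes the Microsoft.Graph module is installed and the signed-in account can manage
# Conditional Access policies. Replace the placeholder tenant domain before running.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All",
                        "User.Read.All", "Application.Read.All"

$userUpn = "PradeepG@<your-tenant-domain>"   # placeholder: take the domain from the resources tab
$user    = Get-MgUser -UserId $userUpn

# Resolve the Forms app ID from the tenant's service principals (display name is an assumption)
$formsSp = Get-MgServicePrincipal -Filter "displayName eq 'Microsoft Forms'"
if (-not $formsSp) { throw "Microsoft Forms service principal not found in this tenant" }

$policy = @{
    displayName = "Monitor Pradeep using Forms"
    state       = "enabled"                       # the "On" choice under Enable policy
    conditions  = @{
        users          = @{ includeUsers = @($user.Id) }          # only Pradeep Gupta
        applications   = @{ includeApplications = @($formsSp.AppId) }  # only Microsoft Forms
        clientAppTypes = @("all")
    }
    sessionControls = @{
        cloudAppSecurity = @{
            isEnabled            = $true
            cloudAppSecurityType = "monitorOnly"  # "Monitor only" in the portal; no blocking
        }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State
```

Because the session control is `monitorOnly`, the policy routes Pradeep's Forms sessions through Defender for Cloud Apps for visibility only; switching to `blockDownloads` or `mcasConfigured` is what turns the same policy into an enforcing one, so keep the scope to a single test user until the monitored sign-in in Task 3 looks right.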
Task 3 - Log into Forms and validate that conditional access is monitoring
- Launch a new InPrivate browsing window.
- Connect to https://forms.microsoft.com.
- Select the login in the upper-right corner of the page.
- Log in as Pradeep Gupta.
- Username = PradeepG@«
- Password = the password from your resources tab
- Confirm that Pradeep has access and that you get a new message:
- Access to Microsoft Forms is monitored.
- Close the InPrivate browsing window.
Exercise 2 - Set up alerts in Microsoft Defender for Cloud Apps
Task 1 - Access Microsoft Defender for Cloud Apps and create Conditional Access App Control
Registering your application establishes a trust relationship between your app and the Microsoft identity platform. The trust is unidirectional: Your app trusts the Microsoft identity platform—not the other way around.
- Sign in to https://security.microsoft.com using a Global Administrator account.
- On the left menu, scroll to and select Policies in the Cloud Apps section.
- In the Policies menu, locate and select Policy Management.
- Select + Create policy, and then select Access policy.
- Enter a name for the policy, such as Monitor Microsoft Forms access.
- Leave the Category as Access control.
- Under Activities matching all of the following, open the Intune compliant, Microsoft Entra Hybrid joined drop-down and clear Microsoft Entra Hybrid joined.
- Open the Select apps drop-down and select Microsoft Forms.
- Leave Actions as Test.
- Under Alerts, leave Create an alert… checked and select Send alert as email.
- Enter the lab admin email address and press Enter on your keyboard.
- Select Create to create the access policy.
Task 2 - Log in as Pradeep to Forms to trigger activity
- Launch a new InPrivate browsing window.
- Connect to https://forms.microsoft.com.
- Select the login in the upper-right corner of the page.
- Log in as Pradeep Gupta.
- Username = PradeepG@«
- Password = the password from your resources tab
- Confirm that Pradeep has access and that you get a new message:
- Access to Microsoft Forms is monitored.
- Close the InPrivate browsing window.
Task 3 - Review the Activity in Defender for Cloud Apps
- Return to the browser running Defender for Cloud Apps.
- Refresh the browser to ensure the most recent data is downloaded.
- From the Investigate menu, select Activity log.
- Using the App: filter, pick Microsoft Forms from the list.
- Notice the sign-on records for Pradeep.
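The two checks the lab makes in the portal, that the Conditional Access policy from Exercise 1 actually applied to Pradeep's Forms sign-in (Exercise 1, Task 3) and that his Forms activity reached Defender for Cloud Apps (Exercise 2, Task 3), can both be read back with a script. The block below is an added example, not part of the lab: it pulls the Entra sign-in records for the user and prints which Conditional Access policies were applied with their session-control result, then runs the equivalent of the App: filter as an advanced hunting query over the CloudAppEvents table through Microsoft Graph. The tenant domain is a placeholder, and the assumption that Forms shows up under the application name "Microsoft Forms" in both data sources is mine.

```powershell
# Added example (not lab code): verify the monitored sign-in and the Forms activity via Graph.
# Assumes the Microsoft.Graph module and an account with the listed permissions.
Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All", "ThreatHunting.Read.All"

$userUpn    = "PradeepG@<your-tenant-domain>"   # placeholder: domain comes from the resources tab
$policyName = "Monitor Pradeep using Forms"      # the policy name used in Exercise 1, Task 2

# 1) Entra sign-in log: did the Conditional Access policy apply, and with which session controls?
$signIns = Get-MgAuditLogSignIn -Top 10 `
    -Filter "userPrincipalName eq '$userUpn' and appDisplayName eq 'Microsoft Forms'"

foreach ($s in $signIns) {
    $applied = $s.AppliedConditionalAccessPolicies | Where-Object { $_.DisplayName -eq $policyName }
    if ($applied) {
        # Result is "success" when the policy applied; EnforcedSessionControls lists the
        # controls that were actually pushed onto the session (expect the Cloud App Security control)
        "{0}  policy={1}  result={2}  session={3}" -f $s.CreatedDateTime, $applied.DisplayName,
            $applied.Result, ($applied.EnforcedSessionControls -join ",")
    }
    else {
        "{0}  policy '{1}' was NOT applied to this sign-in" -f $s.CreatedDateTime, $policyName
    }
}

# 2) Defender XDR advanced hunting: the same rows the Activity log shows under App: Microsoft Forms.
$kql = @"
CloudAppEvents
| where Timestamp > ago(1d)
| where Application == "Microsoft Forms"
| where AccountId =~ "$userUpn" or AccountDisplayName == "Pradeep Gupta"
| project Timestamp, ActionType, AccountDisplayName, IPAddress, CountryCode, UserAgent
| order by Timestamp desc
"@

$response = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/security/runHuntingQuery" `
    -Body @{ Query = $kql }

if (-not $response.results) {
    "No Forms activity for $userUpn in the last day; wait a few minutes and refresh, as in Task 3."
}
else {
    $response.results | ForEach-Object { [pscustomobject]$_ } | Format-Table -AutoSize
}
```

The sign-in log answers the question "did the policy fire?" and the hunting query answers "did the monitored session produce activity records?"; if the first shows the policy applied but the second returns nothing, the usual cause is ingestion delay rather than a misconfiguration, which is why the lab has you refresh the Activity log before reading it.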