Protect your Identities with Cloud App Security

This is the first in a series of articles about why you should consider using Microsoft’s Cloud App Security (MCAS) to decrease your organization’s risk from cybersecurity threats. MCAS is a cloud access security broker (CASB) providing the ability to identify applications, assess their risk and control their usage. It evaluates network traffic to over 15,000 applications and evaluates files for sensitive information in over a dozen different systems (including Box, AWS, GCP, Azure, and Office 365).

1 Objective

MCAS can help an organization do the following:

  1. Discover Shadow IT in an organization – identification of cloud apps and services being used by people in your organization.
  2. Protect information in the Cloud – ensuring files containing sensitive information are managed appropriately.
  3. Detect and Protect against Cyberthreats – identify unusual behavior across cloud apps to identify ransomware, compromised users or rogue applications, analyze high-risk usage and fix automatically to limit the risk to your organization.
  4. Assess and Protect your IaaS Environment – compare your cloud apps to various compliance requirements, prevent data transfer to non-compliant systems and block access to regulated data.

With all this capability, it is easy to get overwhelmed with options which can make it a challenge to focus on solving a specific problem. I hope  this article will make this tool more manageable by focusing on the identity protection features.

2 Importance of Identity Protection

Many organizations are moving to a zero-trust approach in which each user’s access to systems and data is evaluated. When an identity is compromised the risk to the organization is increased substantially. During 2019, Microsoft detected over 27 million compromised users in 2019 and blocked over 30 billion malicious sign-in attempts. The number of compromised accounts has been increasing every year.

Identity-related attacks such as password spray, breach replay and phishing are serious problems that are not going to stop any time soon.

3 Identity Protection Features

MCAS generates an Investigation Priority Score for each user .  The investigation priority score is based on security alerts, abnormal activities, and potential business and asset impact related to each user to help you assess how urgent it is to investigate each specific user. Use the score to focus on the accounts most likely to have been compromised. Microsoft uses machine learning algorithms with many different factors such as previous user behavior, assets being accessed and much more. The score is continuously updated as alerts are generated, actions are performed, and data is gathered by Microsoft from around the world. The use of behavioral analytics eliminates the need to maintain signature files which quickly become obsolete. This score will help you determine how urgent it is to investigate the user’s actions. You can easily determine if the account is compromised or if data is being exfiltrated.

Access Policies provide the ability to evaluate the device tags, location, IP address and user agent tag when someone attempts to use a monitored application. Access can be allowed or blocked and alerts can send emails or text messages if desired.

MCAS reads the account information from every connected app which makes it possible to evaluate the permissions and actions associated with each user. This includes internal staff as well as external partners. You can perform governance actions such as suspending an app, blocking the user or require the user to reauthenticate again. The users risk level can be set to high which will cause Azure AD to enforce any relevant policy action.

3.1 Dashboard

The general dashboard is on the home page of MCAS. This contains widgets showing metrics for the top three alerts, open alerts, and the top users. The alerts are categorized by severity and by type. The Privileged Accounts and Access Control alert categories will be of interest to identity protectors .

A list of monitored apps makes it easy to view a list of metrics  filtered for the specific app of interest to the investigator. These metrics include the number of user notifications sent, accounts monitored, and activities monitored.

Cloud App Security General Dashboard

3.2  Discovery

The Cloud Discovery dashboard provides the ability to investigate specific users. The top 100 users are listed and others can be selected when necessary. The apps used, the amount of traffic generated by uploads and downloads, and the IP addresses used are all provided on the dashboard

3.3 Investigate

The Investigate section includes pages for the following:

  • Activity Log– provides preconfigured queries and the ability to filter results by app, user, IP Address, activity type and location.
  • User and Accounts– provides investigation priority, account type, apps used, affiliation and group membership information
  • Identity Security Posture – provides recommendations for improving identity security.

MCAS provides the ability to conduct a wide variety of investigations. A few examples include:

  • Searching for inactive accounts in a particular service. Maybe you can revoke the license for that user to that service.
  • Determining which users have a specific role?
  • Confirming a former employee does not have access to an app and can use that access to steal information?
  • Do you want to revoke a user’s permission to a specific app or require a specific user to use multi-factor authentication?

3.4  Control

The control section provides templates to create new policies. The ten different types of policies are assigned to eight risk categories. While no policy templates are specifically focused on identity protection, the following templates can be used to create policies to monitor user activities and potential risks:

  • General anomaly detection – Alert when an anomalous session is detected in one of the sanctioned apps, such as: impossible travel, sign in pattern, inactive account.
  • Anomalous behavior in discovered users – Alert when anomalous behavior is detected in discovered users and apps, such as: large amounts of uploaded data compared to other users, large user transactions compared to the user’s history
  • Administrative activity from a non-corporate IP address – Alert when an admin user performs an administrative activity from an IP address that isn’t included in the corporate IP address range category.
  • Log on from a risky IP address – Alert when a user signs into your sanctioned apps from a risky IP address. By default, the risky IP address category contains addresses that have IP address tags of anonymous proxy, TOR, or Botnet. You can add more IP addresses to this category in the IP address ranges settings page.
  • Multiple failed user sign-in attempts to an app – Alert when a single user tries to sign into a single app and fails more than 10 times within 5 minutes
  • User log on from a non-categorized IP address – Alert when a user logs on from an IP address not included in a specific IP range category.

3.5  Alerts

Alerts are managed in their respective policies and can be configured to be sent as an email, text message, or both.  Alerts are grouped into eight different categories to be easier for the security team to focus on topics of concern. The identity protection related categories include Access Control and Privileged Accounts. Access policies provide a real-time monitoring and control over user logins to your cloud apps. Activity policies allow you to enforce a wide range of automated processes using the app provider’s APIs. These policies enable you/one to monitor specific activities carried out by various users or follow unexpectedly high rates of one certain type of activity.

Identity protection alerts include the following:

  • Compromised account – triggered when Cloud App Security identifies an account that was compromised. This means there’s a very high probability that the account was used in an unauthorized way
  • New admin user – Alerts you to changes in your privileged accounts for connected apps.
  • Suspicious activity – lets you know that anomalous activity has been detected that isn’t aligned with expected activities or users in your organization
  • Use of personal account – lets you know that a new personal account has access to resources in your connected apps
  • Inactive account- triggered when an account hasn’t been used in 60 days in one of your connected cloud apps.

Existing alerts should be reviewed and policies adjusted as necessary. The default policies may not be appropriate for every organization, so it is imperative  adjustments are made to avoid alert fatigue.

A justification should be entered whenever an alert is dismissed so that Microsoft can adjust the machine learning models.

Cloud App Security Alerts

4  Integration with Other Microsoft Systems

While MCAS can be integrated with Azure Information Protection (AIP) and other systems, many of these integrations are not relevant to identity protection, so they are omitted from this post and will be addressed in other postings.

For the purposes of this post, the primary systems of interest are Azure ATP, Azure AD and Azure Sentinel.

4.1 Azure ATP

MCAS can be integrated with Azure Advanced Threat Protection (ATP) which will provide context about user behavior in the on-premises environment. After enabling Azure ATP integration, you’ll be able to see on-premises activities for all the users in your organization. You will also get advanced insights on your users that combine alerts and suspicious activities across your cloud and on-premises environments.

Azure ATP Identity Security posture assessments are available for each of the following risks. These assessments provide a downloadable report with instructions for use and tools for building an action plan to remediate or resolve:

  • Entities exposing credentials in cleartext – alerts you to the current exposure risks (most impacted entities) in your organization with suggested remediation
  • Legacy protocols usage – identifies the top discovered entities using legacy protocols (for now, NTLMv1). Using the report, you can immediately review any top impacted entities and act on them, stopping use of these protocols and eventually, disabling them altogether
  • Weak cipher usage – identifies clients and servers that are using the RC4 cipher which has many vulnerabilities
  • Unsecure Kerberos delegation – discover which of your non-domain controller entities are misconfigured.  Determining a misconfiguration provides the entity the ability to impersonate you to any other chosen service
  • Domain Controllers with Print Spooler service available – domain controllers and active directory admin systems need to have the print spooler service disabled
  • Dormant entities in sensitive groups – these are targets of opportunity for malicious actors to gain sensitive access to your organization.

4.2  Azure AD Conditional Access

Azure AD conditional access policies can be configured to redirect users to MCAS. This provides real-time control of a session with a cloud application or an on-premises app that uses Azure AD Application Proxy. By implementing a session control, you can monitor when high-risk users sign in and then apply policies to protect information.

4.3 Azure Sentinel

Alerts from MCAS are sent to Sentinel where the data can be analyzed with a wide variety of tools including:

  • Visualization of alerts
  • Workbooks to integrate data from MCAS and other sources
  • Threat hunting with queries, bookmarks and notebooks

5 Amazon Web Services

Connecting Amazon Web Services (AWS) to MCAS helps you secure your assets and detect potential threats by monitoring administrative and sign-in activities, notifying you on possible brute force attacks, and malicious use of a privileged user account. You can use the following built-in policy templates to detect and notify you about potential threats:

  • IAM policy changes
  • Logon from a risky IP address
  • Network access control list (ACL) changes
  • Security group configuration changes
  • Activity from anonymous IP addresses
  • Activity from infrequent country
  • Activity from suspicious IP addresses
  • Impossible travel
  • Activity performed by terminated user (requires AAD as IdP)
  • Multiple failed login attempts
  • Unusual administrative activities

6  Box, Dropbox or Google

Connecting Box, Dropbox, Google Cloud Platform or GSuite to MCAS gives you improved insights into your users activities, provides threat detection using machine learning based anomaly detection and enables automated remediation controls. You can use the following built-in policy templates to detect and notify you about potential threats:

  • Activity from anonymous IP addresses
  • Activity from infrequent country
  • Activity from suspicious IP addresses
  • Impossible travel
  • Activity performed by terminated user (requires AAD as IdP)
  • Multiple failed login attempts
  • Unusual administrative activities
  • Unusual file deletion activities
  • Unusual file share activities
  • Unusual multiple file download activities
  • Activity policy template logon from a risky IP address
  • Mass download by a single user

7 Conclusion

MCAS is one of the most powerful tools in Microsoft’s extensive catalog of security related applications. Its integration with the other products is very strong and additional identity protection capabilities are on the roadmap.

I strongly recommend reviewing the capabilities of existing security tools to identify areas in which MCAS should be considered as a replacement. The implementation of MCAS should simplify the security operations in many organizations and may also decrease software licensing costs.

8 More to Come

Future articles in this series will focus on using MCAS to:

  1. Protect your information – using MCAS with Azure Information Protection
  2. Protect your network – using MCAS to discover and manage shadow IT in the network
  3. Protect your devices – using MCAS to create access policies for any device, including devices that aren’t domain joined, and not managed by Windows Intune by rolling out client certificates to managed devices or by using existing certificates, such as third-party MDM certificates

SharePoint Online – Searching the Internet

My client wanted to be able to search their public website from a page in a SharePoint Online (SPO) web site. I told them that this would be easy to do since I knew that there was an InternetSearchResults result source available by default in SPO. But after working with SharePoint for over 10 years, I should have remembered that just because something can be done in SharePoint it may take more effort than expected to implement. The InternetSearchResults result source uses the OpenSearch 1.0/1.1 protocol and it turned out that there is virtually no documentation provided by Microsoft regarding the use of this protocol

Paul Stork provided me some clues in his answers at but this did not provide me the full answer to my problem

In the SP Admin Center, the Search page contains a link to Manage Result Sources. On this page, the InternetSearchResults source contains the following query:

Since this syntax calls it is obviously quite old (Bing replaced Live around 2009).  Even though, it still functions, I decided that I would rather use I did some research and found that:

  1. the acceptable parameters for an OpenSearch query are shown at OpenSearch parameters.
  2. the advanced search keywords for Bing at Bing Parameters

I thought that I would be able to simply add the parameter “site” to the end of the search query and set it to my client’s public web site domain as follows.

However, this did NOT work.

I did some testing and thinking and realized that since the “site” parameter is the most limiting value of the query that it would need to be at the beginning of the statement. Some other articles state that the “site” parameter can follow the Search Terms, but my tests did not confirm that syntax.

I found that a specific internet site could be searched in SPO (as well as other SP versions) by using the following syntax.{searchTerms}&count={itemsPerPage}&first={startItem}&mkt={language}&format=rss&FORM=SHAREF

I hope that this can help someone else who needs to solve this type of problem. Please let me know if you have any questions

SharePoint Online – Search Results not Sorted

While using the People Search Core Results web part, I changed the query and set the Sorting value to a RefinableString that was configured to be sortable. However, the search results were not displaying in the sort order. It turns out that the Available Sort Orders (JSON) setting in the Results Control Settings section of the web part task pane supersede the Sort Order specified in the Query.

I had to change the  Available Sort Order to the following:

 [{“name”:”Last name (A-Z)”,”sorts”:[{“p”:”RefinableString00″,”d”:0}]},{“name”:”Last name (Z-A)”,”sorts”:[{“p”:”RefinableString00″,”d”:1}]},{“name”:”First name (A-Z)”,”sorts”:[{“p”:”FirstName”,”d”:0}]},{“name”:”First name (Z-A)”,”sorts”:[{“p”:”FirstName”,”d”:1}]}]

Thanks to the articles at and


Why I Need a Blog

I received a request for assistance from one of employees, and after working on the problem for 30 minutes, I got nowhere. I came back to work a few days later and she asked me if I had the problem fixed, I didn’t, so I took a look again and all of a sudden it seemed very familiar. I did a search on the internet and found several articles about the problem. One of the proposed answers was something that I had written 16 months earlier that I had forgotten about. I NEED this blog to help me keep track of things that I have learned. Hopefully, it may help some other people also.