This blog post is about Microsoft Cloud App Security CASB, and how does it fit in the overall set of Microsoft security products.


There is always a trade-off between moving to the cloud with all its benefits, and the challenge of keeping an organization secure. Microsoft provides a suite of security solutions that can help securing corporate identities, devices, application and data.

As more data is moving to the cloud, and with the rapid adoption of SaaS applications, Identity Driven Security becomes the new front-end protection gate that can enforce set of controls when accessing cloud apps. Microsoft Conditional Access is a brilliant offering from Microsoft that helps restricting and controlling access to SaaS applications based on rich set of conditions.

Moreover, Intune and configuration manager help managing and applying security policies to devices and mobile apps. This is sometimes called Management as a Service, and Intune provides unique device and application protection capabilities, so that corporate data are always protected on devices, and compliance rules can be enforced before granting access.

Azure Information Protection helps protecting the data itself by providing rich set of right management and encryption controls via labeling, encryption and document tracking capabilities. Azure AD Identity Protection from the other side helps mitigating risky authentications and can identify users at risks based on their authentication behavior.

Moreover, Microsoft Advanced threat Protection family of products like Azure Advanced Threat Protection, Windows Defender ATP and Office 365 ATP, help mitigating zero-day attacks and detecting lateral movements inside corporate networks.

As the new security trend is based on AI, machine learning and detecting anomalies, it is obvious that there is opportunity to apply the same thing to end user’s collaboration experience inside Office 365. A user can access Office 365 from a managed device, providing the correct credential, with no detected risk on his authentication session, but still his actions inside Office 365 from collaboration perspective can be considered suspicious. This can be in the form of mass file download from his OneDrive or sharing sensitive documents to eternal collaborators. This new type of collaboration-based behavior analysis is what Microsoft cloud app security can provide as one of its many services.

Furthermore, shadow IT is becoming a nightmare for IT admins, as end users are not afraid anymore to use third party unapproved SaaS applications, to help them get the work done. While detecting such applications is one challenge, having the ability to give a risk score for such applications is not an easy task. Microsoft provides the Cloud App Catalog as part of their cloud app security service, to help IT admin sanction or un-sanction cloud apps based on a risk score, where each app gets a risk score based on comprehensive set of check lists.

Finally, it is obvious that sometimes employees need to access third party cloud applications. So far, all what IT admins can do is ensure end users are accessing those applications from trusted networks, managed devices, or even by using strong authentication. But what about having visibility on what end users are doing after they are cleared for accessing that cloud app? What IT admins need is a broker that can sit between end users and the cloud app, and act as a guardian that can monitor what is happening during that session, and perhaps applying controls according to a predefined set of conditions. This is where Microsoft cloud app security offering can help in.

Microsoft Cloud App Security CAS 1


Microsoft Cloud App Security – CASB

Microsoft cloud app security is a cloud service from Microsoft, and a critical component of the Microsoft cloud security stack. It is licensed under the Enterprise Mobility and Security offering and requires E5 for almost of all its services. It provides a comprehensive solution to give organizations improved visibility into cloud activities, uncover shadow IT, assess risks, enforce polices, investigate suspicious activities and stop threats. By doing that, it gives organizations the comfort level of moving to the cloud, while maintaining control of critical data.

What is great about this offering is that no agent is required on end user’s devices, ensuring the discovery process of cloud app does not block end users from being productive. The key components of Microsoft cloud app security are:

  • Cloud Discovery & Shadow IT.
  • Sanctioned and unsanctioned apps & the Cloud App Catalog.
  • Conditional Access Session Control.
  • Policy Controls.

Microsoft Cloud App Security CAS 129

App connectors

Microsoft cloud app security uses app connectors, which are APIs from other cloud app providers, to do deep integration, threat protection, government actions and policy enforcement. When this happen, cloud app security can query the cloud app API for activity logs, and start scanning data, accounts, and cloud content.

Shadow IT & Cloud App Discovery

Employees nowadays are more familiar with technology than before. They are not afraid from discovering third party solutions to solve a problem they are facing at work. Moreover, IT teams are usually busy or slow when it comes to responding to end-user needs or customization. Even worse, security teams nowadays are programmed to say “NO” for almost everything, because they want to protect their network.

We usually find this happening more and more recently when employees need to share large files from people outside the organization, and since security teams are not helping, they will go and use Dropbox or the consumer OneDrive. This is known as Shadow IT, as unapproved applications are being used by end users to satisfy their needs without consulting with IT or security.

To better handle this situation, IT teams need to do two things, and to do them very well. First, they need to discover and get insight about the use of shadow IT inside their organization. Second, they need rank each application by giving it a risk score, to see if it is safe to use the application or not.

Microsoft cloud app security maintain a Cloud App Catalog that can help scoring cloud apps based on their risk level. Microsoft has a team of analysts who work on classifying over 15,000 cloud apps and give a rank or score for each app based on industry standards. For each of those cloud apps, Microsoft will give a risk score that can quickly give IT admins the information they need to approve or disapprove the use of this app in their environment.

How this work is straightforward. You need at least one EMS E5 license to start using the Cloud App Discovery feature of Microsoft Cloud App Security. Next, you install a connector on your network to collect internet logs from your firewalls and proxies. That connector will send the log data to Microsoft cloud app discovery service, which will then process the log files, and display for you a detailed dashboard.

Microsoft Cloud App Security CAS 2

Here is an example of how the Microsoft cloud app discovery processes the logs from on-premises firewalls and proxy, to display a dashboard showing what SaaS applications end users are using. The dashboard shows what SaaS applications each end user is using, number of files being downloaded and uploaded, and the size of files per user. This become handy if you are running an Office 365 adoption program, as you can identify users who are using box or Google Drive for external collaboration, and then asking them to use OneDrive for Business instead.

Microsoft Cloud App Security CAS 14

For each SaaS application discovered, Microsoft cloud app security will show a risk score based on set of rules, to help identifying the risk of using that app inside your organization. Here is a look of how this looks like when investigating Google spreadsheeta app:

Microsoft Cloud App Security CAS 29

You can also browse all apps inside the cloud app catalog, and filter by category or risk score.

Microsoft Cloud App Security CAS 15

Session Control

One of the great features of Microsoft cloud app security is the ability to act as a reverse proxy to inspect traffic going to other cloud apps. This feature is called Conditional Access App Control. By integrating with Azure Active Directory Conditional Access, cloud apps that uses Azure Active Directory for authentication, and in certain conditions defined by the IT admin, Microsoft Cloud App Security can place itself inline when accessing cloud apps. In this scenario, traffic from end users will be proxied through Microsoft cloud app security first, to inspect traffic and enforce certain rules and actions, before passing the traffic to the cloud app. This gives IT admin the capability of:

  • Avoid data leaks and blocking file downloads from the cloud app.
  • Possibly apply Azure Information Protection labels upon file downloads.
  • Control access from unmanaged devices and risky IPs.

If an organization is using the famous cloud app called Box, and single sign on using Azure AD is configured, then using Azure AD conditional access rules, IT admin can configure a rule that the session must be monitored by Microsoft cloud app security if end users are connected from un-managed devices. Then from the cloud app security admin portal, IT admins can restrict file downloads for any document that is labeled as Conditional by Azure Information Protection, or even apply an Azure Information Protection label for any downloaded content. Here is a great video showing how this works.

Office 365 rich insights

Since Microsoft operates Office 365, their cloud app security service can connect to Office 365, and give you comprehensive set of insights and policy enforcement engine. Office 365 is considered one of the most popular connected apps in Microsoft CAS, as it provides two-way flow of communications:

  • Office 365 to Microsoft Cloud App Security: logs are being sent through this channel.
  • Microsoft Cloud App Security to Office 365: Both information protection and threat protection happen here via a strong policy enforcement engine and behavior analytics.

Microsoft Cloud App Security CAS 3

Usually, you can view Office 365 logs from the Security and Compliance Center> Search & Investigation > Audit Log Search. While this gives the ability to see extensive raw information about every action happening across Office 365 services, they do not provide a logical grouping of activities that are related to each other and are displayed without a clear context.

On the other hand, if various log settings are enabled in Office 365 (mailbox auditing for example), then Microsoft Cloud App Security can connect to Office 365 logs and make more sense of that data. So, when you open the cloud app security admin portal, you can click on SharePoint Online, and you will land on an overview page showing some general information about SharePoint Online usage inside your organization.

Microsoft Cloud App Security CAS 4

You will also get an overview on the type of files inside SharePoint Online:

Microsoft Cloud App Security CAS 5

File Investigation

Imagine that you have full visibility on each file, folder and document inside SharePoint Online, whether it was uploaded to MS Teams, OneDrive for Business or to a communication site. File Investigation gives you insights on all files inside SharePoint Online as shown below. For each file, you can see a lot of information about it, including any collaborators on that file.  You can even filter by file owner, access level, file type and even a matched CAS policy. The interesting filter is the Access Level filter. By using the (Public) access level filter, a list of documents/folders that anyone on the internet can access will be returned.

Microsoft Cloud App Security CAS 30

For each file in the file instigation section, couple of actions are made available right away. View Hierarchy action shows the file structure for this document and all parent folders. This become handy when you see a document called (Budget.pdf), and you have no idea about the context of this document. Knowing that it is inside a folder called (Annual 2018) gives you more information about the context of this document.

Make Private and Remove a Collaborator gives you the ability to quickly restrict access to the document, by making it private so that only the owner can access it, or remove a specific collaborator. This is extremely important functionality when doing an investigation.

Microsoft Cloud App Security CAS 32

Notice that for each file, you can quickly see the owner of the file, number of collaborators, and any policies that are applied. Clicking the collaborators value will list for you who has access to this document.

Microsoft Cloud App Security CAS 11

What is really powerful is the ability to quickly remove external collaborators from any file, directly from the action sub-menu as shown below:

Microsoft Cloud App Security CAS 13

There are a lot more that can be done inside Microsoft cloud app security, like the ability to filter by Activity Type. You can easily filter by (CompanyLinkCreated) activity inside SharePoint Online, and see all the share links created across your SharePoint Online with “Inside Company” access level. For each link, you can dig deeper and see who created the link, from which device and IP, and even you can move context to he user who created the link and continue investigating the user himself.

Microsoft Cloud App Security CAS 28

 Exchange Online Insights

My favorite feature of Microsoft cloud app security is the ability to see all Exchange logs in one place. Same as File Investigation, you can easily filter Exchange logs by Activity Type. As attackers usually start by creating a mailbox forward inbox rule when compromising the identity of a user, you can filter by (New-InboxRule) and see who created a forward Inbox Rule.

Microsoft Cloud App Security CAS 21

Policy Control

Microsoft cloud app security can enforce policies based on user’s behavior. For example, IT admins can quickly identity suspicious behavior inside Office 365 if a user is doing mass download or connecting using tor browser. IT admins can quickly identify such suspicious activities to further investigate. There are a lot of default policy templates that are available right away, and they are classified according to a risk category as shown below.

Microsoft Cloud App Security CAS 17

You can also create your own policy from the Control section of Microsoft cloud app security, and you can pick one of many policy categories.

Microsoft Cloud App Security CAS 20

Here is an example of a suspicious activity from an anonymous proxy alert. We can see great details about this alert generated by John Smith, and quickly identify that his account is locked out due to logon failures.

Microsoft Cloud App Security CAS 25

We can even drill down and see from where this action actually happened, and by clicking on the Location, Microsoft cloud app security will send us to a Bing map showing the exact location of the IP who generated this suspicious activity.

Microsoft Cloud App Security CAS 26

Trust and Compliance

What is great about Microsoft cloud products is their commitment to achieve higher level of compliance. Microsoft cloud app security is certified for ISO, HIPPA, CSA STAR, EU model clauses and more.

Since privacy is a big issue, Microsoft cloud apps security does not store file content during content inspection, only the metadata of the file records are stored. Data retention is also communicated by Microsoft as per the following:

  • Activity logs: 180 days.
  • Discovery data: 80 days.
  • Alerts: 190 days.



Here is a video I published on my YouTube channel. It is about “How to secure your modern workplace with Microsoft Advanced Threat Protection”. Please subscribe to the channel to get updates on my new videos.

“I will introduce you to Microsoft 365’s threat protection services and demonstrate how Microsoft 365’s threat protection leverages strength of signal, integration, machine learning and AI to help secure the modern workplace from a advanced persistent threats or APT.”