Microsoft Defender for Cloud Apps topics
https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-cloud/bd-p/MicrosoftDefenderCloudApps
Sun, 22 May 2022 20:53:48 GMT

Configure policy for block download files
https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-cloud/configure-policy-for-block-download-files/m-p/3388398#M2019
Author: CarlosMorales
Date: Tue, 17 May 2022 16:56:08 GMT

Hi Team.

I have a requirement, for all Information Protection users, to block downloading files with a specific label.

I have a Microsoft Information Protection deployment with several labels. I need emails with a specific label to block downloading files using the Microsoft Outlook client.

I have performed the following configurations:
Policy in Conditional Access for Session - Use Conditional Access App Control.
In Microsoft Defender for Cloud Apps - create policy for session.

Test:
When I send an email with an attached file with a MIP label and the recipient opens the email in Outlook Web, downloading files is not permitted (the policy works perfectly), but this policy does not work for the Outlook client.

Comments:
In MDCApps:
Apps scope - Office 365 (does not include Outlook client)
Users scope: only internal users.

Two questions:
How can I integrate the Outlook client in this policy?
How can I integrate external users in this policy?

Thanks,

Activity Log limited to 3 days
https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-cloud/activity-log-limited-to-3-days/m-p/3382997#M2015
Author: Lintonen
Date: Mon, 16 May 2022 20:25:11 GMT

Since Azure support is currently taking over a week to respond to tickets, I am hoping someone here might have an insight on this matter. We have not made any explicit changes to our policies but at some point in the past week, we've lost the ability to see the full 30 days' worth of Activity Logs. It is locked to just the past three days regardless of the filters that I set.

Has Microsoft changed something or is there some setting out there that controls this?

Test Impossible Travel Alert
https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-cloud/test-impossible-travel-alert/m-p/3356365#M2011
Author: malvinportner
Date: Wed, 11 May 2022 09:34:14 GMT

Hello there

I am trying to test the Impossible Travel Alert in Microsoft Defender for Cloud Apps.
For that, I use NordVPN to log in from 2 different countries and to generate the Impossible Travel. Somehow, no Impossible Travel Alert is generated. I just get the alert "Risky sign-in: Anonymous IP address". Could it be that this is because I use NordVPN and that the Impossible Travel Alert gets suppressed by the Risky sign-in Alert?

Thanks for your help

How to stop an app from going through the reverse proxy?
https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-cloud/how-to-stop-an-app-from-going-through-the-reverse-proxy/m-p/3314099#M2010
Author: j_r_beer
Date: Wed, 04 May 2022 20:05:02 GMT

I have 2 apps. Let's call them "SharePoint" and "Expense App". I want SharePoint access to go through the reverse proxy so I make an Azure AD conditional access policy, apply it to SharePoint sign-ins, and everything is working great. I can go to SharePoint and it is proxied and I can go straight to Expense App without the proxy and that works fine as well. However, when I click on a link in SharePoint to go to Expense App then it sends that through the proxy too and that breaks parts of Expense App. I found Expense App listed as "Connected" under "Conditional Access App Control apps" in the "Connected Apps" section of the Microsoft Defender for Cloud Apps portal. I tried removing it thinking that would solve the problem but it soon reappears. I believe that is due to Expense App being configured for SSO in Azure AD and Defender for Cloud Apps automatically discovering it.
Is there any way for me to get around this?

Change Severity for a built-in anomaly detection policy
https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-cloud/change-severity-for-a-built-in-anomaly-detection-policy/m-p/3298581#M2009
Author: malvinportner
Date: Fri, 29 Apr 2022 09:32:42 GMT

Hi guys

I tried to edit some built-in anomaly detection policies in Microsoft Defender for Cloud Apps, but I could not find a way to change the Severity for an individual policy.

Is there a way to do this?

Cloud App Security files policies governance actions failure
https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-cloud/cloud-app-security-files-policies-governance-actions-failure/m-p/3297449#M2008
Author: thezero
Date: Thu, 28 Apr 2022 08:56:42 GMT

Hello guys

I was playing around with files policies and the governance actions for certain apps and I was trying out making files private and removing any external users but they all fail with the error "Failed to rescan file". I couldn't find any information on why this error occurs and how to fix it so I would appreciate any ideas on how to get it to work.

best regards

SAML App Integration with MDCA for CAAC - idp ADFS
https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-cloud/saml-app-integration-with-mdca-for-caac-idp-adfs/m-p/3292809#M2005
Author: Mdrafik-Shaikh
Date: Sat, 23 Apr 2022 02:38:13 GMT

Hi All,
We have a web application which is currently authenticated with ADFS and want to integrate it with MDCA for conditional access app control policy.
We are following the Microsoft docs below to integrate ADFS IdP apps but no luck, we are not getting any application activity on the MDCA portal. We have added and onboarded the app to session monitoring.
The application is not registered/integrated with Azure AD.

We did the ADFS configuration as well as the application-side SAML SSO configuration changes.
https://docs.microsoft.com/en-us/defender-cloud-apps/proxy-idp-adfs

If anyone has done this before, then suggest what we are missing in the configuration.

Thanks.

Question on controlling WeTransfer download/upload
https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-cloud/question-on-controlling-wetransfer-download-upload/m-p/3290482#M2003
Author: SB V
Date: Wed, 20 Apr 2022 17:17:18 GMT

Hi Community,

Quick ask from customer:

Is it possible to block WeTransfer download but allow the upload only?

Thanks!

MCAS (or now Microsoft Defender for Cloud Apps) policy alerts syncing to Microsoft Sentinel
https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-cloud/mcas-or-now-microsoft-defender-for-cloud-apps-policy-alerts/m-p/3288997#M2001
Author: JMSHW0420
Date: Tue, 19 Apr 2022 08:27:43 GMT

I have a couple of session policies (block downloads/block malware uploads) and one access policy (blocking access from unmanaged devices) set up in MCAS (or now Microsoft Defender for Cloud Apps).

An issue I have is that the policies ONLY forward alerts to Microsoft Sentinel when they are closed in MCAS. They are not 'raising' alerts for any other possible trigger.

The alerts syncing is switched on in MCAS (or Microsoft Defender for Cloud Apps) AND SecurityAlert logs appear in Sentinel.

Has anyone come across this where NOT all Alerts in MCAS are sent on to a SIEM such as Sentinel?

WHAT is the best practice to ensure alerts are triggered in an MCAS policy? Is this primarily defined from rule definitions, alert thresholds, filter and governance actions, policy severity settings?

Thanks in advance

MDCA Connector in Sentinel does not produce incidents
https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-cloud/mdca-connector-in-sentinel-does-not-produce-incidents/m-p/3280704#M1992
Author: Yash_Mudaliar
Date: Sat, 09 Apr 2022 13:15:39 GMT

Hello folks,

I have enabled the MDCA connector in Sentinel and while it has generated enough metrics (refer to screenshot), I am not seeing any incidents in Sentinel from this connector whereas I have an adequate amount of recent alerts in MDCA. Also, one unusual thing is that when I reconfigured the SIEM agent in MDCA, the option to add says 'Azure Sentinel' and not 'Microsoft Sentinel' (screenshot attached).
Please share your insights on this.
[Image: Yash_Mudaliar_0-1649509760540.png]
[Image: Yash_Mudaliar_1-1649510056094.png]

Risky sign-in event: Anomalous Token
https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-cloud/risky-sign-in-event-anomalous-token/m-p/3271886#M1991
Author: carlito_27
Date: Wed, 30 Mar 2022 19:00:38 GMT

Hello,
Could someone tell me what the Risky sign-in event: Anomalous Token refers to, which is related to the address 52.97.13.101? This IP corresponds to Microsoft Exchange Online, but for some reason it is taken as an abnormal event. According to the validated events it is only communication to SharePoint. Is there any type of new configuration generated that involves this IP? And how could I delete this IP so that it does not generate events again?

Connecting Azure DevOps activity logs to Defender for Cloud Apps
https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-cloud/connecting-azure-devops-activity-logs-to-defender-for-cloud-apps/m-p/3265285#M1986
Author: JesseDemaree
Date: Wed, 23 Mar 2022 22:34:53 GMT

The relationship between Azure DevOps (dev.azure.com) and Azure Active Directory and its conditional access policy is interesting if you have the DevOps portal connected to AAD.

CAP policy appears to apply to Azure DevOps if applied to the Azure Management Portal itself.

I am looking for a way to get log activity from Azure DevOps to Defender for Cloud Apps for analytics of suspicious insider behaviors (mass downloads, for example).

The normal connection methods don't quite seem to apply?

Any help would be great.

Defender for Cloud Apps User Pseudoanonymization Disabled
https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-cloud/defender-for-cloud-apps-user-pseudoanonymization-disabled/m-p/3265091#M1984
Author: Soufiane_Barhmouni
Date: Wed, 23 Mar 2022 18:38:15 GMT

Hello, everyone,
Is it possible to permanently display the entities (users) as names in the dashboard without pseudonymization?

Thanks in advance
Soufiane

MCAS and ServiceNow causing False Positive Impossible Travel alerts
https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-cloud/mcas-and-servicenow-causing-false-positive-impossible-travel/m-p/3262341#M1983
Author: Mazhar1675
Date: Mon, 21 Mar 2022 07:27:19 GMT

Hi All,
We integrated ServiceNow with Cloud App Security and we are experiencing a volume of impossible travel alerts.
How does this happen?
1. A user (XYZ) is in ServiceNow and is logged in from India. This user (XYZ) is working on a ServiceNow ticket and updates the work notes on user (ABC) (who resides in Brazil).
2. An impossible travel alert is generated in MCAS for user (ABC) from Brazil with an impossible travel to India.
Is there any configuration that needs to be adjusted to reduce these false-positive alerts?

Can i block uploads to cloud apps?
https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-cloud/can-i-block-uploads-to-cloud-apps/m-p/3261252#M1980
Author: RippieUK
Date: Fri, 18 Mar 2022 16:40:12 GMT

Hi everyone,

Does anyone know if it is possible to block uploads to certain cloud apps using Defender for Cloud Apps?

For example, block uploads to OneDrive (personal) or Google Drive (personal) or Dropbox (personal).

I have seen before that the endpoint client was able to identify personal versions of cloud apps and then block HTTP(S)/HTML POST commands.

The reason for only blocking uploads could be that customers and/or partners use such services, so we would want to allow our staff to download things that are sent to them but not to upload anything.

Best regards

Microsoft Defender_ Distribution groups.
https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-cloud/microsoft-defender-distribution-groups/m-p/3259884#M1979
Author: Panagiotis8020
Date: Thu, 17 Mar 2022 11:36:56 GMT

Hello,

I want to ask something.
Can Microsoft Defender catch threats in emails forwarded from a distribution group?

Thank you for your answers.

CloudAppSecurity: Application whitelisting
https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-cloud/cloudappsecrity-application-whitelisting/m-p/3253339#M1975
Author: Kiran_Dasari
Date: Thu, 10 Mar 2022 08:55:16 GMT

We have a custom-built EXE that is flagged as malicious in Defender for Cloud Apps, but isn't. However, it's blocked because CloudAppSecurity thinks it's malicious. How do we fix this, so it's recognized as not malicious?

Confusing Evidence
https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-cloud/confusing-evidence/m-p/3250209#M1974
Author: Dean Gross
Date: Tue, 08 Mar 2022 13:36:03 GMT

I have a "Stale Externally shared files involving one user" incident that shows User Activity (1), but when I look at the Users Activities tab in M365 Defender it says "No user activities found". Has anyone else seen this type of inconsistency? Is this a known bug?

Not all web traffic showing in Defender for Cloud Apps
https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-cloud/not-all-web-traffic-showing-in-defender-for-cloud-apps/m-p/3247439#M1969
Author: xraider365
Date: Fri, 04 Mar 2022 13:26:46 GMT

We are starting to use Defender for Cloud Apps using Defender for Endpoint for log upload. We are not seeing all user traffic in Defender for Cloud Apps - for example if I go to etsy.com - my PC is not being added to the list of people who went to Etsy.com.

Any thoughts on where I can look for what is going wrong?

admin.microsoft.com inaccessible via MCAS
https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-cloud/admin-microsoft-com-inaccessible-via-mcas/m-p/3242674#M1967
Author: ProgentCT
Date: Wed, 02 Mar 2022 18:28:13 GMT

With a conditional access policy applied, admins are unable to reach admin.microsoft.com. It is redirected to https://admin.microsoft.com.mcas.ms and yields a blank white screen.
There is only 1 conditional access policy.
Its settings are:
All users (with 4 admins excluded).
All Cloud Apps.
3 Conditions selected
- Device Platforms
  - Include Any Device, Exclude macOS and Linux
- Locations
  - Any location
- Access Controls
  - Grant Access, Require MFA
  - Require one of the selected controls
- Session
  - Sign-in Frequency 7 days
  - Use Conditional Access App Control (Monitor Only). I have tried to REMOVE this setting but it comes back all by itself.