Microsoft Defender for Cloud Apps topics Sun, 22 May 2022 20:53:48 GMT MicrosoftDefenderCloudApps 2022-05-22T20:53:48Z
Configure policy to block file downloads <P>Hi Team.</P><P>I have a requirement to block file downloads with a specific label for all Information Protection users.</P><P>I have a Microsoft Information Protection deployment with several labels. I need emails with a specific label to block file downloads in the Microsoft Outlook client.</P><P>I have performed the following configurations:</P><P>Policy in Conditional Access for Session - Use Conditional Access App Control.</P><P>In Microsoft Defender for Cloud Apps - create policy for session.</P><P>Test:</P><P>When I send an email with an attached file with a MIP label, the recipient opens the email in Outlook Web and is not permitted to download files (the policy works perfectly), but this policy is not working for the Outlook client.</P><P>Comments:</P><P>In MDCApps:</P><P>Apps scope - Office 365 (does not include Outlook client)</P><P>Users scope: only internal users.</P><P>Two questions:</P><P>How can I integrate the Outlook client in this policy?</P><P>How can I integrate external users in this policy?</P><P>Thanks,</P> Tue, 17 May 2022 16:56:08 GMT CarlosMorales 2022-05-17T16:56:08Z
Activity Log limited to 3 days <P>Since Azure support is currently taking over a week to respond to tickets, I am hoping someone here might have an insight on this matter. We have not made any explicit changes to our policies but at some point in the past week, we've lost the ability to see the full 30 days' worth of Activity Logs.
It is locked to just the past three days regardless of the filters that I set.</P><P>Has Microsoft changed something or is there some setting out there that controls this?</P> Mon, 16 May 2022 20:25:11 GMT Lintonen 2022-05-16T20:25:11Z
Test Impossible Travel Alert <P>Hello there</P><P>I am trying to test the Impossible Travel Alert in Microsoft Defender for Cloud Apps.</P><P>For that, I use NordVPN to log in from 2 different countries and to generate the Impossible Travel. Somehow, no Impossible Travel Alert is generated. I just get the alert "Risky sign-in: Anonymous IP address". Could it be that this is because I use NordVPN and that the Impossible Travel Alert gets suppressed by the Risky sign-in Alert?</P><P>Thanks for your help</P> Wed, 11 May 2022 09:34:14 GMT malvinportner 2022-05-11T09:34:14Z
How to stop an app from going through the reverse proxy? <P>I have 2 apps. Let's call them "SharePoint" and "Expense App". I want SharePoint access to go through the reverse proxy so I make an Azure AD conditional access policy, apply it to SharePoint sign-ins, and everything is working great. I can go to SharePoint and it is proxied and I can go straight to Expense App without the proxy and that works fine as well. However, when I click on a link in SharePoint to go to Expense App then it sends that through the proxy too and that breaks parts of Expense App. I found Expense App listed as "Connected" under "Conditional Access App Control apps" in the "Connected Apps" section of the Microsoft Defender for Cloud Apps portal. I tried removing it thinking that would solve the problem but it soon reappears.
I believe that is due to Expense App being configured for SSO in Azure AD and Defender for Cloud Apps automatically discovering it.<BR />Is there any way for me to get around this?</P> Wed, 04 May 2022 20:05:02 GMT j_r_beer 2022-05-04T20:05:02Z
Change Severity for a built-in anomaly detection policy <P>Hi guys</P><P>I tried to edit some built-in anomaly detection policies in Microsoft Defender for Cloud Apps, but I could not find a way to change the Severity for an individual policy.</P><P>Is there a way to do this?</P> Fri, 29 Apr 2022 09:32:42 GMT malvinportner 2022-04-29T09:32:42Z
Cloud App Security file policies governance actions failure <P>Hello guys</P><P>I was playing around with file policies and the governance actions for certain apps and I was trying out making files private and removing any external users but they all fail with the error "Failed to rescan file". I couldn't find any information on why this error occurs and how to fix it so I would appreciate any ideas on how to get it to work.</P><P>best regards</P> Thu, 28 Apr 2022 08:56:42 GMT thezero 2022-04-28T08:56:42Z
SAML App Integration with MDCA for CAAC - idp ADFS <P>Hi All,</P><P>We have a web application which is currently authenticated with ADFS and want to integrate it with MDCA for conditional access app control policy.</P><P>We are following the Microsoft docs below to integrate ADFS IdP apps but no luck, we are not getting any application activity on the MDCA portal.
We have added and onboarded the app to session monitoring.</P><P>The application is not registered/integrated with Azure AD.</P><P>We did the ADFS configuration as well as the application-side SAML SSO configuration changes.</P><P>If anyone has done this before, then suggest what we are missing in the configuration.</P><P>Thanks.</P> Sat, 23 Apr 2022 02:38:13 GMT Mdrafik-Shaikh 2022-04-23T02:38:13Z
Question on controlling WeTransfer download/upload <P>Hi Community,</P><P>Quick ask from customer:</P><P>Is it possible to block WeTransfer download but allow the upload only?</P><P>Thanks!</P> Wed, 20 Apr 2022 17:17:18 GMT SB V 2022-04-20T17:17:18Z
MCAS (or now Microsoft Defender for Cloud Apps) policy alerts syncing to Microsoft Sentinel <P>I have a couple of session policies (block downloads/block malware uploads) and one access policy (blocking access from unmanaged devices) set up in MCAS (or now Microsoft Defender for Cloud Apps).</P><P>An issue I have is that the policies ONLY forward alerts to Microsoft Sentinel when they are closed in MCAS. They are not 'raising' alerts for any other possible trigger.</P><P>The alerts syncing is switched on in MCAS (or Microsoft Defender for Cloud Apps) AND SecurityAlert logs appear in Sentinel.</P><P>Has anyone come across this where NOT all Alerts in MCAS are sent on to a SIEM such as Sentinel?</P><P>WHAT is the best practice to ensure alerts are triggered in an MCAS policy?
Is this primarily defined from rule definitions, alert thresholds, filter and governance actions, policy severity settings?</P><P>Thanks in advance</P> Tue, 19 Apr 2022 08:27:43 GMT JMSHW0420 2022-04-19T08:27:43Z
MDCA Connector in Sentinel does not produce incidents <P>Hello folks,</P><P>I have enabled the MDCA connector in Sentinel and while it has generated enough metrics (refer to screenshot), I am not seeing any incidents in Sentinel from this connector whereas I have an adequate amount of recent alerts in MDCA. Also, one unusual thing is that when I reconfigured the SIEM agent in MDCA, the option to add says 'Azure Sentinel' and not 'Microsoft Sentinel' (screenshot attached).</P><P>Please share your insights on this.</P><P>[Image: Yash_Mudaliar_0-1649509760540.png]</P><P>[Image: Yash_Mudaliar_1-1649510056094.png]</P> Sat, 09 Apr 2022 13:15:39 GMT Yash_Mudaliar 2022-04-09T13:15:39Z
Risky sign-in event: Anomalous Token <P>Hello,<BR />Could someone tell me what the Risky sign-in event refers to: Anomalous Token that is related to the address this IP corresponds to Microsoft Exchange Online but for some reason it is taken as an abnormal event, according to the validated events it is only communication to SharePoint, is there any type of new configuration generated that involves this IP?
And how could I delete this IP so that it does not generate events again?</P> Wed, 30 Mar 2022 19:00:38 GMT carlito_27 2022-03-30T19:00:38Z
Connecting Azure DevOps activity logs to Defender for Cloud Apps <P>The relationship between Azure DevOps( and Azure Active Directory and its conditional access policy is interesting if you have the DevOps portal connected to AAD.</P><P>CAP policy appears to apply to Azure DevOps if applied to the Azure Management Portal itself.</P><P>I am looking for a way to get log activity from Azure DevOps to Defender for Cloud Apps for analytics of suspicious insider behaviors (mass downloads, for example).</P><P>The normal connection methods don't quite seem to apply?<BR /><BR />Any help would be great.</P> Wed, 23 Mar 2022 22:34:53 GMT JesseDemaree 2022-03-23T22:34:53Z
Defender for Cloud Apps User Pseudonymization Disabled <P>Hello, everyone,</P><P>Is it possible to permanently display the entities (users) as names in the dashboard without pseudonymization?</P><P>Thanks in advance</P><P>Soufiane</P> Wed, 23 Mar 2022 18:38:15 GMT Soufiane_Barhmouni 2022-03-23T18:38:15Z
MCAS and ServiceNow causing False Positive Impossible Travel alerts <P>Hi All,</P><P>We integrated ServiceNow with Cloud App Security and we are experiencing a volume of impossible travel alerts.</P><P>How does this happen?</P><OL><LI><P>A user(XYZ) is in ServiceNow and is logged in from India.
This user(XYZ) is working on a ServiceNow ticket and updates the work notes on user(ABC) (who resides in Brazil).</P></LI><LI><P>An impossible travel alert is generated in MCAS for User(ABC) from Brazil with an impossible travel to India.</P></LI></OL><P>Is there any configuration that needs to be adjusted to reduce these false-positive alerts?</P> Mon, 21 Mar 2022 07:27:19 GMT Mazhar1675 2022-03-21T07:27:19Z
Can I block uploads to cloud apps? <P>Hi everyone,</P><P>Does anyone know if it is possible to block uploads to certain cloud apps using Defender for Cloud Apps?</P><P>For example, block uploads to OneDrive (personal) or Google Drive (personal) or Dropbox (personal).</P><P>I have seen before that the endpoint client was able to identify personal versions of cloud apps and then block HTTP(S)/HTML POST commands.</P><P>The reason for only blocking uploads could be that customers and/or partners use such services, so we would want to allow our staff to download things that are sent to them but not to upload anything.</P><P>Best regards</P> Fri, 18 Mar 2022 16:40:12 GMT RippieUK 2022-03-18T16:40:12Z
Microsoft Defender_ Distribution groups.
<P>Hello,</P><P>I want to ask something.</P><P>Can Microsoft Defender catch threats in emails forwarded from a distribution group?</P><P>Thank you for your answers.</P> Thu, 17 Mar 2022 11:36:56 GMT Panagiotis8020 2022-03-17T11:36:56Z
CloudAppSecurity: Application whitelisting <P>We have a custom-built EXE that is flagged as malicious in Defender for Cloud Apps, but isn’t. However, it’s blocked because CloudAppSecurity thinks it’s malicious. How do we fix this, so it’s recognized as not malicious?</P> Thu, 10 Mar 2022 08:55:16 GMT Kiran_Dasari 2022-03-10T08:55:16Z
Confusing Evidence <P>I have a Stale Externally shared files involving one user incident that shows User Activity (1), but when I look at the Users Activities tab in M365 Defender it says "No user activities found". Has anyone else seen this type of inconsistency? Is this a known bug?</P> Tue, 08 Mar 2022 13:36:03 GMT Dean Gross 2022-03-08T13:36:03Z
Not all web traffic showing in Defender for Cloud Apps <P>We are starting to use Defender for Cloud Apps using Defender for Endpoint for log upload.
We are not seeing all user traffic in Defender for Cloud Apps - for example if I go to - my PC is not being added to the list of people who went to</P><P>Any thoughts on where I can look for what is going wrong?</P> Fri, 04 Mar 2022 13:26:46 GMT xraider365 2022-03-04T13:26:46Z
inaccessible via MCAS <P>With a conditional access policy applied admins are unable to reach; it is redirected to and yields a blank white screen.</P><P>There is only 1 conditional access policy.</P><P>Its settings are:</P><P>All users (with 4 admins excluded).</P><P>All Cloud Apps.</P><P>3 Conditions selected</P><UL><LI>Device Platforms<UL><LI>Include Any Device, Exclude macOS and Linux</LI></UL></LI><LI>Locations<UL><LI>Any location</LI></UL></LI><LI>Access Controls<UL><LI>Grant Access, Require MFA</LI><LI>Require one of the selected controls</LI></UL></LI><LI>Session<UL><LI>Sign-in Frequency 7 days</LI><LI>Use Conditional Access App Control (Monitor Only). I have tried to REMOVE this setting but it comes back all by itself.</LI></UL></LI></UL> Wed, 02 Mar 2022 18:28:13 GMT ProgentCT 2022-03-02T18:28:13Z