Dec 17 2019 05:49 AM
I've reviewed the documentation @ https://docs.microsoft.com/en-us/cloud-app-security/governance-discovery in relation to blocking unsanctioned apps - specifically using MDATP on Win10 endpoints.
The documentation doesn't mention anything about governance when using MDATP - Is the functionality similar to the integration with Zscaler and iBoss, where once an app is tagged as unsanctioned it is blocked on the endpoint for all users?
Is there any way to provide greater granularity to the process - ie allow an app for some users and not for others or is it a binary choice for the entire organisation?
Dec 18 2019 02:03 AM
Dec 18 2019 11:48 AM
@PJR_CDF when you create a Policy in MCAS, you can apply a Filter so that the scope of the policy is limited to a Group of users
Dec 19 2019 12:09 AM - edited Dec 19 2019 12:12 AM
Thanks @Dean Gross
I can see how you can scope/filter some policy types to specific users and groups, but the exact scenario I am looking for as an example is, say I have a group of users I want to allow access to Jira for and block for all other users.
If I tag Jira as an unsanctioned app in the Cloud app catalog, I assume this blocks it for all users.
How can I create a policy to block for all users except a specific group?
If I search the cloud app catalog for Atlassian Jira and choose "create policy from search" to scope the policy to Jira specifically, the criteria you can choose from to build your filter within the policy don't include the ability to add user or group scoping filters, as shown in the attached screen grab.
I can't see that scoping sanctioned and unsanctioned apps per user/group is possible in this manner.
If I create an access control policy I can scope the policy to specific users but the apps I can choose from are only the apps I have onboarded to Azure AD, not the entire list of apps from the cloud app catalog.
Dec 19 2019 10:35 AM
Dec 20 2019 02:20 AM
Hi @Dean Gross
Once an app has been onboarded/registered in Azure AD I could use a Conditional Access App Control policy to control access but I guess that would only work if the user was attempting to login to the app using their Azure AD credentials?
I think the sanctioned/unsanctioned function of MCAS is more applicable in scenarios where the decision of whether an app is allowed is more black and white, whereas the scenarios I am imagining are the ones that are more grey, with some users needing access and others not (i.e. Twitter accessible just for users in Marketing and not visible or accessible in any way for other users). These perhaps also stray a little into more traditional firewall / access control / web filter type solutions as well.
Thanks for taking the time with your suggestions
Dec 20 2019 12:52 PM
Dec 22 2019 10:38 AM
Dec 22 2019 10:43 AM
The feature for blocking MCAS unsanctioned apps by leveraging MDATP is now in public preview and can be easily enabled in your tenants. In the following docs link, you'll find more details about it. Please contact me directly with any question you might have.
Regarding scope of control, currently an app will be blocked globally; down the road we will be adding more granular controls to create more focused blocking policies.
Jan 02 2020 01:49 PM
You said "down the road we will be adding more granular controls". Is there a public roadmap for this feature? I do not see anything in the Microsoft 365 Roadmap outside of the existing unsanctioned app filtering. Any information would be appreciated.
Jan 07 2020 05:07 AM
Hi @Bill Brennan,
This feature is included in our Q1CY20 roadmap which was not yet published.
I will be able to provide more details on timelines soon.
Dec 07 2020 01:59 PM
@KrisDeb I was just curious how you were successful in getting it working with more granular control of the 'Unsanctioned App'? It would be nice to have an 'Exclude' from the Unsanctioned App so certain end users can still use the app. If not, in what other ways is this possible?
Jan 22 2021 07:34 AM
@Danny Kadyshevitch - Are there any updates in regards to the granularity for excluding users or devices from Unsanctioned apps so some users would still be able to access the app and still be blocked for all other users?
Jan 24 2021 12:11 AM
We are planning to add device group based exclusion/inclusion in 2021 H1 CY.
User group based exclusion is planned as well, no ETA currently.
Jan 24 2021 08:48 AM
@Boris_Kacevich Many thanks for the update. If we would at least have the possibility to add a device to multiple device groups in MDATP, that would have solved this exclusion/inclusion problem. Is this something that's on the road map as well, to be able to add a device to more than one single group in MDATP?
Jan 25 2021 04:13 AM
As we rely on the MDE (Microsoft Defender for Endpoints - previously MDATP) capabilities and to have better visibility for this request, I suggest raising this request with the MDE team.
Jan 25 2021 09:27 PM
@PJR_CDF You can register the Indicator to allow the URL with a specific device group.
Jan 26 2021 12:58 AM
@shoando - That would not be a solution for us due to the limitation that a device can be a member of only one device group. We are also using MDATP web content filtering, and we have the web content filtering policies deployed to several device groups for granularity. So you can imagine that if a user has a device in a group where a web content filtering policy is applied that, for example, blocks all categories but allows access to web mail, and the same user wants access to an unsanctioned app (that's blocked via an indicator on all devices), we cannot achieve this: if we create an allow indicator for that unsanctioned app and apply it to the group of devices that permits web mail access via web content filtering, that would give access to the unsanctioned app to all devices in that group. And since a device can be a member of only one group, we cannot do this.
And this example is just for one user. Imagine when you have 300 users that each want to access 30-40 different unsanctioned apps :). Hope the above makes sense.
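The over-grant problem described in the post above, as an added Python model (not code from the thread or from Microsoft): devices sit in exactly one device group, a global block indicator covers the unsanctioned app, and an allow indicator scoped to a device group is used to "exclude" one user. The helper reports which devices gain access without being intended to. The conflict-resolution order (a group-scoped allow overriding a global block) and the hostname are constructed assumptions for the illustration.

```python
"""Model of the one-device-group-per-device limitation and indicator over-grant.

Constructed example, not Microsoft code. Assumptions: an indicator with an
empty group set applies to every device; a group-scoped Allow indicator
overrides a global Block for devices in that group.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Indicator:
    url: str
    action: str                       # "Block" or "Allow"
    groups: frozenset = frozenset()   # empty = applies to all device groups


@dataclass(frozen=True)
class Device:
    name: str
    owner: str
    group: str                        # a device belongs to exactly one group


def effective_action(device: Device, url: str, indicators: list) -> str:
    """Resolve the indicators that apply to this device for the given URL."""
    matching = [i for i in indicators
                if i.url == url and (not i.groups or device.group in i.groups)]
    if any(i.action == "Allow" and i.groups for i in matching):
        return "Allow"                # scoped allow wins (assumed ordering)
    if any(i.action == "Block" for i in matching):
        return "Block"
    return "Allow"                    # no indicator addresses this URL


def overgranted_devices(devices: list, url: str, indicators: list,
                        intended_users: set) -> list:
    """Devices allowed to reach `url` whose owner was not meant to be excluded."""
    return sorted(d.name for d in devices
                  if effective_action(d, url, indicators) == "Allow"
                  and d.owner not in intended_users)


# Constructed inventory: alice and bob share the web-mail-allowed group.
DEVICES = [Device("WS-01", "alice", "webmail-allowed"),
           Device("WS-02", "bob", "webmail-allowed"),
           Device("WS-03", "carol", "default")]
JIRA = "jira.example.invalid"         # placeholder hostname for the unsanctioned app
INDICATORS = [Indicator(JIRA, "Block"),                                  # global block
              Indicator(JIRA, "Allow", frozenset({"webmail-allowed"}))]  # "exclude" alice
```

Running `overgranted_devices(DEVICES, JIRA, INDICATORS, {"alice"})` lists bob's device: the allow indicator meant for one user reaches every device in the shared group, which is exactly the limitation the post complains about.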