Using Microsoft Defender for Cloud Apps to Protect Microsoft 365 Content

Posted on by Tony Redmond

Automation Through Policy Ensures Protection is Applied

Microsoft Cloud App Security (MCAS – now renamed Microsoft Defender for Cloud Apps) is a cloud access security broker (CASB) that can ingest and act upon Office 365 audit information. The current set of supported apps include:

  • SharePoint Online.
  • OneDrive for Business.
  • Exchange Online.
  • Teams.
  • Dynamics 365.

MCAS is designed to give administrators insight into security-related events for a tenant. Given the number of events that even a small Office 365 tenant can generate, automation through policies that act when specific criteria are matched is the best way to manage common conditions. For example, what action should happen when someone shares a file outside the tenant or creates a new document in a confidential site.

If Azure Information Protection is integrated with MCAS, MCAS retrieves the list of available labels from Azure (or Office 365 sensitivity labels if you use them) in the tenant hourly and adding a protection label to Office documents and PDF files is a supported action. Using this capability means that you can automatically apply protection to files matching policy criteria as users interact with them in Office 365. On the basis that it should not override a decision made by a user, MCAS only applies a label if protection doesn’t already exist on a file.

Depends on Office 365 Audit Events

MCAS protection isn’t applied immediately files are added to Office 365. Instead, as MCAS ingests events from the Office 365 audit log, it looks for events (like document creation or modification) matching the criteria set in its policies and applies labels as necessary. The elapsed time between something happening in Office 365 and a response occurring in MCAS depends on the ingestion of audit events from Office 365 and the processing of those events in MCAS queues. Depending on the load on the service, the exact time will vary. For example, it might take between ten and twenty minutes before MCAS applies a label to a new file created in a SharePoint document library.

Viewing Protected Files

The actions taken by MCAS to label files are visible in the Investigate section of its dashboard. In Figure 1 you can see the label icon alongside many file names together with an exclamation icon to show that the file was processed by a policy. If you find that an important file hasn’t been protected, you can add the protection from the MCAS dashboard by selecting Apply classification label from the […] menu.

Viewing protected files in the MCAS dashboard
Figure 1: Viewing protected files in the MCAS dashboard

At the top of the MCAS dashboard, you can see filters to build queries to identify activity for specific applications, users, data ranges, and so on.

Extra Cost for Extra Value

It’s unusual to find valuable capabilities offered for free in the cloud and MCAS is no different. You need to license MCAS before it will ingest information from Office 365 and you need to license Azure Information Protection before you can connect labels (even if they are managed in the Office 365 Security and Compliance Center) to MCAS. However, the cost of licensing MCAS might be insignificant for organizations who need the assurance that highly confidential information is protected. We can assume that users will remember to apply sensitivity labels to their documents, but computers are much more reliable when it comes to mundane tasks like labeling. If you’re concerned about securing Office 365 content, especially Office documents and PDFs stored in SharePoint Online and OneDrive for Business, the combination of Office 365 Sensitivity Labels and MCAS is hard to ignore.

Need to know more about how rights management works in Azure Information Protection and Office 365 Sensitivity Labels? Look no further than Chapter 24 of the Office 365 for IT Pros eBook.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.