Microsoft Secure Score Series – 08 – Use Cloud App Security to detect anomalous behavior

In this series, I’ll be covering the Microsoft Secure Score improvement actions. Although Microsoft does a great job at telling you what to do, some actions have a much bigger impact than others and need to be balanced against business needs. Some actions might not even have value for your organization. In the end, Microsoft Secure Score is meant to strengthen your security; it is not a contest to reach the highest score possible. In this series, I’ll pick out random actions and try to make them as simple as possible, backed with notes from the field.

Articles in this series can be read separately since they are written in random order. The articles vary in impact and complexity and cover multiple categories. Here is a list of all the articles in this series:

01 – What is Microsoft Secure Score?

02 – Require MFA for administrative roles

03 – Enable Password Hash Sync if hybrid

04 – Ensure all users can complete multi-factor authentication for secure access

05 – Enable self-service password reset

06 – Enable policy to block legacy authentication

07 – Turn on sign-in risk policy

08 – Use Cloud App Security to detect anomalous behavior

09 – Do not allow users to grant consent to unmanaged applications

10 – Discover trends in shadow IT application usage

11 – Turn on user risk policy

12 – Turn on customer lockbox feature

13 – Set automated notifications for new and trending cloud applications in your organization

14 – Designate more than one global admin

(Placeholder) 15 – Secure Score and Graph API


Use Cloud App Security to detect anomalous behavior

Cloud App Security anomaly detection policies provide User & Entity Behavior analytics (UEBA) and advanced threat detection across your cloud environment.


Today we take a look at Cloud App Security. I recently wrote a blog about the new activity policies in Cloud App Security, so if your organization uses Teams, you should definitely take a look at that one.

The improvement action we’re talking about has no user impact and might not increase your score right away. But if you do own Microsoft Cloud App Security licenses and have never seen the portal before, this is a good moment to get started.

What is Microsoft Cloud App Security?

As stated in the Microsoft docs, Microsoft Cloud App Security is a Cloud Access Security Broker that supports various deployment modes including log collection, API connectors, and reverse proxy. It provides rich visibility, control over data travel, and sophisticated analytics to identify and combat cyber threats across all your Microsoft and third-party cloud services.

Microsoft Cloud App Security natively integrates with leading Microsoft solutions and is designed with security professionals in mind. It provides simple deployment, centralized management, and innovative automation capabilities.

Most of the people I talk to refer to MCAS as “the tool to discover Shadow IT”. And that is true! But MCAS is so much more. To give you an idea of what’s possible, with Microsoft Cloud App Security you can:

  • Enforce access and session controls on your organization’s apps based on any condition in Conditional Access
  • Detect if your users’ credentials are leaked
  • Detect unusual file deletion activity
  • Detect suspicious inbox forwarding
  • Control access and sessions from bring-your-own devices
  • Ingest 3rd party firewall logs

How to get there?

There are a couple of ways to access your Cloud App Security portal. You can go to https://security.microsoft.com and look for the More resources button; there you’ll see the button to access your portal. Or use https://aka.ms/mcasportal or https://portal.cloudappsecurity.com/ directly.

Take note of the URL of the MCAS portal and save it to your bookmarks for later use.

If MCAS has not been used before, you might have to do some additional setup. To start, you have to connect your apps.

  1. From the settings cog, select App connectors.
  2. Click the plus sign to add an app and select an app.
  3. Follow the configuration steps to connect the app.

When you log in, you’ll land on the Dashboard page. Here you have a brief overview of all your alerts.

In the left panel, head over to the Alerts section. Here you’ll find all the alerts. You can apply filters on severity, category, and app, for example.
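The same severity, status and app filtering you apply in the Alerts page can be driven from a script, which is handy once the portal is bookmarked and you want a daily triage list. The example below is added here and is not code from the blog post or from Microsoft; it assumes the Cloud App Security REST API shape (POST to `/api/v1/alerts/` on your tenant’s portal URL, an `Authorization: Token <api token>` header, numeric severity codes 0 = low, 1 = medium, 2 = high, and `resolutionStatus` 0 = open) and uses constructed sample alert records whose field names are also assumptions, so check them against the API reference for your tenant before relying on them.

```python
"""Pull open Microsoft Cloud App Security (MCAS) alerts by severity and triage them.

Added example, not from the blog post. Assumed API details (verify for your tenant):
  POST https://<tenant>.<region>.portal.cloudappsecurity.com/api/v1/alerts/
  header 'Authorization: Token <api token>', JSON body with "filters",
  severity codes 0=low, 1=medium, 2=high, resolutionStatus 0=open.
"""
import json
import urllib.request
from collections import Counter

SEVERITY = {"low": 0, "medium": 1, "high": 2}  # assumed numeric severity codes
OPEN = 0                                        # assumed resolutionStatus for open alerts


def build_alert_filter(min_severity="medium", app_ids=None, limit=100):
    """Build the request body for the alerts endpoint: open alerts at or above
    min_severity, optionally restricted to the given app (service) ids."""
    threshold = SEVERITY[min_severity]
    wanted = sorted(code for code in SEVERITY.values() if code >= threshold)
    filters = {
        "severity": {"eq": wanted},
        "resolutionStatus": {"eq": [OPEN]},
    }
    if app_ids:
        filters["service"] = {"eq": list(app_ids)}
    return {"filters": filters, "skip": 0, "limit": limit}


def fetch_alerts(portal_url, api_token, body):
    """POST the filter to the portal and return the alert records.
    Network call, not exercised offline; portal_url is your tenant's portal
    base URL as shown in the browser after login."""
    req = urllib.request.Request(
        f"{portal_url.rstrip('/')}/api/v1/alerts/",
        data=json.dumps(body).encode(),
        headers={"Authorization": f"Token {api_token}",
                 "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp).get("data", [])


def triage(alerts):
    """Count alerts per severity name and per category so the noisiest risk
    category stands out. Returns (severity_counts, category_counts)."""
    name_of = {code: name for name, code in SEVERITY.items()}
    sev = Counter(name_of.get(a.get("severityValue"), "unknown") for a in alerts)
    cat = Counter(a.get("category", "unknown") for a in alerts)
    return sev, cat


# Constructed sample records; field names are assumptions about the API response.
SAMPLE_ALERTS = [
    {"_id": "a1", "title": "Suspicious inbox forwarding", "severityValue": 2,
     "category": "Exfiltration", "resolutionStatus": 0},
    {"_id": "a2", "title": "Unusual file deletion activity", "severityValue": 1,
     "category": "Impact", "resolutionStatus": 0},
    {"_id": "a3", "title": "Unusual file deletion activity", "severityValue": 1,
     "category": "Impact", "resolutionStatus": 0},
    {"_id": "a4", "title": "Leaked credentials", "severityValue": 2,
     "category": "Credential access", "resolutionStatus": 0},
]

if __name__ == "__main__":
    # Offline demo: show the request body, then triage the constructed sample.
    print(json.dumps(build_alert_filter("medium", app_ids=[12345]), indent=2))
    severity_counts, category_counts = triage(SAMPLE_ALERTS)
    print(dict(severity_counts), dict(category_counts))
```

To run it against a real tenant, replace `SAMPLE_ALERTS` with `fetch_alerts(portal_url, api_token, build_alert_filter("medium"))`, keeping the API token out of source control. The app id `12345` in the demo is a placeholder, not a real MCAS service id.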

Get started today!

If you have the licenses to use Microsoft Cloud App Security, don’t hesitate and start today! MCAS can give you great insight into your users’ activities. Try to create your first policy based on a template to get started.

  1. Go to Control > Templates.
  2. Select a policy template from the list, and then choose (+) Create policy.
  3. Customize the policy (select filters, actions, and other settings), and then choose Create.
  4. On the Policies tab, choose the policy to see the relevant matches (activities, files, alerts).

Tip: To cover all your cloud environment security scenarios, create a policy for each risk category.

Wrap things up

To see if you are eligible to use MCAS, please take a look at the Licensing Datasheet. If you don’t have access to Microsoft Cloud App Security, please take a look at this blog I wrote earlier to give you an idea of what is possible.

For now, stay safe!
