Transcription
Microsoft Cloud Security for EnterpriseArchitectsMicrosoft and customer security responsibilitiesSecurity in the cloud is a partnershipThe security of your Microsoft cloud services is a partnership betweenyou and Microsoft.MicrosoftYouMicrosoft cloud services arebuilt on a foundation of trustand security. Microsoft providesyou security controls andcapabilities to help you protectyour data and applications.You own your data and identitiesand the responsibility forprotecting them, the security ofyour on-premises resources, andthe security of cloud componentsyou control (varies by service type).Microsoft’s Trusted Cloud principlesSecuritySafeguarding your data with state-of-the-arttechnology, processes, and encryption is our priority.Privacy &ControlPrivacy by design with a commitment to use customers’information only to deliver services and not foradvertisements.ComplianceThe largest portfolio of compliance standards andcertifications in the industry.TransparencyWe explain what we do with your data, and how it issecured and managed, in clear, plain language.The responsibilities and controls for the security of applications and networks vary by the service type.SaaSPaaSIaaSMicrosoft operates and securesthe infrastructure, host operatingsystem, and application layers.Data is secured at datacentersand in transit between Microsoftand the customer.Microsoft operates and secures theinfrastructure and host operatingsystem layers.Microsoft operates and securesthe base infrastructure andhost operating system layers.You control access and secure yourdata, identities, and applications,including applying any infrastructurecontrols available from the cloudservice.You control access and securedata, identities, applications,virtualized operating systems,and any infrastructure controlsavailable from the cloudservice.Software as a ServicePlatform as a ServiceYou control access and secureyour data and identities, includingconfiguring the set of applicationcontrols available in the cloudservice.You control all application code andconfiguration, including sample codeprovided by Microsoft or other sources.Keys to successEnterprise organizations benefit from taking a methodical approach to cloudsecurity. This involves investing in core capabilities within the organizationthat lead to secure environments.Governance &Security PolicyIdentity Systems andIdentity ManagementMicrosoft recommends developingpolicies for how to evaluate, adopt, anduse cloud services to minimize creationof inconsistencies and vulnerabilitiesthat attackers can exploit.Identity services provide thefoundation of security systems. Mostenterprise organizations use existingidentities for cloud services, and theseidentity systems need to be secured ator above the level of cloud services.Ensure governance and securitypolicies are updated for cloud servicesand implemented across theorganization: Identity policies Data policies Compliance policies anddocumentationAdministrative PrivilegeManagementYour IT administrators have controlover the cloud services and identitymanagement services. Consistentaccess control policies are adependency for cloud security.Privileged accounts, credentials, andworkstations where the accounts areused must be protected andmonitored.February 2022Infrastructure as a ServiceThreat AwarenessOrganizations face a variety of securitythreats with varying motivations.Evaluate the threats that apply to yourorganization and put them into contextby leveraging resources like threatintelligence and Information Sharingand Analysis Centers (ISACs).Your responsibility for security is based on the type of cloud service. Thefollowing chart summarizes the balance of responsibility for bothMicrosoft and the customer.ResponsibilityPaaSIaaSOn-premData governance &rights managementClient endpointsAccount & accessmanagementIdentity & directoryinfrastructureApplicationNetwork controlsOperating systemData ProtectionPhysical hostsYou own your data and control how itshould be used, shared, updated, andpublished.Physical networkYou should classify your sensitive dataand ensure it is protected andmonitored with appropriate accesscontrol policies wherever it is storedand while it is in transit.SaaSPhysical datacenterMicrosoft 2022 Microsoft Corporation. All rights reserved. To send feedback about this documentation, please write to us at CloudAdopt@microsoft.com.Customer
Microsoft Cloud Security for EnterpriseArchitectsOverviewSafeguard your SaaS, PaaS, and IaaS services and data from Microsoft orother vendors with a comprehensive set of cloud security services.Best togetherLeverages cross-product design and integration.Built-inIncluded in Microsoft 365, Windows 11 or 10, Edge, and Azure.AI-poweredMicrosoft analyzes trillions of security signals a day and responds to new threats.Transparent to usersMost security functions are behind the scenes so your workers can focus on getting things done.ExtensibleIncludes support for third-party cloud services, cloud and on-premises apps, and security products.Microsoft security pillarsIdentity and device accessThreat protectionInformation protectionCloud app protectionEnsure that your users, their devices, andthe apps they are using are identified,authenticated, and restricted accordingto policies you create.Stop attacks across your entireorganization with AI that stitchessignals together and tells youwhat’s most important, allowingyou to respond swiftly.Discover, classify, and protectsensitive information whereverit lives or travels and ensurecompliance with regulatoryrequirements.Install, monitor, protect, anddetect when applications inyour subscription are threatsto your resources.LicensingMicrosoft 365Enterprise MobilitySecurity (EMS)E3E5E3E5aaaaaaaaaaaaaaaaaaaaaaaaaIdentity and device accessAzure Active Directory Premium P1, Windows Hello, Credential Guard, Direct AccessAzure Active Directory Premium P2Azure AD Identity ProtectionaMicrosoft IntuneThreat protectionaMicrosoft Advanced Threat Analytics, Windows Defender Antivirus, Device GuardMicrosoft Defender for Office 365, Microsoft Defender for Endpoint, Microsoft 365 DefenderMicrosoft Defender for IdentityaInformation protectionSensitivity labelsMicrosoft 365 data loss preventionMicrosoft Defender for Cloud AppsaaaWindows 11 or 10 EnterpriseFull feature set for identity and access management, threat protection, and information protectionAdditional Azure servicesMicrosoft Defender for CloudMicrosoft SentinelProvides threat protection for workloads running in Azure, onpremises, and in other clouds. Integrated with Azure SecurityCenter.A cloud-native security information and event manager(SIEM) platform that uses built-in AI to help analyze largevolumes of data across an enterprise.Security solutionsMicrosoft 365 and SaaS appsAzure AD and Intuneaa aaZero Trust identity anddevice accessFebruary 2022Ransomware protection for yourMicrosoft 365 tenantInformation protection for dataprivacy regulationsSecure collaboration 2022 Microsoft Corporation. All rights reserved. To send feedback about this documentation, please write to us at CloudAdopt@microsoft.com.
Microsoft Cloud Security for EnterpriseArchitectsIdentity and device accessA well-planned and executed identity infrastructure provides stronger security and protected accessby authenticated users and devices to your productivity workloads and their data.Key componentsAzure Active Directory (Azure AD) for user sign-ins and restrictionsMulti-factor authentication (MFA)Requires user sign-ins to supply an additional verification of identity.Conditional AccessAnalyzes sign-in signals to make decisions about allowed access and to enforce organization policies.Azure AD Identity ProtectionDetects potential vulnerabilities affecting your organization's identities and automates remediation of risks.Microsoft Intune for device health and restrictionsDevice enrollmentManage your workforce's devices and apps and how they access your company data.Device compliance policiesRequire users and devices to meet organization health requirements to help protect organizational data.App protection policiesUse rules to ensure an organization's data remains safe or contained in a managed app for both enrolled andpersonal devices.Access and restrictions for cloud appsAccess policiesDefine which users and devices are allowed to access a cloud app and its data.PermissionsDefine what each allowed user and device is allowed to do within a cloud app and to its data.ArchitectureSignalDecisionEnforcementAzure AD User name Device type Device nameConditional AccessDefender for Cloud AppsConditional Access AppControlMicrosoft IntuneAzure AD Identity Protection: Device enrollment Device policies App protection policies Location Leaked credentials Behavioral analytics User risk-based ConditionalAccess policies Client applicationA user sign-in eventincludes a set of signalsabout the user, thedevice, and other factors.Evaluation data Group membership App infoMicrosoft 365cloud apps Intune app protectionpolicy restrictions Defender for CloudApps App ControlrestrictionsThird-party SaaS andPaaS cloud apps Intune MAM policies Azure Resource Device info Microsoft Threat intelligence infoManager Azure AD App ProxyMobile appsAzure portalOn-premises appsGrant access With MFA requirement After password change With device compliance requirementDeny accessAzure AD uses the signals and additional evaluation data withConditional Access, Azure AD Identity Protection, Defender forCloud Apps App Control, and Intune policies to decide to grantaccess, require additional sign-in steps, or deny access.Along with the sign-in session are restrictions from Intuneapp protection and MAM, Defender for Cloud Apps AppControl, Azure Resource Manager, and Azure ADApplication Proxy, which can enforce access to cloud andon-premises apps and resources.Cloud apps can also use the attributes of the sign-insession to enforce their own restrictions, such as denyingaccess to a sensitive resource from an unmanaged device.Solution: Zero Trust identity and device access configurationsDeploy Zero Trust-basedsecure access to Microsoft365 for enterprise cloud appsand services, other SaaSservices, and on-premisesapplications published withAzure AD Application Proxy.February 2022 2022 Microsoft Corporation. All rights reserved. To send feedback about this documentation, please write to us at CloudAdopt@microsoft.com.
Microsoft Cloud Security for EnterpriseArchitectsThreat protectionMicrosoft provides comprehensive threat detection and remediation across Microsoft and thirdparty cloud apps and on-premises apps and the centralization of signals for analysis and threatdetection and response. The building blocks are Microsoft Defender and Microsoft Sentinel.See prerequisite information forMicrosoft 365 Defender andMicrosoft Sentinel for regionaland government cloudavailability.Microsoft DefenderUse Microsoft 365 Defender and Microsoft Defender for Cloud to stop attacks across infrastructure and cloudplatforms, protecting Azure and hybrid resources including virtual machines, databases, containers, and IoT.Microsoft 365 Defender portalMicrosoft 365 DefenderMicrosoft 365 DefenderUnified pre- and post-breach enterprise defense suite that nativelycoordinates detection, prevention, investigation, and responseacross endpoints, identities, email, and applications to provideintegrated protection against sophisticated attacks.Microsoft Defender for IdentityLeverages your on-premisesActive Directory Domain Services(AD DS) signals to identify, detect,and investigate advanced threats,compromised identities, andmalicious insider actions.Microsoft Defender for Office 365Safeguards your organizationagainst malicious threats posed byemail messages, links (URLs), andcollaboration tools. Providesprotection against malware,phishing, spoofing, and otherattack types.Microsoft Defender for EndpointProtects your organization’sendpoints (devices) fromcyberthreats, advanced attacks,and data breaches.Microsoft Defender for CloudAppsProvides rich visibility, controlover data travel, andsophisticated analytics toidentify and combatcyberthreats across all yourMicrosoft and third-party cloudservices.Azure Security CenterMicrosoft Defender for CloudMicrosoft Defender for CloudAdvanced, intelligent, protection of your Azure and hybridresources and workloads. Protect your non-Azure servers and yourvirtual machines in other clouds (such as AWS and GCP).Azure-based resourcesServer VMsSQLContainersNetwork trafficIndustrial IoTAzure AppServicesMicrosoft SentinelA cloud-native security information and event management (SIEM) and security orchestration automatedresponse (SOAR) solution that provides intelligent security analytics across your entire organization,powered by AI based on intelligence from decades of Microsoft experience.Workbooks to visualize dataAnalytics to correlate alerts intoincidentsPlaybooks for automation andorchestrationInvestigation tools to find theroot cause of a threatHunting search and query toolsContinued on next pageConnectorsMicrosoft cloud servicesMicrosoft 365 DefenderMicrosoft Defender for IdentityMicrosoft Defender for Cloud AppsMicrosoft Defender for EndpointMicrosoft Defender for Office 365Microsoft Defender for CloudThird-party services,appliances, and solutionsAWS CloudTrailCisco UmbrellaF5 BIG-IPPalo Alto NetworksMany othersConnect your security informationand event information toMicrosoft Sentinel withconnectors for Microsoft andthird-parties.MicrosoftSentinel
Components and relationshipsSignals and security portalsYour subscriptions in the Microsoft cloudThird-partySaaS andPaaS appsOtherSaaS andPaaS appsMicrosoftDefenderfor CloudAppsMicrosoft 365MicrosoftDefender forOffice 365Azure ADand Azure ADIdentityProtectionCloud securityand threatintelligenceMicrosoftDefender forIdentityMicrosoftDefender forEndpointAzure ServicesSQLServer VMsStorageNetwork TrafficIndustrial IoTAzure App ServicesAzure StorageAzure DNSAzure ResourceManagerAzure Key VaultAzure App ServiceMicrosoft Defender forCloudMicrosoft 365 DefenderSignalsMicrosoft 365 Defender portalSignals from sign-ins, Windows11 or 10 desktops, and Office365 and other cloud apps feedinto the components ofMicrosoft 365 Defender.Azure Security CenterSignals from Azure servicesfeed into MicrosoftDefender for Cloud.The Azure Security Centershows the aggregatesecurity posture and detailsof incidents and alerts.The Microsoft 365 Defenderportal shows the aggregatesecurity posture and details ofincidents and alerts.SEIM data and Microsoft SentinelYour subscriptions in the Microsoft cloudThird-partySaaS andPaaS appsOtherSaaS andPaaS appsMicrosoftDefenderfor CloudAppsMicrosoft 365MicrosoftDefender forOffice 365Azure ADand Azure ADIdentityProtectionCloud securityand threatintelligenceMicrosoftDefender forIdentityMicrosoftDefender forEndpointAzure ServicesSQLServer VMsStorageNetwork TrafficIndustrial IoTAzure App ServicesAzure StorageAzure DNSAzure ResourceManagerAzure Key VaultAzure App ServiceMicrosoft Defender forCloudSIEM dataMicrosoft 365 DefenderSIEM dataMicrosoft Sentinel in the Azure portalMicrosoft 365 Defender andMicrosoft Defender for Cloud sendSIEM log data through a series ofMicrosoft Sentinel connectors.Microsoft Sentinel in the Azureportal shows the aggregate securityposture and details of incidents andalerts.Continued on next page
Microsoft Defender for Cloud AppsIdentify and combat cyberthreats across all your cloud services with Microsoft’s cloud access security broker (CASB) thatprovides multifunction visibility, control over data travel, and sophisticated analytics.Control the use of Shadow ITIdentify the cloud apps, IaaS, and PaaSservices used by your organization.Investigate usage patterns, assess therisk levels and business readiness.Manage them to ensure security andcompliance.Protect your sensitive informationanywhere in the cloudProtect against cyberthreatsand anomaliesAssess the compliance of yourcloud appsUnderstand, classify, and protect theexposure of sensitive information at rest.Leverage out-of-the box policies andautomated processes to apply controls inreal-time across all your cloud apps.Detect unusual behavior acrosscloud apps to identify ransomware,compromised users or rogueapplications, analyze high-riskusage and remediate automaticallyto limit the risk to yourorganization.Assess if your cloud apps meetrelevant compliance requirementsincluding regulatory compliance andindustry standards. Prevent dataleaks to non-compliant apps, andlimit access to regulated data.Key uses in your organizationDiscover and manage shadow ITBlock downloads of sensitive informationDetect suspicious user activityManage cloud platform securityInvestigate risky usersProtect your files with admin quarantineInvestigate risky Oauth appsApply Azure Information Protection labels automaticallyDiscover and protect sensitive informationExtend governance to endpoint remediationProtect any app in your organization in real timeConditional Access App ControlWith Conditional Access App Control, user app access and sessions are monitored andcontrolled in real time based on access and session policies. This allows you to:Prevent data exfiltrationMonitor user sessions for complianceProtect on downloadBlock accessPrevent upload of unlabeled filesBlock custom activitiesBlock potential malwareDefender for Cloud Apps integrationMicrosoft Defenderfor EndpointSignalsIT-managedWindows 11 or10 deviceDevice traffic informationMicrosoft 365Third partyIdPsApp connectorsThird-party SaaSand PaaS appsFirewall/proxyMicrosoftDefender forCloud AppsPolicy evaluationCloud app traffic logsSignalsAzure ADConditionalAccessMicrosoft 365DefenderSentinel connector for SIEM dataMicrosoftSentinelDefender for Cloud Apps is a central collection point for appinformation, cloud app traffic logs from network edge devices,device traffic information from Defender for Endpoint, and sign-ininformation from Azure AD and other identity providers (IdPs).Continued on next pageDefender for Cloud Apps uses Azure AD Conditional Access forConditional Access App Control, sends signals to Microsoft 365Defender, and sends SIEM data to Microsoft Sentinel.
Defender for Cloud Apps architectureYour subscriptions in the Microsoft cloudRequests for app activityCloudapptrafficThird-partySaaS andPaaS appsOtherSaaS andPaaS appsMicrosoft nder for Cloud Appsuses edge device traffic logsto discover apps and obtainsinformation from cloud appson cloud app traffic throughapp connectors.Defender for CloudApps portalCloud discoveryThe Defender for Cloud Appsportal provides aggregatesecurity posture and thedetails of incidents andalerts.Defender for Cloud AppsArchitecture for Conditional Access App ControlConditional Access App Control uses a reverse proxyarchitecture and allows user app access and sessionsto be monitored and controlled in real time based onaccess and session policies.Your subscription in the Microsoft cloudAppconnectorsThird-partySaaS andPaaS appsCloudapptrafficYourorganizationFebruary 2022Firewall/proxyMicrosoft 365OtherSaaS andPaaS appsClouddiscoveryReverse proxy for ConditionalAccess App Control(access and session controls)Defender for Cloud Apps 2022 Microsoft Corporation. All rights reserved. To send feedback about this documentation, please write to us at CloudAdopt@microsoft.com.
Microsoft Cloud Security for EnterpriseArchitectsInformation protectionDiscover, classify, and protect sensitive information wherever it lives or travels.Microsoft Information Protection (MIP)Sensitivity labelingMicrosoft 365 Data Loss Prevention (DLP)Defender for Cloud AppsHelps you classify, label, and protect your data.Help prevent accidental or inappropriate sharing ofinformation with DLP policies.Discover and protect sensitive informationacross multiple locations and devices.Classify, protect, and monitor your documents and emails.Know your dataProtect your dataUnderstand your data landscape and identifyimportant data across your hybrid environment.Monitor and remediateApply flexible protection actions, such asencryption, access restrictions, and visualmarkings.See what’s happening with your sensitivedata and gain more control over it.Information protection for Microsoft 365Protection for Microsoft 365 services, the data stored within them, and individual files and email:ResourceWhat determines who can access?What can they do?How is it encrypted?TeamsTeams access listsActions and methods of accessallowed by policy in the labelService encryption or Customer KeySharePoint sites andOneDrive foldersAccess listsActions and methods of accessallowed by policy in the labelService encryption or Customer KeyExchange emailSensitivity label with permissionsActions allowed by rightsgranted to user with the labelPer-email encryption using either Microsoftmanaged or tenant-managed keysFiles (protection thattravels with the file)Sensitivity label with permissionsActions allowed by rightsgranted to user with the labelPer-file encryption using either Microsoftmanaged or tenant-managed keysSensitivity labelingSensitivity labels allow people in your organization to collaborate with others both inside and outside the organization byplacing labels that classify and protect your organization's content, such as files and email messages. Key features include:Applies encryption, permissions, and content markings to filesand emailSupport for containers that include Teams, Microsoft 365 Groups,and SharePoint sitesSupport for content in Office apps across differentplatforms and devicesBuilt-in labels that do not require a separate installed clientSupport for third-party apps and services and the content inthem with the MIP SDKSupport for Power BI data and assets for Azure PurviewCloud service-side auto-labeling polices for documents andemailsClassification with or without using any protection settingsRunning auto-labeling policies in simulation modeSupport for Conditional Access for unmanaged devices andexternal usersContent Explorer and Activity Explorer to monitor labeling anduser actionsAzure Information Protection (AIP) client can label file types notsupported by built-in labelingLabel scopesMicrosoft 365Container label For teams, SharePoint sites,AttachmentsMicrosoft 365 groupsAzure Purview Settings for privacy, externaluser access and sharing, accessfrom unmanaged devicesContent label Documents and email Settings for permissions,encryption, content marking,sensitivity awareness, andcontent tracking and revocationAzure Purview labelContinued on next pageTeamsSharePointor OneDriveDocumentsExchangeemailPowerBI(data)- Azure assets- Multi-cloudassetsThird-party apps- Content(with Defenderfor Cloud Appsor the MIP SDK)
Here’s how labels of different scope are used for Microsoft 365:Microsoft 365Sensitivity labelsContainerLabels created by asecurity administratorContentSharePoint siteContentlabelSitefolderDocumentsContainer labels are manuallyapplied to SharePoint sites,groups, or teamsContent labels on files and emails are: Manually applied orauto-labeled by services Embedded and travel withthe file and emailDLP policiesDLP policies can identify and protectfiles and email with a content labelProtect files and email withthe content labelHere’s the recommended structure of labels and sublabels:Sensitivity labelsLeastrestrictiveLabel A Ordering labels from least to mostrestrictive is more intuitive for yourusers. It is also used by Microsoft 365 todetermine when to prompt users forjustifying why they changed a label toone that is less restrictive. The order of sublabels is used whenauto-labeling. When content matchesconditions for multiple labels, the lastsublabel of the last label is applied. Client-side auto-labeling will neverapply a label on a document alreadylabeled with a higher-sensitivity label.SublabelsSublabel A-1Ordered listSublabel A-2Ordered listLabel B. .MostrestrictiveContinued on next pageLabel nSublabel A-n
Here’s how sensitivity labels are applied todifferent sets of files:Your Microsoft 365 E3 or E5 subscriptionSharePointTeamsBuilt-in labels,auto-labeled, ormanually appliedLabels appliedwith the AIP clientOneDriveExchangeWord, Excel, PowerPoint filesOutlook emailsOther filesYourorganizationNon-Microsoft365 filesThird-party Microsoft 365 appsOther filesDLPDetect, warn, and block risky, inadvertent, or inappropriate sharingof data containing personal or confidential information, bothinternally and externally: Personal information such as personally identifying information(PII) for compliance with regional privacy regulations.Confidential information based on sensitivity labels (in preview)Locations where DLP appliesMicrosoft Teams ChannelconversationsChat messagesFiles shared inchannelconversations andchat messagesSharePoint andOneDriveExchange Email bodyAttachments Files onSharePoint sitesand OneDrivefoldersFiles on TeamssitesOn-premisesscannerEndpoint DLP Files in use onWindows 11 or10 devices Defender forCloud AppsFiles in onpremisesfolders and onpremisesSharePointfolders Files in yourcloudenvironmentDLP policies in the Microsoft 365 compliance centerDLP uses policies that define how to handle data with sensitive information types withwell-known formats for PII, such as credit card numbers. They have this structure:Policy ALocationsDLP policy evaluation:Rule A-1ConditionsWhen content is evaluatedagainst rules, the rules areprocessed in priority order.ExceptionsIf content matches multiplerules, the rules areprocessed in priority orderand the most restrictiveaction is enforced.OrderedlistRule A-2OrderedlistPolicy B. .Match any or all:Condition A-1-aCondition A-1-b Condition A-1-nActionsRule A-nRestrict access orencrypt the content inMicrosoft 365 locations.Restrict 3rd party apps.User notificationsUser overridesPolicy nIncident reportsRule priorityContinued on next page
How DLP works for files saved in SharePoint and ExchangeFile creationDLP eventsDLP processing3421User creates a file Adds datacorrespondingto a sensitivedata type Adds sensitivitylabelUser saves thefile in SharePointor OneDrive andDLP scans thefile contentsUser: Sends an emailBased on matching DLPpolicies for sensitive data typesand sensitivity labels, DLP can: Posts a message or afile to a Teams chat orchannelAllow Shares a file inSharePoint or OneDriveShow policy tipBlockSend email notificationSolution: Information protection for data privacy regulationsProtect, manage, and provide rightsand control over personal informationstored in your IT infrastructure,including both on-premises and in thecloud to comply with regional dataprivacy regulations.Deployment pathFebruary 2022 2022 Microsoft Corporation. All rights reserved. To send feedback about this documentation, please write to us at CloudAdopt@microsoft.com.
Microsoft Cloud Security for EnterpriseArchitectsCloud app protectionWith cloud app protection, you can more securely install apps in your subscription, restrict andmonitor their use, and detect when they become threats to your resources.The Microsoft cloud app ecosystemDevelopmentBuild apps on a platform that supports a range of services and continuous collaboration and delivery.DeploymentRegister an app in Azure AD and make it available to your users to install and use.Threat protection and detectionAnalyze alerts and incidents exposed in security portals for quick response and remediation.Secure accessUse Zero Trust to ensure strong authentication for users and compliant devices.GovernanceInventory, add, remove, and detect inactive or over-permissioned apps for removal.Shared security signalingDo comprehensive cross-service analysis of alerts and their correlation and combination as incidents.Consistent incident responseexperienceUse the common design of security portals as a consistent way to respond to app-based threats.ComponentsThree Microsoft services included with Microsoft 365 E5 or with additional licenses provide protectionfor apps in the Microsoft cloud.AppsAll Microsoft cloud apps,which includes: Azure ADwith AzureAD IdentityProtection Microsoft 365 apps(included with Microsoft365 and third-party)Other Microsoft and thirdparty cloud apps App consent activityUser-to-app sign-in usageand permissionsWeak credential detectionApp roles and groupsassignedRequirements All Microsoft cloud apps MicrosoftDefenderfor CloudAppsAppgovernanceadd-onInsightsApp consent activity byusersApp metadata All Microsoft cloud apps thatare OAuth-enabled andaccess Microsoft 365 datathrough the Microsoft GraphAPIs Microsoft 365 graph APIactivity by resource anddata typeView new or risky appsthat access Microsoft 365APIs in the tenant Primary threatsDetectionsMonitor user consent andworkflowsMonitor user assignmentImpose just-in-time appaccessUse Azure AD ConditionalAccess for app-to-appRequire authenticationmethods for apps andservice principalsRevoke app’s accesstoken Alert on app's metadatavalues (for example, ahigh permissioned appwith an admin consentand infrequent use)Revoke an app's accesstoken on alert Restrict the type of dataan app can access inMicrosoft 365Alert on apps that gooutside predefined APIactivity Malicious apps (forexample, consentphishing)Overprivileged apps androle assignmentsUnused appsAggregated app risk(across all signals)Service PrincipalcompromiseOffice 365 audit logbased OAuth appdetectionsOAuth app metadatabased detections (suchas homoglyphs andinsecure URLs)Anomalous behavioractivity by applicationsAPI activity-based appcompromise or maliciousbehaviorAPI inactivity andinactive graphpermissionsComponents for app protectionAttacker uses illicit app consent grant to access user data Azure ADDefender for Cloud AppsInsiders or attackers with compromised credentials use apps to access data Azure AD with Azure AD Identity ProtectionDefender for Cloud AppsMalicious apps use the Microsoft 365 app platform
Microsoft and customer security responsibilities The security of your Microsoft cloud services is a partnership between you and Microsoft. Keys to success Enterprise organizations benefit from taking a methodical approach to cloud security. This involves investing in core capabilities within the organization that lead to secure environments.File Size: 523KB
