The Modern Workplace Conference Paris 2022 will be held online from January 24 to 26, focusing on the evolution of enterprise security in the cloud age. It discusses challenges like managing sensitive information and controlling access to cloud applications, highlighting Microsoft's security solutions. Attendees can expect insights on zero trust identity management, threat protection, and best practices for cloud app security.

2. Modern Workplace
Conference Paris 2022
online
#MWCP22 Coming soon!
Share. Discover.
Explore.
Partager. Découvrir.
Explorer.
Modern Workplace
Conference Paris 2022
online
#MWCP22 24,25,26 Jan 2022

3. Suivez-nous tout au long de l’année !
Follow us all year round!
https://aos.community
https://twitter.com/mwcparis
#MWCP22
https://modern-workplace.pro
https://twitter.com/aOSComm
https://www.linkedin.com/company/
ams-community
https://www.linkedin.com/company/
mwcp
https://www.facebook.com/
modernworkplaceconferenceparis
https://www.facebook.com/
aOSCommunity (FR)
https://www.facebook.com/
aosComm (EN)

4. Vignesh Ganesan
Enterprise Cloud Architect & Technology Strategist
NGUNGU JOEL
Etudiant

5. About Me

6. Let’s get
started

7. • User chooses apps (unsanctioned, shadow IT)
• User can access resources from anywhere
• Data is shared by user and cloud apps
• IT has limited visibility and protection
• Only sanctioned apps are installed
• Resources accessed via managed devices/networks
• IT had layers of defense protecting internal apps
• IT has a known security perimeter
Life with cloud
Life before cloud
On-premises
Storage, corp data Users
How the cloud changed the enterprise?

8. Cloud services require a new approach to security

9. Enterprise-class technology
Secure identities to
reach zero trust
Identity & access
management
Security
management
Strengthen your security
posture with insights
and guidance
Threat
protection
Help stop damaging
attacks with integrated and
automated security
Locate and classify
information anywhere
it lives
Information
protection
Infrastructure security

11. Microsoft Defender for Cloud Apps
Discover and
assess risks
Control access
in real time
Detect
threats
Protect your
information
Identify cloud apps on your
network, gain visibility into shadow
IT, and get risk assessments and
ongoing analytics.
Manage and limit cloud app
access based on conditions and
session context, including user
identity, device, and location.
Identify high-risk usage and
detect unusual behavior using
Microsoft threat intelligence
and research.
Get granular control over data
and use built-in or custom
policies for data sharing and
data loss prevention.
Threat detection: Microsoft Intelligent Security Graph, Office ATP
Information Protection: Office 365 & Azure Information Protection
Identity: Azure AD and Conditional Access
To your cloud apps
Extend Microsoft security
+ more

12. Microsoft Defender for Cloud Apps

13. TOP CASB USE CASES
Office 365
Salesforce Azure
Box
AWS
Dropbox
Facebook
Twitter
YouTube

14. Case study
A company named Contoso is using Microsoft 365 for collaborating within themselves and other
organizations . All their employees are currently on WFH due to COVID.
Challenges
• Users are downloading sensitive information to their personal PC
• Users are downloading company confidential files to their personal PC
• Users are uploading PII information to SPO
• Customer’s PII data is being copied and shared with a competitor
• Legal regulations state that Contract Employees/Contingent employees shouldn’t have access
to Office 365 from their personal PC
• Contoso would also like to control sharing of sensitive information from 3rd party apps such as
Box
• Block risky sign-ins

15. 1. All the users in Contoso have a Microsoft 365 license and an Azure AD P1 license assigned to them .
2. They all have an Intune compliant/ Hybrid Azure AD joined PC given to them
3. Contoso is currently using cloud apps such as Office 365 , Box & Workplace by Facebook
4. Contoso has rolled out AIP & DLP for all its users and they also have Azure AD conditional access policies
configured
Contoso’s Current setup

16. Conditional Access App control

17. Cloud apps & services

18. Require MFA
Allow access
Deny access
Force password reset
******
Monitor and control access to cloud apps
Defender for
Cloud Apps
Limit access
Policy
Proxy

19. CONDITIONAL ACCESS APP CONTROL
Microsoft Azure
Active Directory
Analyze Session Risk
Check device
compliance with Intune
Check
location
Check user
behavior
Check user
organization
Enforce Relevant Policies with Conditional Access App Control
Protect downloads
from unmanaged
devices with AIP
Monitor and alert on
actions when user
activity is suspicious
Enforce read-only mode
in applications for
partner (B2B) users
Require MFA and define
session timeouts for
unfamiliar locations
BOX.US.CAS.MS
Defender for Cloud Apps integrates with:
• Azure Active Directory
• Azure Information Protection
• Microsoft Intune
to help protect any app in your
organization.
MICROSOFT DEFENDER FOR CLOUD APPS

20. Access policy and Session policy
Access policies enable real-time
monitoring and control over
access to cloud apps based on
user, location, device, and app
Session policies enable real-time session-
level monitoring, affording you granular
visibility into cloud apps and the ability to
take different actions depending on the
policy set for a user session
CONDITIONAL ACCESS APP CONTROL
Prerequisites
Azure AD Premium P1 license, or the license required by your identity provider (IdP) solution
The relevant apps should be deployed with Conditional Access App Control
Make sure you have configured your IdP solution to work with Defender for Cloud Apps
App URL: myapp.com
Replaced URL : myapp.com.mcas.ms

21. Conditional Access App Control – Architecture
User
SSO
Azure AD
(IdP)
SAML Auth Request
Is there an Azure
AD Conditional
Access policy
matching this
request?
No
Yes
Yes
No
Yes
No
Data flow
Azure
Information
Protection
Is content inspection
enabled for this session
policy? OR is the
Protect on Download
action selected?
Yes User attempts file download
Block file
download
and monitor
Protect file
download
and monitor
Monitor
No
Is there a CAS
Session Policy
matching this
request?
Is there a
CAS Access
Policy that
blocks this
request?
ACCESS DENIED
.US.CAS.MS

22. Challenge 1: Users are downloading sensitive information to
their personal PC

23. Challenge 2: Users are downloading company confidential
files to their personal PC

24. Challenge 3:Users are uploading PII information to SPO

25. Challenge 4 : Customer’s PII data is being copied and shared
with a competitor

26. Challenge 5 : Legal regulations state that Contract
Employees/Contingent employees shouldn’t have access to
Office 365 from their personal PC

27. Challenge 6 : Contoso would also like to control sharing of
sensitive information from 3rd party apps such as Box

28. Challenge 7 : Block risky sign-ins

29. Users are downloading
sensitive information
to their personal PC
Users are downloading
company confidential
files to their personal
PC
Users are uploading PII
information to SPO
Customer’s PII data is
being copied and
shared with a
competitor
Legal regulations state that
Contract
Employees/Contingent
employees shouldn’t have
access to Office 365 from
their personal PC
Contoso would also like
to control sharing of
sensitive information
from 3rd party apps such
as Box
Microsoft Defender for Cloud Apps (Conditional Access App Control )
Block risky sign-ins

30. LICENSING OPTIONS
Microsoft CAS
CASB for any cloud app
EMS E5
Office 365 CAS
CASB for Office 365
Office 365 E5
CAS Discovery
Discovery of Shadow IT
AAD P1 (EMS E3)

31. Ref
• https://docs.microsoft.com/en-us/defender-cloud-apps/
• https://techcommunity.microsoft.com/t5/security-compliance-and-
identity/announcing-microsoft-defender-for-cloud-apps/ba-p/2835842
• https://docs.microsoft.com/en-us/defender-cloud-apps/proxy-intro-aad
• https://docs.microsoft.com/en-us/defender-cloud-apps/access-policy-aad
• https://docs.microsoft.com/en-us/defender-cloud-apps/session-policy-aad
• https://docs.microsoft.com/en-us/defender-cloud-apps/proxy-deployment-aad
• https://docs.microsoft.com/en-us/defender-cloud-apps/proxy-deployment-any-
app
• https://www.aka.ms/mcaslicensing
• https://docs.microsoft.com/en-us/defender-cloud-apps/editions-cloud-app-
security-o365

32. Merci pour
votre
attention !
Thanks
for your
attention!