You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
- cron: "25 5,11,17,22 * * *"# Times are UTC based on Daylight Saving Time. Need to be adjusted for Standard Time. Scheduling at :25 to account for queuing lag.
Copy file name to clipboardExpand all lines: .github/workflows/StaleBranch.yml
+8-3Lines changed: 8 additions & 3 deletions
Original file line number
Diff line number
Diff line change
@@ -2,12 +2,17 @@ name: (Scheduled) Stale branch removal
2
2
3
3
permissions:
4
4
contents: write
5
-
5
+
6
+
# This workflow is designed to be run in the days up to, and including, a "deletion day", specified by 'DeleteOnDayOfMonth' in env: in https://github.com/MicrosoftDocs/microsoft-365-docs/blob/workflows-prod/.github/workflows/Shared-StaleBranch.yml.
7
+
# On the days leading up to "deletion day", the workflow will report the branches to be deleted. This lets users see which branches will be deleted. On "deletion day", those branches are deleted.
8
+
# The workflow should not be configured to run after "deletion day" so that users can review the branches were deleted.
9
+
# Recommendation: configure cron to run on days 1,15-31 where 1 is what's configured in 'DeleteOnDayOfMonth'. If 'DeleteOnDayOfMonth' is set to something else, update cron to run the two weeks leading up to it.
Copy file name to clipboardExpand all lines: CloudAppSecurityDocs/activity-filters-queries.md
+1-32Lines changed: 1 addition & 32 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -135,7 +135,7 @@ Defender for Cloud Apps also provides you with **Suggested queries**. Suggested
135
135
- Successful log in - Filters all your activities to display only those activities that involve successful sign-ins, including impersonate action, impersonate sign-in, single sign-o sign-ins, and sign-in from a new device.
136
136
137
137
138
-
138
+
139
139
Additionally, you can use the suggested queries as a starting point for a new query. First, select one of the suggested queries. Then, make changes as needed and finally select **Save as** to create a new **Saved query**.
140
140
141
141
### Query activities six months back
@@ -184,37 +184,6 @@ Reports that include private activities are marked with an Eye icon in the repor
Copy file name to clipboardExpand all lines: CloudAppSecurityDocs/attack-paths.md
+9-7Lines changed: 9 additions & 7 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -10,9 +10,6 @@ ms.date: 03/23/2025
10
10
[Microsoft Security Exposure Management](/security-exposure-management/microsoft-security-exposure-management) helps you to manage your company's attack surface and exposure risk effectively. By combining assets and techniques, [attack paths](/security-exposure-management/review-attack-paths) illustrate the end-to-end paths that attackers can use to move from an entry point within your organization to your critical assets.
11
11
Microsoft Defender for Cloud Apps observed an increase in attackers using OAuth applications to access sensitive data in business-critical applications like Microsoft Teams, SharePoint, Outlook, and more. To support investigation and mitigation, these applications are integrated into the attack path and attack surface map views in Microsoft Security Exposure Management.
12
12
13
-
### Critical Asset Management - Service Principals
14
-
15
-
Microsoft Defender for Cloud Apps defines a set of critical privilege OAuth permissions. OAuth applications with these permissions are considered high-value assets. If compromised, an attacker can gain high privileges to SaaS applications. To reflect this risk, attack paths treat service principals with these permissions as target goals.
16
13
17
14
### Prerequisites
18
15
@@ -44,21 +41,26 @@ Alternatively, you can use one of the following **Entra ID roles**:
44
41
>[!NOTE]
45
42
> Currently available in commercial cloud environments only. Microsoft Security Exposure Management data and capabilities are currently unavailable in U.S Government clouds - GCC, GCC High, DoD, and China Gov.
46
43
47
-
## View permissions for critical assets
44
+
### Critical Asset Management - Service Principals
45
+
46
+
Microsoft Defender for Cloud Apps defines a set of critical privilege OAuth permissions. OAuth applications with these permissions are considered high-value assets. If compromised, an attacker can gain high privileges to SaaS applications. To reflect this risk, attack paths treat service principals with these permissions as target goals.
47
+
48
+
#### View permissions for critical assets
48
49
49
50
To view the full list of permissions, go to the [Microsoft Defender portal](https://security.microsoft.com) and navigate to Settings > Microsoft Defender XDR > Rules > Critical asset management.
50
51
51
52
:::image type="content" source="media/saas-securty-initiative/screenshot-of-the-critical-asset-management-page.png" alt-text="Screenshot of the Critical asset management page in the Defender XDR portal." lightbox="media/saas-securty-initiative/Screenshot-of-the-critical-asset-management-page.png":::
52
53
53
-
> [!NOTE]
54
-
> OAuth apps appear in the attack path surface map only when specific conditions are detected.
55
-
> For example, an OAuth app may appear in the attack path only if a vulnerable component with an easily exploitable entry point is detected that allows lateral movement to service principals with high privileges.
56
54
57
55
## Investigation user flow: View attack paths involving OAuth applications
58
56
59
57
Once you understand which permissions represent high-value targets, use the following steps to investigate how these applications appear in your environment’s attack paths.
60
58
For smaller organizations with a manageable number of attack paths, we recommend following this structured approach to investigate each attack path:
61
59
60
+
> [!NOTE]
61
+
> OAuth apps show in the attack path surface map only when specific conditions are detected.
62
+
> For example, an OAuth app might appear in the attack path if a vulnerable component with an easily exploitable entry point is detected. This entry point allows lateral movement to service principals with high privileges.
63
+
62
64
1. Go to Exposure Management > Attack surface > Attack paths.
Copy file name to clipboardExpand all lines: CloudAppSecurityDocs/caac-known-issues.md
+3Lines changed: 3 additions & 0 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -51,6 +51,9 @@ For example, assume that a session policy is configured to prevent downloading f
51
51
52
52
Session policies don't protect external business-to-business (B2B) collaboration users in Microsoft Teams applications.
53
53
54
+
## Session Controls with Non-Interactive Tokens
55
+
Some applications utilize non-interactive access tokens to facilitate seamless redirection between apps within the same suite or realm. When one application is onboarded to Conditional Access App Control and the other is not, session controls may not be enforced as expected. For example, if the Teams client retrieves a non-interactive token for SharePoint Online (SPO), it can initiate an active session in SPO without prompting the user for reauthentication. As a result, the session control mechanism cannot intercept or enforce policies on these sessions. To ensure consistent enforcement, it's recommended to onboard all relevant applications, such as Teams, alongside SPO.
56
+
54
57
## Limitations for sessions that the reverse proxy serves
55
58
56
59
The following limitations apply only on sessions that the reverse proxy serves. Users of Microsoft Edge can benefit from in-browser protection instead of using the reverse proxy, so these limitations don't affect them.
0 commit comments