defender-xdr/pilot-deploy-defender-cloud-apps.md
6 additions & 6 deletions
@@ -7,7 +7,7 @@ f1.keywords:
7
7
- NOCSH
8
8
ms.author: bcarter
9
9
author: brendacarter
10
-
ms.date: 01/12/2025
10
+
ms.date: 03/14/2025
11
11
ms.localizationpriority: medium
12
12
manager: dansimp
13
13
audience: ITPro
@@ -201,13 +201,13 @@ In this illustration, some apps are sanctioned for use. Sanctioning is a simple
201
201
202
202
One of the most powerful protections you can configure is Conditional access app control. This protection requires integration with Microsoft Entra ID. It allows you to apply Conditional Access policies, including related policies (like requiring healthy devices), to cloud apps you've sanctioned.
203
203
204
-
You might already have SaaS apps added to your Microsoft Entra tenant to enforce multi-factor authentication and other conditional access policies. Microsoft Defender for Cloud Apps natively integrates with Microsoft Entra ID. All you must do is configure a policy in Microsoft Entra ID to use conditional access app control in Defender for Cloud Apps. This routes network traffic for these managed SaaS apps through Defender for Cloud Apps as a proxy, which allows Defender for Cloud Apps to monitor this traffic and to apply session controls.
204
+
You might already have SaaS apps added to your Microsoft Entra tenant to enforce multifactor authentication and other conditional access policies. Microsoft Defender for Cloud Apps natively integrates with Microsoft Entra ID. All you must do is configure a policy in Microsoft Entra ID to use conditional access app control in Defender for Cloud Apps. This routes network traffic for these managed SaaS apps through Defender for Cloud Apps as a proxy, which allows Defender for Cloud Apps to monitor this traffic and to apply session controls.
205
205
206
206
:::image type="content" source="media/eval-defender-xdr/m365-defender-mcas-architecture-e.svg" alt-text="A diagram that shows the architecture for Defender for Cloud Apps conditional access app control." lightbox="media/eval-defender-xdr/m365-defender-mcas-architecture-e.svg":::
207
207
208
208
In this illustration:
209
209
210
-
- SaaS apps are integrated with the Microsoft Entra tenant. This integration allows Microsoft Entra ID to enforce conditional access policies, including multi-factor authentication.
210
+
- SaaS apps are integrated with the Microsoft Entra tenant. This integration allows Microsoft Entra ID to enforce conditional access policies, including multifactor authentication.
211
211
- A policy is added to Microsoft Entra ID to direct traffic for SaaS apps to Defender for Cloud Apps. The policy specifies which SaaS apps to apply this policy to. After Microsoft Entra ID enforces any conditional access policies that apply to these SaaS apps, Microsoft Entra ID then directs (proxies) the session traffic through Defender for Cloud Apps.
212
212
- Defender for Cloud Apps monitors this traffic and applies any session control policies that have been configured by administrators.
213
213
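Review bot: Capitalization of the feature name is inconsistent within this hunk: unchanged line 202 has "Conditional access app control" and "Conditional Access policies", while the edited lines 204 and 210 use "conditional access app control" and "conditional access policies". Since these two lines are already being touched for the "multifactor" spelling, align the casing in the same change so the term reads the same way throughout the section.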
@@ -229,16 +229,16 @@ For sample policies, see [Recommended Microsoft Defender for Cloud Apps policies
229
229
230
230
Once you have session policies configured, apply them to your cloud apps to provide controlled access to those apps.
231
231
232
-
:::image type="content" source="media/eval-defender-xdr/m365-defender-office-architecture.svg" alt-text="A diagram that shows how cloud apps are accessed via session control policies with Defender for Cloud Apps." lightbox="media/eval-defender-xdr/m365-defender-office-architecture.svg":::
232
+
:::image type="content" source="media/eval-defender-xdr/m365-defender-mcas-architecture-d.svg" alt-text="A diagram that shows how cloud apps are accessed via session control policies with Defender for Cloud Apps." lightbox="media/eval-defender-xdr/m365-defender-office-architecture.svg":::
233
233
234
234
In the illustration:
235
235
236
-
- Access to sanctioned cloud apps from users and devices in your organization is routed through Defender for Cloud Apps.
236
+
- Access to sanctioned cloud apps from users and devices in your organization is routed through Defender for Cloud Apps where session policies can be applied to specific apps.
237
237
- Cloud apps that you have not sanctioned or explicitly unsanctioned are not affected.
238
238
239
239
Session policies allow you to apply parameters to how cloud apps are used by your organization. For example, if your organization is using Salesforce, you can configure a session policy that allows only managed devices to access your organization's data at Salesforce. A simpler example could be configuring a policy to monitor traffic from unmanaged devices so you can analyze the risk of this traffic before applying stricter policies.
240
240
241
-
For more information, see [Conditional access app control in Microsoft Defender for Cloud Apps](/defender-cloud-apps/proxy-intro-aad).
241
+
For more information, see [Create Microsoft Defender for Cloud Apps session policies](/defender-cloud-apps/session-policy-aad).
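Review bot: On new line 232 the `source` attribute now points to media/eval-defender-xdr/m365-defender-mcas-architecture-d.svg, but `lightbox` still references media/eval-defender-xdr/m365-defender-office-architecture.svg, so the expanded view will show the previous diagram instead of the one rendered inline. Update `lightbox` to the same -d.svg path. On new line 236, a comma before "where session policies can be applied to specific apps" would read better, since the clause is nonrestrictive.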