Importing user groups from connected apps

Note

  • We've renamed Microsoft Cloud App Security. It's now called Microsoft Defender for Cloud Apps. In the coming weeks, we'll update the screenshots and instructions here and in related pages. For more information about the change, see this announcement. To learn more about the recent renaming of Microsoft security services, see the Microsoft Ignite Security blog.

  • Microsoft Defender for Cloud Apps is now part of Microsoft 365 Defender. The Microsoft 365 Defender portal allows security admins to perform their security tasks in one location. This will simplify workflows, and add the functionality of the other Microsoft 365 Defender services. Microsoft 365 Defender will be the home for monitoring and managing security across your Microsoft identities, data, devices, apps, and infrastructure. For more information about these changes, see Microsoft Defender for Cloud Apps in Microsoft 365 Defender.

When you connect apps using API connectors, Microsoft Defender for Cloud Apps enables you to import user groups, for example from Office 365 and Azure Active Directory. There are two types of user groups:

  • Automatic groups: Automatic groups are created by default by Microsoft Defender for Cloud Apps. For example, there's an automatic user group called External that combines all users from all apps who are external to your organization and have access to files or were in user activities in your tenant. The following automatic groups exist in Defender for Cloud Apps:

    • External
    • Dropbox administrator
    • Office 365 administrator
    • Google Workspace administrator
    • Box administrator
    • All Salesforce standard and custom profiles, for example, Salesforce System Administrator. See the full list here.
  • Imported groups: You can import any group from your connected apps. For example, you can import user groups from Office 365 (Active Directory) and other connected apps. These groups enable you to look for threats in your org, not by looking at the whole org or at a specific user, but by looking at a specific group.

    Typical scenarios that use imported user groups include:

    • Investigating which docs the HR people look at.
    • Check if there's something unusual happening in the executive group.
    • Find if someone from the admin group performed an activity outside the US.

How to import user groups

  1. In the menu bar, select the settings icon settings icon. and select User groups.

  2. Select Import user group.

    Import user groups.

  3. Select the app from which to import the user group. The list of apps will depend on which App Connectors you deployed.

  4. Select the group to import. The list of available groups will be a list of all the existing user groups in the app itself. If you want to add a new group, you have to do it directly in the app itself. Then, when the group appears in the list here, select it.

  5. You can select the option to be notified by email when the import process is complete.

  6. Select Import. After you import a group, Defender for Cloud Apps automatically syncs the group members, just like Active Directory Connect.

  7. After the import is complete, from the User groups page you can select a specific group to view a list of all the members of the group. Select any member of the group to further drill down into the details of a specific account. You can view which apps they use and a summary of the account including graphs of the user and their activity.

Importing groups enables you to select those groups as filters when investigating in the Activity log and when creating policies.

Note

  • The maximum number of imported user groups is 500.
  • Only active users will be imported as part of the imported group. Any suspended, deleted, or disabled users will be ignored.
  • There may be a short delay until imported user groups are available in filters.
  • Only activities performed after importing a user group will be tagged as having been performed by a member of the user group.
  • After the initial sync, groups are usually updated every hour. However, due to various factors there could be times where this might take several hours.

For more information on using the User group filters, see Activities.

Next steps

If you run into any problems, we're here to help. To get assistance or support for your product issue, please open a support ticket.