Applies to: Microsoft Cloud App Security
App connectors use the APIs of app providers to give Microsoft Cloud App Security greater visibility into, and control over, the apps you connect.
Because Microsoft Cloud App Security relies on the APIs each cloud provider exposes, it is bound by each service's own framework and API limits. Microsoft Cloud App Security worked with the services to optimize its use of the APIs and to ensure the best performance. Taking into account the limits the services impose on their APIs (throttling, API quotas, dynamic time-shifting API windows, and so on), the Cloud App Security engines use the capacity that is allowed. Some operations, such as scanning all files in the tenant, require a large number of API calls and are therefore spread over a longer period. Expect some policies to run for several hours or even several days.
Cloud App Security supports multiple instances of the same connected app. If you have multiple instances of, for example, Salesforce (one for sales, one for marketing), you can connect both to Cloud App Security and manage them from the same console, creating granular policies and investigating more deeply per instance. This support applies only to API connected apps, not to Cloud Discovered apps or Proxy connected apps.
How it works
Cloud App Security is deployed with system admin privileges so that it has full access to all objects in your environment. The account you connect with therefore determines what the connector can see and do; see the prerequisites table below for the role each app requires.
The App Connector flow is as follows:
- Cloud App Security scans and saves Authentication permissions.
- Cloud App Security requests the user list. The first time this runs, it may take some time until the scan completes. After the user scan finishes, Cloud App Security moves on to activities and files. As soon as the scan starts, some activities are already available in Cloud App Security.
- After the user request completes, Cloud App Security periodically scans users, groups, activities, and files. All activities are available after the first full scan.
The first full scan may take some time, depending on the size of the tenant, the number of users, and the size and number of files that need to be scanned.
Depending on the app you are connecting to (see the table below), API connection enables the following:
- Visibility into users, accounts, profile information, status (suspended, active, disabled), groups, and privileges.
- Visibility into user activities, admin activities, and log-on activity.
- Scanning of unstructured data using two processes: a periodic scan (every 12 hours) and a near-real-time scan (triggered each time a change is detected).
- Visibility into issued tokens and their permissions.
- Ability to suspend users, revoke passwords, and so on.
- Ability to quarantine files, including files in the trash, and to overwrite files.
- App permission governance:
  - Ability to remove tokens.
The following table lists, per cloud app, which abilities App connectors support:

| | Office 365 | Box | Okta | G Suite | ServiceNow | Salesforce | Dropbox | AWS |
|---|---|---|---|---|---|---|---|---|
| Privileges | ✔ | ✔ | Not supported by provider | ✔ | ✔ | ✔ | ✔ | |
| User governance | ✔ | ✔ | ✔ | Coming soon | Coming soon | Coming soon | | |
| Log on activity | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ |
| User activity | ✔* | ✔ | ✔ | ✔ - requires Google Unlimited | Partial | Supported with Salesforce Shield | ✔ | Not applicable |
| Periodic file scan | ✔ | ✔ | Not applicable | ✔ | ✔ | ✔ | ✔ | Not applicable |
| Near-realtime file scan | ✔ | ✔ | Not applicable | ✔ - requires Google Unlimited | Coming soon | | | |
| Sharing control | ✔ | ✔ | Not applicable | ✔ | Not applicable | ✔ | | |
| Quarantine | ✔ | ✔ | Not applicable | Coming soon | Coming soon | | | |
| View app permissions | ✔ | Not supported by provider | Not applicable | ✔ | ✔ | Not supported by provider | | |
| Revoke app permissions | ✔ | Not applicable | ✔ | ✔ | Not applicable | | | |
| Apply Azure Information Protection labels | ✔ | ✔ | ✔ | | | | | |
For some apps, you may need to whitelist IP addresses so that Cloud App Security can collect logs and so that you can reach the Cloud App Security console. For more information, see Network requirements.
For each app that you connect with the Cloud App Security API integration, we recommend creating an admin service account dedicated to Cloud App Security. A dedicated account keeps the connector's activity clearly attributable in the app's audit logs and lets you rotate or revoke its credentials without affecting any person's account.
To get updates when URLs and IP addresses are changed, subscribe to the RSS as explained in: Office 365 URLs and IP address ranges.
To use App Connectors, make sure you have the following for each app:

| App | Edition | Account / notes |
|---|---|---|
| Box | Enterprise | It is strongly recommended that you connect to Box as an Admin. Connecting as a Co-admin results in only partial data visibility. If you connect as a Co-admin, make sure to select all permissions. |
| G Suite | G Suite Unlimited preferred; G Suite Enterprise (minimally) | |
| Office 365 | | Global Admin |
| AWS | | Newly created user |
| Okta | Enterprise (not trial) | Admin |
| ServiceNow | Eureka and up | Admin + RestAPI role |
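Putting the dedicated-service-account recommendation above together with the Office 365 prerequisite (Global Admin) in the table, here is an added example of provisioning such an account with the MSOnline PowerShell module. This is not code from the original page or from Microsoft; the user principal name, display name and tenant domain are placeholders, and it assumes the MSOnline module is installed and that you are already signed in as a Global Admin.

```powershell
# Added example (not part of the original page): create a dedicated Office 365
# admin service account for the Cloud App Security connector with MSOnline.
# Assumptions: MSOnline module installed; you are a Global Admin; the UPN and
# display name below are placeholders for your own tenant.
Import-Module MSOnline
Connect-MsolService

$upn = "svc-mcas@contoso.onmicrosoft.com"   # placeholder UPN for the dedicated account

# Generate the initial password from a CSPRNG instead of typing one.
# 12 random bytes -> 16 Base64 characters, which stays within the older
# 16-character Azure AD password limit and mixes upper, lower and digits.
$bytes = New-Object byte[] 12
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$password = [Convert]::ToBase64String($bytes)

# Create the account. No license is assigned: it exists only to hold the
# connector's API access. The password is not forced to change at first sign-in
# and never expires, so the connector's credential stays stable; rotate it
# yourself on your own schedule and store it in your secrets vault.
New-MsolUser -UserPrincipalName $upn `
             -DisplayName "Cloud App Security connector" `
             -Password $password `
             -ForceChangePassword $false `
             -StrongPasswordRequired $true `
             -PasswordNeverExpires $true | Out-Null

# The Office 365 connector requires Global Admin (see the prerequisites table).
# MSOnline names that role "Company Administrator".
Add-MsolRoleMember -RoleName "Company Administrator" -RoleMemberEmailAddress $upn

# Verify the assignment: the dedicated account should now appear among the
# Global Admin role members.
$roleId = (Get-MsolRole -RoleName "Company Administrator").ObjectId
Get-MsolRoleMember -RoleObjectId $roleId | Where-Object { $_.EmailAddress -eq $upn }

# Hand $password to the person performing the Cloud App Security connection
# step out of band; do not leave it in shell history or scripts.
```

Use the new account only for the connector: sign in with it once to complete the Cloud App Security connection, then treat any other interactive sign-in by it as a finding in your sign-in logs. Because the account carries Global Admin, keep it in the same review cycle as your other privileged accounts.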
Cloud App Security is deployed in Azure and is fully integrated with ExpressRoute. All interactions with the Cloud App Security apps and all traffic sent to Cloud App Security, including discovery log uploads, are routed via ExpressRoute public peering for improved latency, performance, and security. No configuration steps are required on the customer side.
For more information about Public Peering, see ExpressRoute circuits and routing domains.