What's new with Microsoft Cloud App Security?

Applies to: Microsoft Cloud App Security

This article is updated frequently to let you know what's new in the latest release of Cloud App Security.

RSS feed: Get notified when this page is updated by copying and pasting the following URL into your feed reader: https://docs.microsoft.com/api/search/rss?search=%22This+article+is+updated+frequently+to+let+you+know+what%27s+new+in+the+latest+release+of+Cloud+App+Security%22&locale=en-us

Important

Threat protection product names from Microsoft are changing. Read more about this and other updates here. We'll be using the new names in future releases.

Note

Deprecation reminder: In release 198, we added a new checkbox to Session policies that treats any data that can't be scanned as a match for the policy. This feature replaces both Treat encrypted as match, and Treat files that cannot be scanned as match, in addition to adding new functionality. New policies will contain the new checkbox, deselected by default. Pre-existing policies will be migrated to the new checkbox on May 30. Policies with either or both options selected will have the new option selected by default; all other policies will have it deselected.

Cloud App Security release 203

June 13, 2021

  • Expose verified publisher indicator in O365 OAuth apps
    Cloud App Security now surfaces whether a publisher of an Office 365 OAuth app has been verified by Microsoft to enable higher app trust. This feature is in a gradual rollout. For more information, see Working with the OAuth app page.

  • Azure Active Directory Cloud App Security admin
    A Cloud App Security admin role has been added to Azure Active Directory (AAD), allowing the assignment of global admin capabilities to Cloud App Security alone via AAD. For more information, see Office 365 and Azure AD roles with access to Cloud App Security.

  • Export custom tag and app domains per discovered app
    Export to CSV in the discovered apps page now includes the application's custom app tags and associated web domains. For more information, see Working with discovered apps.

    Important

    Enhanced proxy URL for access controls (gradual rollout)
    Starting in early July 2021, we will change our access endpoint from <mcas-dc-id>.access-control.cas.ms to access.mcas.ms. Make sure you update your network appliance rules before the end of June, as failing to do so can lead to access issues. For more information, see Access and session controls.

Cloud App Security release 200, 201, and 202

May 30, 2021

  • Authentication Context (Step-Up Authentication) in public preview
    We've added the ability to protect users working with proprietary and privileged assets by requiring Azure AD Conditional Access policies to be reassessed in the session. For example, if a change in IP address is detected because an employee in a highly sensitive session has moved from the office to the coffee shop downstairs, step-up can be configured to reauthenticate that user. For more information, see Require step-up authentication (authentication context) upon risky action.

Cloud App Security release 199

April 18, 2021

  • Service Health Dashboard availability
    The enhanced Cloud App Security Service Health Dashboard is now available within the Microsoft 365 Admin portal for users with Monitor service health permissions. Learn more about Microsoft 365 Admin roles. In the dashboard, you can configure notifications, allowing relevant users to stay updated with the current Cloud App Security status. To learn how to configure email notifications and additional information about the dashboard, see How to check Microsoft 365 service health.

  • AIP support deprecated
    Label management from the Azure Information Protection portal (classic) is deprecated beginning April 1, 2021. Customers without AIP extended support should migrate their labels to Microsoft Information Protection to continue using sensitivity labels in Cloud App Security. Without migration to Microsoft Information Protection or AIP extended support, file policies with sensitivity labels will be disabled. For more information, see Understanding Unified Labeling migration.

  • DLP near real-time rollout completed for Dropbox, ServiceNow, AWS, and Salesforce
    New near real-time file scanning is available in Dropbox, ServiceNow and Salesforce. New near real-time S3 bucket discovery is available in AWS. For more information, see Connect apps.

  • Public preview for overriding privilege sensitivity labels
    Cloud App Security supports overriding sensitivity labels for files that were labeled outside Cloud App Security. For more information, see Apply labels directly to files.

  • Extended Advanced Hunting events
    We've expanded the available events in Cloud App Security. Microsoft 365 Defender Advanced Hunting now includes telemetry from Microsoft OneDrive, SharePoint Online, Office 365, Dynamics 365, Dropbox, Power BI, Yammer, Skype for Business, and Power Automate, in addition to Exchange Online and Teams, which were available until now. For more information, see Apps and services covered.

Cloud App Security release 198

Released April 4, 2021

  • Exclusion of Azure Active Directory groups entities from discovery
    We've added the ability to exclude discovered entities based on imported Azure Active Directory groups. Excluding AAD groups will hide all discovery-related data for any users in these groups. For more information, see Exclude entities.

  • API connector support for ServiceNow Orlando and Paris versions
    We've added ServiceNow API connector support for the Orlando and Paris versions. For more information, see Connect ServiceNow to Microsoft Cloud App Security.

  • Always apply the selected action even if data cannot be scanned
    We've added a new checkbox to Session policies that treats any data that can't be scanned as a match for the policy.

    Note

    Deprecation notice: this feature replaces both Treat encrypted as match, and Treat files that cannot be scanned as match, in addition to adding new functionality. New policies will contain the new checkbox, deselected by default. Pre-existing policies will be migrated to the new checkbox on May 30. Policies with either or both options selected will have the new option selected by default; all other policies will have it deselected.

Cloud App Security release 197

Released March 21, 2021

  • Status page deprecation notice
    On April 29, Cloud App Security will deprecate the service health status page, replacing it with the Service Health Dashboard within the Microsoft 365 Admin portal. The change aligns Cloud App Security with other Microsoft services and provides an enhanced service overview.

    Note

    Only users with Monitor service health permissions can access the dashboard. For more information, see About admin roles.

    In the dashboard, you can configure notifications, allowing relevant users to stay updated with the current Cloud App Security status. To learn how to configure email notifications and additional information about the dashboard, see How to check Microsoft 365 service health.

  • OAuth app consents link
    We've added the ability to scope activity investigations to a specific OAuth app's consent activities directly from the OAuth app view. For more information, see How to investigate suspicious OAuth apps.

Cloud App Security release 195 and 196

Released March 7, 2021

  • Enhanced Shadow IT discovery with Microsoft Defender for Endpoint
    We've further improved our Defender for Endpoint integration by leveraging enhanced signals for the Defender agent, providing more accurate app discovery and organizational user context.

    To benefit from the latest enhancements, make sure your organizational endpoints are updated with the latest Windows 10 updates:

  • Configurable session lifetime
    We're enabling customers to configure a shorter session lifetime for Conditional Access App Control. By default, sessions proxied by Cloud App Security have a maximum lifetime of 14 days. For more information about shortening session lifetimes, contact us at mcaspreview@microsoft.com.

Cloud App Security release 192, 193, and 194

Released February 7, 2021

  • Updates to Policies page
    We've updated the Policies page, adding a tab for every policy category. We also added an All policies tab to give you a complete list of all your policies. For more information about the policy categorization, see Policy types.

  • Enhanced Office 365 OAuth apps export
    We've enhanced the Office 365 OAuth apps activities export to CSV file with the Redirect URL of the OAuth apps. For more information about exporting OAuth app activities, see OAuth app auditing.

  • Updates to the portal interface
    In the coming months, Cloud App Security will be updating its User Interface to provide a more consistent experience across Microsoft 365 security portals. Learn more

Cloud App Security release 189, 190, and 191

Released January 10, 2021

  • New anomaly detection: Suspicious addition of credentials to an OAuth app
    We've extended our anomaly detections to include suspicious addition of privileged credentials to an OAuth app. The new detection is now available out-of-the-box and automatically enabled. The detection can indicate that an attacker has compromised the app and is using it for malicious activity. For more information, see Unusual addition of credentials to an OAuth app.

  • Enhanced auditing for Shadow IT discovery activities
    We've updated the auditing for Shadow IT activities to include actions performed by administrators. The following new activities are now available in the activity log and can be used as part of your Cloud App Security investigation experience.

    • Tagging or untagging apps
    • Creating, updating, or deleting log collectors
    • Creating, updating, or deleting data sources

  • New Data Enrichment REST API endpoints
    We've added the following Data Enrichment API endpoints enabling you to fully manage your IP address ranges using the API. Use our sample management script to help you get started. For more information about ranges, see Working with IP ranges and tags.

Cloud App Security release 187 and 188

Released November 22, 2020

  • New Shadow IT integration with Menlo Security
    We've added native integration with Menlo Security providing you with Shadow IT visibility into app use and control over app access. For more information, see Integrate Cloud App Security with Menlo Security.

  • New Cloud Discovery WatchGuard log parser
    Cloud App Security Cloud Discovery analyzes a wide range of traffic logs to rank and score apps. Now Cloud Discovery includes a built-in log parser to support the WatchGuard format. For a list of supported log parsers, see Supported firewalls and proxies.

  • New permission for Cloud Discovery global admin role
    Cloud App Security now allows users with the Cloud Discovery global admin role to create API tokens and use all Cloud Discovery related APIs. For more information about the role, see Built-in Cloud App Security admin roles.

  • Enhanced sensitivity slider: Impossible travel
    We've updated the sensitivity slider for impossible travel to configure different sensitivity levels for different user scopes, allowing enhanced control over the fidelity of alerts for user scopes. For example, you can define a higher sensitivity level for administrators than for other users in the org. For more information about this anomaly detection policy, see Impossible travel.

  • Enhanced proxy URL suffix for session controls (gradual rollout)
    On June 7, 2020, we started gradually rolling out our enhanced proxy session controls to use one unified suffix that doesn't include named regions. For example, users will see <AppName>.mcas.ms suffix instead of <AppName>.<Region>.cas.ms. If you routinely block domains in your network appliances or gateways, make sure you allowlist all the domains listed under Access and session controls.

Cloud App Security release 184, 185, and 186

Released October 25, 2020

  • New enhanced alert monitoring and management experience
    As part of our ongoing improvements to monitoring and managing alerts, the Cloud App Security Alerts page has been improved based on your feedback. In the enhanced experience, the Resolved and Dismissed statuses are replaced by the Closed status with a resolution type. Learn more

  • New global severity setting for signals sent to Microsoft Defender for Endpoint
    We've added the ability to set the global severity setting for signals sent to Microsoft Defender for Endpoint. For more information, see How to integrate Microsoft Defender for Endpoint with Cloud App Security.

  • New security recommendations report
    Cloud App Security provides you with security configuration assessments for your Azure, Amazon Web Services (AWS), and Google Cloud Platform (GCP) giving you insights into security configuration gaps in your multi-cloud environment. Now you can export detailed security recommendation reports to help you monitor, understand, and customize your cloud environments to better protect your organization. For more information about exporting the report, see Security recommendations report.

  • Enhanced proxy URL suffix for session controls (gradual rollout)
    On June 7, 2020, we started gradually rolling out our enhanced proxy session controls to use one unified suffix that doesn't include named regions. For example, users will see <AppName>.mcas.ms suffix instead of <AppName>.<Region>.cas.ms. If you routinely block domains in your network appliances or gateways, make sure you allowlist all the domains listed under Access and session controls.

  • Updates to the Cloud App Catalog
    We've made the following updates to our Cloud App Catalog:

    • Teams Admin Center has been updated as a standalone app
    • Microsoft Office 365 Admin Center has been renamed to Office Portal

  • Terminology update
    We've updated the term machine to device as part of the general Microsoft effort to align terminology across products.

Cloud App Security release 182 and 183

Released September 6, 2020

  • Access and session controls for Azure portal GA
    Conditional Access App Control for the Azure portal is now generally available. For information about configuring these controls, see the Deployment guide.

Cloud App Security release 181

Released August 9, 2020

  • New Cloud Discovery Menlo Security log parser
    Cloud App Security Cloud Discovery analyzes a wide range of traffic logs to rank and score apps. Now Cloud Discovery includes a built-in log parser to support the Menlo Security CEF format. For a list of supported log parsers, see Supported firewalls and proxies.

  • Azure Active Directory (AD) Cloud App Discovery name displays in portal
    For Azure AD P1 and P2 licenses, we've updated the product name in the portal to Cloud App Discovery. Learn more about Cloud App Discovery.

Cloud App Security release 179 and 180

Released July 26, 2020

  • New anomaly detection: Suspicious OAuth app file download activities
    We've extended our anomaly detections to include suspicious download activities by an OAuth app. The new detection is now available out-of-the-box and automatically enabled to alert you when an OAuth app downloads multiple files from Microsoft SharePoint or Microsoft OneDrive in a manner that is unusual for the user.

  • Performance improvements using proxy caching for Session Controls (gradual rollout)
    We've made additional performance improvements to our session controls, by improving our content caching mechanisms. The improved service is even more streamlined and provides increased responsiveness when using session controls. Note that session controls don't cache private content, aligning with the appropriate standards to only cache shared (public) content. For more information, see How session control works.

  • New feature: Save security configuration queries
    We've added the ability to save queries for our security configuration dashboard filters for Azure, Amazon Web Services (AWS), and Google Cloud Platform (GCP). This can help make future investigations even simpler by reusing common queries. Learn more about Security configuration recommendations.

  • Enhanced anomaly detection alerts
    We've extended the information we provide for anomaly detection alerts to include a mapping to the corresponding MITRE ATT&CK tactic. This mapping will help you understand the phase and impact of the attack and assist with your investigations. Learn more about How to investigate anomaly detection alerts.

  • Enhanced detection logic: Ransomware activity
    We've updated the detection logic for Ransomware activity to provide improved accuracy and reduced alert volume. For more information about this anomaly detection policy, see Ransomware activity.

  • Identity Security Posture reports: Tags visibility
    We've added entity tags to Identity Security Posture reports providing additional insights about entities. For example, the Sensitive tag can help you identify risky users and prioritize your investigations. Learn more about Investigating risky users.

Cloud App Security release 178

Released June 28, 2020

  • New security configurations for Google Cloud Platform (gradual rollout)
    We've expanded our multi-cloud security configurations to provide security recommendations for Google Cloud Platform, based on the GCP CIS benchmark. With this new capability, Cloud App Security provides organizations with a single view for monitoring the compliance status across all cloud platforms, including Azure subscriptions, AWS accounts, and now GCP projects.

  • New app connectors GA
    We've added the following app connectors to our portfolio of generally available API connectors, giving you more visibility into and control over how your apps are used in your organization:

  • New real-time malware detection GA
    We've expanded our session controls to detect potential malware using Microsoft Threat Intelligence upon file uploads or downloads. The new detection is now generally available out-of-the-box and can be configured to automatically block files identified as potential malware. For more information, see Block malware on upload.

  • Enhanced access and session controls with any IdP GA
    Access and session controls support for SAML apps configured with any identity provider is now generally available. For information about configuring these controls, see the Deployment guide.

  • Risky machine investigation enhancement
    Cloud App Security provides the ability to identify risky machines as part of your shadow IT discovery investigation. Now, we've added the Microsoft Defender Advanced Threat Protection Machine risk level to the machines page giving analysts more context when investigating machines in your organization. For more information, see Investigate devices in Cloud App Security.

  • New feature: Self-service disable app connector (gradual rollout)
    We've added the ability to disable app connectors directly in Cloud App Security. For more information, see Disable app connectors.

Cloud App Security release 177

Released June 14, 2020

  • New real-time malware detection (preview, gradual rollout)
    We've expanded our session controls to detect potential malware using Microsoft Threat Intelligence upon file uploads or downloads. The new detection is now available out-of-the-box and can be configured to automatically block files identified as potential malware. For more information, see Block malware on upload.

  • New access token support for access and session controls
    We've added the ability to treat access token and code requests as logins when onboarding apps to access and session controls. To use tokens, select the settings cog icon, select Conditional Access App Control, edit the relevant app (three dots menu > Edit app), select Treat access token and code requests as app logins, and then select Save. For more information about onboarding apps, see Onboard and deploy any app and Deploy featured apps.

  • Enhanced proxy URL suffix for session controls (gradual rollout)
    On June 7, 2020, we started gradually rolling out our enhanced proxy session controls to use one unified suffix that doesn't include named regions. For example, users will see <AppName>.mcas.ms suffix instead of <AppName>.<Region>.cas.ms. If you routinely block domains in your network appliances or gateways, make sure you allowlist all the domains listed under Access and session controls.

  • New documentation
    Cloud App Security documentation has been expanded to include the following new content:

Cloud App Security release 176

Released May 31, 2020

  • New activity privacy feature
    We've enhanced your ability to granularly determine which users you want to monitor with the ability to make activities private. This new feature enables you to specify users based on group membership whose activities will be hidden by default. Only authorized admins have the option to choose to view these private activities, with each instance being audited in the governance log. For more information, see Activity privacy.

  • New integration with Azure Active Directory (Azure AD) Gallery
    We've leveraged our native integration with Azure AD to give you the ability to navigate directly from an app in the Cloud App Catalog to its corresponding Azure AD Gallery app, and manage it in the gallery. For more information, see Manage apps with Azure AD Gallery.

  • New feedback option available in selected policies
    We're interested in receiving your feedback and learning how we can help. So now a new feedback dialog gives you the opportunity to help improve Cloud App Security, when creating, modifying, or deleting a file, anomaly detection, or session policy.

  • Enhanced proxy URL suffix for session controls (gradual rollout)
    Starting June 7, 2020, we are gradually rolling out our enhanced proxy session controls to use one unified suffix that doesn't include named regions. For example, users will see <AppName>.mcas.ms suffix instead of <AppName>.<Region>.cas.ms. If you routinely blocklist domains in your network appliances or gateways, make sure you allowlist all the domains listed under Access and session controls.

  • Performance improvements for Session Controls (gradual rollout)
    We've made significant network performance improvements to our proxy service. The improved service is even more streamlined and provides increased responsiveness when using session controls.

  • New risky activity detection: Unusual failed logon
    We've expanded our current capability to detect risky behavior. The new detection is now available out-of-the-box and automatically enabled to alert you when an unusual failed login attempt is identified. Unusual failed login attempts may be an indication of a potential password-spray brute force attack (also known as the low and slow method). This detection impacts the overall investigation priority score of the user.

  • Enhanced table experience
    We've added the ability to resize table column widths so that you can widen or narrow columns to customize and improve the way you view tables. You also have the option to restore the original layout by selecting the table settings menu and choosing Default width.

Cloud App Security release 175

Released May 17, 2020

  • New Shadow IT Discovery integration with Corrata (preview)
    We've added native integration with Corrata providing you with Shadow IT visibility into app use and control over app access. For more information, see Integrate Cloud App Security with Corrata.

  • New Cloud Discovery log parsers
    Cloud App Security Cloud Discovery analyzes a wide range of traffic logs to rank and score apps. Now Cloud Discovery includes a built-in log parser to support Corrata and Cisco ASA with FirePOWER 6.4 log formats. For a list of supported log parsers, see Supported firewalls and proxies.

  • Enhanced dashboard (gradual rollout)
    As part of our ongoing improvements to the portal design, we are now gradually rolling out the improved Cloud App Security dashboard. The dashboard has been modernized based on your feedback and offers an enhanced user experience with updated content and data. For more information, see Gradual deployment of our enhanced dashboard.

  • Enhanced governance: Confirm User Compromised for anomaly detections
    We've expanded our current governance actions for anomaly policies to include Confirm User Compromised allowing you to proactively protect your environment from suspicious user activity. For more information, see Activity governance actions.

Cloud App Security release 173 and 174

Released April 26, 2020

  • New SIEM agent CEF format for alerts
    As part of our effort to enrich the alert information provided in the CEF files used by generic SIEM servers, we've extended the format to include the following client fields:

    • IPv4 address
    • IPv6 address
    • IP address location

    For more information, see CEF file format.

  • Enhanced detection logic: Impossible travel
    We've updated the detection logic for impossible travel to provide improved accuracy and reduced alert volume. For more information about this anomaly detection policy, see Impossible travel.

Cloud App Security release 172

Released April 5, 2020

  • Enhanced access and session controls with any IdP (preview)
    Access and session controls now support SAML apps configured with any identity provider. The public preview of this new feature is now gradually rolling out. To configure these controls, see the Deployment guide.

  • New bulk deanonymization of users and machines
    We've expanded and simplified the process of deanonymizing one or more users and machines under investigation. For more information about bulk deanonymization, see How data anonymization works.

Cloud App Security release 170 and 171

Released March 22, 2020

  • New anomaly detection: Unusual region for cloud resource (preview)
    We've expanded our current capability to detect anomalous behavior for AWS. The new detection is now available out-of-the-box and automatically enabled to alert you when a resource is created in an AWS region where the activity is not normally performed. Attackers often leverage an organization's AWS credits to perform malicious activities such as crypto-mining. Detecting such anomalous behavior can help mitigate an attack.

  • New activity policy templates for Microsoft Teams
    Cloud App Security now provides the following new activity policy templates enabling you to detect potentially suspicious activities in Microsoft Teams:

    • Access level change (Teams): Alerts when a team's access level is changed from private to public.
    • External user added (Teams): Alerts when an external user is added to a team.
    • Mass deletion (Teams): Alerts when a user deletes a large number of teams.

  • Azure Active Directory (Azure AD) Identity Protection Integration
    You can now control the severity of Azure AD Identity Protection alerts that are ingested into Cloud App Security. Additionally, if you haven't already enabled the Azure AD Risky sign-in detection, the detection will be automatically enabled to ingest high severity alerts. For more information, see Azure Active Directory Identity Protection integration.

Cloud App Security release 169

Released March 1, 2020

  • New detection for Workday
    We've expanded our current anomalous behavior alerts for Workday. The new alerts include the following user geolocation detections:

  • Enhanced Salesforce log collection
    Cloud App Security now supports Salesforce's hourly event log. Hourly event logs give you accelerated, near real-time monitoring of user activities. For more information, see Connect Salesforce.

  • Support for AWS security configuration using a master account
    Cloud App Security now supports using a master account. Connecting your master account allows you to receive security recommendations for all member accounts across all regions. For more information about connecting with a master account, see How to connect AWS Security configuration to Cloud App Security.

  • Session controls support for modern browsers
    Cloud App Security session controls now include support for the new Microsoft Edge browser based on Chromium. While we'll continue supporting the most recent versions of Internet Explorer and the legacy version of Microsoft Edge, the support will be limited and we recommend using the new Microsoft Edge browser.

Cloud App Security release 165, 166, 167, and 168

Released February 16, 2020

  • New block unsanctioned apps with Microsoft Defender ATP
    Cloud App Security has extended its native integration with Microsoft Defender Advanced Threat Protection (ATP). You can now block access to apps marked as unsanctioned using Microsoft Defender ATP's network protection capability. For more information, see Block access to unsanctioned cloud apps.

  • New OAuth app anomaly detection
    We've expanded our current capability to detect malicious OAuth app consent. The new detection is now available out-of-the-box and automatically enabled to alert you when a potentially malicious OAuth app is authorized in your environment. This detection leverages Microsoft security research and threat intelligence expertise to identify malicious apps.

  • Log collector updates
    The Docker-based log collector was enhanced with the following important updates:

    • Container OS version upgrade
    • Java security vulnerability patches
    • Syslog service upgrade
    • Stability and performance improvements

    We strongly recommend that you upgrade your environment to this new version. For more information, see Log collector deployment modes.

  • Support for ServiceNow New York
    Cloud App Security now supports the latest version (New York) of ServiceNow. To learn about securing ServiceNow, see Connect ServiceNow to Microsoft Cloud App Security.

  • Enhanced detection logic: Impossible travel
    We've updated the detection logic for impossible travel to provide enhanced coverage and better accuracy. As part of this update, we also updated the detection logic for impossible travel from corporate networks.

  • New threshold for activity policies
    We've added a threshold for activity policies to help you manage the volume of alerts. Policies that trigger a large volume of matches for several days are automatically disabled. If you receive a system alert about this, you should try refining policies by adding additional filters or, if you're using policies for reporting purposes, consider saving them as queries instead.

Next steps

If you run into any problems, we're here to help. To get assistance or support for your product issue, please open a support ticket.