Applies to: Microsoft Cloud App Security
Microsoft Cloud App Security enables you to scope your deployment. Scoping allows you to select certain user groups to be monitored for apps or excluded from monitoring.
Include or exclude user groups
You may not want to use Microsoft Cloud App Security for all the users in your organization. Scoping is especially useful when you want to limit your deployment because of license restrictions. You may also need to limit it because of compliance regulations that require you not to monitor users from certain countries. For example, use scoped deployment to monitor only US-based employees. Alternatively, you can avoid showing any activities for your users based in Germany.
To scope your deployment, you must first import user groups to Microsoft Cloud App Security. By default, you'll see the following groups:
- Application user group - A built-in group that enables you to see activities performed by Office 365 and Azure AD applications.
- External users group - All users who aren't members of any of the managed domains you configured for your organization.
Setting an include rule automatically excludes all groups that aren't covered by the rule. For example, if you set a rule to include all members of the US-office groups, any users who aren't members of those groups won't be monitored.
Excluded user groups override included user groups. This means that if you include the user group "UK-employees" but exclude "Marketing", marketing members from the UK won't be monitored even though they're members of the group UK-employees.
1. In the menu bar, click the settings cog and select Scoped deployment.
2. To scope your deployment to include or exclude specific groups, you must first import user groups into Microsoft Cloud App Security.
3. To set specific groups to be monitored by Microsoft Cloud App Security, in the Include tab, click the plus icon.
4. In the Create new include rule dialog, do the following steps:
   - Under Type rule name, give the rule a descriptive name.
   - Under Select user groups, select all the groups you want to monitor with Cloud App Security.
   - Select whether you want to apply this rule to all connected apps or only to Specific apps. If you select Specific apps, the rule only affects monitoring of the apps you select. For example, if you select the group UI team users and Box, Cloud App Security monitors Box activity only for users in your UI team users group; for all other apps, Cloud App Security monitors all activities for all users.
5. To set specific groups to be excluded from monitoring, in the Exclude tab, click the plus icon.
6. In the Create new Exclude rule dialog, set the following parameters:
   - Under Type rule name, give the rule a descriptive name.
   - Under Select user groups, select all the groups you don't want Cloud App Security to monitor.
   - Select whether you want to apply this rule to all connected apps or only to Specific apps. If you select Specific apps, Cloud App Security stops monitoring the selected group only for the apps you select. For example, if you select the group UI team users and Active Directory, Cloud App Security monitors all user activity except Active Directory activities performed by UI team users.
Example results for include and exclude rules
The include and exclude rules you create work together to scope the overall monitoring performed by Microsoft Cloud App Security. Here's an example of include and exclude rules you can create, and the final result of what Microsoft Cloud App Security monitors once these rules are in effect.
If you create the following rules:
- Exclude user group "Germany all users"
- Include for user group "Global sales" only Office 365 activities
- Include for user group "Sales managers" only Power BI activities
- Salesforce is connected to Microsoft Cloud App Security and no rules are set for it
The following user activities are monitored:
| User | Group membership | Activities monitored |
|---|---|---|
| Adriana | Germany all users | No activities monitored |
| Alain | Global sales | Office 365 and all subapps except Power BI |
| | | Office 365 and all subapps |
| Raymond | Sales managers | Power BI only |
Other apps will not be affected by the group scoping in these rules. In the example, for Salesforce, all activities are monitored for all user groups.
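The following is an added model of the scoping logic this page describes (exclude rules override include rules; an include rule scoped to specific apps restricts only those apps; apps with no include rule are monitored for everyone), evaluated against the example rules above. It is not Cloud App Security's own code: it assumes that Power BI is treated as a subapp of Office 365 and that an include rule naming a subapp takes precedence over one naming its parent app, which is what reproduces the table above.

```python
# Added model of Cloud App Security scoped-deployment semantics (not product code).
# Assumptions: "Power BI" is a subapp of "Office 365", and an include rule that
# names a subapp takes precedence over an include rule naming its parent app.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    groups: frozenset          # user groups the rule names
    apps: Optional[frozenset]  # None = rule applies to all connected apps

PARENT = {"Power BI": "Office 365"}  # constructed subapp -> parent-app hierarchy

def _specificity(rule, app):
    """0 = matches all apps, 1 = matches via parent app, 2 = names app; None = no match."""
    if rule.apps is None:
        return 0
    if app in rule.apps:
        return 2
    if PARENT.get(app) in rule.apps:
        return 1
    return None

def is_monitored(user_groups, app, includes, excludes):
    """True if activity in `app` by a user with these groups is monitored."""
    user_groups = frozenset(user_groups)
    # Exclude rules override include rules for every app they cover.
    for r in excludes:
        if user_groups & r.groups and _specificity(r, app) is not None:
            return False
    # Only include rules covering this app restrict it; the most specific ones decide.
    scored = [(_specificity(r, app), r) for r in includes]
    scored = [(s, r) for s, r in scored if s is not None]
    if not scored:
        return True  # no include rule scopes this app: all users are monitored
    best = max(s for s, _ in scored)
    return any(user_groups & r.groups for s, r in scored if s == best)

# The rules from the example on this page.
EXCLUDES = [Rule(frozenset({"Germany all users"}), None)]
INCLUDES = [
    Rule(frozenset({"Global sales"}), frozenset({"Office 365"})),
    Rule(frozenset({"Sales managers"}), frozenset({"Power BI"})),
]

def monitored_apps(user_groups, apps=("Office 365", "Power BI", "Salesforce")):
    """Apps in which a user with these groups is monitored under the example rules."""
    return [a for a in apps if is_monitored(user_groups, a, INCLUDES, EXCLUDES)]
```

Calling `monitored_apps({"Global sales"})` returns Office 365 and Salesforce but not Power BI, matching Alain's row; a user in both sales groups gets all three apps.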