Importing user groups from connected apps

Applies to: Microsoft Cloud App Security

When you connect apps using API connectors, Microsoft Cloud App Security enables you to import user groups, for example from Office 365 and Azure Active Directory. There are two types of user groups:

  • Automatic groups
    Automatic groups are created by default by Microsoft Cloud App Security. For example, there's an automatic user group called External that combines all users from all apps who are external to your organization and have access to files or were in user activities in your tenant. The following automatic groups exist in Cloud App Security:

    • External
    • Dropbox administrator
    • Office 365 administrator
    • G Suite administrator
    • Box administrator
    • All Salesforce standard and custom profiles, for example, Salesforce System Administrator. See the full list here.
  • Imported groups
    You can import any group from your connected apps. For example, you can import user groups from Office 365 (Active Directory) and other connected apps. These groups enable you to look for threats in your org, not by looking at the whole org or at a specific user, but by looking at a specific group.

Typical scenarios that use imported user groups include:

  • Investigating which docs the HR people look at
  • Check if there's something unusual happening in the executive group
  • Find if someone from the admin group performed an activity outside the US.

How to import user groups

  1. In the menu bar, click the settings icon settings icon and select User groups.

  2. Click Import user group.

    Import user groups

  3. Select the app from which to import the user group. The list of apps will depend on which App Connectors you deployed.

  4. Select the group to import. The list of available groups will be a list of all the existing user groups in the app itself. If you want to add a new group, you have to do it directly in the app itself. Then, when the group appears in the list here, select it.

  5. Depending on the size of the group, import can take up to an hour. You can select the option to be notified by email when the import process is complete.

  6. Click Import. After you import a group, Cloud App Security automatically syncs the group members, just like Active Directory Connect.

  7. After the import is complete, from the User groups page you can click on a specific group to view a list of all the members of the group. Click on any member of the group to further drill down into the details of a specific account. You can view which apps they use and a summary of the account including graphs of the user and their activity.

Importing groups enables you to select those groups as filters when investigating in the Activity log and when creating policies.

Note

  • Only activities performed after importing a user group will be tagged as having been performed by a member of the user group.
  • After the initial sync, groups are updated every hour.

For more information on using the User group filters, see Activities.

Next steps

Set up Cloud Discovery

Premier customers can also create a new support request directly in the Premier Portal.