Connect apps

Applies to: Microsoft Cloud App Security

App connectors use the APIs of app providers to enable greater visibility and control by Microsoft Cloud App Security over the apps you connect to.

Microsoft Cloud App Security uses the APIs provided by the cloud provider. Each service has its own framework and API limitations, such as throttling, API limits, dynamic time-shifting API windows, and others. Microsoft Cloud App Security worked with the services to optimize the usage of the APIs and to provide the best performance. Taking into account the different limitations that services impose on their APIs, the Cloud App Security engines use the allowed capacity. Some operations, such as scanning all files in the tenant, require numerous API calls, so they're spread over a longer period. Expect some policies to run for several hours or several days.

Multi-instance support

Cloud App Security supports multiple instances of the same connected app. For example, if you have more than one instance of Salesforce (one for sales, one for marketing), you can connect both to Cloud App Security. You can manage the different instances from the same console to create granular policies and perform deeper investigation. This support applies only to API-connected apps, not to Cloud Discovered apps or Proxy-connected apps.

Note

Multi-instance is not supported for Office 365 and Azure.

How it works

Cloud App Security is deployed with system admin privileges to allow full access to all objects in your environment.

The App Connector flow is as follows:

  1. Cloud App Security scans and saves authentication permissions.
  2. Cloud App Security requests the user list. The first time the request is made, it may take some time until the scan completes. After the user scan is over, Cloud App Security moves on to activities and files. As soon as the scan starts, some activities will be available in Cloud App Security.
  3. After completion of the user request, Cloud App Security periodically scans users, groups, activities, and files. All activities will be available after the first full scan.

This connection may take some time depending on the size of the tenant, the number of users, and the size and number of files that need to be scanned.

Depending on the app to which you're connecting, API connection enables the following items:

  • Account information - Visibility into users, accounts, profile information, status (suspended, active, disabled), groups, and privileges.

  • Audit trail - Visibility into user activities, admin activities, and sign-in activities.

  • Data scan - Scanning of unstructured data using two processes: periodically (every 12 hours) and in real time (triggered each time a change is detected).

  • App permissions - Visibility into issued tokens and their permissions.

  • Account governance - Ability to suspend users, revoke passwords, etc.

  • Data governance - Ability to quarantine files, including files in trash, and to overwrite files.

  • App permission governance - Ability to remove tokens.

The following table lists, per cloud app, which abilities are supported with App connectors:

Columns: AWS | Box | Dropbox | GCP | G Suite | Office 365 | Okta | ServiceNow | Salesforce | Webex | Workday

List accounts: Subject to G Suite connection
List groups: Subject to G Suite connection; Not supported by provider
List privileges: Subject to G Suite connection; Not supported by provider; Not supported by provider
User governance: Coming soon; Subject to G Suite connection; Coming soon; Coming soon; Not supported by provider
Log on activity: Subject to G Suite connection
User activity: Not applicable; ✔ - requires Google Business or Enterprise; Partial; Supported with Salesforce Shield
Administrative activity: Partial; Not supported by provider
DLP - Periodic scan: Not applicable; Not applicable; Not supported by provider
DLP - Near real-time scan: Not applicable; ✔ - requires Google Business Enterprise; Not applicable; Not supported by provider
Sharing control: Not applicable; Not applicable; Not applicable; Not supported by provider
File governance: Not applicable; Not applicable; Not supported by provider
View app permissions: Not applicable; Not supported by provider; Coming soon; Not applicable; Not applicable; Not applicable; Not applicable
Revoke app permissions: Not applicable; Not supported by provider; Coming soon; Not applicable; Not applicable; Not applicable; Not applicable
Apply Azure Information Protection labels: Not applicable; Not applicable; Not applicable; Not applicable; Not applicable

Prerequisites

  • For some apps, it may be necessary to allow-list IP addresses to enable Cloud App Security to collect logs and provide access for the Cloud App Security console. For more information, see Network requirements.

  • For each app that you want to connect with the Cloud App Security API integration, we recommend creating an admin service account dedicated to Cloud App Security.

Note

To get updates when URLs and IP addresses are changed, subscribe to the RSS feed as explained in Office 365 URLs and IP address ranges.

To use App Connectors, you need to make sure you have the following for each specific app:

App | License type | User
Azure | | Global Admin
AWS | | Newly created user
Box | Enterprise | It's strongly recommended that you connect to Box as an Admin. Connecting as a Coadmin will result in only partial data visibility. If you connect as a Coadmin, make sure to select all permissions.
Dropbox | Business/Enterprise | Admin
GitHub | GitHub Enterprise Cloud | Owner
GCP | See the connect GCP prerequisites |
G Suite | G Suite Business or Enterprise preferred; G Suite Enterprise (minimally) | Super Admin
Office 365 | | Global Admin
Okta | Enterprise (not trial) | Admin
Salesforce | | Admin
ServiceNow | Eureka and up | Admin + RestAPI role
Webex | | Admin + Compliance Admin
Workday | See the connect Workday prerequisites |

ExpressRoute

Cloud App Security is deployed in Azure and fully integrated with ExpressRoute. All interactions with the Cloud App Security apps and all traffic sent to Cloud App Security, including the upload of discovery logs, are routed via ExpressRoute public peering for improved latency, performance, and security. There are no configuration steps required on the customer side. For more information about public peering, see ExpressRoute circuits and routing domains.

Disable app connectors

Note

  • Before disabling an app connector, make sure you have the connection details available, as you will need them if you want to re-enable the connector.
  • These steps cannot be used to disable the Azure connector.

To disable connected apps:

  1. In the Connected apps page, in the relevant row, click the three dots and select Disable App connector.
  2. In the pop-up, click Disable App connector instance to confirm the action.

Once disabled, the connector instance stops consuming data from the connected app.

Re-enable app connectors

To re-enable connected apps:

  1. In the Connected apps page, in the relevant row, click the three dots and select Edit app. This starts the process to add a connector.
  2. Add the connector using the steps in the relevant API connector guide. For example, if you are re-enabling GitHub, use the steps in Connect GitHub Enterprise Cloud to Cloud App Security.

Next steps

If you run into any problems, we're here to help. To get assistance or support for your product issue, please open a support ticket.

Check out this video!