Day 10 #100DaysOfCloud

Microsoft Cloud App Security is a Cloud Access Security Broker. It discovers and provides visibility into users’ app usage, identifies anomalous behaviour and controls access.

In line with last weeks post regarding SIEM integration, I wanted to explore MCAS to show what’s available out of the box.

MCAS Prerequisites


Both Azure AD Premium P1 and P2 come with access to MCAS. If you use Premium P1, functionality is limited to Discovery only, whereas Premium P2 (included in M365 E5) has the full functionality we’ll be exploring in this series of posts.

Privileged Security Roles

Configuring MCAS requires Global Admin or Compliance Admin roles.

Networking and Access

In order to send data to the cloud service, devices or endpoints in the organisation will need to be able to reach specific web services. Specific IP addresses and DNS names are provided here

Accessing MCAS

To access MCAS, open Edge and visit the MCAS Portal. You’ll start with your MCAS Dashboard.

Configuring MCAS Settings

The default settings are good to start with. To take a look at the available options, head to the Settings cog (top right).

Settings within MCAS

Enabling Information Protection

The Files setting option allows you to enable MCAS to view files in SaaS apps.


MCAS provides quite a few template policies out of the box.
In this section, I’ll enable a policy that will detect a mass download by a single user.
For example if a user downloads 10 files in 1 minute, that could be considered suspicious. MCAS allows us to respond to that activity in a number of ways.

If the activity is detected, we can respond in the following ways:

Trying it out… some prerequites

There are some prerequisites to testing out this policy. Firstly, we need to make sure that the app we’re looking to monitor is connected or onboarded to MCAS.

Trying it out…

In this demonstration, my test user downloads a heap of files from Sharepoint

Within a few minutes, an activity appears in MCAS

MCAS alert

Investigate and Respond

With the activity being reported to the MCAS dashboard, I am able to take a more indepth look at what happened

By clicking Resolution Options near the top, I can opt to view some more informaiton about the user, activity, or perform a Governance action.

Resolution options

In this instance, I’ll choose to require the user to sign in again, which gives the following warning:


This action takes about a minute to complete, showing the following progress icon whilst it works.

Request processing

Once complete, Lee’s download-marathon is interupted:

Re-sign in required

Automating the response

Whilst it’s useful to be able to respond to this type of activity manually, it would be a good idea to set up the automated governance actions available in the policy. If you aren’t sure that the activity would always warranty a governance response, then modify the policy such that it would warrant a governance response. For example, rather than a policy that detects 10 downloads in 1 minute, create one that detects 50 downloads in 1 minute, which automatically forces a fresh sign-in.


As you can see, Microsoft Cloud App Security (MCAS) is a must-have for all cloud-enabled organisations.

Leave a Reply