Study Guide Series: Exam MS-500 – Implement and Manage Microsoft Cloud App Security (Part 4)

This post is part of the overall MS-500 Exam Study Guide. Links to each topic as they are posted can be found here.

This post will cover the following exam topics listed under the “Implement and Manage Microsoft Cloud App Security” section:

  • Configure Cloud App Security connectors and OAuth apps
  • Configure Cloud App Security policies and templates

In the previous post we saw how we can integrate apps into MCAS to provide insights and control using app connectors. We will continue with app integrations now and look at OAuth apps and how we can configure policies in MCAS to monitor and control the activities in our cloud apps.

Configure Cloud App Security Connectors and OAuth Apps

When we grant permissions to an app to access our profile or directory, these apps are registered in our tenant as OAuth apps (App Registrations). These apps generally request access from a user or admin to access data in the tenant to provide functionality to extend or complement Microsoft services.

One example of this is the Office 365 Mover service. We can see these apps available under the “OAuth Apps” page in the “Investigate” section of MCAS. We see a full list of the apps registered in our tenancy and can manage them from here.

On this page we can filter the list by app, user, state (whether it is approved or blocked in MCAS), community use (how often it’s used), permissions (the permissions that are assigned to the app) and the level of permissions assigned.

We can also perform some tasks on the apps themselves: view the details and logs of the app, access any published details for the app, and approve or block the app directly from here, which will either allow or disallow the app to gain access.

Configure Cloud App Security Policies and Templates

We have already looked at connected apps and how we can integrate them into our MCAS deployment, but it’s important to know we don’t need to stop there. We can also integrate featured third-party apps (and even non-featured apps with some work) into MCAS for use with our Session and Access policies.

To prepare the environment for this, I have integrated Dropbox for Business into the Azure Active Directory instance as an Enterprise app. This allows us to configure SSO via AAD and to route authentication through Conditional Access. From Conditional Access, we then configure Conditional Access App Control to route traffic via MCAS.

To get started, we create a new Conditional Access policy for the app(s) we have integrated and enable Conditional Access App Control. The details of this policy are below:

Now when users hit this policy, their access URL for Dropbox will be updated to use the MCAS proxy. This means that our session is running through MCAS and our policies can be applied.
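A Conditional Access policy of this kind can also be created with Microsoft Graph PowerShell. The following is an added example, not the policy from the original post: the display name, the application ID and the pilot group ID are placeholders, and starting in report-only mode is an assumption made for safe rollout.

```powershell
# Added example: Conditional Access policy that enables Conditional Access
# App Control for one enterprise app. Requires the
# Microsoft.Graph.Identity.SignIns module.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Application.Read.All'

# Placeholders (assumptions): replace with the application (client) ID of the
# Dropbox enterprise app and the object ID of a pilot group in your tenant.
$dropboxAppId = '00000000-0000-0000-0000-000000000000'
$pilotGroupId = '11111111-1111-1111-1111-111111111111'

$policy = @{
    displayName = 'Dropbox - Conditional Access App Control (example)'
    # Report-only first: sign-ins are evaluated and logged, nothing is enforced.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        applications   = @{ includeApplications = @($dropboxAppId) }
        users          = @{ includeGroups = @($pilotGroupId) }
        clientAppTypes = @('all')
    }
    sessionControls = @{
        cloudAppSecurity = @{
            isEnabled            = $true
            # 'mcasConfigured' hands control to the policies defined in MCAS;
            # 'monitorOnly' and 'blockDownloads' are the built-in alternatives.
            cloudAppSecurityType = 'mcasConfigured'
        }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Read the policy back to confirm which session control was stored.
Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id |
    Select-Object DisplayName, State,
        @{ n = 'AppControl'; e = { $_.SessionControls.CloudAppSecurity.CloudAppSecurityType } }
```

Sessions are only routed through the MCAS proxy once the policy state is changed to `enabled`; scoping to a pilot group limits the impact while the session policies are validated.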

Once this policy is configured and a user logs in for the first time to our app (Dropbox in this case) we will see the app appear in the “Conditional Access App Control” page under the “Connected Apps” page.

From here we can click the “Session Control” option to bring us to the policies page.

Creating a policy

To create a session control policy, select the “Create policy” option on the policies page and choose from the following policy types:

  • Access Policy – Controls whether a user will gain access to a specific app based on the criteria we specify
  • Activity Policy – Creates an alert based on specific activities and allows us to trigger automated playbooks and admin actions to respond
  • App Discovery Policy – Creates alerts for new apps discovered in the organization
  • Cloud Discovery Anomaly Detection Policy – Creates an alert for anomalies detected in Cloud Discovery continuous reports
  • File Policy – Allows us to automate actions based on specific criteria discovered in files in our environment
  • OAuth App Policy – Allows us to automate a response to OAuth apps being discovered that match particular criteria
  • Session Policy – Allows us to control the functionality that is permitted within the user’s session to an app


In this post we’ve looked at connecting OAuth apps, creating Conditional Access policies to leverage MCAS for Conditional Access App Control, and the different policies we can create. In the next post we will finish our exploration of MCAS by creating a policy, seeing the effects and then looking at how to manage alerts etc. day to day. For more information on the content here, check out the Microsoft documents below:

Protect with Microsoft Cloud App Security Conditional Access App Control | Microsoft Docs

Control which third-party cloud OAuth apps get permissions | Microsoft Docs

Investigate risky OAuth apps | Microsoft Docs

Deploy Cloud App Security Conditional Access App Control for any apps | Microsoft Docs

Connect Dropbox to Cloud App Security | Microsoft Docs
