Inhalt

Data Protection Made a Breeze: MDA integration in Edge for Business

Microsoft Defender for Cloud Apps is one of the many puzzle pieces of the Microsoft XDR solution that helps you to secure your corporate environment. While Defender for Endpoint and Defender for Office 365 may be the more prominent names in this puzzle, Defender for Cloud Apps has a few aces up it’s sleeve that help you to protect access to corporate data on a complete other level.

Many of you might already know the cloud discovery capabilities, which help you to get a deep insight into your companies usage of Software as a Service solutions.

But the hidden champion is the Conditional Access App Control feature.

Conditional Access App Control

Using this feature you can, depending on conditions you can define in a Conditional Access policy, steer users not directly to the regular endpoint of the application, but to a service that functions like a reverse proxy. This way every interaction sent from the user to the SaaS will be first terminated there and you can add additional protections, logging and controls, that otherwise would not be possible.

Session policies

Supported controls that can be configured through these session policies include blocking the user to upload/download files or prevent copy/paste of website data.

This way you can keep your companies data from being extracted on an unmanaged device or from a unknown location while still allowing read only access for the user.

Reverse proxy

As with every reverse proxy based solution the traffic must route through an additional hop before it can terminate at the final service. This can introduce additional latency and some controls, that solely rely on the uncontrolled web browser, might not always work as expected. The user might still be able to open the developer tools and inspect the source code of the website, the network traffic and more.

Therefore Microsoft introduced, in public preview, a new way to provide fast and secure access:

The integration of those features in Edge for Business.

This solved the dilemma of the reverse proxy and since Microsoft now controls the browser as well as the session policies, it’s possible to enforce them directly on the endpoint. This extends the protection by disabling the developer tools when accessing corporate data. As mentioned before, if not disabled, the developer tools can be a security issue if essential data like session or access token are exposed in the network data.

Removing the reverse proxy also reduces the latency and therefor your users will have a much better experience, while you are still in full control. And neither the admin nor the user has to think about it. As long as the users uses Edge they benefit and if the user switches browsers they are still secure, behind the reverse proxy.

Enable Edge for Business integration

Enabling the new experience is as easy as the switch of a button. Head over to security.microsot.com → System Settings → Cloud apps → Edge for Business integration and enable the feature.

/data-protection-breeze-mda-integration-edge-business/images/mda-edgeforbusiness-turn-on.png
Enable Edge for Business integration

By default the user will receive a customizable message if the don’t access the published app through Microsoft Edge, acting like a nudge. Since you are able to change the message text this could be a more appropriate text for your users.

/data-protection-breeze-mda-integration-edge-business/images/mda-prompt.png
Customizable message

Supported controls

In public preview the following block methods are supported.

  • Block\Monitor of file download (all files\sensitive files)
  • Block\Monitor file upload
  • Block\Monitor copy\cut
  • Block\Monitor print

Setup sessions controls and conditional access

Let’s explore a sample use case to show the capabilities of this feature in action:

First you need to create a session policy. For this head over to the Cloud apps policy management and switch to the “Conditional access” tab.

Create a new session policy and select of the templates. In this case I will use the “Block cut/copy and paste based on real-time content inspection” template.

/data-protection-breeze-mda-integration-edge-business/images/create-session-policy.png
Create a new session policy from template

I modified the template to only prevent print, cut and copy for all Microsoft Online Services. This category includes the Azure portal, so be careful. Also I used the default to exclude hybrid joined or Intune compliant devices.

/data-protection-breeze-mda-integration-edge-business/images/session-policy-filter.png
Applied filters for this session policy

Then I headed over to the Conditional Access policies and created a policy targeting my test user, for all cloud apps, but only when using a browser from a non mobile device. As a precaution I also excluded hybrid joined and compliant devices using device filter.

But the most important setting is in the session controls. Enable “Use Conditional Access App Control” and set it to “Use custom policy…”

/data-protection-breeze-mda-integration-edge-business/images/entra-cap-appcontrol.png
Entra ID Conditional Access App Control

Next use the Microsoft Edge browser an sign-in to e.g. Outlook using the defined test user from a non-corporate device. You should be able to access the website but, depending on your configuration, you might first have to register your work profile. After this you have access to work data without going through the reverse proxy solution.

As you can see the URL is not rewritten to mcas[.]ms and in the advanced website information the Microsoft Defender for Cloud Apps indicator is shown. If you click on it you will see that this session is managed and also that actions are logged and can be reviewed.

/data-protection-breeze-mda-integration-edge-business/images/edgebrowser.png
Defender for Cloud Apps in the edge browser

And if you want to enable the developer tools, you can’t anymore. They are disabled and greyed out.

/data-protection-breeze-mda-integration-edge-business/images/edgebrowser-blocked.png
Blocked developer tools

When you attempt to perform an action that is blocked, the browser will warn you about this and prevent the action from happening.

/data-protection-breeze-mda-integration-edge-business/images/edge-mda-blocked.png
Blocked action popup in Edge

If you would use a different browser the session policy is not not working, but it will fallback to the reverse proxy experience as you see in this screenshot.

/data-protection-breeze-mda-integration-edge-business/images/edge-mcasms.png
Outlook over reverse proxy

Troubleshooting

If a user is not getting the new integrated experience, this might be because there are other policies that are incompatible with the current feature scope. Based on the docs this could be anything from the following use cases.

  • Google Chrome users
  • Microsoft Edge users who are scoped to a block paste policy
  • Microsoft Edge users on Android devices
  • Users in apps that use the OKTA authentication method
  • Microsoft Edge users in InPrivate mode
  • Microsoft Edge users with older browser versions
  • B2B guest users

To check which policies were applied check out the activity logs and select the policy that you expect to be applied. Search for the user and check of there are any other policies applied that might contain a method not supported. Depending on your needs adjust the policy or wait until further use cases get added to this experience.

/data-protection-breeze-mda-integration-edge-business/images/mda-activitylog.png
Activity logs in the XDR portal

Logging and hunting

While you can navigate using the Activity logs in the web UI and see actions that were blocked, or if the user was redirected, you can do yourself a favor and use Advanced Hunting. While this blog post goes not into the depth of the log source itself, I added a few interesting hunting queries to get you started.

/data-protection-breeze-mda-integration-edge-business/images/mda-activitylog-blocked.png
Blocked cut/copy action of the user

Copy to clipboard events

CloudAppEvents
| where ActivityType == @"Clipboard"
| where ActionType == @"Cut/Copy item"

Disable of Cloud App Session Policy

CloudAppEvents
| where ActionType == @"Set-ConditionalAccessPolicy"
| where ActivityObjects has "Disabled"
| extend ActivityObjects = todynamic(ActivityObjects)
| mv-apply PolicyDetails  = ActivityObjects to typeof(dynamic) on ( where ActivityObjects has "PolicyDetails")
| where PolicyDetails.Name == 'PolicyDetails'
| extend PolicyDetails = todynamic(PolicyDetails).Value

Conclusion

In-browser protection with Microsoft Edge for Business is a great addition to the toolbelt of any Defender and helps with data loss prevention. I hope this feature get’s more attention from customers and that Microsoft is extending the supported use cases. E.g. support for B2B users and additional actions like paste would be a welcome addition in the future. Also the ability to block access if it’s not coming from a browser supporting in-browser protection would be something that could help in certain edge scenarios.