MSFT Cloud Architecture Security


Microsoft Cloud Security for Enterprise Architects

Microsoft and customer security responsibilities

Security in the cloud is a partnership

The security of your Microsoft cloud services is a partnership between you and Microsoft. Microsoft cloud services are built on a foundation of trust and security. Microsoft provides you security controls and capabilities to help you protect your data and applications. You own your data and identities and the responsibility for protecting them, the security of your on-premises resources, and the security of cloud components you control (varies by service type).

Microsoft’s Trusted Cloud principles

• Security: Safeguarding your data with state-of-the-art technology, processes, and encryption is our priority.
• Privacy & Control: Privacy by design with a commitment to use customers’ information only to deliver services and not for advertisements.
• Compliance: The largest portfolio of compliance standards and certifications in the industry.
• Transparency: We explain what we do with your data, and how it is secured and managed, in clear, plain language.

The responsibilities and controls for the security of applications and networks vary by the service type.

SaaS (Software as a Service)
Microsoft operates and secures the infrastructure, host operating system, and application layers. Data is secured at datacenters and in transit between Microsoft and the customer. You control access and secure your data and identities, including configuring the set of application controls available in the cloud service.

PaaS (Platform as a Service)
Microsoft operates and secures the infrastructure and host operating system layers. You control access and secure your data, identities, and applications, including applying any infrastructure controls available from the cloud service. You control all application code and configuration, including sample code provided by Microsoft or other sources.

IaaS (Infrastructure as a Service)
Microsoft operates and secures the base infrastructure and host operating system layers. You control access and secure data, identities, applications, virtualized operating systems, and any infrastructure controls available from the cloud service.

Keys to success

Enterprise organizations benefit from taking a methodical approach to cloud security. This involves investing in core capabilities within the organization that lead to secure environments.

Governance & Security Policy
Microsoft recommends developing policies for how to evaluate, adopt, and use cloud services to minimize creation of inconsistencies and vulnerabilities that attackers can exploit. Ensure governance and security policies are updated for cloud services and implemented across the organization:
• Identity policies
• Data policies
• Compliance policies and documentation

Administrative Privilege Management
Your IT administrators have control over the cloud services and identity management services. Consistent access control policies are a dependency for cloud security. Privileged accounts, credentials, and workstations where the accounts are used must be protected and monitored.

Identity Systems and Identity Management
Identity services provide the foundation of security systems. Most enterprise organizations use existing identities for cloud services, and these identity systems need to be secured at or above the level of cloud services.

Threat Awareness
Organizations face a variety of security threats with varying motivations. Evaluate the threats that apply to your organization and put them into context by leveraging resources like threat intelligence and Information Sharing and Analysis Centers (ISACs).

Data Protection
You own your data and control how it should be used, shared, updated, and published. You should classify your sensitive data and ensure it is protected and monitored with appropriate access control policies wherever it is stored and while it is in transit.

Your responsibility for security is based on the type of cloud service. The following chart summarizes the balance of responsibility for both Microsoft and the customer. [Chart: each responsibility layer below is marked Microsoft or Customer for SaaS, PaaS, IaaS, and On-prem]
• Data governance & rights management
• Client endpoints
• Account & access management
• Identity & directory infrastructure
• Application
• Network controls
• Operating system
• Physical hosts
• Physical network
• Physical datacenter

February 2022 © 2022 Microsoft Corporation. All rights reserved. To send feedback about this documentation, please write to us at [email protected].

Overview

Safeguard your SaaS, PaaS, and IaaS services and data from Microsoft or other vendors with a comprehensive set of cloud security services.
• Best together: Leverages cross-product design and integration.
• Built-in: Included in Microsoft 365, Windows 11 or 10, Edge, and Azure.
• AI-powered: Microsoft analyzes trillions of security signals a day and responds to new threats.
• Transparent to users: Most security functions are behind the scenes so your workers can focus on getting things done.
• Extensible: Includes support for third-party cloud services, cloud and on-premises apps, and security products.

Microsoft security pillars

• Identity and device access: Ensure that your users, their devices, and the apps they are using are identified, authenticated, and restricted according to policies you create.
• Threat protection: Stop attacks across your entire organization with AI that stitches signals together and tells you what’s most important, allowing you to respond swiftly.
• Information protection: Discover, classify, and protect sensitive information wherever it lives or travels and ensure compliance with regulatory requirements.
• Cloud app protection: Install, monitor, protect, and detect when applications in your subscription are threats to your resources.

Licensing

Which license includes each capability (Microsoft 365 E3 and E5; Enterprise Mobility + Security (EMS) E3 and E5):

Identity and device access
• Azure Active Directory Premium P1, Windows Hello, Credential Guard, Direct Access: Microsoft 365 E3, Microsoft 365 E5, EMS E3, EMS E5
• Azure Active Directory Premium P2: Microsoft 365 E5, EMS E5
• Azure AD Identity Protection: Microsoft 365 E5, EMS E5
• Microsoft Intune: Microsoft 365 E3, Microsoft 365 E5, EMS E3, EMS E5

Threat protection
• Microsoft Advanced Threat Analytics, Windows Defender Antivirus, Device Guard: Microsoft 365 E3, Microsoft 365 E5, EMS E3, EMS E5
• Microsoft Defender for Office 365, Microsoft Defender for Endpoint, Microsoft 365 Defender: Microsoft 365 E5
• Microsoft Defender for Identity: Microsoft 365 E5, EMS E5

Information protection
• Sensitivity labels: Microsoft 365 E3, Microsoft 365 E5, EMS E3, EMS E5
• Microsoft 365 data loss prevention: Microsoft 365 E3, Microsoft 365 E5, EMS E3, EMS E5
• Microsoft Defender for Cloud Apps: Microsoft 365 E5, EMS E5

Windows 11 or 10 Enterprise
• Full feature set for identity and access management, threat protection, and information protection: Microsoft 365 E3, Microsoft 365 E5

Additional Azure services
• Microsoft Defender for Cloud: Provides threat protection for workloads running in Azure, on premises, and in other clouds. Integrated with Azure Security Center.
• Microsoft Sentinel: A cloud-native security information and event manager (SIEM) platform that uses built-in AI to help analyze large volumes of data across an enterprise.

Security solutions

Solutions built on Microsoft 365 and SaaS apps with Azure AD and Intune:
• Zero Trust identity and device access
• Ransomware protection for your Microsoft 365 tenant
• Information protection for data privacy regulations
• Secure collaboration

Identity and device access


A well-planned and executed identity infrastructure provides stronger security and protected access
by authenticated users and devices to your productivity workloads and their data.

Key components
Azure Active Directory (Azure AD) for user sign-ins and restrictions
Multi-factor authentication (MFA) Requires user sign-ins to supply an additional verification of identity.

Conditional Access Analyzes sign-in signals to make decisions about allowed access and to enforce organization policies.

Azure AD Identity Protection Detects potential vulnerabilities affecting your organization's identities and automates remediation of risks.

Microsoft Intune for device health and restrictions


Device enrollment Manage your workforce's devices and apps and how they access your company data.

Device compliance policies Require users and devices to meet organization health requirements to help protect organizational data.

App protection policies Use rules to ensure an organization's data remains safe or contained in a managed app for both enrolled and personal devices.

Access and restrictions for cloud apps


Access policies Define which users and devices are allowed to access a cloud app and its data.

Permissions Define what each allowed user and device is allowed to do within a cloud app and to its data.

Architecture

Signal: A user sign-in event includes a set of signals about the user, the device, and other factors.
Azure AD
• User name
• Device type
• Device name
• Location
• Client application
Microsoft Intune
• Device enrollment
• Device policies
• App protection policies
Evaluation data
• Group membership
• App info
• Device info
• Microsoft Threat intelligence info

Decision: Azure AD uses the signals and additional evaluation data with Conditional Access, Azure AD Identity Protection, Defender for Cloud Apps App Control, and Intune policies to decide to grant access, require additional sign-in steps, or deny access.
• Conditional Access
• Defender for Cloud Apps Conditional Access App Control
• Azure AD Identity Protection: leaked credentials, behavioral analytics, user risk-based Conditional Access policies
Outcomes:
• Grant access
• Grant access with MFA requirement
• Grant access with device compliance requirement
• Grant access after password change
• Deny access

Enforcement: Along with the sign-in session are restrictions from Intune app protection and MAM, Defender for Cloud Apps App Control, Azure Resource Manager, and Azure AD Application Proxy, which can enforce access to cloud and on-premises apps and resources. Cloud apps can also use the attributes of the sign-in session to enforce their own restrictions, such as denying access to a sensitive resource from an unmanaged device.
• Intune app protection policy restrictions, for Microsoft 365 cloud apps
• Defender for Cloud Apps App Control, for third-party SaaS and PaaS cloud apps
• Intune MAM policies, for mobile apps
• Azure Resource Manager, for the Azure portal
• Azure AD App Proxy, for on-premises apps
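The Signal/Decision flow above as a small policy evaluator, added here as an illustration rather than code from Microsoft or the poster: the policy set, control names, and sign-in events are constructed, and the evaluation rule (any matching block policy denies; otherwise every control required by a matching policy must be satisfied) is a simplification of how Conditional Access and Identity Protection combine signals.

```python
from dataclasses import dataclass

# Constructed model of the poster's Signal -> Decision flow. Not Azure AD's
# engine: policy shapes, control names and sample sign-ins are assumptions.

CONTROL_ORDER = ["mfa", "password_change"]   # interactive steps, in the order shown


@dataclass(frozen=True)
class SignIn:
    """Signals available on one sign-in event (user, device, app, location, risk)."""
    user: str
    groups: frozenset
    app: str
    client_app: str         # "browser", "mobile_app" or "legacy"
    device_compliant: bool  # Intune device compliance signal
    location_trusted: bool
    user_risk: str          # Identity Protection user risk: none/low/medium/high


@dataclass(frozen=True)
class Policy:
    """One Conditional Access-style policy: conditions plus a single control.

    Empty condition sets mean "any". control is one of:
    "block", "mfa", "compliant_device", "password_change".
    """
    name: str
    control: str
    groups: frozenset = frozenset()
    apps: frozenset = frozenset()
    client_apps: frozenset = frozenset()
    user_risk: frozenset = frozenset()
    skip_trusted_locations: bool = False

    def applies(self, s: SignIn) -> bool:
        return (
            (not self.groups or bool(self.groups & s.groups))
            and (not self.apps or s.app in self.apps)
            and (not self.client_apps or s.client_app in self.client_apps)
            and (not self.user_risk or s.user_risk in self.user_risk)
            and not (self.skip_trusted_locations and s.location_trusted)
        )


def evaluate(policies, s: SignIn):
    """Decide one sign-in: ("deny", reasons) or ("grant", required steps).

    All matching policies apply together: any block policy denies outright,
    a compliant-device requirement is met or denied from the device signal,
    and the remaining controls (MFA, password change) are steps the user
    must complete before the session is granted.
    """
    matched = [p for p in policies if p.applies(s)]
    blocks = [p.name for p in matched if p.control == "block"]
    if blocks:
        return "deny", blocks
    steps = set()
    for p in matched:
        if p.control == "compliant_device":
            if not s.device_compliant:
                return "deny", [f"{p.name}: device not compliant"]
            continue                      # satisfied by the device signal
        steps.add(p.control)
    return "grant", [c for c in CONTROL_ORDER if c in steps]


def demo_policies():
    """A constructed baseline policy set in the spirit of the poster's outcomes."""
    return [
        Policy("Block legacy authentication", "block", client_apps=frozenset({"legacy"})),
        Policy("Require MFA outside trusted locations", "mfa", skip_trusted_locations=True),
        Policy("Require compliant device for the finance app", "compliant_device",
               groups=frozenset({"finance"}), apps=frozenset({"finance-ledger"})),
        Policy("Medium user risk: require MFA", "mfa", user_risk=frozenset({"medium"})),
        Policy("High user risk: require password change", "password_change",
               user_risk=frozenset({"high"})),
    ]


if __name__ == "__main__":
    alice = SignIn("alice", frozenset({"finance"}), "finance-ledger",
                   "browser", True, True, "none")
    print(evaluate(demo_policies(), alice))       # ('grant', [])
```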

Solution: Zero Trust identity and device access configurations

Deploy Zero Trust-based secure access to Microsoft 365 for enterprise cloud apps and services, other SaaS services, and on-premises applications published with Azure AD Application Proxy.

Threat protection

Microsoft provides comprehensive threat detection and remediation across Microsoft and third-party cloud apps and on-premises apps and the centralization of signals for analysis and threat detection and response. The building blocks are Microsoft Defender and Microsoft Sentinel. See prerequisite information for Microsoft 365 Defender and Microsoft Sentinel for regional and government cloud availability.

Microsoft Defender

Use Microsoft 365 Defender and Microsoft Defender for Cloud to stop attacks across infrastructure and cloud platforms, protecting Azure and hybrid resources including virtual machines, databases, containers, and IoT.

Microsoft 365 Defender (Microsoft 365 Defender portal)
Unified pre- and post-breach enterprise defense suite that natively coordinates detection, prevention, investigation, and response across endpoints, identities, email, and applications to provide integrated protection against sophisticated attacks.
• Microsoft Defender for Identity: Leverages your on-premises Active Directory Domain Services (AD DS) signals to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions.
• Microsoft Defender for Office 365: Safeguards your organization against malicious threats posed by email messages, links (URLs), and collaboration tools. Provides protection against malware, phishing, spoofing, and other attack types.
• Microsoft Defender for Endpoint: Protects your organization’s endpoints (devices) from cyberthreats, advanced attacks, and data breaches.
• Microsoft Defender for Cloud Apps: Provides rich visibility, control over data travel, and sophisticated analytics to identify and combat cyberthreats across all your Microsoft and third-party cloud services.

Microsoft Defender for Cloud (Azure Security Center)
Advanced, intelligent protection of your Azure and hybrid resources and workloads. Protect your non-Azure servers and your virtual machines in other clouds (such as AWS and GCP). Azure-based resources covered: Server VMs, SQL, Containers, Network traffic, Industrial IoT, Azure App Services.

Microsoft Sentinel

A cloud-native security information and event management (SIEM) and security orchestration automated response (SOAR) solution that provides intelligent security analytics across your entire organization, powered by AI based on intelligence from decades of Microsoft experience.
• Connectors
• Workbooks to visualize data
• Analytics to correlate alerts into incidents
• Playbooks for automation and orchestration
• Investigation tools to find the root cause of a threat
• Hunting search and query tools

Connect your security information and event information to Microsoft Sentinel with connectors for Microsoft and third parties.
Microsoft cloud services: Microsoft 365 Defender, Microsoft Defender for Identity, Microsoft Defender for Cloud Apps, Microsoft Defender for Endpoint, Microsoft Defender for Office 365, Microsoft Defender for Cloud.
Third-party services, appliances, and solutions: AWS CloudTrail, Cisco Umbrella, F5 BIG-IP, Palo Alto Networks, and many others.

Components and relationships

Signals and security portals

[Diagram: your subscriptions in the Microsoft cloud (third-party SaaS and PaaS apps, other SaaS and PaaS apps, Microsoft 365, Azure AD and Azure AD Identity Protection, cloud security and threat intelligence) feed Microsoft Defender for Office 365, Microsoft Defender for Identity, Microsoft Defender for Endpoint, and Microsoft Defender for Cloud Apps, which make up Microsoft 365 Defender; Azure services (SQL, Server VMs, Storage, Network Traffic, Industrial IoT, Azure App Services, Azure Storage, Azure DNS, Azure Resource Manager, Azure Key Vault, Azure App Service) feed Microsoft Defender for Cloud.]

Signals from sign-ins, Windows 11 or 10 desktops, and Office 365 and other cloud apps feed into the components of Microsoft 365 Defender. The Microsoft 365 Defender portal shows the aggregate security posture and details of incidents and alerts.

Signals from Azure services feed into Microsoft Defender for Cloud. The Azure Security Center shows the aggregate security posture and details of incidents and alerts.

SIEM data and Microsoft Sentinel

[Diagram: the same subscriptions and Defender components as above, with Microsoft 365 Defender and Microsoft Defender for Cloud sending SIEM data to Microsoft Sentinel.]

Microsoft 365 Defender and Microsoft Defender for Cloud send SIEM log data through a series of Microsoft Sentinel connectors. Microsoft Sentinel in the Azure portal shows the aggregate security posture and details of incidents and alerts.

Microsoft Defender for Cloud Apps

Identify and combat cyberthreats across all your cloud services with Microsoft’s cloud access security broker (CASB) that provides multifunction visibility, control over data travel, and sophisticated analytics.

Control the use of Shadow IT
Identify the cloud apps, IaaS, and PaaS services used by your organization. Investigate usage patterns, assess the risk levels and business readiness. Manage them to ensure security and compliance.

Protect your sensitive information anywhere in the cloud
Understand, classify, and protect the exposure of sensitive information at rest. Leverage out-of-the-box policies and automated processes to apply controls in real time across all your cloud apps.

Protect against cyberthreats and anomalies
Detect unusual behavior across cloud apps to identify ransomware, compromised users, or rogue applications, analyze high-risk usage, and remediate automatically to limit the risk to your organization.

Assess the compliance of your cloud apps
Assess if your cloud apps meet relevant compliance requirements including regulatory compliance and industry standards. Prevent data leaks to non-compliant apps, and limit access to regulated data.

Key uses in your organization
• Discover and manage shadow IT
• Detect suspicious user activity
• Investigate risky users
• Investigate risky OAuth apps
• Discover and protect sensitive information
• Protect any app in your organization in real time
• Block downloads of sensitive information
• Manage cloud platform security
• Protect your files with admin quarantine
• Apply Azure Information Protection labels automatically
• Extend governance to endpoint remediation

Conditional Access App Control

With Conditional Access App Control, user app access and sessions are monitored and controlled in real time based on access and session policies. This allows you to:
• Prevent data exfiltration
• Protect on download
• Prevent upload of unlabeled files
• Block potential malware
• Monitor user sessions for compliance
• Block access
• Block custom activities

Defender for Cloud Apps integration

[Diagram: Microsoft Defender for Endpoint on IT-managed Windows 11 or 10 devices sends device traffic information; Microsoft 365 and third-party SaaS and PaaS apps connect through app connectors; Azure AD and third-party IdPs provide sign-in information, with Azure AD Conditional Access used for policy evaluation; firewalls and proxies send cloud app traffic logs; Defender for Cloud Apps sends signals to Microsoft 365 Defender and SIEM data to Microsoft Sentinel through the Sentinel connector.]

Defender for Cloud Apps is a central collection point for app information, cloud app traffic logs from network edge devices, device traffic information from Defender for Endpoint, and sign-in information from Azure AD and other identity providers (IdPs). Defender for Cloud Apps uses Azure AD Conditional Access for Conditional Access App Control, sends signals to Microsoft 365 Defender, and sends SIEM data to Microsoft Sentinel.

Defender for Cloud Apps architecture

[Diagram: in your subscriptions in the Microsoft cloud, Defender for Cloud Apps receives cloud app traffic and requests for app activity from Microsoft 365 and from third-party and other SaaS and PaaS apps through app connectors, and performs cloud discovery on traffic logs from your organization’s firewall or proxy; results appear in the Defender for Cloud Apps portal.]

Defender for Cloud Apps uses edge device traffic logs to discover apps and obtains information from cloud apps through app connectors. The Defender for Cloud Apps portal provides aggregate security posture and the details of incidents and alerts.

Architecture for Conditional Access App Control

Conditional Access App Control uses a reverse proxy architecture and allows user app access and sessions to be monitored and controlled in real time based on access and session policies.

[Diagram: cloud app traffic from your organization (through your firewall or proxy) to Microsoft 365 and to third-party and other SaaS and PaaS apps passes through the Defender for Cloud Apps reverse proxy for Conditional Access App Control (access and session controls); app connectors and cloud discovery remain in place.]


Information protection

Discover, classify, and protect sensitive information wherever it lives or travels.

Microsoft Information Protection (MIP)
• Sensitivity labeling: Helps you classify, label, and protect your data.
• Microsoft 365 Data Loss Prevention (DLP): Helps prevent accidental or inappropriate sharing of information with DLP policies.
• Defender for Cloud Apps: Discover and protect sensitive information across multiple locations and devices.

Classify, protect, and monitor your documents and emails.
• Know your data: Understand your data landscape and identify important data across your hybrid environment.
• Protect your data: Apply flexible protection actions, such as encryption, access restrictions, and visual markings.
• Monitor and remediate: See what’s happening with your sensitive data and gain more control over it.

Information protection for Microsoft 365

Protection for Microsoft 365 services, the data stored within them, and individual files and email:

Teams
• What determines who can access? Teams access lists
• What can they do? Actions and methods of access allowed by policy in the label
• How is it encrypted? Service encryption or Customer Key

SharePoint sites and OneDrive folders
• What determines who can access? Access lists
• What can they do? Actions and methods of access allowed by policy in the label
• How is it encrypted? Service encryption or Customer Key

Exchange email
• What determines who can access? Sensitivity label with permissions
• What can they do? Actions allowed by rights granted to user with the label
• How is it encrypted? Per-email encryption using either Microsoft-managed or tenant-managed keys

Files (protection that travels with the file)
• What determines who can access? Sensitivity label with permissions
• What can they do? Actions allowed by rights granted to user with the label
• How is it encrypted? Per-file encryption using either Microsoft-managed or tenant-managed keys

Sensitivity labeling

Sensitivity labels allow people in your organization to collaborate with others both inside and outside the organization by placing labels that classify and protect your organization's content, such as files and email messages. Key features include:
• Applies encryption, permissions, and content markings to files and email
• Support for content in Office apps across different platforms and devices
• Support for third-party apps and services and the content in them with the MIP SDK
• Cloud service-side auto-labeling policies for documents and emails
• Running auto-labeling policies in simulation mode
• Content Explorer and Activity Explorer to monitor labeling and user actions
• Support for containers that include Teams, Microsoft 365 Groups, and SharePoint sites
• Built-in labels that do not require a separate installed client
• Support for Power BI data and assets for Azure Purview
• Classification with or without using any protection settings
• Support for Conditional Access for unmanaged devices and external users
• Azure Information Protection (AIP) client can label file types not supported by built-in labeling

Label scopes
• Container label: For teams, SharePoint sites, and Microsoft 365 groups. Settings for privacy, external user access and sharing, and access from unmanaged devices.
• Content label: For documents and email. Settings for permissions, encryption, content marking, sensitivity awareness, and content tracking and revocation.
• Azure Purview label: For Azure assets, multi-cloud assets, and Power BI assets (data).

[Diagram: in Microsoft 365, container labels apply to Teams and SharePoint or OneDrive sites and content labels to Exchange email, attachments, and documents; Azure Purview labels apply to Azure, multi-cloud, and Power BI assets; content in third-party apps is labeled with Defender for Cloud Apps or the MIP SDK.]
Here’s how labels of different scope are used for Microsoft 365:
• Labels are created by a security administrator.
• Container labels are manually applied to SharePoint sites, groups, or teams.
• Content labels on files and emails are manually applied or auto-labeled by services, and are embedded and travel with the file and email.
• DLP policies can identify and protect files and email with a content label.

Here’s the recommended structure of labels and sublabels: an ordered list of labels (Label A, Label B, ..., Label n) from least to most restrictive, each with an ordered list of sublabels (Sublabel A-1, Sublabel A-2, ..., Sublabel A-n).
• Ordering labels from least to most restrictive is more intuitive for your users. It is also used by Microsoft 365 to determine when to prompt users for justifying why they changed a label to one that is less restrictive.
• The order of sublabels is used when auto-labeling. When content matches conditions for multiple labels, the last sublabel of the last label is applied.
• Client-side auto-labeling will never apply a label on a document already labeled with a higher-sensitivity label.
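The three ordering rules above as a small model, added here as an illustration rather than code from Microsoft or the poster: the label taxonomy and the regular expressions that stand in for auto-labeling conditions are constructed, and the example generalizes the "last sublabel of the last label" rule to any matching set.

```python
import re

# Constructed label taxonomy in the poster's recommended order: least to most
# restrictive, each sublabel listed directly after its parent label. Label
# names and the auto-labeling patterns are assumptions for the example, not a
# tenant's real configuration.
TAXONOMY = [
    # (label name, parent label or None, regexes whose match auto-applies it)
    ("Public", None, ()),
    ("General", None, ()),
    ("Confidential", None, ()),
    ("Confidential/Anyone", "Confidential", (r"\bINTERNAL ONLY\b",)),
    ("Confidential/Finance", "Confidential", (r"\bIBAN\b",)),
    ("Highly Confidential", None, (r"\bBOARD PAPER\b",)),
    ("Highly Confidential/All Employees", "Highly Confidential", (r"\bSSN\b",)),
    ("Highly Confidential/Specific People", "Highly Confidential", (r"\bPROJECT ZEUS\b",)),
]
ORDER = [name for name, _, _ in TAXONOMY]


def rank(label):
    """Position in the ordered list; a higher rank is more restrictive."""
    return ORDER.index(label)


def sublabels_of(label):
    return [name for name, parent, _ in TAXONOMY if parent == label]


def matching_labels(text):
    """Labels whose auto-labeling conditions match the content, in list order."""
    return [name for name, _, patterns in TAXONOMY
            if any(re.search(p, text) for p in patterns)]


def select_auto_label(text):
    """Poster rule: when content matches several labels, the last sublabel of
    the last matching label is applied. Returns None when nothing matches."""
    matches = matching_labels(text)
    if not matches:
        return None
    chosen = matches[-1]              # last in the ordered list wins
    children = sublabels_of(chosen)
    return children[-1] if children else chosen


def client_side_auto_label(text, existing=None):
    """Client-side auto-labeling never replaces a higher-sensitivity label,
    but does raise a lower one."""
    candidate = select_auto_label(text)
    if candidate is None:
        return existing
    if existing is not None and rank(existing) > rank(candidate):
        return existing
    return candidate


def needs_justification(old_label, new_label):
    """Microsoft 365 prompts for a justification when a user lowers a label."""
    return rank(new_label) < rank(old_label)
```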

Here’s how sensitivity labels are applied to different sets of files:
• In your Microsoft 365 E3 or E5 subscription (Teams, SharePoint, Exchange, OneDrive): Word, Excel, and PowerPoint files and Outlook emails get built-in labels, auto-labeled or manually applied.
• Other files (in Microsoft 365, non-Microsoft 365 files in your organization, and files in third-party Microsoft 365 apps) are labeled with the AIP client.

DLP

Detect, warn, and block risky, inadvertent, or inappropriate sharing of data containing personal or confidential information, both internally and externally:
• Personal information such as personally identifying information (PII) for compliance with regional privacy regulations.
• Confidential information based on sensitivity labels (in preview).

Locations where DLP applies
• Microsoft Teams: channel conversations, chat messages, and files shared in channel conversations and chat messages
• Exchange: email body and attachments
• SharePoint and OneDrive: files on SharePoint sites and OneDrive folders, and files on Teams sites
• Endpoint DLP: files in use on Windows 11 or 10 devices
• On-premises scanner: files in on-premises folders and on-premises SharePoint folders
• Defender for Cloud Apps: files in your cloud environment

DLP policies in the Microsoft 365 compliance center

DLP uses policies that define how to handle data with sensitive information types with well-known formats for PII, such as credit card numbers. They have this structure:
• Policies (ordered list: Policy A, Policy B, ..., Policy n), each with locations
• Rules within a policy (ordered list: Rule A-1, Rule A-2, ..., Rule A-n), each with:
  • Conditions (match any or all: Condition A-1-a, Condition A-1-b, ..., Condition A-1-n)
  • Exceptions
  • Actions: restrict access or encrypt the content in Microsoft 365 locations; restrict 3rd party apps
  • User notifications
  • User overrides
  • Incident reports
  • Rule priority

DLP policy evaluation: When content is evaluated against rules, the rules are processed in priority order. If content matches multiple rules, the rules are processed in priority order and the most restrictive action is enforced.
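The policy structure and evaluation rule above as a runnable model, added here as an illustration rather than code from Microsoft or the poster: the policy, rule priorities, the Luhn-checked credit card detector, and the sample messages are constructed, and actions are ranked so that the most restrictive one among the matching rules is the one enforced.

```python
import re

# Constructed model of the DLP policy structure and evaluation rule described
# above (rules in priority order, most restrictive action wins). The sensitive
# information type detector, policy and sample content are assumptions for the
# example, not Microsoft's DLP engine or a real tenant's policies.

# Actions from least to most restrictive; the evaluator enforces the maximum.
RESTRICTIVENESS = {"allow": 0, "policy_tip": 1, "block_with_override": 2, "block": 3}


def luhn_ok(digits):
    """Checksum that separates real card numbers from random 16-digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def count_credit_cards(text):
    """Sensitive information type 'Credit Card Number': 16 digits (optionally
    space- or dash-separated) that also pass the Luhn check."""
    hits = 0
    for m in re.finditer(r"\b(?:\d[ -]?){15}\d\b", text):
        if luhn_ok(re.sub(r"\D", "", m.group())):
            hits += 1
    return hits


SENSITIVE_TYPES = {"Credit Card Number": count_credit_cards}


def condition_matches(cond, content):
    """Conditions: ("sensitive_type", name, min_count), ("label", name),
    ("shared_externally", True/False)."""
    kind = cond[0]
    if kind == "sensitive_type":
        return SENSITIVE_TYPES[cond[1]](content["text"]) >= cond[2]
    if kind == "label":
        return content.get("label") == cond[1]
    if kind == "shared_externally":
        return content["shared_externally"] == cond[1]
    raise ValueError(f"unknown condition {kind}")


def rule_matches(rule, content):
    results = [condition_matches(c, content) for c in rule["conditions"]]
    matched = all(results) if rule["match_all"] else any(results)
    # An exception that matches removes the rule from consideration.
    return matched and not any(condition_matches(e, content) for e in rule["exceptions"])


def evaluate_policy(policy, content):
    """Return (enforced action, names of matching rules in priority order)."""
    if content["location"] not in policy["locations"]:
        return "allow", []
    matched = [r for r in sorted(policy["rules"], key=lambda r: r["priority"])
               if rule_matches(r, content)]
    if not matched:
        return "allow", []
    enforced = max((r["action"] for r in matched), key=RESTRICTIVENESS.__getitem__)
    return enforced, [r["name"] for r in matched]


def demo_policy():
    """Constructed 'Financial data' policy: one policy, three rules with priorities."""
    return {
        "name": "Financial data",
        "locations": {"Exchange", "SharePoint", "OneDrive"},
        "rules": [
            {"name": "Card number present", "priority": 0, "match_all": True,
             "conditions": [("sensitive_type", "Credit Card Number", 1)],
             "exceptions": [("label", "Test Data")],
             "action": "policy_tip"},
            {"name": "Card numbers shared externally", "priority": 1, "match_all": True,
             "conditions": [("sensitive_type", "Credit Card Number", 2),
                            ("shared_externally", True)],
             "exceptions": [],
             "action": "block"},
            {"name": "Highly Confidential shared externally", "priority": 2,
             "match_all": True,
             "conditions": [("label", "Highly Confidential"), ("shared_externally", True)],
             "exceptions": [],
             "action": "block_with_override"},
        ],
    }
```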

How DLP works for files saved in SharePoint and Exchange

1. File creation: User creates a file and adds data corresponding to a sensitive data type, or adds a sensitivity label.
2. User saves the file in SharePoint or OneDrive and DLP scans the file contents.
3. DLP events: User sends an email, posts a message or a file to a Teams chat or channel, or shares a file in SharePoint or OneDrive.
4. DLP processing: Based on matching DLP policies for sensitive data types and sensitivity labels, DLP can allow, block, show a policy tip, or send an email notification.

Solution: Information protection for data privacy regulations

Protect, manage, and provide rights and control over personal information stored in your IT infrastructure, including both on-premises and in the cloud, to comply with regional data privacy regulations. [Figure: deployment path]


Cloud app protection

With cloud app protection, you can more securely install apps in your subscription, restrict and monitor their use, and detect when they become threats to your resources.

The Microsoft cloud app ecosystem
• Development: Build apps on a platform that supports a range of services and continuous collaboration and delivery.
• Deployment: Register an app in Azure AD and make it available to your users to install and use.
• Threat protection and detection: Analyze alerts and incidents exposed in security portals for quick response and remediation.
• Secure access: Use Zero Trust to ensure strong authentication for users and compliant devices.
• Governance: Inventory, add, remove, and detect inactive or over-permissioned apps for removal.
• Shared security signaling: Do comprehensive cross-service analysis of alerts and their correlation and combination as incidents.
• Consistent incident response experience: Use the common design of security portals as a consistent way to respond to app-based threats.

Components

Three Microsoft services included with Microsoft 365 E5 or with additional licenses provide protection for apps in the Microsoft cloud.

Azure AD with Azure AD Identity Protection
• Apps: All Microsoft cloud apps, which includes Microsoft 365 apps (included with Microsoft 365 and third-party) and other Microsoft and third-party cloud apps
• Insights: App consent activity; user-to-app sign-in and permissions; weak credential detection; app roles and groups assigned
• Requirements: Monitor user consent and usage workflows; monitor user assignment; impose just-in-time app access; use Azure AD Conditional Access for app-to-app; require authentication methods for apps and service principals; revoke app’s access token
• Detections: Malicious apps (for example, consent phishing); overprivileged apps and role assignments; unused apps; aggregated app risk (across all signals); service principal compromise

Microsoft Defender for Cloud Apps
• Apps: All Microsoft cloud apps
• Insights: App consent activity by users; app metadata
• Requirements: Alert on app's metadata values (for example, a high permissioned app with an admin consent and infrequent use); revoke an app's access token on alert
• Detections: Office 365 audit log-based OAuth app detections; OAuth app metadata-based detections (such as homoglyphs and insecure URLs); anomalous behavior activity by applications

App access governance add-on
• Apps: All Microsoft cloud apps that are OAuth-enabled and access Microsoft 365 data through the Microsoft Graph APIs
• Insights: Microsoft 365 Graph API activity by resource and data type; view new or risky apps that access Microsoft 365 APIs in the tenant
• Requirements: Restrict the type of data an app can access in Microsoft 365; alert on apps that go outside predefined API activity permissions
• Detections: API activity-based app compromise or malicious behavior; API inactivity and inactive Graph permissions

Primary threats and components for app protection
• Attacker uses illicit app consent grant to access user data: Azure AD; Defender for Cloud Apps
• Insiders or attackers with compromised credentials use apps to access data: Azure AD with Azure AD Identity Protection; Defender for Cloud Apps
• Malicious apps use the Microsoft 365 app platform to access data: App governance add-on
• Insiders or attackers with compromised credentials use overprivileged apps to access data: Azure AD with Azure AD Identity Protection; Defender for Cloud Apps; App governance add-on

Component architecture
The components of app protection ai the Microsoft cloud are integrated with each other
and into the larger Microsoft cloud app ecosystem.

[Component architecture diagram: Within a Microsoft cloud subscription, users on devices sign in through Azure AD and Azure AD Identity Protection and use cloud apps (apps that are OAuth-enabled and access Microsoft 365 data through the Graph APIs). User app activity signals feed Microsoft Defender for Cloud Apps; OAuth and Graph API app activity signals feed the App governance add-on. Signals surface in Azure AD Identity Protection in the Azure AD Admin portal, the Microsoft Defender for Cloud Apps portal, and the Microsoft 365 Defender portal; SIEM data flows to Microsoft Sentinel in the Azure portal.]

Consistent incident response experience
Azure AD Identity Protection in the Azure AD Admin portal, the Defender for Cloud Apps portal, and app governance in the Microsoft 365 Defender portal provide a common way to view summaries of threat information in dashboards and the ability to analyze and respond to app-based alerts and incidents.

Shared security signaling with centralized incident response and orchestration
Security signals from Azure AD Identity Protection and Defender for Cloud Apps with the app governance add-on feed into Microsoft 365 Defender for an eXtended Detection & Response (XDR) solution. You can perform incident response for app-related incidents from the Microsoft 365 Defender portal.

The Microsoft 365 Defender security signals can also be sent to Microsoft Sentinel as SIEM data for security orchestration automated response (SOAR).



App policies
Policies are how you define requirements for restrictions and
specify app behaviors to meet your app security needs.

App security questions and where the corresponding policies live:

How do I require secure access to the app and specify allowed apps and user consent requirements?
User sign-ins with Azure AD
  Conditional Access policies to require:
  • Multi-Factor Authentication (MFA)
  • Only approved apps
  • Blocking of legacy authentication
  • Compliant devices (PCs, mobile) with Intune management
  User consent settings for:
  • Allowing
  • Blocking
  • Verified publishers

How healthy does the device need to be and how do I protect app data on the device?
Devices with Intune
  • Device compliance requirements policies
  • Level 2 and 3 App Protection Policies (APP) for data protection

How do I monitor app usage and detect and prevent malicious user behavior within apps?
Network traffic with Defender for Cloud Apps
  Conditional Access policy to use Conditional Access App Control for specific apps, groups, and users
  Defender for Cloud Apps session policies to:
  • Monitor all activities
  • Block all downloads
  • Protect files on download
  • Protect uploads of sensitive files

How do I require app compliance and detect and prevent malicious app behavior?
App platform use with the app governance add-on
  Usage policies for:
  • Increase in users
  • High data volume
  Permissions policies for:
  • Overpermissioned
  • New app with high privileges
  • New app with app-only permissions
  Certification policies for:
  • Certification loss
  • New uncertified app
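Added example, not code from the Microsoft poster: a Python check that reports which of the four Conditional Access requirements listed above (MFA, only approved apps, blocking legacy authentication, compliant devices) a set of policies actually enforces, reading the Microsoft Graph conditionalAccessPolicy shape (state, conditions.clientAppTypes, grantControls). The sample policies, the requirement names and the policy() helper are constructed for this example.

```python
"""Check which of the four Conditional Access requirements listed above a set of
policies covers. Policies use the Microsoft Graph conditionalAccessPolicy shape."""
LEGACY_CLIENT_TYPES = {"exchangeActiveSync", "other"}   # legacy authentication clients
CONTROL_TO_REQUIREMENT = {"mfa": "mfa", "approvedApplication": "approved_apps", "compliantDevice": "compliant_device"}

def policy(name, state, client_types, operator, controls):
    """Build a Graph-shaped policy scoped to all users and all cloud apps (constructed helper)."""
    return {"displayName": name, "state": state,
            "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": []},
                           "applications": {"includeApplications": ["All"]},
                           "clientAppTypes": client_types},
            "grantControls": {"operator": operator, "builtInControls": controls}}

# Constructed sample policies, not exported from a real tenant; the second is still report-only.
POLICIES = [
    policy("Block legacy authentication", "enabled",
           ["exchangeActiveSync", "other"], "OR", ["block"]),
    policy("Require MFA and compliant device", "enabledForReportingButNotEnforced",
           ["browser", "mobileAppsAndDesktopClients"], "AND", ["mfa", "compliantDevice"]),
]

def enforced_for_all(p):
    """True only if the policy is enabled (not report-only) and scoped to all users and apps."""
    c = p["conditions"]
    return (p["state"] == "enabled"
            and "All" in c["users"].get("includeUsers", [])
            and not c["users"].get("excludeUsers")
            and "All" in c["applications"].get("includeApplications", []))

def coverage(policies):
    """Map each requirement from the poster to the enforced policies that satisfy it."""
    found = {"mfa": [], "approved_apps": [], "block_legacy_auth": [], "compliant_device": []}
    for p in policies:
        if not enforced_for_all(p):
            continue
        gc = p["grantControls"]
        controls = set(gc["builtInControls"])
        # Under operator OR several controls are alternatives, so none is individually required.
        required = controls if gc["operator"] == "AND" or len(controls) == 1 else set()
        for control, requirement in CONTROL_TO_REQUIREMENT.items():
            if control in required:
                found[requirement].append(p["displayName"])
        if "block" in required and LEGACY_CLIENT_TYPES <= set(p["conditions"]["clientAppTypes"]):
            found["block_legacy_auth"].append(p["displayName"])
    return found

def gaps(policies):
    """Requirements that no enforced policy covers."""
    return sorted(r for r, names in coverage(policies).items() if not names)
```

Report-only policies are deliberately not counted, since a policy in that state enforces nothing even though it shows up in the tenant's policy list.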

App lifecycle
Use these steps for the lifecycle of apps in your Microsoft cloud subscriptions.

1. Acquisition
   Azure AD:
   1. Verify registration and certificate.
   2. Register app in tenant.
   3. Restrict user consent operations with an app consent policy.
   Defender for Cloud Apps: N/A
   App governance add-on: N/A

2. Deployment
   Azure AD:
   1. Azure AD Conditional Access policies: Add app to the list of allowed apps.
   2. Intune: Add app to MAM and APP policies.
   3. Try the app for 30 days in a test tenant.
   4. Sign-off for the app in your production tenant.
   5. Try the app for 60 days in your production tenant before widespread deployment.
   Defender for Cloud Apps: Add the new app to Conditional Access App Control policies.
   App governance add-on: Add the new app to app usage or app permissions policies.

3. Run state
   Azure AD:
   1. Monitor Azure AD Identity Protection alerts for compromised credentials.
   2. Update Conditional Access and Intune policies as needed.
   Defender for Cloud Apps:
   1. Monitor app usage by users.
   2. Resolve alerts and incidents.
   3. Modify Conditional Access App Control policies as needed.
   App governance add-on:
   1. Monitor the app's usage of the platform.
   2. Resolve alerts and incidents.
   3. Modify app usage and permissions policies as needed.

4. Decommission
   Azure AD:
   1. Azure AD Conditional Access policies: Remove the app from the list of allowed apps.
   2. Intune: Remove the app from MAM and APP policies.
   3. Remove the app registration from Azure AD.
   Defender for Cloud Apps: Remove the app from Conditional Access App Control policies.
   App governance add-on: Remove the app from usage and permissions policies.
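Added example, not code from the poster: a Python triage of an OAuth app inventory against the metadata detection named in the component table (a high-permissioned app with admin consent and infrequent use), the permissions and certification policies under App policies, and the run-state step of monitoring an app's use of the platform. The record fields, the HIGH_PRIVILEGE list, the 30-day window, the reference date and the three sample apps are assumptions constructed for this example.

```python
"""Evaluate OAuth app records against the usage, permissions and certification
criteria named on this page. Record fields and thresholds are assumptions."""
from datetime import date, timedelta
TODAY = date(2022, 2, 1)  # constructed reference date for the sample data below
HIGH_PRIVILEGE = {"Mail.ReadWrite", "Files.ReadWrite.All", "Directory.ReadWrite.All"}  # constructed; tune per tenant
# Constructed sample inventory, not real tenant data. last_api_activity None means never used.
APPS = [
    {"name": "Contoso Mail Helper", "registered": "2021-10-05", "admin_consented": True,
     "app_only": False, "permissions": ["Mail.ReadWrite", "User.Read"],
     "permissions_used": ["User.Read"], "last_api_activity": "2021-12-01",
     "certified": True, "previously_certified": True},
    {"name": "Fabrikam Sync", "registered": "2022-01-25", "admin_consented": True,
     "app_only": True, "permissions": ["Files.ReadWrite.All"],
     "permissions_used": ["Files.ReadWrite.All"], "last_api_activity": "2022-01-31",
     "certified": False, "previously_certified": False},
    {"name": "Tailspin Notes", "registered": "2021-06-01", "admin_consented": False,
     "app_only": False, "permissions": ["User.Read"], "permissions_used": ["User.Read"],
     "last_api_activity": "2022-01-30", "certified": False, "previously_certified": True},
]

def evaluate_app(app, today=TODAY, window_days=30):
    """Return the sorted policy names the app triggers; window_days defines 'new' and 'infrequent'."""
    window = timedelta(days=window_days)
    granted, used = set(app["permissions"]), set(app["permissions_used"])
    high = bool(granted & HIGH_PRIVILEGE)
    is_new = today - date.fromisoformat(app["registered"]) <= window
    last = app["last_api_activity"]
    infrequent = last is None or today - date.fromisoformat(last) > window
    hits = set()
    # Metadata detection from the component table: high-permissioned, admin-consented, rarely used
    if high and app["admin_consented"] and infrequent:
        hits.add("high-privilege-admin-consent-infrequent-use")
    # Permissions policies: overpermissioned, new app with high privileges, app-only permissions
    if granted - used:
        hits.add("overpermissioned")
    if is_new and high:
        hits.add("new-app-high-privileges")
    if app["app_only"]:
        hits.add("app-only-permissions")
    # Certification policies: certification loss, new uncertified app
    if not app["certified"] and app["previously_certified"]:
        hits.add("certification-loss")
    elif not app["certified"] and is_new:
        hits.add("new-uncertified-app")
    return sorted(hits)

def triage(apps, today=TODAY):
    """Map app name to its triggered policies, omitting apps with no findings."""
    findings = {a["name"]: evaluate_app(a, today) for a in apps}
    return {name: hits for name, hits in findings.items() if hits}
```

Each hit maps to one of the policy categories above, so the output can be used to decide which usage, permissions or certification policy needs review in the run state.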

More Microsoft cloud architecture models:
• Identity: aka.ms/cloudarchidentity
• Networking: aka.ms/cloudarchnetworking
• Hybrid: aka.ms/cloudarchhybrid

February 2022 © 2022 Microsoft Corporation. All rights reserved. To send feedback about this documentation, please write to us at [email protected].
