ZSCALER AND MICROSOFT

DEFENDER FOR CLOUD APPS

DEPLOYMENT GUIDE

SEPTEMBER 2024, VERSION 1.1 BUSINESS DEVELOPMENT GUIDE

 ZSCALER AND MICROSOFT DEFENDER FOR CLOUD APPS DEPLOYMENT GUIDE

Contents
Terms and Acronyms 4
About This Document 6
Zscaler Overview 6
Microsoft Overview 6
Audience 6
Document Prerequisites 6
Software Versions 6
Request for Comments 7
Zscaler and Microsoft Introduction 8
ZIA Overview 8
Zscaler Resources 8
Microsoft Defender for Cloud Apps Overview 9
Microsoft Defender for Cloud Apps Resources 9
Zscaler Logging Architecture Overview 10
NSS 10
Logging in to ZIA 11
Configuring NSS 11
Step 1: Verify You Meet All NSS Deployment Prerequisites 11
Step 2: Add an NSS Server and Download the SSL Certificate
in the ZIA Admin Portal 12
Step 3: Deploy to Azure Using the Zscaler NSS ARM Template 13
Step 4: Configure and Start NSS on the VM Instance 13
Step 5: Configure a MCAS NSS Feed 14

Enable the Microsoft Defender for Cloud App Integration 19

Step 1: Enable Automatic Log Uploads
in the Microsoft Defender for Cloud Apps Portal 19
Step 2: Create a Microsoft Entra Application 20

©2023 Zscaler, Inc. All rights reserved. 2

 ZSCALER AND MICROSOFT DEFENDER FOR CLOUD APPS DEPLOYMENT GUIDE

Step 3: Configure Microsoft Defender for Cloud Apps Integration

in the ZIA Admin Portal 24
Step 4: Enable Automatic Log Uploads to Microsoft Defender
for Cloud Apps for NSS 26
Step 5: Verify your Microsoft Defender for Cloud Apps Integration Configuration 27

Troubleshooting 28
Appendix A: Requesting Zscaler Support 29

©2023 Zscaler, Inc. All rights reserved. 3

 ZSCALER AND MICROSOFT DEFENDER FOR CLOUD APPS DEPLOYMENT GUIDE

Terms and Acronyms

The following table defines the acronyms used in this deployment guide. When applicable, a Request for Change (RFC) is
included in the Definition column for your reference.

Acronym Definition
ARM Azure Resource Manager (Microsoft
CA Central Authority (Zscaler)
CSV Comma-Separated Values
DLP Data Loss Prevention
DNS Domain Name Service
DPD Dead Peer Detection (RFC 3706)
GRE Generic Routing Encapsulation (RFC2890)
ICMP Internet Control Message Protocol
IKE Internet Key Exchange (RFC2409)
IPS Intrusion Prevention System
IPSec Internet Protocol Security (RFC2411)
MCAS Microsoft Cloud App Security (Microsoft)
MDCA Microsoft Defender for Cloud Apps (Microsoft)
PFS Perfect Forward Secrecy
PSK Pre-Shared Key
SSL Secure Socket Layer (RFC6101)
TLS Transport Layer Security
VDI Virtual Desktop Infrastructure
XFF X-Forwarded-For (RFC7239)
ZDX Zscaler Digital Experience (Zscaler)
ZIA Zscaler Internet Access (Zscaler)
ZPA Zscaler Private Access (Zscaler)

©2023 Zscaler, Inc. All rights reserved. 4

 ZSCALER AND MICROSOFT DEFENDER FOR CLOUD APPS DEPLOYMENT GUIDE

Trademark Notice
© 2024 Zscaler, Inc. All rights reserved. Zscaler™ and other trademarks listed at zscaler.com/legal/trademarks are either (i)
registered trademarks or service marks or (ii) trademarks or service marks of Zscaler, Inc. in the United States and/or other
countries. Any other trademarks are the properties of their respective owners.

©2023 Zscaler, Inc. All rights reserved. 5

 ZSCALER AND MICROSOFT DEFENDER FOR CLOUD APPS DEPLOYMENT GUIDE

About This Document

The following sections describe the organizations and requirements of this deployment guide.

Zscaler Overview
Zscaler (NASDAQ: ZS) enables the world’s leading organizations to securely transform their networks and applications for
a mobile and cloud-first world. Zscaler Internet Access (ZIA) and Zscaler Private Access (ZPA) services create fast, secure
connections between users and applications, regardless of device, location, or network. Zscaler delivers its services 100%
in the cloud and offers the simplicity, enhanced security, and improved user experience that traditional appliances or
hybrid solutions can’t match. Used in more than 185 countries, Zscaler operates a massive, global cloud security platform
that protects thousands of enterprises and government agencies from cyberattacks and data loss. For more information,
see Zscaler’s website or follow Zscaler on Twitter @zscaler.

Microsoft Overview
Microsoft (MSFT) develops and licenses consumer and enterprise software. It is known for its Windows operating
systems and Office productivity suite. The company is organized into three equally sized broad segments: productivity
and business processes (legacy Microsoft Office, cloud-based Microsoft 365, Exchange, SharePoint, Skype, LinkedIn,
Dynamics), intelligence cloud (infrastructure- and platform-as-a-service offerings Azure, Windows Server OS, SQL Server),
and more personal computing (Windows Client, Xbox, Bing search, display advertising, and Surface laptops, tablets, and
desktops). To learn more, refer to Microsoft's website.

Audience
This guide is for network administrators, endpoint and IT administrators, and security analysts responsible for deploying,
monitoring, and managing enterprise security systems. For additional product and company resources, refer to:

• Zscaler Resources
• Microsoft Defender for Cloud Apps Resources
• Appendix A: Requesting Zscaler Support

Document Prerequisites
To use this document, the following prerequisites are required:

ZIA:

• An active instance of ZIA 6.2 or later

• Administrator login credentials to ZIA

Microsoft Defender for Cloud Apps:

• Administrator login credentials to Microsoft Defender for Cloud Apps

• Active subscription to Microsoft Defender for Cloud Apps

Software Versions
This document was authored using the latest version of the Zscaler software.

©2023 Zscaler, Inc. All rights reserved. 6

 ZSCALER AND MICROSOFT DEFENDER FOR CLOUD APPS DEPLOYMENT GUIDE

Request for Comments

• For prospects and customers: Zscaler values reader opinions and experiences. Contact partner-doc-support@
zscaler.com to offer feedback or corrections for this guide.
• For Zscaler employees: Contact [email protected] to reach the team that validated and authored the
integrations in this document.

©2023 Zscaler, Inc. All rights reserved. 7

 ZSCALER AND MICROSOFT DEFENDER FOR CLOUD APPS DEPLOYMENT GUIDE

Zscaler and Microsoft Introduction

The following are overviews of the Zscaler and Microsoft applications described in this deployment guide.

exclamation-triangle Ifdifferent
you are using this guide to implement a solution at a government agency, some of the content might be
for your deployment. Efforts are made throughout the guide to note where government agencies might
need different parameters or input. If you have questions, contact your Zscaler Account team.

ZIA Overview
ZIA is a secure internet and web gateway delivered as a service from the cloud. Think of it as a secure internet onramp—
all you do is make Zscaler your next hop to the internet via one of the following methods:

• Setting up a tunnel (GRE or IPSec) to the closest Zscaler data center (for offices).
• Forwarding traffic via the lightweight Zscaler Client Connector or PAC file (for mobile employees).

No matter where users connect—a coffee shop in Milan, a hotel in Hong Kong, or a VDI instance in South Korea—they get
identical protection. ZIA sits between your users and the internet and inspects every transaction inline across multiple
security techniques (even within SSL).

You get full protection from web and internet threats. The Zscaler cloud platform supports Cloud Firewall, intrusion
prevention system (IPS), Sandboxing, data loss prevention (DLP), and Isolation, allowing you to start with the services you
need now and activate others as your needs grow.

Zscaler Resources
The following table contains links to Zscaler resources based on general topic areas.

Name and Link Description

ZIA Help Portal Help articles for ZIA.

Zscaler Tools Troubleshooting, security and analytics, and browser extensions that help Zscaler
determine your security needs.

Zscaler Training and Certification Training designed to help you maximize Zscaler products.

Submit a Zscaler Support Ticket Zscaler Support portal for submitting requests and issues.

The following table contains links to Zscaler resources for government agencies.

Name and Link Description

ZIA Help Portal Help articles for ZIA.

Zscaler Tools Troubleshooting, security and analytics, and browser extensions that help Zscaler
determine your security needs.

Zscaler Training and Certification Training designed to help you maximize Zscaler products.

Submit a Zscaler Support Ticket Zscaler Support portal for submitting requests and issues.

©2023 Zscaler, Inc. All rights reserved. 8

 ZSCALER AND MICROSOFT DEFENDER FOR CLOUD APPS DEPLOYMENT GUIDE

Microsoft Defender for Cloud Apps Overview

Microsoft Defender for Cloud Apps is a Cloud Access Security Broker (CASB) that supports various deployment modes
including log collection, API connectors, and reverse proxy. It provides rich visibility, control over data travel, and
sophisticated analytics to identify and combat cyberthreats across Microsoft and third-party cloud services.

Microsoft Defender for Cloud Apps natively integrates with leading Microsoft solutions and is designed with security
professionals in mind. It provides simple deployment, centralized management, and innovative automation capabilities.

To learn more, refer to the Microsoft Defender for Cloud Apps website.

Microsoft Defender for Cloud Apps Resources

The following table contains links to Microsoft Defender for Cloud Apps support resources.

Name and Link Description

Microsoft Defender for Cloud Apps Articles with use cases to get started using Microsoft Defender for Cloud
Documentation Apps.

Microsoft Defender for Cloud Apps Support portal for Microsoft Defender for Cloud Apps problems and help.
Support

©2023 Zscaler, Inc. All rights reserved. 9

 ZSCALER AND MICROSOFT DEFENDER FOR CLOUD APPS DEPLOYMENT GUIDE

Zscaler Logging Architecture Overview

When customers use ZIA, every customer-initiated transaction that traverses ZIA generates a corresponding log message.
Logs messages are retained by Zscaler for six months (or longer through a paid-for service).

Customers can view and search these logs using the Dashboard of the ZIA Admin Portal.

ZIA requires Nanolog Streaming Service (NSS) to send log messages outside of the Zscaler cloud.

NSS
Log messages are stored in Nanolog. When an organization deploys NSS for various log feeds, each NSS opens a
secure tunnel to the Nanolog in the Zscaler cloud. The Nanolog then streams copies of the logs to each NSS in a highly
compressed format to reduce bandwidth footprint. The original logs are retained on the Nanolog.

When NSS receives the logs from the Nanolog, it unscrambles them, applies the configured filters to exclude unwanted
logs, converts the filtered logs to the configured output format so they can be parsed by Microsoft Defender for Cloud
Apps, and then streams the logs to Microsoft Defender for Cloud Apps using an Authentication Token generated in the
Microsoft 365 Defender portal.

Figure 1. Nanolog Streaming Service and Microsoft Defender for Cloud Apps overview

©2023 Zscaler, Inc. All rights reserved. 10

 ZSCALER AND MICROSOFT DEFENDER FOR CLOUD APPS DEPLOYMENT GUIDE

Logging in to ZIA
First, set up the Zscaler side of this service.

Log in to Zscaler using your Administrator Account. If you are unable to log in using your Administrator Account, contact
Zscaler Support (government agencies, see Zscaler Support).

Figure 2. ZIA Admin Portal

Configuring NSS
This deployment guide leverages the Zscaler NSS ARM Template from the Zscaler GitHub Repository. Alternative options
are available and you can find the NSS Deployment Guide based on your deployment type (government agencies, see
NSS Deployment Guide).

Before you begin deployment, contact Zscaler Support to obtain the NSS VHD SAS token and the Azure VM instance
type recommendations.

Step 1: Verify You Meet All NSS Deployment Prerequisites

You need the following to deploy NSS over your VM:

• A subscription to NSS for Web.

• VM Specs:

• CPU: 2 CPU cores: NSS uses one core for the control plane and another core for the data plane.
• Instance Memory: Minimum of 8 GB for up to 8K users, 16 GB for up to 20K users, 32 GB for up to 50K users, 48
GB for up to 75K users, and 64 GB for above 75K users.
• Storage account: General Purpose.
• Network Specs:

• Two network interfaces:

• The first network interface is the management IP address. It's used to control connections to the Zscaler
cloud and to make an SSH connection to the NSS VM for configuration and management. You can

©2023 Zscaler, Inc. All rights reserved. 11

 ZSCALER AND MICROSOFT DEFENDER FOR CLOUD APPS DEPLOYMENT GUIDE

customize the deployment and define a separate IP address for the SSH connection to the NSS VM.
• The second network interface is the service IP address. It is used for data connections to the Zscaler cloud
and Microsoft Defender for Cloud Apps.

• Two public IP addresses.

• Bandwidth for log download: 11 Mbps for 10K users.

Clipboard-list It's mandatory to deploy the NSS instance behind a VM network security group. The NSS instance only requires
outbound connections to the Zscaler cloud. It does not require any inbound connections to your network from
the Zscaler cloud. To view the firewall requirements for your specific account, go to
https://config.zscaler.com/<Zscaler Cloud Name>/nss.

You can find the <Zscaler Cloud Name> in the URL you use to log in to the ZIA Admin Portal.

For example, to log in to admin.zscaler.net, go to https://config.zscaler.com/admin.zscaler.net/nss (government

agecies, go to https://config.zscaler.us/admin.zscaler.net/nss).

Step 2: Add an NSS Server and Download the SSL Certificate in the ZIA Admin Portal
To add an NSS server:

1. Go to Administration > Nanolog Streaming Service.

2. From the NSS Servers tab, click Add NSS Server. The Add NSS Server window appears.
3. In the Add NSS Server window:
a. Enter a Name for the NSS.
b. Select NSS for Web type.
c. The NSS Status is Enabled by default.

4. Click Save.

Figure 3. Add NSS Server dialog

5. Click Download in the SSL Certificate column of the NSS server that you are configuring, and then save the
certificate.

©2023 Zscaler, Inc. All rights reserved. 12

 ZSCALER AND MICROSOFT DEFENDER FOR CLOUD APPS DEPLOYMENT GUIDE

Step 3: Deploy to Azure Using the Zscaler NSS ARM Template

If you are deploying a new NSS in Azure, the Zscaler NSS Azure Resource Manager (ARM) Template was developed to
automate setting up an NSS in Azure. This voids the need for manually running PowerShell scripts.

Deployments can take up to one hour to finish.

Access the Zscaler NSS ARM Template from the Zscaler GitHub Repository and follow the instructions there to deploy.

Step 4: Configure and Start NSS on the VM Instance

To configure and start NSS on the VM instance:

1. Copy the downloaded NssCertificate.zip file from the ZIA Admin Portal to the VM, using FTP, SCP, or SFTP. For
example:
scp ./NssCertificate.zip zsroot@<mgmt publicIP>:/usr/home/zsroot/NssCertificate.zip

2. Use a SSH command such as the following to get shell access to the VM:
ssh zsroot@<mgmt publicIP>

3. Then, install the SSL certificate:

sudo nss install-cert NssCertificate.zip

Configure the NSS network settings by running the command:

sudo nss configure

4. Enter a name server (e.g., 168.63.129.16). You can either change (C), delete (D), or not change it (N).
In this case, enter N.

You can add a name server if you want. In this case, enter N.

5. Enter the service interface IP address with netmask (smnet_dev). This is the private IP address of the second
network interface (service interface - eth1) created in the VM.

6. Get the private IP address. To find the private IP of the second network interface you created in your Azure account:
a. Go to the NSS VM Configuration page.

b. In the left-side navigation, go to Networking and select your second network interface.

c. Copy the private IP address.

7. Enter the service interface default gateway IP address (smnet_dflt_gw). This is the default gateway IP address.

©2023 Zscaler, Inc. All rights reserved. 13

 ZSCALER AND MICROSOFT DEFENDER FOR CLOUD APPS DEPLOYMENT GUIDE

The following image shows an example output:

Figure 4. Example output from sudo nss configure command

8. Download the NSS binaries. Before starting the NSS service, run the following command to download and install the
NSS binaries:
sudo nss update-now

9. Start the NSS. Unless you are planning to use this instance for passive backup, run the command sudo nss start
and then to enable NSS to start automatically after a restart, run the following command:
sudo nss enable-autostart

10. Finally, restart the NSS:

sudo nss restart

Step 5: Configure a MCAS NSS Feed

To configure an MCAS NSS feed:

1. Go to Administration > Nanolog Streaming Service.

2. From the NSS Feeds tab, click Add MCAS NSS Feed. The Add MCAS NSS Feed window appears. In the MCAS NSS
Feed window, enter:
a. Feed Name: Enter or edit the name of the feed. Each feed is a connection between the NSS and Microsoft
Defender for Cloud Apps.
b. NSS Type: NSS for Web is selected by default.
c. NSS Server: Choose an NSS from the list.
d. Status: The NSS feed is Enabled by default. Choose Disabled if you want to activate it later.

3. Define filters:
• Action:
• Policy Action: Use this filter to limit the logs to transactions that were either allowed or blocked. Transactions
wherein the service displayed a Caution page are considered blocked transactions; if users proceeded with
the transactions, they are considered allowed.
• Policy Reason: Use this filter to limit the logs based on the policy that the Zscaler service applied. These
are the policy reason strings that are in transaction drilldown. They indicate which policy caused a block, or
if allowed, the conditions under which they were allowed, such as Allowed due to override and Internet
Access cautioned. Multiple selections are allowed.

©2023 Zscaler, Inc. All rights reserved. 14

 ZSCALER AND MICROSOFT DEFENDER FOR CLOUD APPS DEPLOYMENT GUIDE

• Who:
• Users: Use this filter to limit the logs to specific users who generated transactions. You can search for users
by username or email address. There is no limit on the number of users that you can select. Users that are
deleted after they are selected appear with a strikethrough line.
• Departments: Use this filter to limit the logs to specific departments that generated transactions. You can
search for departments. There is no limit on the number of departments that you can select. Departments
that are deleted after they are selected appear with a strikethrough line.

• From Where:
• Locations: Use this filter to limit the logs to specific locations from which transactions were generated. You
can search for locations. There is no limit on the number of locations that you can select. Locations that are
deleted after they are selected appear with a strikethrough line.

• Client IP Addresses: Use this filter to limit the logs based on a client’s private IP address. You can enter:

• An IP address (e.g., 198.51.100.100).

• A range of IP addresses (e.g., 192.0.2.1-192.0.2.10).

• An IP address with a netmask (e.g., 203.0.113.0/24).

You can enter multiple entries. Press Enter after each entry.

• Public IP Addresses: Use this filter to limit the logs based on a client’s public IP address. The internal IP
address is available if traffic forwarding is forwarded to the service through a GRE or VPN tunnel or from the
XFF header. If the internal IP address is not available, the value is the same as the client IP address. You can
enter:

• An IP address (e.g., 198.51.100.100).

• A range of IP addresses (e.g., 192.0.2.1-192.0.2.10).

• An IP address with a netmask (e.g., 203.0.113.0/24).

You can enter multiple entries. Press Enter after each entry.

• Traffic Forwarding: Use this filter to limit the logs based on the traffic forwarding method to the ZIA Public
Service Edge.

• Transaction
• Direction: Use this filter to limit the logs to either inbound or outbound traffic.

• User Agents: Use this filter to limit the logs to transactions associated with the user-agent string that the
browser included in its GET request. Choose from the list of predefined user-agent strings or enter custom
user-agent strings. Multiple selections are allowed.

• Custom User Agent Strings: Use this filter to limit the logs to specific user-agent strings. A user-agent string
contains browser and system information that the destination server can use to provide appropriate content.

• Protocol Types: Use this filter to limit the logs to specific protocols. Supported protocols are HTTP, HTTPS,
and FTP. Multiple selections are allowed.

• Request Methods: Use this filter to limit the logs based on the HTTP request method obtained from the
client request. Multiple selections are allowed.

©2023 Zscaler, Inc. All rights reserved. 15

 ZSCALER AND MICROSOFT DEFENDER FOR CLOUD APPS DEPLOYMENT GUIDE

• Response Codes: Use this filter to limit the logs based on the HTTP response code obtained from the server
or generated by the ZIA Public Service Edge. Multiple selections are allowed.

• Request Sizes: Use this filter to limit the logs based on HTTP request size. Enter either a specific size or
a range with a dash. By default, the service uses bytes, but you can also specify KB, MB, GB, or TB (e.g.,
10KB-1MB, 200). You can enter multiple entries. Press Enter after each entry.

• Response Sizes: Use this filter to limit the logs based on HTTP response size. Enter either a specific size
or a range with a dash. By default, the service uses bytes, but you can also specify KB, MB, GB, or TB (e.g.,
10KB-1MB, 200). You can enter multiple entries. Press Enter after each entry.

• Transaction Sizes: Use this filter to limit the logs based on transaction size, which is the header and body
request or response size, or the request and response size. Enter either a specific size or a range with a dash.
By default, the service uses bytes, but you can also specify KB, MB, GB, or TB (e.g., 10KB-1MB, 200). You can
enter multiple entries. Press Enter after each entry.
• Referrer URLs: Use this filter to limit the logs based on the Referrer URL in the HTTP header. You can use
wildcards based on the rules:

• *string: Suffix matching match URLs ending with ‘string’.

• String*: Prefix matching match URLs beginning with ‘string’.
• *string*: Substring matching match URLs containing ‘string’.
• String: Exact matching match URLs that are exactly ‘string’.

Multiple strings are allowed. Enter one string per line. String search is not case-sensitive.

• To Where:
• URL Filter Type: Use this filter to limit the logs based on URLs in HTTP Requests. You can specify either a
Hostname or the Full URL. You can use wildcards based on the rules:

• *string: Suffix matching match URLs ending with ‘string’.

• String*: Prefix matching match URLs beginning with ‘string’.
• *string*: Substring matching match URLs containing ‘string’.
• String: Exact matching match URLs that are exactly ‘string’.
• Hostnames: Use this filter to limit the logs based on specific hostnames.
• URL Classes: Use this filter to limit the logs to specific URL classes (government agencies, see URL classes).
Select those that you want to include. Multiple selections are allowed.
• URL Super Categories: Use this filter to limit the logs to specific URL super categories (government agencies,
see URL super categories). Select those that you want to include. Multiple selections are allowed.
• URL Categories: Use this filter to limit the logs to specific URL categories (government agencies, see URL
categories). Select those that you want to include. Multiple selections are allowed.
• Server IP Addresses: Use this filter to limit the logs based on the destination server’s IP address. You can
enter:

• An IP address (e.g., 198.51.100.100).

• A range of IP addresses (e.g., 192.0.2.1-192.0.2.10).
• An IP address with a netmask (e.g., 203.0.113.0/24).

You can enter multiple entries. Press Enter after each entry.

©2023 Zscaler, Inc. All rights reserved. 16

 ZSCALER AND MICROSOFT DEFENDER FOR CLOUD APPS DEPLOYMENT GUIDE

• Cloud Application Classes: Use this filter to limit the logs to the selected cloud application classes
(government agencies, see cloud application classes). Multiple selections are allowed.
• Cloud Applications: Use this filter to limit the logs to selected cloud applications (government agencies, see
cloud applications). Multiple selections are allowed.
• Application Segment: Use this filter to limit the logs to specific application segments (government agencies,
see application segments). The default option for this filter is Any.

• Security:
• Malware Classes: Use this filter to limit the logs based on malware class or name. Multiple selections are
allowed.
• Malware Names: Use this filter to limit the logs based on specific malware or viruses that were detected.
You can specify multiple malware or virus names. Use the Search function to search for either.
• Advanced Threats: Use this filter to limit the logs based on the types of advanced threats that were
detected. Multiple selections are allowed.
• Threat Names: Use this filter to limit the logs based on specific threats that were detected. You can specify
multiple threat names. Use the Search function to search for either a specific threat or multiple threats.
• Suspicious Content: Use this filter to limit the logs based on the Page Risk Index score (government
agencies, see Page Risk Index score) of a transaction. Enter either a single value or a range of values,
between 0 and 100. Multiple values separated by commas are allowed.

• File Type:
• File Type Categories: Use this filter to limit the logs based on the file type categories (government agencies,
see file type categories) detected from the content. Multiple selections are allowed.
• File Types: Use this filter to limit the logs based on the file type (government agencies, see file type)
detected from the content. Multiple selections are allowed.
• Unscannable Type: Use this filter to limit the logs based on an unscannable file type. Multiple selections are
allowed. The following options appear under this filter:

• Encrypted File: Encrypted or password-protected (e.g., GZIP, PDF).

• Undetectable File: Unable to determine the file type, based on multiple methods.
• Unscannable File: Unscannable (e.g., corrupt archive).
• DLP:
• DLP Engines: Use this filter to limit the logs to transactions in which data leakage was detected based on
specific DLP engines (government agencies, see DLP engines). Multiple selections are allowed.
• DLP Dictionaries: Use this filter to limit the logs to transactions in which data leakage was detected based on
specific DLP dictionaries (government agencies, see DLP dictionaries). Multiple selections are allowed.

©2023 Zscaler, Inc. All rights reserved. 17

 ZSCALER AND MICROSOFT DEFENDER FOR CLOUD APPS DEPLOYMENT GUIDE

4. Click Save and activate the change:

Figure 5. Add MCAS NSS Feed dialog

When complete, the Partner Integration page for Microsoft Cloud App Security looks like the following image:

Figure 6. Partner Integration dialog for Microsoft Defender for Cloud App

©2023 Zscaler, Inc. All rights reserved. 18

 ZSCALER AND MICROSOFT DEFENDER FOR CLOUD APPS DEPLOYMENT GUIDE

Enable the Microsoft Defender for Cloud App Integration

The following steps show how to enable Microsoft Defender for Cloud App.

Step 1: Enable Automatic Log Uploads in the Microsoft Defender for Cloud Apps Portal
In the Microsoft 365 Defender portal, complete the following integration steps:

1. Go to Settings > Cloud apps > Automatic log upload.

2. Under Data Sources, select Add data source.
3. In the Add data source page, enter the following settings:
a. Name: NSS
b. Source: Zscaler QRadar LEEF
c. Receiver type: Syslog – UDP

4. Select View sample of expected log file.

Figure 7. Adding a data source for Microsoft Defender for Cloud Apps

5. Select Download sample log to view a sample discovery log, and make sure it matches your logs.

©2023 Zscaler, Inc. All rights reserved. 19

 ZSCALER AND MICROSOFT DEFENDER FOR CLOUD APPS DEPLOYMENT GUIDE

Step 2: Create a Microsoft Entra Application

To access MCAS with application context, create an application in Microsoft Entra ID (previously Microsoft Active
Directory) and assign it with the permissions required to access MCAS. In creating the application, you generate the
values of the parameters (e.g., client ID, client secret, etc.) required for OAuth 2.0-based authentication. You later provide
the values when configuring the integration on the Partner Integrations page in the ZIA Admin Portal.

To create an application:

1. Log in to Microsoft Azure.

2. Under Azure services, go to Microsoft Entra ID.
3. In the left-side navigation, go to App Registrations and then click New registration.

Figure 8. New registration

4. In Register an application:
a. Enter a Name for the application that represents the Defender for Cloud Apps integration.
b. Set the Supported account types option to Accounts in this organizational directory only.
c. Click Register. The Application is registered, and the Overview page is displayed.

Figure 9. Register an application

©2023 Zscaler, Inc. All rights reserved. 20

 ZSCALER AND MICROSOFT DEFENDER FOR CLOUD APPS DEPLOYMENT GUIDE

d. On the application’s Overview page, copy the Application (client) ID and Directory (tenant) ID values and
save them for later use.

Figure 10. Overview

e. Add a client secret. To add a client secret to the application:

i. On the left side-navigation of the application, go to Manage > Certificates & secrets.
ii. Click New client secret.

Figure 11. Client secret

iii. On the Add a client secret page, enter a Description, and click Add.

Figure 12. Add a client secret

©2023 Zscaler, Inc. All rights reserved. 21

 ZSCALER AND MICROSOFT DEFENDER FOR CLOUD APPS DEPLOYMENT GUIDE

iv. The secret is created. Copy the secret Value.

Figure 13. Secret value

f. Add permissions. To add the required MDCA permissions to the application:

i. In the left side-navigation of the application, go to API Permissions.

ii. Click Add a permission.

Figure 14. Add a permission

iii. Click APIs my organization uses, search for Microsoft Cloud App Security, copy the Application
(client) ID value for MDCA, and save it for later use.

Figure 15. Application (client) ID value

iv. Select Microsoft Cloud App Security in the search results and then select Application permissions.

Figure 16. Application permissions

©2023 Zscaler, Inc. All rights reserved. 22

 ZSCALER AND MICROSOFT DEFENDER FOR CLOUD APPS DEPLOYMENT GUIDE

v. Select the discovery.manage permission, which is required to upload data and generate block scripts, and
click Add permissions.

Figure 17. Add permissions

vi. Click Grant admin consent for <tenant name>, and then click Yes to confirm.

Figure 18. Grant admin consent

©2023 Zscaler, Inc. All rights reserved. 23

 ZSCALER AND MICROSOFT DEFENDER FOR CLOUD APPS DEPLOYMENT GUIDE

Step 3: Configure Microsoft Defender for Cloud Apps Integration in the ZIA Admin Portal
To configure a Microsoft Cloud App Security (MCAS) integration:

1. Log in to your ZIA Admin Portal and go to Administration > Partner Integrations.
2. On the Microsoft Cloud App Security tab, under Microsoft Cloud App Security (MCAS) Authentication Setup,
configure the following parameters:
i. Client ID: Enter the Application (client) ID for the application that you created in Azure (e.g., 97b9XXXX-
beXX-48XX-b5XX-8792cdXXXXXX).
ii. Client Secret: Enter the application’s client secret value that you generated in Azure. Ensure that you
provide the client secret value, not the client secret ID.
iii. Scope: Enter the scope (i.e., the resource identifier) for the MCAS API, appended with the /.default suffix
(e.g., 05a65629-4c1b-48c1-a78b-804c4abdd4af/.default). To ensure you have the current scope
for MCAS, refer to the Microsoft documentation
iv. Authentication URL: Enter the authentication URL with your Directory (tenant) ID in Azure in the following
format: https://login.microsoftonline.com/<Tenant ID>/oauth2/v2.0/token.

For example: https://login.microsoftonline.com/9fe3XXXX-d6XX-46XX-a9XX-

d8907dXXXXXX/oauth2/v2.0/token
v. API URL: Enter the API URL for your tenant (e.g., https://zedscaler.us3.portal.
cloudappsecurity.com). To find your API URL, refer to the Microsoft documentation.

3. Click Test.

Figure 19. Microsoft Cloud App Security (MCAS) Authentication Setup

©2023 Zscaler, Inc. All rights reserved. 24

 ZSCALER AND MICROSOFT DEFENDER FOR CLOUD APPS DEPLOYMENT GUIDE

When successful, a message that URLs were successfully synced is shown.

Figure 20. Success message

4. Activate your changes.

©2023 Zscaler, Inc. All rights reserved. 25

 ZSCALER AND MICROSOFT DEFENDER FOR CLOUD APPS DEPLOYMENT GUIDE

Step 4: Enable Automatic Log Uploads to Microsoft Defender for Cloud Apps for NSS
To enable automatic log uploads to Microsoft Defender for Cloud Apps for NSS:

1. Log in to the NSS virtual appliance for your platform (i.e., VMware vSphere, Amazon Web Services, or Azure). Enter
the following command:
sudo nss configure-mcas2

2. Restart the service using the following command:

sudo nss restart

©2023 Zscaler, Inc. All rights reserved. 26

 ZSCALER AND MICROSOFT DEFENDER FOR CLOUD APPS DEPLOYMENT GUIDE

Step 5: Verify your Microsoft Defender for Cloud Apps Integration Configuration
To verify your Microsoft Defender for Cloud Apps partner integration configuration:

1. Go to Administration > URL Categories. After the initial URL sync, you see a new User-Defined category named MS
Defender Unsanctioned Apps in the table.

Figure 21. New URL category on successful integration of Microsoft Defender for Cloud Apps

2. (Optional) If you enabled automatic log uploads (government agencies, see enabled automatic log uploads):
a. Log in to the Microsoft 365 Defender portal.
b. Click the Settings side bar option, and then click Cloud Apps.
c. In the Automatic log upload window, make sure that the NSS data source you set up for Zscaler is receiving
data.

Figure 22. Updated log entries and last data received timestamp on successful integration of Microsoft Defender for Cloud Apps

©2023 Zscaler, Inc. All rights reserved. 27

 ZSCALER AND MICROSOFT DEFENDER FOR CLOUD APPS DEPLOYMENT GUIDE

Troubleshooting
• You must assign the MS Defender URL category to a URL filtering rule to block the traffic to those destinations.
Zscaler recommends that SSL inspection is turned on for that category in case some sanctioned apps are uniquely
identified by a full URL rather than just a domain name. To learn more, see Configuring SSL Inspection Policy
(government agencies, see Configuring SSL Inspection Policy).
• If the unsanctioned Cloud App URL sync to your custom URL category is not occurring every two hours, contact
Zscaler Support (government agencies, contact Zscaler Support).
• To verify the connection with MCAS, run the following CURL command, replacing the authentication parameters in
red with the values from your configuration:

curl -X POST

"https://login.microsoftonline.com/<Tenant ID>/oauth2/token " -d

"scope=<Scope> " -d

"client_id=<Client ID> " -d

"client_secret=<Client Secret Value> " -d

"grant_type=client_credentials " -H

"Content-Type: application/x-www-form-urlencoded "

When successful, this shows the bearer token and its expiration in the output.

• If you know your token is valid and need to verify that you have at least one app categorized as unsanctioned, you
can also run the following CURL command:

curl -v "https://<MCAS URL>/api/discovery_block_scripts/?format=120&type=banned "

-H "Authorization: Bearer <Bearer token> "

Where <MCAS URL> is the URL to the Cloud App Security portal associated with your authentication token, and
<Bearer Token> is the Bearer token from the previous step.

If URLs are returned within the response, then your token and URL syncs are working properly.

Figure 23. URLs being returned successfully using CURL command

©2023 Zscaler, Inc. All rights reserved. 28

 ZSCALER AND MICROSOFT DEFENDER FOR CLOUD APPS DEPLOYMENT GUIDE

Appendix A: Requesting Zscaler Support

You might sometimes need Zscaler Support for provisioning certain services, or to help troubleshoot configuration and
service issues. Zscaler Support is available 24/7/365.

To contact Zscaler Support:

1. Go to Administration > Settings > and then click Company Profile.

Figure 24. Collecting details to open support case with Zscaler TAC

2. Copy the Company ID.

Figure 25. Company ID

©2023 Zscaler, Inc. All rights reserved. 29

 ZSCALER AND MICROSOFT DEFENDER FOR CLOUD APPS DEPLOYMENT GUIDE

3. Now that you have your company ID, you can open a support ticket. Go to Dashboard > Support > Submit a Ticket.

Figure 26. Submit a ticket

©2023 Zscaler, Inc. All rights reserved. 30