Let’s assume a user in your sales team logs in to https://myapps.microsoft.com and launches the Salesforce app successfully from his office in the UK. A few minutes later, the same user makes a successful login from Canada. Unless the user is on a remote connection, that is not possible, since nobody can travel that fast 😊. Azure Active Directory is capable of detecting this type of impossible sign-in activity. However, the detection type for this kind of activity is “offline”, which means the reporting latency for these alerts is between 2 and 4 hours.
Azure Cloud App Security is also capable of detecting these types of activities, but it does so in real time, as it detects activities based on sessions. This helps administrators react faster and protect the infrastructure from a potential breach. In this demo, I am going to demonstrate how to fine-tune the built-in Azure Cloud App Security policy for impossible travel activity and prevent a breach.
Before we start, we first need to integrate the SaaS app with Cloud App Security. In my previous post I demonstrated how to do that, so please go ahead and read it at http://www.rebeladmin.com/2018/09/step-step-guide-block-data-download-using-azure-cloud-app-security/
In my demo I am using the Salesforce app.
1. Once the integration is done, log in to https://portal.cloudappsecurity.com as a global administrator.
2. Then go to Settings | Conditional access app control.
3. There you should be able to see your app under the Conditional access app control tab. It should be in a healthy, connected status.
4. Then click on Control | Policies.
5. Under Policies, click on the Impossible travel policy.
6. This is a built-in policy. As you can see, it doesn’t have any actions attached to it. If CAS detects such activity, it will still be reported under the CAS dashboards.
7. In my environment, I would like to get an alert if it detects such activity. To do that, click on the Send alert as email option under Alerts, then enter the email address in the text box.