Block Cloud Apps using Defender for Cloud Apps


This is useful for blocking certain SaaS apps such as Dropbox, Otter.ai and Read.ai.



Config



In the Defender settings, go to Endpoints.

 

Toggle on both "Custom network indicators" and "Microsoft Defender for Cloud Apps".




How to Sanction, Unsanction or Monitor Cloud Apps


Sanctioned = Allowed

Unsanctioned = Blocked

Monitored = Blocked, but the user can bypass it. The user gets a warning that the app is blocked and can click allow to bypass.



  1. Navigate to the Defender portal.
  2. Click on "Cloud app catalog".

  3. You will then be able to see thousands of applications which Microsoft has rated with a risk score. It displays useful information about why each app is rated as it is, such as whether it has ever had a data breach, whether it supports MFA, its ISO accreditations and much more.

  4. Here is an example of a poor one.
  5. Simply click Sanction, Unsanction or Monitor on the app and it will be marked accordingly.
    Sanctioned

    Unsanctioned

    Monitored
  6. Once this is done you can see the blocked apps under indicators from here.
  7. It can take up to a few hours for the changes to apply, but it should look something like below.


    Example of a monitored app block where it lets the user click "allow"