Govern, Audit and Control G Suite with Microsoft! (Google Apps + Cloud App Security)

Does your organization use G Suite or Google Apps? Do you have these requirements?

  • Audit activity occurring in G Suite (user logons/logoffs, settings changed, files modified, etc)
  • Audit file activity? (what files are being accessed, from where, how they are being accessed, etc)
  • Govern how G Suite is accessed? (Only from a managed device? Only from a managed network? Don’t allow download from a non-managed computer?)
  • Scan files in G Suite for sensitive data?
  • And more!

In this blog we will explore how Microsoft Cloud App Security (CAS) part of Microsoft 365, can help you meet these requirements. For more information on connecting G Suite to CAS see this article. Let’s get started!

Note: Microsoft nor Matt Soseman nor this blog assumes no responsibilities and offers no warranties as a result of following the instructions in this blog. This requires enabling and modifying APIs. Use at your own risk.

Configure G Suite within Microsoft Cloud App Security:

From within Cloud App Security, click Investigate then select Connected Apps:


 

Click the + sign and select G Suite:


Type in a name and click Connect G Suite:


We need to pull the appropriate details from G Suite. Open a new browser instance and navigate to your G Suite admin portal using your admin credentials:

Once signed in, navigate to https://cloud.google.com/console/project
and click Create Project:


Give the project a name and click Create Project


Click Google Cloud Platform then click Go To APIs Overview:


Click API Library and enable the following APIs:





Back on the APIs and Services screen, click Credentials click the OAuth Consent Screen then in Application Name type Microsoft Cloud App Security and click Save:


Back on the Credentials tab click Create Credentials and select Service Account Key:


Configure the Service Account Key and click Create. Copy the secret to a scratchpad area. Download the certificate.


Back on the Credentials screen click Manage Service Accounts


Edit the Service Account:


Check the box next to Enable G Suite Domain Wide Delegation and click Save:


In the search box at the top type Google Drive API and press Enter


Click on Drive UI Integration, and configure using the following parameters (you can get the icons from here) and click Save Changes when finished:



In the search box type G Suite Marketplace
SDK and press Enter


On the Configuration tab, copy the Project Number to a scratch pad area:


Upload the same icons you used previously, and configure the following URLs:


Configure the following URL scopes:

https://www.googleapis.com/auth/admin.reports.audit.readonly

https://www.googleapis.com/auth/admin.reports.usage.readonly

https://www.googleapis.com/auth/drive

https://www.googleapis.com/auth/drive.appdata

https://www.googleapis.com/auth/drive.apps.readonly

https://www.googleapis.com/auth/drive.file

https://www.googleapis.com/auth/drive.metadata.readonly

https://www.googleapis.com/auth/drive.readonly

https://www.googleapis.com/auth/drive.scripts

https://www.googleapis.com/auth/admin.directory.user.readonly

https://www.googleapis.com/auth/admin.directory.user.security

https://www.googleapis.com/auth/admin.directory.user.alias

https://www.googleapis.com/auth/admin.directory.orgunit

https://www.googleapis.com/auth/admin.directory.notifications

https://www.googleapis.com/auth/admin.directory.group.member

https://www.googleapis.com/auth/admin.directory.group

https://www.googleapis.com/auth/admin.directory.device.mobile.action

https://www.googleapis.com/auth/admin.directory.device.mobile

https://www.googleapis.com/auth/admin.directory.user

 


 

Under Visibility select My Domain and click Save Changes:

 


 

Browse back to

Block OneDrive Downloads and Audit OneDrive Activity! (SharePoint too!)

Do you have a business requirement to block the download of specific files or file types from OneDrive? What about detailed auditing to understand what files are downloaded or viewed? Well, today is your lucky day – because this is all possible with Microsoft security technology and takes minutes to create. I’m going to walk you through how to do this, and in return, make you look like an IT Rockstar to your organization!

Note: There are other methods to restrict those files from being synchronized using the OneDrive desktop client, we won’t cover those today however (but are accessible in the SharePoint Online Admin Portal)

IMPORTANT: Nothing is 100% secure and it’s all about defense in depth. If you want that extra ply in the tinfoil hat, I highly recommend protecting and encrypting those files with Azure Information Protection as that extra layer of protection.

Also, it’s important to note,the method below at the time of this writing is in public preview.

Background:

My organization, an engineering firm, designs buildings for their commercial and government clients. These design plans often contain additional documentation that are in the form of a .PDF and sometimes photos in the form of a .JPEG (or .jpg).

Scenario:

These .PDF and .JPEG files are highly confidential and thus we want to make sure they never leave OneDrive in Office 365 and can only be viewed in a web browser. In other words, we need to block the ability for an end-user to download these two file types from OneDrive. So, how do we do this?

Solution:

Azure Active Directory Conditional Access and Microsoft Cloud App Security Conditional Access App Control to the rescue! These two products are part of Microsoft 365 E5 or EMS E5 or my new favorite: Microsoft 365 E3 + Identity & Threat Protection. The two products that make up this solution are Azure Active Directory and Microsoft Cloud App Security.

Let’s take a look at how to do this!

Step 1: Create a Azure AD Conditional Access Policy

From within the Azure portal -> Azure Active Directory -> Conditional Access -> New Policy I am going to create a new policy. First, give it a name, “OneDrive Block JPEG and PDF”. Next, assign it to specific users or groups of users. For testing purposes I’m assigning to Adele Vance (IMPORANT: Don’t lock yourself out! Careful planning is required when assigning to all users).

 

 

Next, add Office 365 SharePoint Online as the application to be applied to:

 

 

Under Session, select Use Conditional Access App Control, then click Done.

Next, click Enable policy to enable the policy and click Create.

 

Step 2: Launch OneDrive (via portal.office.com)

Wait 15 minutes for the new Conditional Access policy to propagate. Next, open a new browsing session (inprivate or on another computer) and logon as the test user that was just assigned to. In my case, I am going to sign in to portal.office.com in an in-private session as Adele. Browse to OneDrive in the Office portal and open a file in the web browser. Sign out of this web browsing session when done.

Step 3: Configure Microsoft Cloud App Security

We now need to configure Microsoft Cloud App Security (CAS) and create the appropriate policies.

To start, validate that OneDrive is a connected application by browsing to http://portal.cloudappsecurity.com and navigating to Investigate -> Connected Apps. Notice OneDrive for Business will be listed and connected: (Yes, you can also connect CAS to G-Suite, Box, and other apps!)

 

Next, click on Conditional Access App Control apps and OneDrive for Business will also be displayed:

Step 4: Create the Session Policy in Microsoft Cloud App Security

Next, we need to create the policy that will provide the session control when Adele uses OneDrive in the Office 365 Portal. To do this navigate to Control -> Policies, click New Policy and select Session Policy.

 


 

Let’s give the policy a name and description:

 

Next, under Session control type select Control file download (with DLP). Under Activity source and activity filters configure configure them per the screenshot below

 

 

Scroll down (leave content inspection blank and don’t check the box) and under Actions select Block. OPTIONAL: Configure user email notification or customize block message. When finished at the bottom of the page click Create.

Step 5: Test the User Experience

Now it’s time to test and validate this is the behavior we want. Open a new web browsing session and login as the test user. In my case, I’m going to login to portal.office365.com using Adele Vance’s account in an in-private browser session.


 

Once signed in, navigate to OneDrive in the Office 365 Portal. When you click on OneDrive, notice the splash page indicating this site is being monitored!

 

 

 

 

Also, notice the address of the site. It’s being proxied through CAS.MS indicating this session is being controlled by Cloud App Security:

 

Click Continue to Microsoft OneDrive for Business

Notice I have two files, a .PDF and a .JPEG in the OneDrive folder:

 

Hover the cursor over the PDF and click the ellipses, and select Download

 

Notice, the file download is blocked with a splash message indicating it’s blocked!

 

Now, I know what you’re wondering, “Matt what’s that file it wants to save?” When I open that file, it’s just a warning:

 

From here, within the Cloud App Security Portal, I can audit the activity and receive additional details around this attempt:

Additional alerting can be generated, with an email or SMS notification sent. Imagine having CAS send an email to your ticket system so you can be notified of this violation? What about sending to your SIEM? Endless possibilities.

Conclusion:

As you can see, with a bit of an open mind and creativity, possibilities to build true security solutions that lead to a real business outcome, is entirely possible. The total time spent creating this solution was 10 minutes. Don’t forget to test (which obviously will add to the 10 minutes) all the scenarios for this. Questions? Let me know in the comments below!

Enjoy and help us make this world more secure! –Matt Soseman

Monitor & protect your data in ALL your clouds, NOW!

Think your organization is operating in a secure and compliant manner? After you answer the following questions, you might want to keep reading…

  • How do you ensure your sensitive data is protected across all the clouds in your environment, whether it’s Office 365/G-Suite/Box/SalesForce/etc?
  • Do you have a single pane of glass view of when someone shares a file from one of those clouds to someone outside the organization
  • What about login traffic to those cloud apps?
  • Do you have visibility into your Shadow IT and understand which apps in the environment are storing data overseas or aren’t compliant with an industry regulation such as HIPAA or GDPR?

Watch the following 3 minute video for an overview on Cloud App Security in Microsoft 365 – this is the tool that will make you the hero in your organization and help ensure you operate in a secure and compliant manner! Questions? Leave a comment below!

Technical documentation and how to configure what I show in the video for Cloud App Security can be found here.