Does your organization use G Suite or Google Apps? Do you have these requirements?
- Audit activity occurring in G Suite (user logons/logoffs, settings changed, files modified, etc.)?
- Audit file activity (what files are being accessed, from where, how they are being accessed, etc.)?
- Govern how G Suite is accessed (only from a managed device? only from a managed network? no downloads to a non-managed computer?)?
- Scan files in G Suite for sensitive data?
- And more!
In this blog we will explore how Microsoft Cloud App Security (CAS), part of Microsoft 365, can help you meet these requirements. For more information on connecting G Suite to CAS see this article. Let’s get started!
Note: Neither Microsoft, Matt Soseman nor this blog assumes any responsibility or offers any warranty as a result of following the instructions in this blog. This requires enabling and modifying APIs. Use at your own risk.
Configure G Suite within Microsoft Cloud App Security:
From within Cloud App Security, click Investigate then select Connected Apps:
Click the + sign and select G Suite:
Type in a name and click Connect G Suite:
We need to pull the appropriate details from G Suite. Open a new browser instance and navigate to your G Suite admin portal using your admin credentials:
Once signed in, navigate to https://cloud.google.com/console/project and click Create Project:
Give the project a name and click Create Project
Click Google Cloud Platform then click Go To APIs Overview:
Click API Library and enable the following APIs:
Back on the APIs and Services screen, click Credentials, click OAuth Consent Screen, then in Application Name type Microsoft Cloud App Security and click Save:
Back on the Credentials tab click Create Credentials and select Service Account Key:
Configure the Service Account Key and click Create. Copy the secret to a scratchpad area. Download the certificate.
Back on the Credentials screen click Manage Service Accounts
Edit the Service Account:
Check the box next to Enable G Suite Domain Wide Delegation and click Save:
In the search box at the top type Google Drive API and press Enter
Click on Drive UI Integration, and configure using the following parameters (you can get the icons from here) and click Save Changes when finished:
In the search box type G Suite Marketplace SDK and press Enter
On the Configuration tab, copy the Project Number to a scratch pad area:
Upload the same icons you used previously, and configure the following URLs:
Configure the following URL scopes:
Under Visibility select My Domain and click Save Changes:
Browse back to
Think your organization is operating in a secure and compliant manner? After you answer the following questions, you might want to keep reading…
- How do you ensure your sensitive data is protected across all the clouds in your environment, whether it’s Office 365/G Suite/Box/Salesforce/etc.?
- Do you have a single pane of glass view of when someone shares a file from one of those clouds with someone outside the organization?
- What about login traffic to those cloud apps?
- Do you have visibility into your Shadow IT and understand which apps in the environment are storing data overseas or aren’t compliant with an industry regulation such as HIPAA or GDPR?
Watch the following 3 minute video for an overview on Cloud App Security in Microsoft 365 – this is the tool that will make you the hero in your organization and help ensure you operate in a secure and compliant manner! Questions? Leave a comment below!
Technical documentation and how to configure what I show in the video for Cloud App Security can be found here.
Do you need to meet an industry regulation? Curious what responsibilities Microsoft has as your cloud service provider and what responsibilities you have as a customer when it comes to using Office 365, Azure or Dynamics in compliance with your industry regulation? You may want to look into Microsoft Compliance Manager as a key tool in your compliance journey. Compliance Manager helps you understand the shared responsibility model, see how each responsibility maps to the industry regulation, and then manage your compliance journey. This tool can help you keep track of risk, verification and documentation as needed.
At the time of this writing Compliance Manager can help you with the following:
- ISO 27018:2014
- ISO 27001:2013
- NIST 800-53
- NIST 800-171
- NIST CSF
- CSA CCM301
Compliance Manager can be accessed via https://servicetrust.microsoft.com/ComplianceManager for existing Azure, Dynamics, Office 365 customers.
IMPORTANT: For the full technical documentation on Compliance Manager see: Use Compliance Manager to help meet data protection and regulatory requirements when using Microsoft cloud services and the Frequently Asked Questions can be found here.
Here is an example view of Compliance Manager’s dashboard, where you have visibility into each of your regulations by cloud service:
Clicking on any of the regulations will display the shared responsibility model for that regulation. From here I can view what are the Microsoft Managed Controls and what are the Customer Managed Controls that I am responsible for.
Expanding Customer Managed Controls, I can see how each control maps back to the regulation articles (in this example, Access Authorization for HIPAA in Office 365). From here I can read more about actions required of me, enter details on how the control was implemented and how it was tested, including any response. In addition, I can see if there are any related controls from other regulations, such as GDPR. Lastly, I can assign this control to an owner in my organization to then upload relevant documentation and maintain the implementation date, test date, and test result information.
Compliance Manager is a fantastic tool to help manage your compliance journey, and may help to enhance your current processes. If you need to comply with a regulation such as HIPAA or GDPR – please check out Compliance Manager! Enjoy!
It’s amazing watching the adoption journey of Microsoft Teams among organizations and how it is quickly becoming a mission critical tool. For me, it’s mission critical because of the collaboration and teamwork that’s occurring inside, and the data being stored there is quickly becoming the heartbeat of many organizations and their project teams. There is one challenge, however, with storing proprietary and sensitive data in Microsoft Teams: users access the data using the Teams app not just on their PC or laptop, but on mobile devices and other (even unmanaged) computers as they perform their job. If that data is leaked/spilled/exposed or compromised, it could put the organization at risk, and as IT Professionals we need to help protect against this risk.
Not to worry – Azure Active Directory Conditional Access to the rescue! Using Azure AD Conditional Access, we will ensure Microsoft Teams is only accessed on devices that are managed, whether they are Active Directory domain joined, Azure AD joined or managed by Intune. This is very easy and straightforward to set up, let’s take a look together.
Important: Conditional Access requires AzureAD Premium. I won’t be discussing licensing requirements in this blog post, please reference this article for more information.
In the Azure Portal, I am going to create a new AzureAD Conditional Access policy with the following configuration:
- Users and Groups: “All Users”
- Cloud apps: (Include) “Microsoft Teams”
- Conditions: Client Apps -> Configure “Yes” -> Select Client Apps -> check “Browser” and “Mobile apps and desktop clients”
- Access Controls: Grant Access -> Check “Require Domain Joined” and “Require device to be marked as compliant”
Important: If you check “Require device to be marked as compliant” you must create a device compliance policy in Intune. This will ensure devices such as iOS, Android, Windows and Mac that try to access Microsoft Teams using the app, client or website must be Intune MDM enrolled (which requires an Intune subscription). If access comes from a Windows PC that is Active Directory domain joined or Azure AD joined, the MDM enrollment requirement will not apply. Here’s what an example Device Compliance policy looks like in Intune:
Back to Conditional Access…
- Enable Policy: “On”
Now that the policy is created, let’s test it out. It should deny access to Microsoft Teams.
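The same policy expressed for the Microsoft Graph PowerShell SDK, as an added example that is not from the original post. It assumes Connect-MgGraph has already been run with the Policy.ReadWrite.ConditionalAccess scope, that the Microsoft Teams application id shown is correct for your tenant (verify it against the Teams service principal), and that the break-glass account id is a placeholder you replace.

```powershell
# Added example, not from the original post: the Conditional Access policy described above,
# built with the Microsoft Graph PowerShell SDK (module Microsoft.Graph.Identity.SignIns).
# Assumes Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess" has already run.

# Microsoft Teams first-party application id; verify against the service principal in your tenant.
$teamsAppId = "cc15fd57-2c6c-4117-a88c-83b1d56b4bbe"

$policy = @{
    displayName   = "Microsoft Teams - managed devices only"
    # Matches the post (Enable Policy: On). Use "enabledForReportingButNotEnforced"
    # first if you want sign-in logs to show who would be blocked before enforcing.
    state         = "enabled"
    conditions    = @{
        users          = @{
            includeUsers = @("All")
            # Practitioner caveat: exclude an emergency-access account so a device-state
            # problem cannot lock every admin out of the tenant. Placeholder object id.
            excludeUsers = @("<break-glass-account-object-id>")
        }
        applications   = @{ includeApplications = @($teamsAppId) }
        # Client apps -> Browser + Mobile apps and desktop clients, as in the post
        clientAppTypes = @("browser", "mobileAppsAndDesktopClients")
    }
    grantControls = @{
        # "OR": a domain-joined Windows PC passes without MDM enrollment,
        # which is the behaviour the Important note above describes.
        operator        = "OR"
        builtInControls = @("domainJoinedDevice", "compliantDevice")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in state $($created.State)"
```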
From a Windows PC that is unmanaged (not joined to Azure AD, Active Directory, or MDM enrolled):
From a Web browser:
Notice the error reads “Windows device is not in required device state: compliant”
From the Microsoft Teams Windows Desktop Application:
Next, from an iPad Pro (iOS) that is unmanaged (not MDM enrolled):
Notice it gives me the option to enroll in MDM (Intune), pretty cool!
This is a quick and easy way to ensure that users are using Microsoft Teams on managed devices, where IT can control the configuration of the device and ensure the device is healthy and compliant. What’s more, this policy can be reversed to disallow users from using the Teams web client if that becomes a requirement. For additional fun, check out Microsoft Teams: Manage it using Mobile Application Management (MAM) and Microsoft Teams: Restrict Usage with Azure AD Conditional Access.
If you have questions or feedback, let me know in the comments below. Enjoy and have fun!