
Enable Microsoft Defender for Cloud Apps Integration

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: SecurityCenter-031

Ensure that Microsoft Defender for Cloud Apps (formerly known as Microsoft Cloud App Security) integration is enabled within Microsoft Defender for Cloud settings in order to allow the security service to access your data and provide recommendations for missing configuration and security controls.

This rule resolution is part of the Conformity Security & Compliance tool for Azure.

Security

To allow Microsoft Defender for Cloud to integrate with other security services, you must allow those services to access your data. Microsoft Defender for Cloud Apps provides you with security configuration assessments for your Azure cloud subscriptions. The assessments, powered by Defender for Cloud, provide recommendations for missing configuration and security controls.


Audit

To determine if Microsoft Defender for Cloud Apps is allowed to access your cloud data, perform the following operations:

Using Azure Portal

01 Sign in to the Microsoft Azure Portal.

02 Navigate to Microsoft Defender for Cloud blade at https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0.

03 In the main navigation panel, under Management, choose Environment settings.

04 Click on the name (link) of the Azure subscription that you want to examine.

05 In the navigation panel, under Settings, choose Integrations to access the integration settings of Defender for Cloud with other Microsoft security services.

06 Under Enable integrations, check the Allow Microsoft Defender for Cloud Apps to access my data setting status. If the Allow Microsoft Defender for Cloud Apps to access my data setting is disabled (i.e. the setting checkbox is not selected), the Microsoft Defender for Cloud Apps integration is not enabled in the selected subscription.

07 Repeat steps no. 4 – 6 for each Microsoft Azure subscription created within your Azure account.

Using Azure CLI

01 Run the account get-access-token command (Windows/macOS/Linux) with custom query filters, and pass the returned subscription ID and bearer token to a Resource Manager REST call that describes the configuration status of the Microsoft Defender for Cloud Apps (MCAS) integration in the current subscription:

az account get-access-token \
  --query "{subscription:subscription,accessToken:accessToken}" \
  --out tsv | xargs -L1 bash -c 'curl -s -X GET -H "Authorization: Bearer $1" -H "Content-Type: application/json" "https://management.azure.com/subscriptions/$0/providers/Microsoft.Security/settings?api-version=2019-01-01"' | jq '.value[] | select(.name=="MCAS") | .properties.enabled'

02 The command output should return the status of the requested service integration (true for enabled, false for disabled):

false

If the account get-access-token command output returns false, as shown in the example above, the Microsoft Defender for Cloud Apps integration is not enabled within the current subscription.

03 Repeat steps no. 1 and 2 for each Microsoft Azure subscription available in your Azure cloud account.

Remediation / Resolution

To enable the Microsoft Defender for Cloud Apps integration by allowing the service to access your cloud data, perform the following operations:

Using Azure Portal

01 Sign in to the Microsoft Azure Portal.

02 Navigate to Microsoft Defender for Cloud blade at https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0.

03 In the main navigation panel, under Management, choose Environment settings.

04 Click on the name (link) of the Azure subscription that you want to access.

05 In the navigation panel, under Settings, choose Integrations to access the integration settings of Defender for Cloud with other Microsoft security services.

06 Under Enable integrations, select the Allow Microsoft Defender for Cloud Apps to access my data checkbox to enable the Microsoft Defender for Cloud Apps integration by allowing the security service to access your data in the selected subscription. Choose Save to apply the changes.

07 Repeat steps no. 4 – 6 for each Microsoft Azure subscription available within your Azure account.

Using Azure CLI

01 Define the configuration document (the request body) for the Microsoft.Security/settings update request issued in the next step. Set "properties" to "enabled": true in order to allow Microsoft Defender for Cloud Apps to access your data. Save the configuration document to a JSON file named enable-defender-mcas-integration.json and replace the placeholder, i.e. <azure-subscription-id>, with your own Azure account subscription ID:

{
  "id": "/subscriptions/<azure-subscription-id>/providers/Microsoft.Security/settings/MCAS",
  "kind": "DataExportSettings",
  "type": "Microsoft.Security/settings",
  "properties": {
    "enabled": true
  }
}

02 Run the account get-access-token command (Windows/macOS/Linux) and send the configuration document defined at the previous step (i.e. the enable-defender-mcas-integration.json configuration file) in a PUT request to enable the Microsoft Defender for Cloud Apps integration by allowing the security service to access your data in the selected subscription:

az account get-access-token \
  --query "{subscription:subscription,accessToken:accessToken}" \
  --out tsv | xargs -L1 bash -c 'curl -s -X PUT -H "Authorization: Bearer $1" -H "Content-Type: application/json" "https://management.azure.com/subscriptions/$0/providers/Microsoft.Security/settings/MCAS?api-version=2019-01-01" -d @"enable-defender-mcas-integration.json"'

03 The output should return the updated MCAS setting resource, with "enabled" set to true:

{
  "id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/providers/Microsoft.Security/settings/MCAS",
  "name": "MCAS",
  "type": "Microsoft.Security/settings",
  "kind": "DataExportSettings",
  "properties": {
    "enabled": true
  }
}

04 Repeat steps no. 1 – 3 for each Microsoft Azure subscription available in your Azure cloud account.
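To apply the Audit and the Remediation CLI procedures above across many subscriptions without re-running the curl pipeline by hand, the following Python script is an added example (it is not part of the Conformity page or of Microsoft's tooling); it assumes a bearer token obtained from az account get-access-token, and its sample API response is constructed rather than captured.

```python
import json
import urllib.request

# Resource Manager endpoint that the page's curl commands call.
SETTINGS_URL = "https://management.azure.com/subscriptions/{sub}/providers/Microsoft.Security/settings"
API_VERSION = "2019-01-01"

def mcas_integration_enabled(settings_response):
    """Evaluate a parsed GET .../Microsoft.Security/settings response.
    Returns the MCAS entry's enabled flag, or None when no MCAS setting exists."""
    for item in settings_response.get("value", []):
        if item.get("name") == "MCAS":
            return bool(item.get("properties", {}).get("enabled", False))
    return None

def is_noncompliant(settings_response):
    """Rule verdict: anything other than an explicit enabled=true fails SecurityCenter-031."""
    return mcas_integration_enabled(settings_response) is not True

def enable_body(subscription_id):
    """Request body matching the page's enable-defender-mcas-integration.json."""
    return {
        "id": f"/subscriptions/{subscription_id}/providers/Microsoft.Security/settings/MCAS",
        "kind": "DataExportSettings",
        "type": "Microsoft.Security/settings",
        "properties": {"enabled": True},
    }

def _arm_call(method, url, token, body=None):
    """Authenticated Resource Manager call; token comes from az account get-access-token."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

def audit_subscription(subscription_id, token):
    """Live audit (not run offline): True when the subscription fails the rule."""
    url = f"{SETTINGS_URL.format(sub=subscription_id)}?api-version={API_VERSION}"
    return is_noncompliant(_arm_call("GET", url, token))

def remediate_subscription(subscription_id, token):
    """Live remediation (not run offline): PUT the MCAS setting, return its enabled flag."""
    url = f"{SETTINGS_URL.format(sub=subscription_id)}/MCAS?api-version={API_VERSION}"
    return _arm_call("PUT", url, token, enable_body(subscription_id))["properties"]["enabled"]

# Constructed sample response (not real data): MCAS setting present but disabled.
SAMPLE_RESPONSE = {"value": [{"name": "MCAS", "type": "Microsoft.Security/settings",
                              "kind": "DataExportSettings", "properties": {"enabled": False}}]}
```

A subscription whose settings list carries no MCAS entry at all is reported as non-compliant too, which the page's jq filter would instead print as empty output.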

Publication date Feb 19, 2022