Azure Cloud App Discovery & PAC Files

Azure Cloud App Discovery is a seriously cool piece of technology. Being able to scan your entire computer estate for cloud SaaS applications, either in a targeted or a catch-all manner, can really help uncover the ‘Shadow IT’ going on in your environment. Nowadays, denying users local admin rights won’t necessarily stop them from using cloud SaaS apps in whatever way is going to increase their productivity. Users don’t generally think about the impact of using such applications, or the potential for data leakage.

But, as with many of Microsoft’s other cloud technologies, which are being launched left, right and centre at the moment, the Enterprise isn’t catered for quite as well as it might hope. Most Enterprise IT departments use some kind of web filtering or proxying. If this is done with a transparent proxy, you can count your blessings: Cloud App Discovery will work just fine. If you explicitly define a proxy in your Internet settings, you can get around that by adding particular registry keys. However, if you are using a PAC file to control access to the Internet, then unfortunately Cloud App Discovery will not work for you. This is a shame, as a PAC file is, in my opinion, the best way to approach web proxying in an Enterprise, but that’s another story.

From what I have heard, a feature is in the works which will allow you to configure Cloud App Discovery agents to log their findings to an internal data collector. This collector can sit on a local server and upload the data to Azure on your behalf, which is a much more elegant solution to the problem of collecting data from multiple machines. However, as far as I know, this feature is not available yet. I’ll be keeping my ear to the ground and will let you know if this changes.

In the meantime, if you are desperate to get your data collection up and running, you could switch to an explicitly defined proxy and configure the registry settings on your clients as per the following MS article:

https://azure.microsoft.com/en-gb/documentation/articles/active-directory-cloudappdiscovery-registry-settings-for-proxy-services/

Cloud App Discovery is a feature of Azure Active Directory Premium, a toolkit designed to take your Azure Active Directory to new, cloudier heights. Azure AD Premium can be bought standalone or comes bundled with the Enterprise Mobility Suite. I would highly recommend it to Office 365 customers, as it gives you and your users some great new features which help make your Azure AD the best it can be!

Edit: It looks like PAC file support has been added rather surreptitiously. No announcement was made, and the KB articles haven’t been updated. I happened to check the change log today, and release 1.0.10.1 includes an option to tweak your PAC file to support Cloud App Discovery: https://social.technet.microsoft.com/wiki/contents/articles/24616.cloud-app-discovery-agent-changelog.aspx

Alternatively, if you use a PAC file (Proxy Auto Configuration) to manage proxy configuration, please tweak your file to add https://policykeyservice.dc.ad.msft.net/ as an exception URL.

I’m yet to test this myself but it looks promising!
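For anyone who wants to see what that tweak looks like in practice, here is an added example of a minimal PAC file with the Cloud App Discovery exception. It is not taken from the changelog or from Microsoft; the proxy address proxy.corp.example:8080 and the single-label intranet bypass are assumptions for illustration. Browsers hand FindProxyForURL the URL and its hostname, so the https://policykeyservice.dc.ad.msft.net/ entry from the changelog becomes an exact hostname match. The point worth getting right is scope: every host sent DIRECT bypasses your web filter entirely, so match the one endpoint the agent needs rather than a wildcard such as *.msft.net, and make sure look-alike hostnames still go through the proxy.

```javascript
// Added example PAC file (not Microsoft's or the changelog's own code).
// Assumed: corporate proxy proxy.corp.example:8080 and an intranet bypass
// for single-label hostnames; adjust both to your environment.

// Hosts allowed to reach the Internet directly, bypassing the filtering proxy.
// Keep this to exact hostnames: a pattern such as "*.msft.net" would also
// let unrelated traffic around the proxy.
var DIRECT_HOSTS = [
  "policykeyservice.dc.ad.msft.net" // Cloud App Discovery agent endpoint
];

var CORP_PROXY = "PROXY proxy.corp.example:8080"; // assumed corporate proxy

function FindProxyForURL(url, host) {
  // Hostnames are case-insensitive; normalise before comparing.
  var h = host.toLowerCase();

  // Single-label intranet names (e.g. "fileserver") never leave the LAN.
  if (h.indexOf(".") === -1) {
    return "DIRECT";
  }

  // Exact-match exception for the Cloud App Discovery endpoint only.
  // "policykeyservice.dc.ad.msft.net.attacker.example" does NOT match.
  for (var i = 0; i < DIRECT_HOSTS.length; i++) {
    if (h === DIRECT_HOSTS[i]) {
      return "DIRECT";
    }
  }

  // Everything else goes through the filtering proxy.
  return CORP_PROXY;
}
```

Once deployed, confirm from a client that the agent's traffic to policykeyservice.dc.ad.msft.net really is going direct (your firewall or proxy logs should show no entry for it) and that ordinary browsing still appears in the proxy logs; a bypass that is too broad is easy to miss because everything simply keeps working.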


Notes from Barcelona – Empowering and protecting your mobile users

After a day and a half of TechEd, my mind is filled with two words…Enterprise Mobility. And the more I hear, the more sense it makes. Gone are the days when a user had a single corporate device, plugged into the wall with a LAN cable. These days, a user typically has anywhere between two and five devices, most of them mobile, and that user fully expects to be able to access some kind of corporate data on those devices. The line between a device for work and a device for play is blurred to the point of being invisible, and IT needs to adapt to be able to empower and protect users. The Enterprise Mobility Suite (EMS) isn’t just a product suite but a concept, one which will increase both productivity and security for your users.

On any given day, our users, in particular remote and mobile users, are logging into many different SaaS applications on many different devices, most of which are unmanaged. One new way for a company to get an idea of which SaaS apps are in use is to deploy the Cloud App Discovery tool from Microsoft. By deploying a lightweight agent to all, or a subset of, machines, you can see which apps are in use, who is using them and how much data is being pushed through them. This helps you identify which apps are used most frequently, and will also show you whether these can be integrated with Azure Active Directory to provide secure Single Sign-On. Surprisingly, the average number of applications found is around 150! Integrating Azure Active Directory with these SaaS apps brings a new level of security to your IT environment by putting the authentication mechanism under your control, which reduces the risk of credential leakage.

Enterprise Mobility covers many facets of securing mobile devices, mobile data and cloud services. Securing your SaaS apps is one, but what about your mobile devices? The half-life of a mobile device is getting shorter all the time, and it is not feasible for IT to keep track of who owns which device. With Microsoft Intune and Azure RMS in Office 365, you can let your users enrol and manage their own devices whilst keeping your data safe and secure.

For example, in order to access corporate email on their mobile or tablet device, a user must enrol the device with Microsoft Intune. Once this is done, conditional access is configured so that corporate data can only be accessed by approved applications. A Word document attached to a message in the Outlook Web App (OWA) cannot be saved anywhere other than OneDrive for Business, and cannot be edited by any app other than Word. This way, data leakage is reduced significantly. Policies for this are easy to configure in a few clicks and require no user involvement. The concept here is to enable users by providing access to apps which assist productivity, such as collaborative document management in SharePoint and OneDrive for Business. However, this data also needs to be secured for legal and compliance reasons, and conditional access can address this.

This is just a taste of the features available in the Enterprise Mobility Suite. Integrating your SaaS applications with Azure AD, and enabling and securing your users’ mobile and tablet devices using Intune, will significantly improve the security and productivity of your users. Add to this the Azure Rights Management Services and Self Service Password Reset features and you are a much more mobile and secure company. BYOD is a reality, and it’s time IT embraced it.