Sanction or Unsanction (Allow/Block) with Defender for Cloud Apps

There might be a scenario where you would like to block (or Allow) specific Cloud Applications/Web Applications. In this blog I pick OpenAI ChatGPT as an example. I can imagine some Schools are not happy with ChatGPT and are trying to prevent their students from using it.

There are various ways to block network traffic. It could be done using URL filtering in Firewalls for example. This does not prevent the user/device from accessing the URL/Cloud App when they are not working behind this firewall. This blog describes how to do this using Defender for Cloud Apps and/or Defender for Endpoint Indicators.

Block using Defender for Endpoint Indicators

Blocking certain URL’s via Indicators is probably the easiest method and does not require Defender for Cloud Apps. It does come with some limitations that the blocked URL is a static configuration and needs to be maintained when blocked URL’s might change. Luckily this doesn’t happen that much.

Navigate to https://security.microsoft.com/ and click Settings -> Endpoints -> Indictors -> URLs/Domains -> click Add item.

Select Block execution as action mode and optionally select Generate alert. This will send a mail to the configured e-mail notification addresses under Settings -> Endpoints -> Email notifications.

On the Scope page. Select All devices or optionally a device group (e.g. “Student Devices”).

After saving the Indicator, it can take a few minutes before the block mode is activated for this URL. After approx. 15 minutes you will see the URL being blocked from the endpoints.

Note: It can take up to 2 more hours before your endpoints have received the policy update and start blocking the URL.

Block using Defender for Cloud Apps

The more advanced way of blocking access can be done using Defender for Cloud Apps. Since Microsoft added OpenAI ChatGPT as a Cloud App to the application catalog, we’re able to manage it. Although this also uses Indicators in the background, we’re still able to do more management and monitoring compared to indicators.

Defender for Cloud apps contains thousands of cloud applications which can be monitored/sanctioned or unsanctioned. For example: Facebook, Netflix, Dropbox, WeTransfer, Discord, Tiktok, Twitter, Instagram and many more.

The complete cloud app catalog can be found here.

Prerequisites

Configure Defender for Endpoint Integration

To block all unsanctioned cloud apps automatically, the Defender for Endpoint integration should be enabled first. This can be done from the Defender for Cloud Apps portal via Settings -> Cloud Discovery -> Microsoft Defender for Endpoint or via this URL. Make sure to enable Enforce app access. Enabling this can take up to 30 minutes for this setting to take effect.

It’s also wise to enable the Defender for Cloud Apps integration from Advanced Features in Defender for Endpoint. This setting can be found via https://security.microsoft.com/ -> Settings -> Endpoints -> Advanced features.

Unsanction an app

Navigate to https://security.microsoft.com/ and click Cloud app catalog. Search for OpenAI ChatGPT. This gives us the opportunity to sanction (allow) or unsanction (block) cloud applications. Tag the application as unsanctioned to block access from Defender managed devices.

In case you want to filter some specific devices from being blocked you can use App Tags. This can be found under Settings -> Cloud Apps -> App Tags. These make use of Device Filter groups which is basically the same as selecting a device group when using a Indicator as shown before.

Once Defender for Cloud Apps pushed the modifications to Defender for Endpoint, you will see that a indicator is automatically created as we first did manually. Your endpoints are now starting to block the unsanctioned app.

Note: It can take up to 3 hours before the Cloud App / URL is blocked on endpoints! Defender for Cloud Apps synchronizes every hour to Defender for Endpoint. It can take up to 2 more hours before your endpoints have received the policy update.

Related Posts

4 thoughts on “Sanction or Unsanction (Allow/Block) with Defender for Cloud Apps

  1. Hey,

    do you know if its possible to disable the Create Alert that is greyed out in the indicators
    Because when you have a Policy like Block Non GDRP Apps – a lot of Apps are blocked and will create therefore a lot of alerts

    Thanks in advance

    1. Hi Pascal,

      When using the Defender for Endpoint and Cloud Apps integration (unsanctioned apps) this is not possible. This is only possible when creating an indicator yourself via Settings-> Endpoints -> Indictors -> URLs/Domains -> click Add item.
      Apps found in the Cloud App Catalog are managed by Microsoft. Indicators are managed by yourself.

  2. Ey man, thanks for the post.

    I have found an issue while blocking traffic to Unsanctioned Apps, it doesn´t work in Google Chrome, only with Edge…. Is that normal?

Leave a Reply

Your email address will not be published. Required fields are marked *

4 + 16 =