Immediate session log off for suspicious users
Real-time remediation of security threats is a key challenge for companies, because attackers can move quickly to access critical data. The Cloud App Security team is excited to introduce a new feature for threat protection through integration with Azure Active Directory: when a suspicious activity is identified in the Cloud App Security portal, you can now initiate an auto-remediation action that logs off the affected users and requires them to sign in again to Office 365 as well as all apps accessed through Azure Active Directory.
Let’s explore two key reaction capabilities of this feature:
Respond to anomalous behavior
External sharing of sensitive files, download of sensitive files from unrecognized locations, or any activity that’s considered abnormal can trigger alerts in the Cloud App Security portal. These alerts provide immediate notification of potential security incidents and assist admins with proactive investigation.
In the event of suspicious user behavior, the new auto-remediation feature allows the security admin to take immediate action, triggering a revocation of all user sessions and requiring the user to sign in again to all apps.
React to account takeover
When an attacker gains unauthorized access to an account, a common industry practice is to disable the account. But this is not enough! If the account is actively being used to exfiltrate data, to gain elevated privileges in the organization, or in any other way that keeps the attacker’s session active, the attacker can still use the compromised account.
The new Cloud App Security capability allows an admin to revoke the compromised account’s sessions and fully mitigate the attack. Cloud App Security invalidates all the user’s refresh tokens issued to cloud apps.
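How invalidating a user's refresh tokens forces a new sign-in to every app, as a simplified model added here for illustration (not Cloud App Security or Azure Active Directory code). The class, the per-user cutoff timestamp, the token lifetime and the sample users are all assumptions of the model.

```python
# Simplified, constructed model of refresh-token revocation (not product code).
import secrets

ACCESS_TOKEN_LIFETIME = 3600  # seconds; assumed value for this model

class ToyIdentityProvider:
    def __init__(self):
        self.valid_from = {}      # user -> tokens issued before this time are void
        self.refresh_tokens = {}  # token -> (user, app, issued_at)

    def sign_in(self, user, app, now):
        """Interactive sign-in: issue a refresh token for one app."""
        token = secrets.token_urlsafe(16)
        self.refresh_tokens[token] = (user, app, now)
        return token

    def redeem(self, token, now):
        """Exchange a refresh token for an access token, or None if rejected."""
        record = self.refresh_tokens.get(token)
        if record is None:
            return None
        user, app, issued_at = record
        if issued_at < self.valid_from.get(user, 0):
            return None  # issued before the revocation: user must sign in again
        return {"user": user, "app": app, "expires_at": now + ACCESS_TOKEN_LIFETIME}

    def revoke_sessions(self, user, now):
        """Governance action: void every refresh token issued to the user so far."""
        self.valid_from[user] = now

def demo():
    idp = ToyIdentityProvider()
    # Constructed sample users, apps and timestamps (seconds).
    alice_mail = idp.sign_in("alice", "mail", now=100)
    alice_files = idp.sign_in("alice", "files", now=120)
    bob_mail = idp.sign_in("bob", "mail", now=130)
    access_before = idp.redeem(alice_mail, now=200)  # expires at 200 + 3600

    idp.revoke_sessions("alice", now=300)
    fresh = idp.sign_in("alice", "mail", now=400)
    return {
        "old_tokens_rejected": idp.redeem(alice_mail, 350) is None
        and idp.redeem(alice_files, 350) is None,
        "other_user_unaffected": idp.redeem(bob_mail, 350) is not None,
        "new_sign_in_accepted": idp.redeem(fresh, 450) is not None,
        "access_token_expiry": access_before["expires_at"],
    }
```

In this model the revocation is a per-user cutoff checked when a refresh token is redeemed, so the access token handed out at t=200 is not touched and simply lapses at its own expiry.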
How to implement this feature
Requiring the user to sign in again can be set during the policy creation phase, or initiated directly from an alert as part of the resolution options for a user. Initiating governance actions directly from the policy allows for automatic remediation. In this case, the admin needs only to select this option and it will be enforced.
Policy setting: require user to sign in again
Alternatively, an admin can select to require another sign in as part of the reactive investigation of an alert as seen below. In either case, to ensure secure productivity, the user is protected and can continue working with minimal interruption.
Require user to sign in again during investigation of a specific alert
Our goal is to provide a holistic and innovative security approach with Enterprise Mobility + Security. Cloud App Security and Azure Active Directory together offer unique value that helps you gain better control over your cloud, by identifying suspicious activities which may be indicative of a breach and then responding immediately.
Learn more and give us feedback
We know how important visibility, control and threat protection are for you, especially when it comes to cloud apps. Our goal is to continuously innovate to provide a top-notch user experience, visibility, data control and threat protection for your cloud apps. If you would like to learn more about our solution, please visit our technical documentation page.
We’d also love to hear your feedback. If you have any questions, comments or feedback, please leave a comment or visit our Microsoft Cloud App Security Tech Community page.