Summary: How to start using Office 365 Cloud App Security.
Date: Around 2015
Refactor: 7 March 2025: Checked links and formatting.

Cloud App Security is part of the E5 EMS license structure and provides some good insight into what's going on in your Office 365 cloud environment.

The portal can be reached from the office365 Admin portal: https://portal.office.com → Admin Centers → Cloud App Security. This will patch you through to something like: https://COMPANY.portal.cloudappsecurity.com. Or you can access the portal directly through: https://portal.cloudappsecurity.com

All global admins have access to the Cloud App Security Portal. You can also add people to the Security Readers role in https://portal.azure.com → User → Directory role. And finally you can grant users access inside the Cloud App Security Settings → Manage Admin Access

• Global Admin: Admins with Full access have full permissions in Cloud App Security. They can add admins, add policies and settings, upload logs and perform governance actions.
• Security Reader: Has read-only permissions and can manage alerts.

You can use Cloud App Security to get an overview of all apps that are authorized by users to access Company data.

• Go to Investigate → OAuth Apps

By default, users can register apps themselves and consent to data access. You can disable this by setting these two settings:

• Azure Portal → Azure Active Directory → Users → User settings → App Registration → NO
• Azure Portal → Azure Active Directory → Enterprise Applications → User Settings → Users can consent to apps accessing company data on their behalf → NO

Once the apps are registered you can Approve or Block them in the Cloud App Security Portal:

• Select the App in the Manage OAuth Apps overview
• You can Approve or Block the app on the rightside of the screen

You can remove an individual user from access to an app which is convenient if you don't want to block access to the app for the entire company in a single click. You need to take two steps, you need to configure the app to require user assignment (only once) and then remove the individual users.

• Go to Azure Active Directory → Enterprise Applications and select the application
• Go to properties → User assignment required → YES

• Go to Azure Active Directory → Enterprise Applications and select the application
• Go to Users and Groups and select the user. Click Remove.

It might take up to an hour for the setting to take effect (time measured when testing) but then the user gets an notification that the application is no longer available.

To get an overview of data that is publicly shared or shared with external guests:

• Go to Investigate → Files
• Set Access Level as appropriate, for example External

If you have the need to unshare files you can do so:

• Select the files by clicking the document icon in front of the filename.
• At the top three vertical dots appear, click them
• Select Make Private

Go to the Alerts dashboard to view the open alerts. If required you can set to receive emails for these alerts in your own admin settings. Go to your profile → User Settings → Notifications (note that your account needs a valid email address).

The alerts gets triggered by policies that are maintained by Microsoft. You can setup your own policies as well, or modify the default policies. To do so:

• Go to Control → Policies
• Select the policy you want to modify
  • You can change the scope to include or exclude specific users
  • Or configure the alerts to be sent to a specific mailbox (Alerts → Send alert as email → Enter the email address)
  • Or set to notify or suspend the user (Governance → Notify user / Suspend User)

https://docs.microsoft.com/en-us/cloud-app-security/admin-settings
https://docs.microsoft.com/en-us/cloud-app-security/manage-admins
https://docs.microsoft.com/en-us/cloud-app-security/manage-app-permissions
https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy