Some of the enterprise customers I have talked to, that are in the process of evaluating cloud services for use by their organization, have told me that they currently do not use cloud services. Some are adamant that no one within their organization is currently using the cloud, while others speculate that some business groups are undoubtedly using cloud apps unbeknownst to their IT department and without explicit organizational approval to do so. In both of these cases the customers don’t have much data to help them get insight into the “shadow IT” solutions that might be in use within their organizations. This worries CISOs and CIOs alike as corporate data they have been entrusted to protect could be leaving the organization via unapproved cloud apps that might not meet their organization’s security and privacy standards.

This is where Azure Active Directory Cloud App Discovery can help. Azure AD Cloud App Discovery is included in the Premium edition of Azure Active Directory. You can get information on the different editions of Azure Active Directory here.

Azure Active Directory Cloud App Discovery enables you to:

  • Discover cloud applications in use within your organization. See the specific applications that were detected and track application usage over time.
  • Identify which users in your organization are using cloud applications. See the number of users using a particular application, and the identities of those users.
  • Data can be exported so that it can be further analyzed via PowerBI analytics or offline.
  • Prioritize applications to bring under IT control, with provisioning, single sign-on and conditional access policies.

The Azure Active Directory Cloud App Discovery Endpoint Agent is used to collect data on which cloud apps are being used on client systems that it is installed on. This agent can be installed on Windows 7, Windows 8, Windows 8.1, and Windows 10 based systems. Administrators of the Azure Active Directory tenant can download the agent installation package from the Azure portal. The agent can either be manually installed on client systems or installed across multiple machines in the organization using Group Policy or Microsoft System Center Configuration Manager (SCCM). The administrator has an option to configure regarding privacy notification or approval of agent installation and data collection (as seen below). I also provide a screen shot of what the user sees above the system tray on their system when the administrator selected the “require user consent” option below.
102615_02 102615_03

The agent captures the URLs, headers and metadata for HTTP and HTTPs connections originating from the system that it is installed on. This allows the agent to capture requests to all cloud applications accessed over HTTP or HTTPs (using the “Deep Inspection” option seen below) whether the user is using a browser or some other type of application.

If applications use protocols other than HTTP or HTTPS to access cloud services, those apps won’t be discovered by the agent. The agent also captures the username of the user logged onto the system. The agent sends this data to the Azure Cloud App Discovery service over an encrypted channel where its stored in Azure blob storage; the data in the service is only visible to admins of the tenant and each tenant admin can only see the data for their tenant.

More information on the agent, the specific data it collects, and how the data is sent to the service from the clients is available in this article: Cloud App Discovery Security and Privacy Considerations.

Global Administrators or their delegates can decide which cloud apps they want the agent to track usage of. By default, all the apps in the Business apps category will be tracked, but any combination of the 1,465 apps (current count at the writing of this article) in 25 categories can be selected or all apps can be specified.

For each application tracked, administrators will see the username of the user using the application, the machine name the app was used from, how many web requests were sent to the cloud app (multiple requests can be sent per operation so this number could be large), the volume of data sent out, the volume of data that came in, and the last date and time the app was accessed. A comma separated values (CSV) file with this data can be downloaded from Azure Cloud Discovery App in the Azure portal.

Here are some other resources for you:

Cloud App Discovery
Azure Cloud App Discovery GA and our new Privileged Identity Management service
Azure Cloud App Discovery (video)
Cloud App Discovery – Frequently Asked Questions
Cloud App Discovery Group Policy Deployment Guide

Tim Rains
Chief Security Advisor
Worldwide Cybersecurity & Data Protection