Microsoft Cloud App Security (MCAS) is a cloud security tool that, among many other things, can scan your cloud storage for protected data (such as PII, PCI, HIPAA, etc.). In this post, we’ll configure a policy to scan OneDrive for files containing an American social security number (SSN).
There are several ways to license MCAS. You can buy it standalone, bundle it with EMS E3 or A3, EMS E5/A5, M365 E5/A5 Security, or with full M365 E5/A5. There are also subsets of features available when purchasing Office 365 E5/A5 and Azure AD Premium P1 or P2.
For information on enabling MCAS and connecting it to O365, see Enable Microsoft Cloud App Security and Connect to O365. This post assumes that you have already performed the steps outlined in that blog post.
Enable File Monitoring
To scan files in a cloud storage provider, you must first ensure that file monitoring is enabled. To do this, follow these steps.
- Click the Gear in the upper-right corner and select Settings.
- Click Files under Information Protection.
- Check the box and click Save.
Next, make sure that the Office 365 connector is enabled to scan files.
- Click Investigate, then Connected apps in the menu.
- Click the options button, then select Edit settings….
- Check the box for Office 365 files and click Connect.
Enable SSN Policy
To enable a policy to scan for SSNs, follow these steps.
- Click Control, then select Policies from the menu.
- Click Create policy, then select File policy.
- In the Policy template drop down, select File containing PII detected in the cloud (built-in DLP engine). Read and accept the warning message.
- Give your policy template a name in the Policy name field and a description in the Description field.
- Configure the rest of the fields per your organization’s requirements. When you are done, click Create.
You do not need to specify a filter, unless there’s an organizational need too. Leaving the filter empty will scan all files in the connected cloud service.
Test the Policy
You can verify that the policy is working by placing a file in OneDrive that contains SSNs. There are several examples online of fake SSNs that will still activate this policy. It took about three hours before I had an alert, but this was a fresh setup. I put another file in OneDrive and I had a new alert within about five minutes. To view the alert, follow these steps.
- Click Alerts from the menu.
- Click the Alert.
This screen will show you all of the details about the alert, such as the file, it’s history, and various activities related to the file.
You can take various actions on the file by clicking on the menu button.
Now you’ve created your SSN policy, triggered an alert, and taken action on a file.
All content provided on this blog is for information purposes only. Windows Management Experts, Inc makes no representation as to accuracy or completeness of any information on this site. Windows Management Experts, Inc will not be liable for any errors or omission in this information nor for the availability of this information. It is highly recommended that you consult one of our technical consultants, should you need any further assistance.