How does Microsoft M365 E3 work with the non-Microsoft ecosystem applications?
Detexian’s CTO Adrian Kitto continues with part 2 of his 12 part blog series on tackling some hard productivity and SaaS application security use cases with Microsoft’s M365 E3 product suite.
In case you missed it last time, please check out:
The modern workplace is powered by a myriad of SaaS applications, many of which are external to the Microsoft ecosystem.
These applications can come in the form of:
Native to the Microsoft M365 ecosystem such as Exchange, SharePoint and Teams;
Additional productivity applications such as Slack, Dropbox or Box;
Functional applications for business units such as:
HR - BambooHR / Employment Hero;
Sales - Salesforce / Hubspot;
Marketing - Canva / Typeform;
IT Ops / Software engineering - Github / Jira & Confluence.
Integration applications - Zapier / Moxo
These applications are commonly referred to as enterprise or B2B SaaS applications and often target business users directly to be integrated into business processes. It's worth noting that while Microsoft M365 E3 is designed to work well with non-Microsoft ecosystem applications, there may be some limitations or challenges that you need to be aware of.
For example, some non-Microsoft applications may not fully support Microsoft Graph, which could limit their integration with M365 E3. They are typically designed to interact with and have user identity centralized to Microsoft’s Azure AD. Some applications may require additional configuration or setup to work properly with M365 E3, which could add to the complexity of the integration that may be overlooked.
With the rise of the SaaS application marketplaces, many B2B SaaS applications can be chosen and procured by the business units themselves. IT and Security are rarely involved in the selection, procurement, and operation of these applications. Discovering what “Shadow IT” applications are being used outside the Microsoft ecosystem requires the use of Microsoft 365 Defender, which is an E5 only product.
With Microsoft M365 E3 licensing, customers can control device management, user identity, and endpoint security. However, with only these tools, they lack the ability to easily discover SaaS applications that are being chosen, procured, and operated by their business users. Additionally, once they do discover applications in use in their business, they have zero visibility, governance, or management capabilities in those applications. This is another significant gap in security posture for mid-size enterprises attempting to effectively manage their users, applications, and corporate data.
When Detexian identifies applications such as Slack and Salesforce that have been procured and operated by the business steps, it is normal for the IT team to want to implement some controls to ensure that the use is within the company's risk appetite. The traditional way to control this was to centralize management to IT and remove the business users from administration functions in the application. However, in the modern workplace, the business is better suited to fund and operate their tools, and IT only requires governance oversight.
By leveraging Azure AD for SSO and MFA, Intune Conditional Access for Device Management, Detexian for Privileged Access monitoring, and Detexian for User Access Management, the IT/Security team gets assurance that the required security controls are in place and operating effectively. If the discovered application has data sharing or marketplace capabilities, additionally, Detexian can extend IT/Security visibility to those as well. This is a significant uplift on the security and compliance functionality delivered by Microsoft M365 E3 on its own.
Security thought for the week
Did you know that the first reported business email compromise (BEC) occurred in 1998 when fraudsters, posing as a well-known retailer, sent emails to their suppliers requesting payment be made to a new bank account. This attack went undetected for several months, allowing the fraudsters to steal millions of dollars from the targeted businesses.
Since then, BEC has become a prevalent form of cybercrime, with attackers using increasingly sophisticated methods to trick victims into transferring money or divulging sensitive information. In 2020, the FBI received over 19,000 reports of BEC incidents in the US alone, resulting in losses of over $1.8 billion.
Join me next time when I get into the details about “Discovering user consented apps with Microsoft M365 E3.” You’ll get some real code that can output some potential security risks in this one.
Till then, stay secure.
Adrian
