Contents x
    Microsoft Cloud App Security
    • 08 Apr 2025
    • 3 Minutes to read
    • Print
    • Dark
      Light
    • PDF
    Contents

    Microsoft Cloud App Security

    • Updated on 08 Apr 2025
    • 3 Minutes to read
    • Print
    • Dark
      Light
    • PDF
    Article summary

    Microsoft Cloud App Security is a Cloud Access Security Broker (CASB) that supports various deployment modes including log collection, API connectors, and reverse proxy.

    Types of Assets Fetched

    This adapter fetches the following types of assets:

    • Users
    • SaaS data

    Parameters

    1. Portal URL (required) - The hostname or IP address of the Microsoft Cloud App Security server that Axonius can communicate with via the Required Ports. Refer to Cloud App Security REST API for details.

    2. Authentication Method - Select the Authentication Method, either 'Token' or 'OAuth2'. If you choose Token, then 'Token' is displayed. If you choose 'OAuth2', 'Client ID', 'Client Secret', and 'Tenant ID' are displayed.

    3. Token (required) - This option is available when you choose 'Token' as the 'Authentication Method'. A Token associated with a user account that has permissions to fetch assets. Refer to API Tokens for details.

    4. OAuth2 Options: The following options are displayed when you choose 'OAuth2' as the 'Authentication Method'. To use them you need to register the application, as explained in Access with application context.

      1. Client ID and Client Secret - Provided after registering the Application.
      2. Tenant ID - Provided by Microsoft.

    5. Username and Password (Required to fetch SaaS data) - The credentials for a user account that has the permissions needed to fetch SaaS data.

    6. 2FA Secret Key (Optional) - The secret generated in Microsoft Entra ID for setting up 2-factor authentication for the Microsoft user. For information on how to generate this key, see Microsoft Entra ID and Microsoft Intune. This is needed if the Entra ID user requires 2FA authentication.

    7. Verify SSL - Select whether to verify the SSL certificate of the server against the CA database inside of Axonius. For more details, see SSL Trust & CA Settings.

    8. HTTPS Proxy (optional) - Connect the adapter to a proxy instead of directly connecting it to the domain.

    9. HTTPS Proxy User Name (optional) - The user name to use when connecting to the value supplied in Host Name or IP Address via the value supplied in HTTPS Proxy.

    10. HTTPS Proxy Password (optional) - The password to use when connecting to the server using the HTTPS Proxy.

    To learn more about common adapter connection parameters and buttons, see Adding a New Adapter Connection.

    Connecting the Adapter with OAuth2
    MCAS_Adapter_OAUTH
    Connecting the Adapter with a token
    MCAS_Adapter_Token


    Advanced Settings

    Note:

    Advanced settings can either apply for all connections for this adapter, or you can set different advanced settings and/or different scheduling for a specific connection, refer to ​Advanced Configuration for Adapters.

    1. How to fetch user entities - You can select which fetching method to use to fetch user entities. Your selection will affect the fetching time. You can either enable it in Normal Fetch (will increase the fetching time significantly), enable it in Background Fetch, or not fetch user entities at all.
    2. Ignore users with no domain (optional, default: true) - Select this option to ignore Microsoft Cloud App Security users that do not have a domain field.
    3. Ignore external users - Select this option to ignore external users.
    4. Ignore SaaS Applications Repository and parse all applications (only for accounts with Axonius SaaS Applications) - Select this option to parse and save all the SaaS applications, even if they are not known by the Axonius SaaS Applications Repository.
    5. Timeframe - Set the fetch timeframe: 30 (default), 60, or 90 days.
    Note:

    To learn more about Adapter Configuration tab advanced settings, see Adapter Advanced Settings.

    APIs

    Axonius uses the Microsoft List - Entities API.

    Refer to Connecting to Cloud App Security API to learn how to generate a token.

    Required Ports

    Axonius must be able to communicate with the value supplied in Portal URL via the following ports:

    • TCP port 443


    Required Permissions

    The value supplied in Token must be associated with credentials that have permissions to fetch assets.

    If OAuth2 is selected as the authentication method, the application associated with the Client ID must be granted the following permissions:

    • discovery.read
    • investigation.read
    • settings.read

    Accessing OAuth2 Permissions

    1. In the Azure portal navigate to App registrations > {App name} > API Permissions.

    2. Click Add a permission.

    3. Click the APIs my organization uses tab, locate and click Microsoft Cloud App Security.
      MCAS_RequestAPIPermission

    4. Click Application permissions.

    5. Select the permissions mentioned above.
      MCAS_Permissions

    6. Click Add permssions.

    7. Click Grant admin consent for {Directory name}.

    8. When prompted, click Yes.

    Supported From Version

    Supported from Axonius version 4.4


    Was this article helpful?
    What's Next