An overview of Azure Active Directory


Many applications, one identity repository



Date: 31.07.2017





Discovering all cloud applications in use within your organization


Many organizations rely upon Software-as-a-Service (SaaS) applications such as Office 365, Box, Salesforce, and many others.

Imagine that a business requires a new application to enhance its relationships with customers, and that the key constraints for this application are a limited budget and a short time frame to deliver it. This leads IT to consider a public cloud application, which brings interesting capabilities such as economies of scale, time-to-market and unlimited scalability.

Furthermore, an open marketplace on the Internet gives entities within an organization the ability to subscribe to a cloud application at any time to quickly answer business imperatives, campaigns, etc., along with freedom of choice, flexibility and a perceived non-dependency on IT. As a result, many more SaaS applications are potentially in use than IT estimates. This situation leads organizations towards “Shadow IT”, with all the concerns about unauthorized access to corporate data, possible leakage of sensitive data and other security risks inherent in the SaaS applications in use. Without knowing exactly how many cloud applications, or which applications, are being used, even getting started on a plan to deal with these risks seems daunting.

The Cloud App Discovery service of Azure AD is a first step in helping IT gain accurate visibility into which cloud applications are in use within the organization. IT can then take steps to integrate the SaaS applications in use with Azure AD through the Application Access Enhancements for Azure AD (see next section).

This service is available in the new Azure portal at https://portal.azure.com/. The portal allows you to add the Cloud App Discovery tile to your Startboard.

Important note: This service is only available when you enable the premium edition of Azure AD. For more information, see the Microsoft TechNet article Azure Active Directory Editions [149].

Once added, this service allows your IT to:



  • See the applications which were detected, and track application usage over time.

  • See the number of users using a particular application, and the identities of those users.

  • See the number of agents that are reporting data to the Cloud App Discovery service.

  • Sort applications by number of requests, volume of data, or the number of users using the application.

  • Control which applications to collect data on.

  • Export data to an offline store for custom analysis.

Note: For more information, see the blog posts Azure Cloud App Discovery is now GA [150] and Azure Cloud App Discovery GA and our new Privileged Identity Management service [151], as well as the Microsoft TechNet wiki article Cloud App Discovery - Frequently Asked Questions [152].

To achieve the above, that is, to discover the cloud applications in use and to collect application usage information, the Cloud App Discovery service uses an agent. This agent can be deployed on all (or a representative subset of) machines in the organization that run Windows 7 and above.

The agent captures HTTP usage information, i.e. URLs, headers and metadata for HTTP/HTTPS accesses originating from the machine on which it runs. This allows the agent to capture requests to all cloud applications accessed over HTTP or HTTPS.

Note: Every access to an application’s web site typically includes multiple different requests to the site to retrieve different parts of the web page. The browser will actually make dozens of additional web requests for content like pictures, social plugins and other resources. See the snapshot below.

For known cloud applications in the database, the Cloud App Discovery service includes an optimization that counts each webpage load only once, so that the service does not count every access to the various elements of the webpage. However, this is an area we’re looking to continue to make improvements on.
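An added example, not part of the original paper and not the Cloud App Discovery service's own code: it rolls up usage records like those the agent collects per application, counting a burst of requests from one user as a single page load, and sorts the result by requests, data volume or users. The record layout, the `APP_CATALOG` entries, the 5-second window and all function names are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed catalog: domain suffix -> application (hypothetical, not the service's database).
APP_CATALOG = {"salesforce.com": "Salesforce", "box.com": "Box", "office365.com": "Office 365"}
PAGE_LOAD_WINDOW = timedelta(seconds=5)  # assumed burst window for one page load
# Constructed sample records: (timestamp, user, host, bytes transferred).
SAMPLE = [
    ("2015-03-02T09:00:00", "alice", "app.box.com", 12000),
    ("2015-03-02T09:00:01", "alice", "cdn.box.com", 80000),
    ("2015-03-02T09:00:02", "alice", "static.box.com", 3000),
    ("2015-03-02T09:05:00", "alice", "app.box.com", 9000),
    ("2015-03-02T09:01:00", "bob", "na1.salesforce.com", 20000),
    ("2015-03-02T09:01:01", "bob", "img.salesforce.com", 45000),
    ("2015-03-02T09:02:00", "carol", "na1.salesforce.com", 15000),
    ("2015-03-02T09:03:00", "carol", "intranet.example.local", 500),
]

def app_for_host(host):
    """Map a host to a catalog application by domain suffix, or None if unknown."""
    for suffix, app in APP_CATALOG.items():
        if host == suffix or host.endswith("." + suffix):
            return app
    return None

def summarize(records):
    """Return {app: {"requests", "page_loads", "bytes", "users"}} for catalog apps."""
    stats = defaultdict(lambda: {"requests": 0, "page_loads": 0, "bytes": 0, "users": set()})
    last_seen = {}  # (user, app) -> timestamp of that user's previous request to the app
    for ts, user, host, size in sorted(records):
        app = app_for_host(host)
        if app is None:
            continue  # not a known cloud application
        when = datetime.fromisoformat(ts)
        entry = stats[app]
        entry["requests"] += 1
        entry["bytes"] += size
        entry["users"].add(user)
        prev = last_seen.get((user, app))
        # A request arriving within the window of the previous one belongs to the same page load.
        if prev is None or when - prev > PAGE_LOAD_WINDOW:
            entry["page_loads"] += 1
        last_seen[(user, app)] = when
    return dict(stats)

def rank(stats, key):
    """Sort application names by 'requests', 'bytes' or 'users', highest first."""
    size = (lambda s: len(s["users"])) if key == "users" else (lambda s: s[key])
    return sorted(stats, key=lambda app: (-size(stats[app]), app))
```

Calling `rank(summarize(SAMPLE), "users")` orders the applications by distinct users; the raw request count and the page-load count differ because sub-resource requests are folded into the page load that triggered them.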

The agent also captures the username of the user on the machine. The agent sends the collected traffic over a secure, encrypted channel to the Cloud App Discovery service. The data in the service is only visible to the administrators of the tenant. Each tenant admin can only see the data for their tenant, and no other tenant’s.

To start using the Cloud App Discovery service and deploy the agent on Windows machines, proceed with the following steps:


  1. Open a browsing session and navigate to the new Azure Portal at https://portal.azure.com/.

  2. Click Sign in and enter the credentials for a global administrator account of your organization that has a trial or paid subscription to Azure AD Premium.

  3. Select Marketplace, and then select Security + Identity, or search for it by typing “Identity”.



  4. Click Azure AD Cloud App Discovery. An introductory blade opens up.

Note: A blade is one piece of the overall view. You can think of a blade as a window.

  5. Click Create. This will open another blade with your Cloud App Discovery information.

  6. On the Cloud App Discovery blade, click Quickstart, and then Download Agent.

  7. Click Download to download the ZIP file (Microsoft Cloud App Discovery Endpoint Agent.zip). The ZIP file contains the setup file (EndpointAgentSetup.exe), which should be installed on the targeted machine for cloud application discovery, and a certificate used to authenticate to your Azure AD tenant in the cloud.

  8. After installing the agent on a machine where the user has been accessing applications, data typically shows up within 10 minutes in the Cloud App Discovery dashboard.

Note: For a complete step-by-step walkthrough of the management experience in the new Azure portal, and the installation of the agent, see the Microsoft MSDN article Cloud App Discovery [153].

The Cloud App Discovery service can be further configured to route the data collected to Azure Blob storage in order to perform analytics on the data in tools like Excel and Power BI [154].



Note: For a complete walkthrough of the dashboard, see the blog post Cloud App Discovery: Now with Excel and Power BI Support [155].

