Unfortunately, it is common for departments in a company to use cloud applications (Dropbox, …) without the IT team being aware of it. This can cause data loss and security problems. Cloud App Discovery is a feature of the Premium edition of Azure AD; it detects the cloud applications used in the company.
Cloud App Discovery provides the following functions:
• Perform detection of cloud applications and measure the use (number of users, traffic,…).
• List users.
To operate, an agent is installed on user workstations. To retrieve information about application use, the data is sent to the Cloud App Discovery service over a secure, encrypted channel. Once the data is received, it is evaluated in order to generate the data.
Operation of the agent
During installation, the agent stores the approved certificate on the computer; this certificate is required to establish a connection to the Cloud App Discovery service.
This connection also lets the agent retrieve the policy configured in the Cloud App Discovery service. The policy determines which cloud applications to monitor and whether automatic updates are enabled.
The agent analyzes the traffic sent and received by the web browser and extracts the necessary information. Every minute, the agent sends this information to the service over a secure channel. If the information cannot be sent (a firewall blocking the traffic, …), the data is stored locally and transmitted later.
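The kind of measurement described above (number of users and traffic per monitored application) can be illustrated with a short added example; it is not Microsoft's agent code. The record format, the MONITORED_APPS mapping and the sample lines are constructed assumptions.

```python
from collections import defaultdict

# Assumed policy: host suffix -> application name (constructed, not the service's catalog).
MONITORED_APPS = {
    "dropbox.com": "Dropbox",
    "box.com": "Box",
}

# Constructed sample records: "user host bytes_sent bytes_received"
SAMPLE_TRAFFIC = """\
alice www.dropbox.com 1200 5400
bob api.dropbox.com 300 900
alice www.dropbox.com 100 250
carol app.box.com 800 1600
bob intranet.example.com 50 75
dave notdropbox.com 10 10
"""

def match_app(host, policy):
    """Return the monitored app for host, matching only on a DNS label boundary."""
    host = host.lower().rstrip(".")
    for suffix, app in policy.items():
        if host == suffix or host.endswith("." + suffix):
            return app
    return None

def discover(traffic, policy=MONITORED_APPS):
    """Aggregate distinct users and total bytes per monitored application."""
    users = defaultdict(set)
    volume = defaultdict(int)
    for line in traffic.splitlines():
        parts = line.split()
        if len(parts) != 4 or not (parts[2].isdigit() and parts[3].isdigit()):
            continue  # skip malformed records instead of failing the whole batch
        user, host, sent, received = parts
        app = match_app(host, policy)
        if app is None:
            continue  # host is not on the monitored list
        users[app].add(user)
        volume[app] += int(sent) + int(received)
    return {app: {"users": len(users[app]), "bytes": volume[app]} for app in users}

if __name__ == "__main__":
    for app, stats in sorted(discover(SAMPLE_TRAFFIC).items()):
        print(f"{app}: {stats['users']} users, {stats['bytes']} bytes")
```

Matching on a label boundary keeps a look-alike host such as notdropbox.com from being counted as Dropbox usage.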
Implementation of Cloud App Discovery
Cloud App Discovery is configured through the Azure portal. After clicking More services, it is possible to access the Marketplace.
Next, search for Cloud App Discovery and click on it.
The Create button is used to create Cloud App Discovery.
The Azure AD Premium licenses have been activated, so it is possible to proceed with the creation by clicking Create. Checking the box to pin it to the dashboard makes future access to the feature easier.
After the creation, click Quickstart to access the configuration panel.
It is possible to download the agent to be deployed on the desktops.
The options must be selected (notification and user consent). Note that it is possible to disable the notifications and the user consent.
A zip file is downloaded; after extracting it, the installation can be performed using EndPointAgentSetup.exe.
No options are requested during installation; only a click on the Install button is needed.
After several minutes, the agent begins to transfer information.
By clicking on the different graphs, it is possible to see the information.
The Settings button gives access to various options including a list of applications that the administrator wants to monitor.
It is also possible to set up an Azure Blob Storage account to store the returned data.
This tool makes it easy to analyze the cloud services that are not managed by the IT department.