
Explanation:
Register App1 in Microsoft Entra ID.
Create a conditional access policy that has session controls configured.
From Microsoft Defender for Cloud Apps, modify the Connected apps settings for App1.
From Microsoft Defender for Cloud Apps, create a session policy.
Let's break this down step by step based on Microsoft Defender for Cloud Apps (MDCA) and Microsoft Entra ID integration for enabling real-time session-level monitoring, as outlined in Microsoft Identity and Access Administrator documentation.
Understanding the Goal: Real-Time Session-Level Monitoring with Microsoft Defender for Cloud Apps:
Microsoft Defender for Cloud Apps (MDCA) is a Cloud Access Security Broker (CASB) solution that provides visibility, control, and threat protection for cloud applications.
Real-time session-level monitoring allows MDCA to inspect and control user activities within a cloud app (App1 in this case) during active sessions. This requires integration with Microsoft Entra ID and the use of Conditional Access policies to route sessions through MDCA for monitoring.
The Microsoft 365 E5 tenant includes licenses for Microsoft Entra ID P2 and Microsoft Defender for Cloud Apps, which are necessary for this functionality.
Step-by-Step Analysis of the Actions:
To enable real-time session-level monitoring, the actions must be performed in a logical order that aligns with Microsoft's recommended workflow for integrating a cloud app with MDCA.
Step 1: Register App1 in Microsoft Entra ID.
Before App1 can be monitored by MDCA, it must be registered as an application in Microsoft Entra ID. This step involves adding App1 to the tenant's enterprise applications, which allows Microsoft Entra ID to manage authentication and authorization for the app.
Registering the app in Microsoft Entra ID enables single sign-on (SSO) and allows the app to be governed by Conditional Access policies, which is a prerequisite for session-level monitoring.
This is the first step because none of the other actions can proceed without App1 being recognized by Microsoft Entra ID.
Step 2: Create a conditional access policy that has session controls configured.
Microsoft Defender for Cloud Apps integrates with Microsoft Entra ID Conditional Access to enforce session-level monitoring. A Conditional Access policy must be created to target App1 and include session controls that route user sessions through MDCA.
In the Conditional Access policy, under "Session" controls, you enable the option "Use Conditional Access App Control," which integrates with MDCA. This step must come after registering the app in Microsoft Entra ID because the Conditional Access policy needs to target an existing app. It must also precede the MDCA-specific steps because the session control integration sets up the connection between Microsoft Entra ID and MDCA.
Step 3: From Microsoft Defender for Cloud Apps, modify the Connected apps settings for App1.
After the Conditional Access policy routes sessions to MDCA, you need to configure App1 within MDCA by modifying its Connected apps settings. This step involves ensuring that App1 is properly connected to MDCA, which may include configuring API connectors or verifying that MDCA can monitor the app's activities.
This step is necessary to ensure MDCA has the necessary permissions and configurations to monitor App1. It comes after the Conditional Access policy because the policy enables the integration, and now MDCA needs to be set up to handle the app.
Step 4: From Microsoft Defender for Cloud Apps, create a session policy.
Finally, you create a session policy in MDCA to define the real-time monitoring and control rules for App1. A session policy in MDCA allows you to monitor user activities (e.g., file downloads, data sharing) and apply actions (e.g., block, notify) based on predefined conditions.
This step is the last because it relies on the previous steps: the app must be registered, the Conditional Access policy must route sessions to MDCA, and the Connected apps settings must be configured for MDCA to recognize App1. Only then can you define session policies to enforce real-time monitoring.
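The Conditional Access part of this procedure (Step 2) can also be expressed as the policy object Microsoft Graph expects, which makes the dependency on Step 1 and Step 4 concrete. The block below is an added example, not code from the page or from Microsoft: it builds the body for POST /identity/conditionalAccess/policies with the "Use Conditional Access App Control" session control set to the custom-policy mode that hands session decisions to the MDCA session policy created in Step 4, and it includes an audit helper that flags the usual misconfigurations (report-only state, App1 not targeted or excluded, session control missing or left in a built-in mode). App1's application ID is a constructed placeholder.

```python
import json

# Constructed placeholder: the page does not give App1's Entra application (client) ID.
APP1_ID = "00000000-0000-0000-0000-000000000001"


def build_session_control_policy(app_id, name="App1 - route sessions through Defender for Cloud Apps"):
    """Return the JSON body for POST /identity/conditionalAccess/policies (Step 2).

    cloudAppSecurityType "mcasConfigured" corresponds to the portal's
    "Use custom policy..." choice, so the MDCA session policy (Step 4) decides what
    happens in the session; "monitorOnly" and "blockDownloads" are the built-in modes.
    """
    return {
        "displayName": name,
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"]},
            "applications": {"includeApplications": [app_id]},  # needs Step 1 (app exists in Entra ID)
            "clientAppTypes": ["all"],
        },
        "sessionControls": {
            "cloudAppSecurity": {"isEnabled": True, "cloudAppSecurityType": "mcasConfigured"}
        },
    }


def audit_session_routing(policy, app_id):
    """Check a policy object (as built above or read back from Graph) actually
    routes app_id's sessions to MDCA. Returns a list of findings; [] means OK."""
    findings = []
    if policy.get("state") != "enabled":
        findings.append("not enforced: state=" + str(policy.get("state")))
    apps = (policy.get("conditions") or {}).get("applications") or {}
    included = apps.get("includeApplications", [])
    if app_id not in included and "All" not in included:
        findings.append("app not targeted")
    if app_id in apps.get("excludeApplications", []):
        findings.append("app excluded")
    cas = (policy.get("sessionControls") or {}).get("cloudAppSecurity") or {}
    if not cas.get("isEnabled"):
        findings.append("Conditional Access App Control disabled")
    elif cas.get("cloudAppSecurityType") != "mcasConfigured":
        findings.append("built-in mode: " + str(cas.get("cloudAppSecurityType")))
    return findings


if __name__ == "__main__":
    body = build_session_control_policy(APP1_ID)
    print(json.dumps(body, indent=2))
    print("findings:", audit_session_routing(body, APP1_ID))
```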
Why This Order?
The order ensures a logical flow:
Registering the app in Microsoft Entra ID establishes the app's identity in the tenant.
The Conditional Access policy enables the integration with MDCA by routing sessions through it.
Modifying the Connected apps settings in MDCA ensures the app is properly set up for monitoring.
Creating a session policy in MDCA defines the specific monitoring and control rules for real-time session-level monitoring.
Deviating from this order would result in errors. For example, creating a session policy in MDCA before registering the app in Microsoft Entra ID would fail because MDCA wouldn't recognize the app.
Additional Considerations:
The Microsoft 365 E5 license includes Microsoft Entra ID P2 and Microsoft Defender for Cloud Apps, so no additional licensing is required for this scenario.
If App1 is not a supported app for MDCA's app connectors, additional steps (e.g., using a custom app connector) might be needed, but the question implies App1 can be monitored with the standard process.
Session policies in MDCA can include actions like blocking downloads or requiring step-up authentication, which are applied in real time during the user's session.
Conclusion:
The correct order to enable real-time session-level monitoring of App1 using Microsoft Defender for Cloud Apps is:
Register App1 in Microsoft Entra ID.
Create a conditional access policy that has session controls configured.
From Microsoft Defender for Cloud Apps, modify the Connected apps settings for App1.
From Microsoft Defender for Cloud Apps, create a session policy.
Reference:
Microsoft Defender for Cloud Apps documentation: "Session control with Microsoft Defender for Cloud Apps" (Microsoft Learn: https://learn.microsoft.com/en-us/defender-cloud-apps/session-policy)
Microsoft Entra ID Conditional Access documentation: "Session controls in Conditional Access" (Microsoft Learn: https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-conditional-access-session)
Microsoft Identity and Access Administrator (SC-300) exam study guide, which covers integrating Microsoft Defender for Cloud Apps with Microsoft Entra ID for session-level monitoring.