GSA ‐ Web Content Filtering using Defender for Cloud Apps - mattnovitsch/M365 GitHub Wiki

Summary

Since I heard the idea of using Global Secure Access (GSA) to block applications—potentially leveraging domains from Defender for Cloud Apps—I started exploring how to script this. After several roadblocks and some failed approaches, I was able to get a working script early this morning.

The solution uses the Cloud Discovery API to generate a block script exported in Zscaler format. This allows the results to be held in memory and looped through the GSA API.

What the solution covers

  • Customers who want to use Cloud Apps but do not have MDE in Active mode
  • Customers who want web filtering based on users rather than device groups

What the script does

  • Imports changes from Cloud Apps that have been marked as unsanctioned
  • Checks whether the GSA policy exists and creates it if it does not
  • Verifies whether domains are present in the current policy
    • Adds domains that are newly unsanctioned
    • Removes domains that are no longer unsanctioned
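The reconcile loop above, as an added PowerShell example (not the wiki's MDAExport-blockscript-Template.ps1): the Cloud Discovery block-script endpoint, the Graph beta networkAccess/filteringPolicies paths, the rule payload shape and the Zscaler format number are assumptions to verify against the Microsoft docs, and the angle-bracket placeholders are yours to fill.

```powershell
# Added example, not the wiki's script. Endpoint paths, payload shapes and the Zscaler
# format number are assumptions to check against the Cloud Discovery API and Graph beta docs.
$TenantId = '<TenantID>'; $ClientId = '<ClientID>'; $ClientSecret = '<ClientSecret>'
$PolicyName = 'MDA Unsanctioned Apps'
$MdcaTenant = '<MDCATenant>'; $MdcaRegion = '<MDCARegion>'; $MdcaToken = '<MDCAToken>'
$ZscalerFormat = '<FormatNumber>'   # numeric block-script format id for Zscaler (see MDCA docs)

# 1. App-only token for Graph; needs the NetworkAccess.ReadWrite.All application permission
$tok = Invoke-RestMethod -Method Post -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" -Body @{
    client_id = $ClientId; client_secret = $ClientSecret; grant_type = 'client_credentials'
    scope = 'https://graph.microsoft.com/.default' }
$gh   = @{ Authorization = "Bearer $($tok.access_token)" }
$base = 'https://graph.microsoft.com/beta/networkAccess/filteringPolicies'

# 2. Pull the block script for unsanctioned apps (type=banned) and keep only the FQDNs in memory
$url = "https://$MdcaTenant.$MdcaRegion.portal.cloudappsecurity.com/api/discovery_block_scripts/?format=$ZscalerFormat&type=banned"
$blockScript = (Invoke-WebRequest -Uri $url -Headers @{ Authorization = "Token $MdcaToken" } -UseBasicParsing).Content
$wanted = [System.Collections.Generic.HashSet[string]]::new([StringComparer]::OrdinalIgnoreCase)
foreach ($line in ($blockScript -split "`r?`n")) {   # tolerate comment or prefix text on a line
    if ($line -match '([a-z0-9-]+\.)+[a-z]{2,}') { [void]$wanted.Add($Matches[0].ToLower()) }
}

# 3. Find the policy by name, or create it as a block policy if it does not exist yet
$policy = (Invoke-RestMethod -Uri $base -Headers $gh).value | Where-Object { $_.name -eq $PolicyName }
if (-not $policy) {
    $body = @{ name = $PolicyName; description = 'Unsanctioned apps from Defender for Cloud Apps'; action = 'block' } | ConvertTo-Json
    $policy = Invoke-RestMethod -Method Post -Uri $base -Headers $gh -ContentType 'application/json' -Body $body
}

# 4. Diff the policy's FQDN rules against the MDCA set (one rule per FQDN, so a delete removes one domain)
$rules = (Invoke-RestMethod -Uri "$base/$($policy.id)/policyRules" -Headers $gh).value
$current = @{}   # fqdn -> rule id; PowerShell hashtables are case-insensitive by default
foreach ($r in $rules) { foreach ($d in $r.destinations) { if ($d.value) { $current[$d.value.ToLower()] = $r.id } } }
foreach ($fqdn in $wanted) {
    if (-not $current.ContainsKey($fqdn)) {        # newly unsanctioned -> add a rule
        $rule = @{ '@odata.type' = '#microsoft.graph.networkaccess.fqdnFilteringRule'; name = $fqdn; ruleType = 'fqdn'
                   destinations = @(@{ '@odata.type' = '#microsoft.graph.networkaccess.fqdn'; value = $fqdn }) } | ConvertTo-Json -Depth 5
        Invoke-RestMethod -Method Post -Uri "$base/$($policy.id)/policyRules" -Headers $gh -ContentType 'application/json' -Body $rule | Out-Null
        Write-Host "Added $fqdn"
    }
}
foreach ($fqdn in @($current.Keys)) {
    if (-not $wanted.Contains($fqdn)) {            # no longer unsanctioned -> remove its rule
        Invoke-RestMethod -Method Delete -Uri "$base/$($policy.id)/policyRules/$($current[$fqdn])" -Headers $gh | Out-Null
        Write-Host "Removed $fqdn"
    }
}
```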

Licensing Requirements

  • Microsoft Entra Internet Access (standalone license)
    OR
  • Microsoft Entra Suite (includes Internet Access)
  • Defender for Cloud Apps (E5/E7, Security add-ons)

Government Clouds:

| Environment | GSA Internet Access | Web Content Filtering |
|---|---|---|
| GCC (Moderate) | Supported | Supported |
| GCC High (GCCH) | Limited / Phased | Limited / Phased |
| DoD | Not supported | Not supported |

API Availability

| Cloud | Availability |
|---|---|
| Commercial (Global) | Supported |
| US Government L4 (GCC) | Supported |
| US Government L5 (GCCH) | Not supported |
| US Government DoD | Not supported |
| China (21Vianet) | Not supported |

Prerequisites

  • Defender for Cloud Apps - Cloud App Catalog - Applications marked as unsanctioned

Optional Configurations

  • Defender for Endpoint deployed in Active or Passive Mode
  • Defender for Cloud Apps Log Collector deployed

Entra Configuration

Creating App Registration

  1. Navigate to Entra
  2. Using the left-hand panel, navigate to App Registration > All applications > New Registration
  3. Provide the application with a meaningful name for your organization and click Register (I did mine as MDAtoGSA).
  4. Once the application is created, click on API permissions.
  5. The only permission you need to configure is NetworkAccess.ReadWrite.All as an Application permission type (an application permission lets the script run automatically without a signed-in user).
  6. Next click on Certificates & Secrets > Client Secrets > New Client Secret
  7. Put in a description that is meaningful to your organization and select the date when it expires.
  8. Make sure you copy the Value as it is needed later in this process.
  9. Click Overview and copy TenantID and ClientID

Microsoft Defender for Cloud Apps API Configuration

  1. Navigate to Defender XDR
  2. Copy the API URL
  3. Navigate to API Tokens in the middle column and then click Add Token
  4. Provide your token with a meaningful name for your organization (I'm naming mine MDAtoGSAToken for the documentation), then click Generate
  5. Copy this token value also and save it for later.

Script Configuration/Execution

  1. Download MDAExport-blockscript-Template.ps1
  2. Edit the script in your favorite editor (I just used Notepad)
  3. At the top of the script are the variables you need to fill in. Enter the following from the previous steps:
  • TenantID: Step 9 of Creating App Registration
  • ClientID: Step 9 of Creating App Registration
  • ClientSecret: Step 8 of Creating App Registration
  • PolicyName: Leave the default or change it to your organizational requirements.
  • MDCATenant: First part of the API URL from Step 2 of Microsoft Defender for Cloud Apps API Configuration
  • MDCARegion: Second part of the API URL from Step 2 of Microsoft Defender for Cloud Apps API Configuration
  • MDCAToken: Step 5 of Microsoft Defender for Cloud Apps API Configuration
  4. Save and run the script as administrator. You could get output like this depending on what was configured in the Cloud App Catalog.

Global Secure Access Configurations

  1. Navigate to Entra
  2. Navigate to Global Secure Access > Secure > Web Content Filtering Policies. You should see the policy with the name the script created
  3. Navigate to Global Secure Access > Secure > Security Profiles then click Create Profile
  4. Provide the profile with a name that is meaningful to your organization then click Next
  5. Click Link a policy and choose Existing web filtering policy
  6. When you click Policy Name you should see the policy from step 2; click Add to link the policy
  7. Review and create the profile.
  8. Navigate to Conditional Access > Policies > New Policy
  9. Provide the policy with a name; I called mine "GSA"
  10. Define users for this policy (I would highly encourage test users first before deploying it to everyone)
  11. Under Target Resources, select All Internet Resources with Global Secure Access
  12. Under Session > Use Global Secure Access Security profile, select your profile.

Global Secure Access Client Deployment

  1. Navigate to Entra
  2. Navigate to Global Secure Access > Connect > Client Download
  3. Download the client on the machines you are testing on. For testing, I would just manually install it on the first client and then work on a deployment plan with Intune, Configuration Manager, or whatever your MDM/Endpoint Management solution is.

Note: Please feel free to use the reference material for client deployment at the bottom of the page.

Validation/Testing/Troubleshooting

  1. Navigate back to Cloud Apps in Defender XDR
  2. Click on Cloud App Catalog on the far left side.
  3. Pick an application you want to block (called unsanctioned in Cloud Apps). For this example I am going to pick on CNN. Click the box next to the application, or the box at the top next to App to select all.
  4. Click Tag app then select Tag as Unsanctioned. The applications should show the Unsanctioned tag when done.
  5. Open an administrative PowerShell and run the script. The output lists the domains added to or removed from the policy.

Note: Even though we only selected 4 applications, there were 14 domains associated with the applications.

Please work within your organization to determine which applications you want to block.

Note: Once the policy is created/updated, there is a delay before it takes effect. The general rule of thumb is 15 minutes to an hour.

FAQ:

  1. Q: If someone turns off (doesn't initiate) GSA, can they access the apps? (I would think so.)
     A: We can set policies in Intune or use applications like AppLocker to prevent users from turning it off. Additionally, you can set a CA policy that requires it to be on for connecting to company resources.

  2. Q: What is the potential load to process the script?
     A: The initial load was a little long (600 domains on mine took about 30 minutes to upload) but didn't slow my client down. I also created the script to run in Azure Runbooks or any other scripting platform you use.

  3. Q: How often does it refresh its list client-side?
     A: 15 minutes to 2 hours seems to be what I have seen.

  4. Q: What is the message to the client and is it customizable?
     A: Only with HTTPS traffic

  5. Q: Is it browser vendor independent?
     A: I've tested GSA in Chrome, Edge, and Firefox

References
