This blog will be about how I broke my own Microsoft Cloud App Security instance.
Cloud App Security is a fantastic product, it can help you discovering and protecting all that’s in your Microsoft 365 tenant. Some time ago I wrote an article on how to automate your Cloud App Security Enrollment.
It can come in handy when you want to deploy all your custom made alerts to a new tenant.
In the mean time I added a lot more policies to my PowerShell enrollment:
*File copied to USB
*File/Folder shared with an external User
And a lot more… But that’s not what this blog will be about.
I will update the enroll script (https://call4cloud.nl/wp-content/uploads/2020/07/MCAS.txt) soon. Because till today the alert function in my own MCAS portal was broken (It’s fixed now). No alerts were triggered! It just stopped working. I hope to receive the final answer from Microsoft why it broke but I think I know why.
Here are my two cents: The first time I tested the enrollment script for creating the activity and file policies, I forgot to remove the Policy ID (I copied from another policy…stupid me). Good thing I warned everybody in my blog about this.
But that did not stop my own MCAS from breaking down. I could not delete the other “ghost” policies. Opening Fiddler to troubleshoot MCAS only showed me the famous and beautiful 404 error when opening or deleting the policies. It’s a little bit funny. I tried to delete a non-existing policy but MCAS thought it was still there. I think it’s weird Microsoft lets you create policies with the same ID?
Conclusion:
I hope to hear the official statement of why my MCAS was not triggering alerts soon. I guess after my “oopsie” with an identical ID it was hasta la vista, alerts. I guess Microsoft did not expect the possibility to automate MCAS with PowerShell?