Configuring a Microsoft Cloud App Security (MCAS) Integration


Configuring a Microsoft Cloud App Security (MCAS) Integration

To configure an MCAS partner integration:

  1. Go to Administration > Partner Integrations.
  2. In the Microsoft Cloud App Security tab:
    1. Under NSS Subscription, Zscaler verifies that you have:
      • An active NSS Web Log subscription or trial. If you do not have an active subscription, you must submit a Support ticket
      • A healthy NSS Web Server enabled.
        • If you don't have an NSS Web Server enabled, go to Administration > Nanolog Streaming Service, and from the NSS Servers tab add and enable a new server or edit and enable an existing server.
        • If the enabled server is not in a Healthy state, identify the unhealthy server and attempt troubleshoot any issues. To learn more, see Troubleshooting NSS.
      • An MCAS NSS Feed configured for the server you've enabled. If you don't have a feed configured, go to Administration > Nanolog Streaming Service, and from the NSS Feeds tab, add a new NSS feed for MCAS.

To learn more, see About Nanolog Streaming Service (NSS).

  1. Under Microsoft Cloud App Security (MCAS) Authentication Token, enter the token string into the field and click Test.

Make sure that at least 1 app is categorized as unsanctioned within Microsoft's Cloud App Security portal before testing the integration. To learn more, see the Microsoft product documentation and Troubleshooting below. 

Zscaler will verify if the token is valid. If the token is valid the configuration proceeds to the next step and Zscaler attempts to sync your unsanctioned Cloud App URLs. If you do not have a valid token, generate a new API token or copy a valid token from Microsoft's Cloud App Security portal. To learn more, see the Microsoft product documentation.

  1. Under Unsanctioned Cloud App URLs Sync, once your MCAS authentication token is validated, the first unsanctioned Cloud App URL sync will occur within 2 hours after completion. MCAS allows you to sanction or unsanction apps in your organization. Zscaler syncs all unsanctioned app URLs to a custom URL category named MCAS Unsanctioned Apps. Syncs to this custom URL category will continue to occur every 2 hours afterward.

This section will automatically update, showing the last sync timestamp and the number of URLs that were successfully synced. You can add up to 25,000 custom URLs (across all categories), and up to 48 custom categories. If you have reached the maximum number of custom categories, the sync will fail. To learn more, see Troubleshooting below.

  1. Verify your configuration.

After you have completed the steps above, you can enable automatic log uploads to MCAS. 

To configure and enable automatic log uploads to MCAS for NSS:

  1. Make sure that you have completed the Deployment procedure as detailed in the Microsoft product documentation.
  2. Log in to the NSS virtual appliance for your platform (i.e., VMware vSphere, Amazon Web Services, or Azure). To learn more, see the NSS Deployment Guide for your platform.
  3. Enter the following command:
sudo nss configure-mcas
  1. At the prompt, enter your MCAS Authentication Token, for example:
token (Authentication token for uploading to MCAS) []: <MCAS authentication token>
  1. At the prompt, enter your MCAS domain, for example:
domain (MCAS domain like mycompany.portal.cloudappsecurity.com) []: <MCAS domain name>
  1. Restart the service using the following command:
sudo nss restart
  1. Verify your configuration.

To verify your MCAS partner integration configuration:

  1. Go to Administration > URL Categories.
  2. After the initial URL sync, you should see a new User-Defined category, named MCAS Unsanctioned Apps within the table.

See image.

  1. (Optional) If you enabled automatic log uploads:
    1. Log in to Microsoft's Cloud App URL portal.
    2. Click on the cog icon in the upper-right corner, and select Log collectors.

See image.

  1. On the Data sources tab, make sure that the NSS data source you set up for Zscaler is receiving data.

See image.

Troubleshooting

  • If the unsanctioned Cloud App URL sync to your custom URL category is not occurring every 2 hours, contact Zscaler Support.
  • If you encounter an MCAS authentication token validation error on a valid/verified token, then it could be related to not having any apps categorized as unsanctioned. Make sure that you have at least 1 app categorized within Microsoft's Cloud App URL portal. However, if you know your token is valid and need to verify that you have at least 1 app categorized as unsanctioned, you can also run the following curl command:
curl -v "https://<MCAS URL>/api/discovery_block_scripts/?format=120&type=banned" -H "Authorization: Token <Token>"

Where <MCAS URL> is the URL to the Cloud App Security portal associate to your authentication token, and <Token> is the token string you entered in step 2b. of the partner integration procedure above. 

If URLs are returned within the response, then your token and URL syncs should be working properly.

See image.

If no URLs are being returned, contact Microsoft regarding your API token.

URL Categories page within the Zscaler Admin Portal

MCAS portal with cog icon > Log collectors selected

MCAS portal displaying Log collectors > Data Sources tab

Curl command response with URL strings