Azure AD Cloud App Discovery as a Service, not as a Project

Reading Time: 7 minutes

Azure Active Directory is quickly becoming the Identity Management-as-a-Service solution of choice for many organizations. One of the nicest features, but unfortunately less common features of Azure AD is its Cloud App Discovery tool and the way it integrates with Azure AD Identity Protection.


About Azure AD Cloud App Discovery

Azure AD Cloud App Discovery can be used to inventory the use of ‘shadow IT’.

Azure AD Cloud App Discovery Flow

Azure AD Cloud App Discovery consists of an endpoint agent, that needs to be installed on users’ devices, reporting to the Cloud App Discovery service. This data, that is conveniently filed and categorized for you, using Azure Machine Learning (ML), can be accessed in the Azure Portal.

From this data, you can quickly see which apps are used by which colleagues and how frequently they use it.

The default charts in the default Azure AD App Proxy pane show you:

  • The total number (count) of observed apps, the number of unmanaged apps and the number of managed apps. This graph can be modified to show volume or web requests.
  • The total number of observed users.
  • The total number of observed agent installations.

Azure AD Cloud App Discovery - Count Apps

When you zoom in on the data for the first graph, a second pane opens with a table specifying the app name, its category and status. It also shows you the number of users, the amount of web requests, the data volume, files uploaded and files downloaded. The data can be sorted on each of these columns.

Looks great, right?

It is great, as long as you remember these five things:

Its agent doesn’t support all devices and browsers

While the Azure Active Directory Cloud App Discovery endpoint agent can be installed on Windows 7, Windows 8.1 and Windows 10, it can’t perform its magic for colleagues using MacOS, iOS and/or Android-based devices.

The documentation is also clear on its support of Windows Server 2008, and up, but not whether the endpoint agent returns useful information on Windows Servers deployed as Remote Desktop session hosts (Terminal Servers).

Furthermore, for web-based applications, only traffic for Internet Explorer, Edge and Google Chrome are reported upon. When your organization relies on Mozilla FireFox, Apple Safari, or any other browser not listed, the Azure AD Cloud App Discovery endpoint agent will not report on application usage.

It’s not free

Azure AD Cloud App Discovery is a premium feature. While this sounds expensive, only admins who access the Cloud App Discovery reports in the Azure Portal need an Azure Active Directory Premium subscription, initially.

Azure Active Directory Premium trial licenses are usually limited to 25 or 50 user accounts and 90 days.

It doesn’t play nice with other agents

The Azure AD Cloud App Discovery endpoint agent uses a kernel-mode Windows Filtering Platform driver to intercept web traffic. With the Deep Inspection option, enabled, the driver component even acts as a trusted man-in-the-middle by intercepting TLS-encrypted traffic and inserts itself into the encrypted stream.

Due to this nature, the Azure AD Cloud App Discovery endpoint agent has incompatibilities. The most obvious and notorious incompatibility is Microsoft’s own Threat Management Gateway (TMG) agent. When your organization still uses this product, which is in extended support until April 14, 2020, with the TMG agent, you will need to remove it from the networking infrastructure and/or endpoints or accept that Azure AD Cloud App Discovery will not work.

Other incompatibilities may be expected with anti-malware software, since these are also known to use kernel-mode drivers. If need be, disable and/or uninstall the network proxy, network inspection and/or network reporting features of incompatible anti-malware endpoint agents for the Azure AD Cloud App Discovery endpoint agent to work its magic.

The Endpoint Agent download is an executable

In an apparent attempt to separate the men from the boys, Microsoft has decided to make the Azure AD Cloud App Discovery endpoint agent available as an executable (.exe), only.

If you want to deploy the Azure AD Cloud App Discovery Endpoint Agent in a centralized manner to tens, hundreds, thousands or hundreds of thousands of devices, you will need to create an installer package (.msi). Luckily, a Cloud App Discovery System Center Deployment Guide and Group Policy Deployment Guide are both available.

The Endpoint Agent might violate privacy regulations

The Azure AD Cloud App Discovery endpoint agent does a great job reporting all the apps in use by the persons in your organizations (or just the 1465 business apps, if you want to), but this might actually be a problem in itself. Not in all countries and not all verticals are allowed by law to gain this information from their personnel. Even further down the line, not all organizations might have the appropriate privacy clauses in their contracts with employees. Changing this (when possible) might take tremendous amounts of time.


App discovery and -integration as a Service

Cloud App Discovery as a gold mine for your partner

A lot of systems integrators, software vendors and software resellers have jumped the Azure AD Cloud App Discovery bandwagon.

Their aim is simple: When discovered, apps can be integrated into Azure Active Directory. However, when an organization would like to integrate 11 or more applications with Azure Active Directory per user, users of these apps need an upgrade from an Azure Active Directory Free subscription or Azure Active Directory Basic subscription to an Azure Active Directory Premium subscription. Otherwise, their access panel view will be limited to 10 apps.

Azure Active Directory’s ‘Bring your own App’ functionality, additionally, is also an Azure Active Directory Premium feature. Another issue with integrating your own SAML, SCIM or forms-based apps with Azure Active Directory might be a need to bring necessary attributes for these apps to Azure AD. Synchronizing attributes from on-premises Active Directory schema extensions using Azure AD Connect, also, requires Azure Active Directory Premium licenses…

Beyond certain thresholds, Azure Active Directory Premium is needed.

Money to PartnersIt’s a potential goldmine. For your partners.

Especially when they’re your Partner of Record (PoR) or Cloud Solutions Provider (CSP) partner: Every month, they’ll receive a kick-back fee from Microsoft on your usage.

Cloud App Discovery as a Service

However, with the advent of Azure Active Directory Identity Protection and the Azure Security Center, the role of Azure AD Cloud App Discovery changes.

About Azure Active Directory Identity Protection

Azure Active Directory Identity Protection is a security service that provides a consolidated view into risk events and potential vulnerabilities affecting your organization’s identities. Microsoft has been securing cloud-based identities for over a decade, and with Azure AD Identity Protection, Microsoft is making these same protection systems available to enterprise customers. Identity Protection leverages existing Azure AD’s anomaly detection capabilities (available through Azure AD’s Anomalous Activity Reports), and introduces new risk event types that can detect anomalies in real-time.

Azure Active Directory Identity Protection and Azure Security Center are currently in public preview with some limitations.

The Azure Active Directory Identity Protection, Azure Security Center, but also Microsoft’s Advanced Threat Analytics (ATA) and Operations Management Suite (OMS) leverage Azure Machine Learning (ML) even more, than Azure AD Cloud App Discovery does, but Azure AD Cloud App Discovery can feed into them.

In fact, unmanaged apps observed by Azure AD Cloud App Discovery, are reported as vulnerabilities in Azure AD Identity Protection with a low risk level and default recommendation to bring apps under management with Azure AD.

Azure AD Identity Protection - Vulnerabilities (click for larger screenshot)

The possibilities of reported managed and unmanaged apps, their usage and the user accounts accessing them in terms of risk management are unlimited.

Through this integration Microsoft might automatically roll-over the password for a password vaulted app (in case of a suspected breach of a service or app). Alternatively, the (configurable) risk policies in Azure AD Identity Protection can be leveraged to enforce multi-factor authentication (in case of a suspected breach of the user’s credentials). Keeping you safe.


Call to Action

Now, when your organization has no problems with the Security and Privacy implications of Azure AD Cloud App Discovery, and is not (severely) impacted by the technical limitations of the solution (as stated above), then it would not be too practical to have your partner uninstall the Azure AD Cloud App Discovery endpoint agents from your organization’s devices (as part of their default offering): You’d lose out on all the data and behavioral statistics on dates and times of usage, the volume of traffic sent and received and the browser/app used (user agent string).

Although your partner has already (potentially) benefited from the sale of Azure Active Directory Premium subscriptions, now your organization may truly benefit from Azure AD Cloud App Discovery by continuously monitoring Software-as-a-Service (SaaS) usage and the risk this ‘Shadow IT’ usage may entail.

Your partner may be able to help you make sense of the different alerts and recommendations in the Azure Portal. Since this is fairly new technology, you can get a sense of up-to-dateness of your partner with it.

Switching partners might be a good idea, when your current partner has no idea what you’re on about when you talk about being on top of IT, instead of over budget…



When your IT partner proposes to run Azure AD’s Cloud App Discovery for you and build a report for you, be aware that your partner is only looking to sell Azure Active Directory Premium subscription and/or Enterprise Mobility Suite (EMS) / Enterprise Cloud Suite (ECS) subscriptions, not to give you the means to continuously handle ‘Shadow IT’ within your organization and truly get you on top of IT.

Further reading

Cloud App Discovery Security and Privacy Considerations
Azure AD Premium vs Azure AD

One Response to Azure AD Cloud App Discovery as a Service, not as a Project


    Can you deploy Cloud App Discover to more than one subscription in an enrollment?

leave your comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.