BUSINESS DEVELOPMENT GUIDE
MAY 2023, VERSION 1.0
ZSCALER AND MICROSOFT
DEFENDER FOR CLOUD APPS
DEPLOYMENT GUIDE
©2023 Zscaler, Inc. All rights reserved.
ZSCALER AND MICROSOFT DEFENDER FOR CLOUD APPS DEPLOYMENT GUIDE
Contents
Terms and Acronyms 4
About This Document 5
Zscaler Overview 5
Microso Overview 5
Audience 5
Document Prerequisites 5
Soware Versions 5
Request for Comments 6
Zscaler and Microso Introduction 7
ZIA Overview 7
Zscaler Resources 7
Microso Defender for Cloud Apps Overview 8
Microso Defender for Cloud Apps Resources 8
Zscaler Loing Architecture Overview 9
NSS 9
Loing into ZIA 10
Configuring NSS 10
Step 1: Verify You Meet all NSS Deployment Prerequisites 10
Step 2: Add a NSS Server and Download the SSL Certificate
in the ZIA Admin Portal 11
Step 3: Deploy to Azure Using the Zscaler NSS ARM Template 12
Step 4: Configure and Start NSS on the VM Instance 12
Step 5: Configure a MCAS NSS Feed 13
Enable the Microsoft Defender for Cloud App Integration 18
Step 1: Enable Automatic Log Uploads in the Microsoft Defender
for Cloud Apps Portal 18
Step 2: Create a Microsoft Defender for Cloud Apps API Token 19
Step 3: Configure Microsoft Defender for Cloud Apps Integration
in the ZIA Admin Portal 19
Step 4: Enable Automatic Log Uploads to Microsoft Defender
for Cloud Apps for NSS 20
Verify your Microsoft Defender for Cloud Apps Integration Configuration 21
Troubleshooting 22
Appendix A: Requesting Zscaler Support 23
Terms and Acronyms
The following table defines the acronyms used in this deployment guide. When applicable, a Request for Change (RFC) is
included in the Definition column for your reference.
Acronym Definition
CA Central Authority (Zscaler)
CSV Comma-Separated Values
DLP Data Loss Prevention
DNS Domain Name Service
DPD Dead Peer Detection (RFC 3706)
GRE Generic Routing Encapsulation (RFC2890)
ICMP Internet Control Message Protocol
IKE Internet Key Exchange (RFC2409)
IPS Intrusion Prevention System
IPSec Internet Protocol Security (RFC2411)
MCAS Microsoft Cloud App Security (Microsoft)
PFS Perfect Forward Secrecy
PSK Pre-Shared Key
SSL Secure Socket Layer (RFC6101)
TLS Transport Layer Security
VDI Virtual Desktop Infrastructure
XFF X-Forwarded-For (RFC7239)
ZCP Zscaler Cloud Protection (Zscaler)
ZDX Zscaler Digital Experience (Zscaler)
ZIA Zscaler Internet Access (Zscaler)
ZEN Zscaler Enforcement Node (Zscaler)
ZPA Zscaler Private Access (Zscaler)
About This Document
The following sections describe the organizations and requirements of this deployment guide.
Zscaler Overview
Zscaler (NASDAQ: ZS) enables the world’s leading organizations to securely transform their networks and applications for
a mobile and cloud-first world. Zscaler Internet Access (ZIA) and Zscaler Private Access (ZPA) services create fast, secure
connections between users and applications, regardless of device, location, or network. Zscaler delivers its services 100%
in the cloud and offers the simplicity, enhanced security, and improved user experience that traditional appliances or
hybrid solutions can’t match. Used in more than 185 countries, Zscaler operates a massive, global cloud security platform
that protects thousands of enterprises and government agencies from cyberattacks and data loss. For more information,
see Zscaler’s website or follow Zscaler on Twitter @zscaler.
Microsoft Overview
Microsoft (MSFT) develops and licenses consumer and enterprise software. It is known for its Windows operating systems
and Office productivity suite. The company is organized into three equally sized broad segments: productivity and
business processes (legacy Microsoft Office, cloud-based Office 365, Exchange, SharePoint, Skype, LinkedIn, Dynamics),
intelligence cloud (infrastructure- and platform-as-a-service offerings Azure, Windows Server OS, SQL Server), and more
personal computing (Windows Client, Xbox, Bing search, display advertising, and Surface laptops, tablets, and desktops).
To learn more, refer to Microsoft's website.
Audience
This guide is for network administrators, endpoint and IT administrators, and security analysts responsible for deploying,
monitoring, and managing enterprise security systems. For additional product and company resources, refer to:
Zscaler Resources
Microso Defender for Cloud Apps Resources
Appendix A: Requesting Zscaler Support
Document Prerequisites
To use this document, the following prerequisites are required:
ZIA:
An active instance of ZIA 6.2 (or later)
Administrator login credentials to ZIA
Microso Defender for Cloud Apps:
Administrator login credentials to Microso Defender for Cloud Apps
Active subscription to Microso Defender for Cloud Apps
Soware Versions
This document was authored using the latest version of the Zscaler soware.
Request for Comments
For prospects and customers: Zscaler values reader opinions and experiences. Contact partner-doc-support@
zscaler.com to offer feedback or corrections for this guide.
For Zscaler employees: Contact z-bd-sa@zscaler.com to reach the team that validated and authored the
integrations in this document.
Zscaler and Microsoft Introduction
The following are overviews of the Zscaler and Microsoft applications described in this deployment guide.
ZIA Overview
ZIA is a secure internet and web gateway delivered as a service from the cloud. Think of it as a secure internet onramp—
all you do is make Zscaler your next hop to the internet via one of the following methods:
Setting up a tunnel (GRE or IPSec) to the closest Zscaler data center (for offices).
Forwarding traffic via the lightweight Zscaler Client Connector or PAC file (for mobile employees).
No matter where users connect—a coffee shop in Milan, a hotel in Hong Kong, or a VDI instance in South Korea—they get
identical protection. ZIA sits between your users and the internet and inspects every transaction inline across multiple
security techniques (even within SSL).
You get full protection from web and internet threats. The Zscaler cloud platform supports Cloud Firewall, intrusion
prevention system (IPS), Sandboxing, data loss prevention (DLP), and Browser Isolation, allowing you to start with the
services you need now and activate others as your needs grow.
Zscaler Resources
The following table contains links to Zscaler resources based on general topic areas.
Name and Link Description
ZIA Help Portal Help articles for ZIA.
Zscaler Tools Troubleshooting, security and analytics, and browser extensions that help Zscaler
determine your security needs.
Zscaler Training and Certification Training designed to help you maximize Zscaler products.
Submit a Zscaler Support Ticket Zscaler Support portal for submitting requests and issues.
The following table contains links to Zscaler resources for government agencies.
Name and Link Description
ZIA Help Portal Help articles for ZIA.
Zscaler Tools Troubleshooting, security and analytics, and browser extensions that help Zscaler
determine your security needs.
Zscaler Training and Certification Training designed to help you maximize Zscaler products.
Submit a Zscaler Support Ticket Zscaler Support portal for submitting requests and issues.
If you are using this guide to implement a solution at a government agency, some of the content might be
different for your deployment. Efforts are made throughout the guide to note where government agencies might
need different parameters or input. If you have questions, please contact your Zscaler Account team.
Microso Defender for Cloud Apps Overview
Microso Defender for Cloud Apps is a Cloud Access Security Broker (CASB) that supports various deployment modes
including log collection, API connectors, and reverse proxy. It provides rich visibility, control over data travel, and
sophisticated analytics to identify and combat cyberthreats across Microso and third-party cloud services.
Microso Defender for Cloud Apps natively integrates with leading Microso solutions and is designed with security
professionals in mind. It provides simple deployment, centralized management, and innovative automation capabilities.
To learn more, refer to the Microso Defender for Cloud Apps website.
Microso Defender for Cloud Apps Resources
The following table contains links to Microso Defender for Cloud Apps support resources.
Name and Link Description
Microso Defender for Cloud Apps
Documentation
Articles with use cases to get started using Microso Defender for Cloud
Apps.
Microso Defender for Cloud Apps
Support
Support portal for Microso Defender for Cloud Apps problems and help.
Zscaler Loing Architecture Overview
When customers use ZIA, every customer-initiated transaction that traverses ZIA generates a corresponding log message.
Logs messages are retained by Zscaler for six months (or longer through a paid-for service).
Customers can view and search these logs using the Dashboard of the ZIA Admin Portal.
ZIA requires Nanolog Streaming Service (NSS) to send log messages outside of the Zscaler cloud.
NSS
Log messages are stored in Nanolog. When an organization deploys NSS for various log feeds, each NSS opens a
secure tunnel to the Nanolog in the Zscaler cloud. The Nanolog then streams copies of the logs to each NSS in a highly
compressed format to reduce bandwidth footprint. The original logs are retained on the Nanolog.
When NSS receives the logs from the Nanolog, it unscrambles them, applies the configured filters to exclude unwanted
logs, converts the filtered logs to the configured output format so they can be parsed by Microsoft Defender for Cloud
Apps, and then streams the logs to Microsoft Defender for Cloud Apps using an Authentication Token generated in the
Microsoft 365 Defender portal.
Figure 1. Nanolog Streaming Service and Microsoft Defender for Cloud Apps overview
Loing into ZIA
First, set up the Zscaler side of this service.
Log into Zscaler using your Administrator Account. If you are unable to log in using your Administrator Account, contact
Zscaler Support (government agencies, see Zscaler Support).
Figure 2. ZIA Admin Portal
Configuring NSS
This deployment guide leverages the Zscaler NSS ARM Template from the Zscaler GitHub Repository. Alternative options
are available and can be found in the NSS Deployment Guide based on your deployment type (government agencies,
see NSS Deployment Guide).
Before you begin deployment, contact Zscaler Support to obtain the NSS VHD SAS token and the Azure VM instance
type recommendations.
Step 1: Verify You Meet all NSS Deployment Prerequisites
You need the following to deploy NSS over your VM:
A subscription to NSS for Web.
VM Specs:
CPU: 2 CPU cores: NSS uses one core for the control plane and another core for the data plane.
Instance Memory: Minimum of 8 GB for up to 8K users, 16 GB for up to 20K users, 32 GB for up to 50K users, 48
GB for up to 75K users, and 64 GB for above 75K users.
Storage account: General Purpose.
Network Specs:
Two network interfaces:
The first network interface is the management IP address. It's used to control connections to the Zscaler
cloud and to make an SSH connection to the NSS VM for configuration and management. You can
customize the deployment and define a separate IP address for the SSH connection to the NSS VM.
The second network interface is the service IP address. It is used for data connections to the Zscaler cloud
and Microso Defender for Cloud Apps.
Two public IP addresses.
Bandwidth for log download: 11 Mbps for 10K users.
NOTE:
It's mandatory to deploy the NSS instance behind a VM network security group. The NSS instance only requires
outbound connections to the Zscaler cloud. It does not require any inbound connections to your network
from the Zscaler cloud. To view the firewall requirements for your specific account, go to
https://config.zscaler.com/<Zscaler Cloud Name>/nss.
The <Zscaler Cloud Name> can be found in the URL you use to log in to the ZIA Admin Portal.
For example, to log in to admin.zscaler.net, go to https://config.zscaler.com/admin.zscaler.net/nss (government
agencies, go to https://config.zscaler.us/admin.zscaler.net/nss).
Step 2: Add a NSS Server and Download the SSL Certificate in the ZIA Admin Portal
To add an NSS server:
1. Go to Administration > Nanolog Streaming Service.
2. From the NSS Servers tab, click Add NSS Server. The Add NSS Server window appears.
3. In the Add NSS Server window:
a. Enter a Name for the NSS.
b. Select NSS for Web type.
c. The NSS is Enabled by default.
4. Click Save.
Figure 3. Add NSS Server dialog
5. Click Download in the SSL Certificate column of the NSS server that you are configuring, and then save the
certificate.
Step 3: Deploy to Azure Using the Zscaler NSS ARM Template
If you are deploying a new NSS in Azure, the Zscaler NSS Azure Resource Manager (ARM) Template was developed to
automate setting up an NSS in Azure. This avoids the need to run PowerShell scripts manually.
Deployments can take up to one hour to finish.
Access the Zscaler NSS ARM Template from the Zscaler GitHub Repository and follow the instructions there to deploy.
Step 4: Configure and Start NSS on the VM Instance
To configure and start NSS on the VM instance:
1. Copy the downloaded NssCertificate.zip file from the ZIA Admin Portal to the VM, using FTP, SCP, or SFTP. For
example:
scp ./NssCertificate.zip zsroot@<mgmt publicIP>:/usr/home/zsroot/NssCertificate.zip
2. Use an SSH command such as the following to get shell access to the VM:
ssh zsroot@<mgmt publicIP>
3. Then, install the SSL certificate:
sudo nss install-cert NssCertificate.zip
Configure the NSS network settings by running the command:
sudo nss configure
4. The configuration prompts for the name server (e.g., 168.63.129.16). You can change it (C), delete it (D), or leave
it unchanged (N). In this case, enter N.
You are then asked whether to add another name server. In this case, enter N.
5. Enter the service interface IP address with netmask (smnet_dev). This is the private IP address of the second
network interface (service interface - eth1) created in the VM.
6. Get the private IP address. To find the private IP of the second network interface you created in your Azure account:
a. Go to the NSS VM Configuration page.
b. In the le-side navigation, go to Networking and select your second network interface.
c. Copy the private IP address.
7. Enter the service interface default gateway IP address (smnet_dt_gw). This is the default gateway IP address.
The following image shows an example output:
Figure 4. Example output from sudo nss configure command
8. Download the NSS binaries. Before starting the NSS service, run the following command to download and install the
NSS binaries:
sudo nss update-now
9. Start the NSS. Unless you are planning to use this instance for passive backup, run the command sudo nss start
and then, to enable NSS to start automatically after a restart, run the following command:
sudo nss enable-autostart
10. Finally, restart the NSS:
sudo nss restart
Step 5: Configure a MCAS NSS Feed
To configure an MCAS NSS feed:
1. Go to Administration > Nanolog Streaming Service.
2. From the NSS Feeds tab, click Add MCAS NSS Feed. The Add MCAS NSS Feed window appears. In the MCAS NSS
Feed window, enter:
a. Feed Name: Enter or edit the name of the feed. Each feed is a connection between the NSS and Microsoft
Defender for Cloud Apps.
b. NSS Type: NSS for Web is selected by default.
c. NSS Server: Choose an NSS from the list.
d. Status: The NSS feed is Enabled by default. Choose Disabled if you want to activate it later.
3. Define filters:
Action:
Policy Action: Use this filter to limit the logs to transactions that were either allowed or blocked. Transactions
wherein the service displayed a Caution page are considered blocked transactions; if users proceeded with
the transactions, they are considered allowed.
Policy Reason: Use this filter to limit the logs based on the policy that the Zscaler service applied. These
are the policy reason strings that are in transaction drilldown. They indicate which policy caused a block, or
if allowed, the conditions under which they were allowed, such as Allowed due to override and Internet
Access cautioned. Multiple selections are allowed.
Who:
Users: Use this filter to limit the logs to specific users who generated transactions. You can search for users
by username or email address. There is no limit on the number of users that you can select. Users that are
deleted after they are selected appear with a strikethrough line.
Departments: Use this filter to limit the logs to specific departments that generated transactions. You can
search for departments. There is no limit on the number of departments that you can select. Departments
that are deleted after they are selected appear with a strikethrough line.
From Where:
Locations: Use this filter to limit the logs to specific locations from which transactions were generated. You
can search for locations. There is no limit on the number of locations that you can select. Locations that are
deleted after they are selected appear with a strikethrough line.
Client IP Addresses: Use this filter to limit the logs based on a client’s private IP address. You can enter:
An IP address (e.g., 198.51.100.100).
A range of IP addresses (e.g., 192.0.2.1-192.0.2.10).
An IP address with a netmask (e.g., 203.0.113.0/24).
You can enter multiple entries. Press Enter after each entry.
Public IP Addresses: Use this filter to limit the logs based on a client’s public IP address. The internal IP
address is available if traffic is forwarded to the service through a GRE or VPN tunnel or is taken from the
XFF header. If the internal IP address is not available, the value is the same as the client IP address. You can
enter:
An IP address (e.g., 198.51.100.100).
A range of IP addresses (e.g., 192.0.2.1-192.0.2.10).
An IP address with a netmask (e.g., 203.0.113.0/24).
You can enter multiple entries. Press Enter after each entry.
Traffic Forwarding: Use this filter to limit the logs based on the traffic forwarding method to the ZIA Public
Service Edge.
Transaction
Direction: Use this filter to limit the logs to either inbound or outbound traffic.
User Agents: Use this filter to limit the logs to transactions associated with the user-agent string that the
browser included in its GET request. Choose from the list of predefined user-agent strings or enter custom
user-agent strings. Multiple selections are allowed.
Custom User Agent Strings: Use this filter to limit the logs to specific user-agent strings. A user-agent string
contains browser and system information that the destination server can use to provide appropriate content.
Protocol Types: Use this filter to limit the logs to specific protocols. Supported protocols are HTTP, HTTPS,
and FTP. Multiple selections are allowed.
Request Methods: Use this filter to limit the logs based on the HTTP request method obtained from the
client request. Multiple selections are allowed.
Response Codes: Use this filter to limit the logs based on the HTTP response code obtained from the server
or generated by the ZIA Public Service Edge. Multiple selections are allowed.
Request Sizes: Use this filter to limit the logs based on HTTP request size. Enter either a specific size or
a range with a dash. By default, the service uses bytes, but you can also specify KB, MB, GB, or TB (e.g.,
10KB-1MB, 200). You can enter multiple entries. Press Enter after each entry.
Response Sizes: Use this filter to limit the logs based on HTTP response size. Enter either a specific size
or a range with a dash. By default, the service uses bytes, but you can also specify KB, MB, GB, or TB (e.g.,
10KB-1MB, 200). You can enter multiple entries. Press Enter after each entry.
Transaction Sizes: Use this filter to limit the logs based on transaction size, which is the header and body
request or response size, or the request and response size. Enter either a specific size or a range with a dash.
By default, the service uses bytes, but you can also specify KB, MB, GB, or TB (e.g., 10KB-1MB, 200). You can
enter multiple entries. Press Enter after each entry.
Referrer URLs: Use this filter to limit the logs based on the Referrer URL in the HTTP header. You can use
wildcards based on the following rules:
*string: Suffix matching; matches URLs ending with ‘string’.
string*: Prefix matching; matches URLs beginning with ‘string’.
*string*: Substring matching; matches URLs containing ‘string’.
string: Exact matching; matches URLs that are exactly ‘string’.
Multiple strings are allowed. Enter one string per line. String search is not case-sensitive.
To Where:
URL Filter Type: Use this filter to limit the logs based on URLs in HTTP Requests. You can specify either a
Hostname or the Full URL. You can use wildcards based on the following rules:
*string: Suffix matching; matches URLs ending with ‘string’.
string*: Prefix matching; matches URLs beginning with ‘string’.
*string*: Substring matching; matches URLs containing ‘string’.
string: Exact matching; matches URLs that are exactly ‘string’.
Hostnames: Use this filter to limit the logs based on specific hostnames.
URL Classes: Use this filter to limit the logs to specific URL classes (government agencies, see URL classes).
Select those that you want to include. Multiple selections are allowed.
URL Super Categories: Use this filter to limit the logs to specific URL super categories (government agencies,
see URL super categories). Select those that you want to include. Multiple selections are allowed.
URL Categories: Use this filter to limit the logs to specific URL categories (government agencies, see URL
classes). Select those that you want to include. Multiple selections are allowed.
Server IP Addresses: Use this filter to limit the logs based on the destination server’s IP address. You can
enter:
An IP address (e.g., 198.51.100.100).
A range of IP addresses (e.g., 192.0.2.1-192.0.2.10).
An IP address with a netmask (e.g., 203.0.113.0/24).
You can enter multiple entries. Press Enter aer each entry.
Cloud Application Classes: Use this filter to limit the logs to the selected cloud application classes
(government agencies, see cloud application classes). Multiple selections are allowed.
Cloud Applications: Use this filter to limit the logs to selected cloud applications (government agencies, see
cloud applications). Multiple selections are allowed.
Application Segment: Use this filter to limit the logs to specific application segments (government agencies,
see application segments). The default option for this filter is Any.
Security:
Malware Classes: Use this filter to limit the logs based on malware class or name. Multiple selections are
allowed.
Malware Names: Use this filter to limit the logs based on specific malware or viruses that were detected.
You can specify multiple malware or virus names. Use the Search function to search for either.
Advanced Threats: Use this filter to limit the logs based on the types of advanced threats that were
detected. Multiple selections are allowed.
Threat Names: Use this filter to limit the logs based on specific threats that were detected. You can specify
multiple threat names. Use the Search function to search for either a specific threat or multiple threats.
Suspicious Content: Use this filter to limit the logs based on the Page Risk Index score (government
agencies, see Page Risk Index score) of a transaction. Enter either a single value or a range of values,
between 0 and 100. Multiple values separated by commas are allowed.
File Type:
File Type Categories: Use this filter to limit the logs based on the file type categories (government agencies,
see file type categories) detected from the content. Multiple selections are allowed.
File Types: Use this filter to limit the logs based on the file type (government agencies, see file type)
detected from the content. Multiple selections are allowed.
Unscannable Type: Use this filter to limit the logs based on an unscannable file type. Multiple selections are
allowed. The following options appear under this filter:
Encrypted File: Encrypted or password-protected (e.g., GZIP, PDF).
Undetectable File: Unable to determine the file type, based on multiple methods.
Unscannable File: Unscannable (e.g., corrupt archive).
DLP:
DLP Engines: Use this filter to limit the logs to transactions in which data leakage was detected based on
specific DLP engines (government agencies, see DLP engines). Multiple selections are allowed.
DLP Dictionaries: Use this filter to limit the logs to transactions in which data leakage was detected based on
specific DLP dictionaries (government agencies, see DLP dictionaries). Multiple selections are allowed.
4. Click Save and activate the change:
Figure 5. Add MCAS NSS Feed dialog
When complete, the Partner Integration page for Microsoft Cloud App Security looks like the following image:
Figure 6. Partner Integration Dialogue for Microsoft Defender for Cloud App
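The feed filters described in Step 5 are configured in the dialog, but the matching rules they document (the four wildcard forms for URLs, the three IP entry forms, and the size entries with unit suffixes and dash ranges) are easy to misread. The following Python example is added here and is not Zscaler's code nor part of the original guide: it implements those rules and runs them over a few constructed transactions. The `FeedFilter` container, `transaction_matches`, `select_transactions`, `EXAMPLE_FILTER` and the sample transactions are assumptions for illustration, and the 1024-byte unit multiplier is also an assumption because the guide does not state which convention NSS uses.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# --- URL / hostname / referrer wildcard rules as the feed dialog documents them ---
def url_pattern_matches(pattern: str, value: str) -> bool:
    """'*string' suffix, 'string*' prefix, '*string*' substring, 'string' exact; case-insensitive."""
    p, v = pattern.strip().lower(), value.lower()
    if len(p) > 1 and p.startswith("*") and p.endswith("*"):
        return p[1:-1] in v
    if p.startswith("*"):
        return v.endswith(p[1:])
    if p.endswith("*"):
        return v.startswith(p[:-1])
    return v == p

# --- Client / Public / Server IP Addresses entries: single address, dash range, or address/netmask ---
def parse_ip_entry(entry: str) -> tuple[int, int, int]:
    """Return (ip_version, low, high) with the bounds as integers."""
    entry = entry.strip()
    if "-" in entry:
        lo, hi = (ipaddress.ip_address(part.strip()) for part in entry.split("-", 1))
        if lo.version != hi.version or int(lo) > int(hi):
            raise ValueError(f"invalid IP range: {entry}")
        return lo.version, int(lo), int(hi)
    if "/" in entry:
        net = ipaddress.ip_network(entry, strict=False)
        return net.version, int(net.network_address), int(net.broadcast_address)
    addr = ipaddress.ip_address(entry)
    return addr.version, int(addr), int(addr)

def ip_matches(entries, address: str) -> bool:
    """True when the address falls inside any configured entry of the same IP version."""
    addr = ipaddress.ip_address(address)
    return any(ver == addr.version and lo <= int(addr) <= hi
               for ver, lo, hi in map(parse_ip_entry, entries))

# --- Request / Response / Transaction Sizes: bytes by default, KB/MB/GB/TB suffix, dash ranges ---
# Assumption: binary multiples (1 KB = 1024 bytes); the guide does not say which convention applies.
_UNITS = {"": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3, "TB": 1024 ** 4}
_SIZE_RE = re.compile(r"^\s*(\d+)\s*(KB|MB|GB|TB)?\s*$", re.IGNORECASE)

def parse_size(text: str) -> int:
    m = _SIZE_RE.match(text)
    if not m:
        raise ValueError(f"invalid size: {text!r}")
    return int(m.group(1)) * _UNITS[(m.group(2) or "").upper()]

def parse_size_entry(entry: str) -> tuple[int, int]:
    """'200' -> (200, 200); '10KB-1MB' -> (10240, 1048576)."""
    if "-" in entry:
        lo, hi = (parse_size(p) for p in entry.split("-", 1))
    else:
        lo = hi = parse_size(entry)
    if lo > hi:
        raise ValueError(f"invalid size range: {entry}")
    return lo, hi

def size_matches(entries, size: int) -> bool:
    return any(lo <= size <= hi for lo, hi in map(parse_size_entry, entries))

@dataclass
class FeedFilter:
    """Hypothetical container for a subset of the MCAS NSS feed filters; empty means 'any'."""
    policy_actions: set = field(default_factory=set)   # e.g. {"Allowed", "Blocked"}
    client_ips: list = field(default_factory=list)     # IP entries as typed into the dialog
    url_patterns: list = field(default_factory=list)   # wildcard strings, one per line in the dialog
    request_sizes: list = field(default_factory=list)  # size entries, e.g. "10KB-1MB"

def transaction_matches(f: FeedFilter, txn: dict) -> bool:
    """A transaction is streamed only when every configured filter matches."""
    if f.policy_actions and txn["action"] not in f.policy_actions:
        return False
    if f.client_ips and not ip_matches(f.client_ips, txn["client_ip"]):
        return False
    if f.url_patterns and not any(url_pattern_matches(p, txn["url"]) for p in f.url_patterns):
        return False
    if f.request_sizes and not size_matches(f.request_sizes, txn["request_bytes"]):
        return False
    return True

def select_transactions(f: FeedFilter, txns) -> list:
    return [t for t in txns if transaction_matches(f, t)]

# Constructed sample transactions (not real ZIA logs), using documentation IP ranges.
SAMPLE_TRANSACTIONS = [
    {"action": "Blocked", "client_ip": "192.0.2.5", "url": "files.example-share.com/upload", "request_bytes": 512_000},
    {"action": "Allowed", "client_ip": "192.0.2.200", "url": "www.example.com/", "request_bytes": 150},
    {"action": "Blocked", "client_ip": "203.0.113.9", "url": "cdn.example-share.com/x", "request_bytes": 40},
]
EXAMPLE_FILTER = FeedFilter(policy_actions={"Blocked"},
                            client_ips=["192.0.2.1-192.0.2.10", "203.0.113.0/24"],
                            url_patterns=["*example-share.com*"],
                            request_sizes=["10KB-1MB", "40"])

if __name__ == "__main__":
    for t in select_transactions(EXAMPLE_FILTER, SAMPLE_TRANSACTIONS):
        print(t["action"], t["client_ip"], t["url"], t["request_bytes"])
```

Two points worth checking against your own feed before relying on it: the second sample transaction is dropped by the Policy Action filter even though nothing else about it is wrong, and an entry such as `192.0.2.1-192.0.2.10` excludes `192.0.2.11`, so a too-narrow IP range silently removes transactions from what Defender for Cloud Apps sees.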
Enable the Microsoft Defender for Cloud App Integration
The following steps show how to enable Microsoft Defender for Cloud App.
Step 1: Enable Automatic Log Uploads in the Microsoft Defender for Cloud Apps Portal
In the Microsoft 365 Defender portal, complete the following integration steps:
1. Select Settings > Cloud apps > Automatic log upload.
2. Under Data Sources, select Add data source.
3. In the Add data source page, enter the following settings:
a. Name: NSS
b. Source: Zscaler QRadar LEEF
c. Receiver type: Syslog – UDP
4. Select View sample of expected log file.
Figure 7. Adding a data source for Microso Defender for Cloud Apps
5. Select Download sample log to view a sample discovery log, and make sure it matches your logs.
Step 2: Create a Microsoft Defender for Cloud Apps API Token
In the Microsoft 365 Defender portal, complete the following integration steps:
1. Select the Settings sidebar option > Cloud apps > API tokens.
2. Select Add token
3. For Token name, select a name for the token.
4. Click Generate and copy both the API token and the Your URL value.
Figure 8. Generating a new API token in Microsoft Defender for Cloud Apps
Step 3: Configure Microsoft Defender for Cloud Apps Integration in the ZIA Admin Portal
To configure a Microsoft Cloud App Security (MCAS) integration:
1. Log on to your ZIA Admin Portal and go to Administration > Partner Integrations.
2. Under Microsoft Cloud App Security (MCAS) Authentication Token, enter the API token you copied in Step 2
into the field and click Test. If successful, a confirmation is displayed as shown in the following image:
Figure 9. Adding Microsoft Defender for Cloud Apps token to ZIA Admin Portal
Make sure that at least one app is categorized as unsanctioned within the Microsoft 365 Defender portal before testing
the integration. To learn more, refer to the Microsoft Cloud App Security documentation and see the Troubleshooting
section of this guide.
Zscaler verifies if the token is valid. If the token is valid, the configuration proceeds to the next step and Zscaler attempts
to sync your unsanctioned Cloud App URLs. If you do not have a valid token, generate a new API token or copy a valid
token from the Microsoft 365 Defender portal. The token must be generated by a Cloud Discovery global administrator.
To learn more, refer to the Microsoft Cloud App Security documentation.
When your API Token is validated, the first unsanctioned Cloud App URL sync occurs within two hours after completion.
Microsoft Defender for Cloud Apps allows you to sanction or unsanction apps in your organization. Zscaler syncs all
unsanctioned app URLs to a custom URL category named MS Defender Unsanctioned Apps. Syncs to this custom URL
category continue to occur every two hours afterward.
This section updates automatically, showing the last sync timestamp and the number of URLs that were successfully
synced. If you have exceeded the maximum custom category limit that is set for your organization, then the sync fails. To
learn more, see the following Troubleshooting section.
Step 4: Enable Automatic Log Uploads to Microsoft Defender for Cloud Apps for NSS
To enable automatic log uploads to Microsoft Defender for Cloud Apps for NSS:
1. Log in to the NSS virtual appliance for your platform (i.e., VMware vSphere, Amazon Web Services, or Azure). Enter
the following command:
sudo nss congure-mcas
2. At the prompt, enter you API Token. For example:
token (Authentication token for uploading to MCAS) []: <MCAS API token>
3. At the following prompt, enter your Microso Defender for Cloud Apps domain. For example:
domain (MCAS domain like mycompany.portal.cloudappsecurity.com) []: <MCAS domain name>
4. Restart the service using the following command:
sudo nss restart
Verify your Microsoft Defender for Cloud Apps Integration Configuration
To verify your Microsoft Defender for Cloud Apps partner integration configuration:
1. Go to Administration > URL Categories.
2. Aer the initial URL sync, you see a new User-Defined category named MS Defender Unsanctioned Apps in the
table.
Figure 10. New URL category on successful integration of Microso Defender for Cloud Apps
3. (Optional) If you enabled automatic log uploads (government agencies, see enabled automatic log uploads):
a. Log in to the Microso 365 Defender portal.
b. Click the Seings side bar option, and then click Cloud Apps.
c. In the Automatic log upload sidebar, make sure that the NSS data source you set up for Zscaler is receiving
data.
Figure 11. Updated log entries and last data received timestamp on successful integration of Microso Defender for Cloud Apps
Aer the initial Cloud App URLs are synced to your custom URL category, the Microso Defender for Cloud Apps
Unsanctioned Cloud Application URLs Sync shows the number of URLs that have been successfully synced.
Figure 12. Unsanctioned Cloud Application URLs Sync
Troubleshooting
You must assign the MS Defender Unsanctioned Apps URL category to a URL filtering rule to block traffic to those destinations.
Zscaler recommends that SSL inspection is turned on for that category in case some sanctioned apps are uniquely
identified by a full URL rather than just a domain name; without SSL inspection, only the hostname of an HTTPS request
is visible to the filtering rule. To learn more, see Configuring SSL Inspection Policy
(government agencies, see Configuring SSL Inspection Policy).
If the unsanctioned Cloud App URL sync to your custom URL category is not occurring every two hours, contact
Zscaler Support (government agencies, contact Zscaler Support).
If you encounter an MCAS authentication token validation error on a valid/verified token, it could be because no apps
are categorized as unsanctioned. Make sure that you have at least one app categorized as unsanctioned within the
Microsoft 365 Defender portal.
In the Microsoft 365 Defender portal, find a list of your organization's apps in Discover > Discovered apps,
then follow the procedure in the Microsoft Cloud App Security documentation to categorize an app as
unsanctioned:
Click the three dots at the end of the row for the app you want to categorize as unsanctioned.
Select Unsanction.
If you do not see an app on the Discovered apps page, search for the app in Discover > Cloud app catalog,
then follow the same procedure.
However, if you know your token is valid and need to verify that you have at least one app categorized as
unsanctioned, you can also run the following curl command:
curl -v "https://<MCAS URL>/api/discovery_block_scripts/?format=120&type=banned" -H "Authorization: Token <Token>"
Where <MCAS URL> is the URL to the Cloud App Security portal associated with your authentication token, and
<Token> is the API token.
If URLs are returned within the response, then your token and URL syncs are working properly.
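The curl command above is quick to run by hand, but it is useful to have the same check in a form that distinguishes "token rejected" from "token fine, nothing unsanctioned yet" before a support ticket is opened. The following Python example is added here and is not part of the guide or Zscaler's tooling: `build_block_script_request` builds exactly the request the curl command sends, and `interpret_block_script_response`, `check_token` and the constructed `SAMPLE_RESPONSES` are assumptions for illustration. It also assumes that an HTTP 200 response with no URL lines means the token is valid but no app has been unsanctioned, which is what the troubleshooting note above implies.

```python
import urllib.error
import urllib.request
from urllib.parse import urlencode

def build_block_script_request(mcas_url: str, token: str) -> urllib.request.Request:
    """Build the same GET as the troubleshooting curl command:
    https://<MCAS URL>/api/discovery_block_scripts/?format=120&type=banned with an
    'Authorization: Token <Token>' header. <MCAS URL> may be given with or without a scheme."""
    host = mcas_url.strip().removeprefix("https://").removeprefix("http://").rstrip("/")
    url = f"https://{host}/api/discovery_block_scripts/?" + urlencode({"format": 120, "type": "banned"})
    # The token travels only in the header, never in the URL, so it stays out of proxy and shell history logs.
    return urllib.request.Request(url, headers={"Authorization": f"Token {token}"}, method="GET")

def interpret_block_script_response(status: int, body: str) -> str:
    """Classify the endpoint's answer (hypothetical helper).
    Assumption: a 200 with no non-blank lines means the token works but no app is unsanctioned yet."""
    if status in (401, 403):
        return "auth-failed"
    if status != 200:
        return "unexpected"
    url_lines = [line for line in body.splitlines() if line.strip()]
    return "ok" if url_lines else "no-unsanctioned-apps"

def check_token(mcas_url: str, token: str, timeout: float = 15.0) -> str:
    """Run the request against the tenant and return one of the classifications above."""
    req = build_block_script_request(mcas_url, token)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return interpret_block_script_response(resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:
        return interpret_block_script_response(err.code, "")

# Constructed sample responses (not captured from a real tenant), keyed by the classification expected.
SAMPLE_RESPONSES = {
    "ok": (200, "files.example-share.com\ncdn.example-share.com\n"),
    "no-unsanctioned-apps": (200, "\n"),
    "auth-failed": (401, ""),
    "unexpected": (503, ""),
}

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:  # usage: python check_mcas_token.py <MCAS URL> <Token>
        print(check_token(sys.argv[1], sys.argv[2]))
    else:
        for expected, (status, body) in SAMPLE_RESPONSES.items():
            print(f"{expected:22} -> {interpret_block_script_response(status, body)}")
```

A "no-unsanctioned-apps" result matches the case described above (a valid token that still fails validation in the ZIA Admin Portal), so the fix is to unsanction an app in the Microsoft 365 Defender portal rather than to regenerate the token.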
Figure 13. URLs being returned successfully using CURL command
Appendix A: Requesting Zscaler Support
You might sometimes need Zscaler Support for provisioning certain services, or to help troubleshoot configuration and
service issues. Zscaler Support is available 24/7/365.
To contact Zscaler Support:
1. Go to Administration > Seings > and then click Company Profile.
Figure 14. Collecting details to open support case with Zscaler TAC
2. Copy the Company ID.
Figure 15. Company ID
3. Now that you have your company ID, you can open a support ticket. Go to Dashboard > Support > Submit a Ticket.
Figure 16. Submit a ticket