Access Policies and Policy Templates

Start course

This course explores Microsoft Cloud App Security, including what it is, what it offers, and how it's configured. You'll learn about Cloud Discovery and how to configure Microsoft Cloud App Security. You’ll learn about access policies, policy templates, and how to manage OAuth apps, before diving into Cloud App Security log uploads.

We'll also look at app connectors and at the Cloud App Catalog before moving on to the Cloud App Security dashboard and ways to manage alerts. Finally, we'll cover data management reports.

Learning Objectives

  • Get a solid understanding of Microsoft Cloud App Security including what it is, what it offers, and how it's configured
  • Learn how to set up access policies and access templates
  • Learn how to manage OAuth apps and Cloud App Security uploads
  • Understand how app connectors and the Cloud App Catalog add security to your apps
  • Learn about Cloud App Security dashboard, how to manage alerts, and how to generate management reports

Intended Audience

This course is intended for those who wish to learn how to use Cloud App Security in Microsoft 365.


To get the most out of this course, you should already have some basic knowledge of Microsoft 365.


Hello, and welcome to Access Policies and Policy Templates. In this lesson, we are going to take a look at Cloud App Security access policies and at templates you can use to create policies.

Cloud App Security access policies are used to enable real-time monitoring and to manage control of access to your cloud apps, based on user, location, device, and app. Access policies can be created for virtually any device, including those that aren’t even Hybrid Azure AD Joined, nor managed by Intune. This is accomplished by pushing out client certificates to the devices you wish to manage. You can also leverage existing certificates to accomplish this.

Before you can use access policies, you need to have the proper licensing in place. If you are using Azure AD, you’ll need an Azure Premium P1 license. If you are using a third-party identity provider, you’ll need the license required by the third-party iDP solution.

You also need to deploy your cloud apps with Conditional Access App Control, and you need to ensure you’ve configured your IdP solution to work with Cloud App Security. This means that if you are using Azure AD, you’ll need to configure Azure AD to work with Cloud App Security. For third-party IdP solutions, you’ll have to configure the third-party solution to work with Cloud App Security.

Creating a Cloud App Security access policy is a relatively painless process. Simply browse to the Cloud App Security portal and open the Control page. From the Control page, you can open the Policies page to create your access policy.

When you create an access policy, you need to give it a name and select filters that should apply to the policy. For example, you can select the Device Tag filter to identify unmanaged devices. The Location filter can be used to identify unknown, or risky, locations. The IP Address filter can be used to filter on IP addresses or on assigned IP address tags, while the User Agent Tag can be used to enable the heuristics that are used to identify mobile and desktop apps.

Once you have your filters selected, you set your Action. Setting the Action to Test explicitly allows access to the app according to the policy filters you set. Setting the Action to Block, naturally, explicitly blocks access to the app according to the policy filters you set.

You can also create an alert that fires for each event that is generated by the policy. You can set an alert limit and you can choose how you want the alerts sent. You can choose email, text messages, or both.

There are two ways to create a policy in Cloud App Security. You can create it from scratch, or you can base it on a template. Microsoft recommends creating polices from templates whenever possible. As I’m sitting at my desk, creating this course, I’m looking at the list of templates that are available. At current count, there are about 30 of them. That being the case, I’m not going to list them all out here. That would be kinda boring. Instead, I’ll just break them out by risk category, and then you can read more about each individual template at the URL I provide momentarily.

The policy templates in Cloud App Security are broken down into four different risk categories. These include Cloud Discovery, DLP, Threat Detection, and Sharing Control.

The full list of policy templates can be found at the URL on your screen: 

About the Author
Learning Paths

Tom is a 25+ year veteran of the IT industry, having worked in environments as large as 40k seats and as small as 50 seats. Throughout the course of a long an interesting career, he has built an in-depth skillset that spans numerous IT disciplines. Tom has designed and architected small, large, and global IT solutions.

In addition to the Cloud Platform and Infrastructure MCSE certification, Tom also carries several other Microsoft certifications. His ability to see things from a strategic perspective allows Tom to architect solutions that closely align with business needs.

In his spare time, Tom enjoys camping, fishing, and playing poker.