Scoped deployments and privacy
Scoped deployments let you limit which activity MDCA tracks, or restrict access to certain accounts' activity data to administrators who hold the appropriate permission.
Microsoft states this feature is useful when you want to monitor only licensed users, or when users are located in a country whose laws prohibit monitoring them.
Construction
Diagram of example results for include and exclude rules: https://learn.microsoft.com/en-us/defender-cloud-apps/scoped-deployment#example-results-for-include-and-exclude-rules
Include
Specifying an include group is effectively the same as excluding everyone else for the apps that rule covers. If you include Group 1 for all apps, no other group is monitored for any app. If you include Group 1 for App A only, App A is monitored only for members of Group 1, while all other users are still monitored for all other apps.
Exclude
An exclude rule ensures the specified users are not monitored by MDCA for the apps it covers. Exclude rules take precedence over include rules, so a user who is both included and excluded for an app is not monitored for it.
Activity privacy
If you want to keep monitoring the users in a group for certain apps but restrict who can see that data, specify the group here; viewing its activity data then requires a dedicated permission. Some notes about activity privacy:
- The setting applies to future activities only; it is not retroactive.
- Private activities are not forwarded to SIEMs and are not visible in Advanced hunting. Exporting from the GUI also omits them; they can only be viewed in the portal.
- Once a user has been granted the permission, they must still select "Show private activities..." under the table settings of the activity log to see the private events.
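The rules above (include, exclude with precedence, and an activity-privacy group) can be modeled so you can predict the outcome for a given user and app before touching the portal. The following is an added example, not Microsoft's code or an MDCA API: it encodes the semantics as described in this section (exclude wins; if any include rule covers an app, only its groups are monitored for that app; a privacy group is still monitored but flagged private). The group names, app names, users and the `ALL_APPS` sentinel are constructed for the example, and treating the privacy group as app-scoped in the same way as include/exclude rules is an assumption.

```python
"""Model of MDCA scoped-deployment rule evaluation (added example, not Microsoft code)."""
from dataclasses import dataclass, field

ALL_APPS = "*"  # constructed sentinel standing in for the portal's "all apps" scope


@dataclass(frozen=True)
class Rule:
    group: str
    apps: frozenset  # app names this rule covers, or {ALL_APPS}

    def applies_to(self, app: str) -> bool:
        return ALL_APPS in self.apps or app in self.apps


@dataclass
class ScopedDeployment:
    include: list = field(default_factory=list)
    exclude: list = field(default_factory=list)
    private: list = field(default_factory=list)  # assumption: app-scoped like the others

    def status(self, user_groups, app: str) -> str:
        """Return 'excluded', 'unmonitored', 'monitored' or 'private' for one user/app pair."""
        groups = set(user_groups)
        # Exclude rules take precedence over everything else.
        if any(r.applies_to(app) and r.group in groups for r in self.exclude):
            return "excluded"
        # If any include rule covers this app, only members of its groups are monitored.
        applicable = [r for r in self.include if r.applies_to(app)]
        if applicable and not any(r.group in groups for r in applicable):
            return "unmonitored"
        # Still monitored, but the data needs the private-activity permission to view.
        if any(r.applies_to(app) and r.group in groups for r in self.private):
            return "private"
        return "monitored"


def example_results() -> dict:
    """Evaluate a constructed rule set mirroring the 'include Group 1 for App A' case."""
    deployment = ScopedDeployment(
        include=[Rule("Group 1", frozenset({"App A"}))],
        exclude=[Rule("Contractors", frozenset({ALL_APPS}))],
        private=[Rule("Executives", frozenset({"App B"}))],
    )
    # Constructed users and their group memberships.
    users = {
        "alice": {"Group 1"},
        "bob": {"Group 2"},
        "carol": {"Group 1", "Contractors"},  # included and excluded: exclude wins
        "dave": {"Executives"},
    }
    apps = ["App A", "App B"]
    return {(u, a): deployment.status(g, a) for u, g in users.items() for a in apps}


if __name__ == "__main__":
    for (user, app), result in sorted(example_results().items()):
        print(f"{user:6} {app:6} -> {result}")
```

Run it before and after editing a rule set: the include rule for App A leaves bob and dave unmonitored on App A only, carol is dropped everywhere despite being in Group 1, and dave's App B activity is still collected but flagged private.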