Manage: SaaS Application Management
Focus
Focus
Strata Cloud Manager

Manage: SaaS Application Management

Table of Contents

Manage: SaaS Application Management

Prisma Access gives you simple, centralized management for your SaaS applications, including Microsoft 365 apps, Google apps, Dropbox, and YouTube.
Where Can I Use This?What Do I Need?
  • Prisma Access (Managed by Panorama or Strata Cloud Manager)
  • NGFW, including those funded by Software NGFW Credits
Each of these licenses include access to Strata Cloud Manager:
→ The features and capabilities available to you in Strata Cloud Manager depend on which license(s) you are using.
Prisma Access gives you simple, centralized management for your SaaS applications. For each of the apps listed on the SaaS Application Management dashboard—Microsoft 365 apps, Google apps, Dropbox, and YouTube—you’ll find features that you can use to safely enable the applications for enterprise use.
The EDL Hosting Service for Application Endpoint Management
SaaS providers publish lists of the IP addresses and URL endpoints their SaaS applications use, and frequently update these lists. Palo Alto Networks hosts these lists for you, and you can reference them in policy.
For Microsoft 365, you can subscribe to endpoint lists directly from Prisma Access Cloud Management (including optional and required lists). Sometimes, the EDL Hosting Service releases support for SaaS providers and endpoint list feeds that is not yet available directly in Prisma Access Cloud Management. To enforce policy for application endpoints from these SaaS providers—including Azure, Amazon Web Services (AWS), Google Cloud Platform (GCP), Salesforce (SFDC) public endpoints, Microsoft Defender, Zoom, and GitHub—you can create an external dynamic list based on the feed URL.

Microsoft 365

Prisma Access gives you simple, centralized management for your SaaS applications, including Microsoft 365 apps.
Prisma Access gives you simple, centralized management for your SaaS applications, including Microsoft 365 apps.

Easy M365 Enablement

Built-in security and decryption rules, as well as a guided walkthrough, mean you can safely enable M365 in just a few clicks.
  • Built-in security rules allow M365 apps, and ensure that they connect only to Microsoft endpoints
  • Built-in decryption rules skip decryption for traffic destined to Microsoft-categorized Optimize endpoints (this is Microsoft’s recommendation)
  • The guided walkthrough will get you up and running with M365 in two steps.

M365 for Enterprise Use

Safely enable your Microsoft apps for enterprise use by:
To manage Microsoft 365 usage, go to ManageConfigurationNGFW and Prisma Access. Select Prisma Access configuration scope, go to ObjectsSaaS App Management and edit Microsoft 365 settings.

Microsoft 365 Endpoint Lists

Microsoft publishes lists of the IP addresses and URL endpoints their SaaS applications use, and frequently updates these lists.
Palo Alto Networks hosts these lists for you, and from within Prisma Access, you can subscribe to the lists that are relevant to you (including optional and required lists). You can use the lists you’re subscribe to in policy. As Microsoft refreshes their endpoint lists, your policy dynamically enforces the latest version of the list; there’s no need for you to monitor list changes or make manual policy updates to catch the latest updates.
  1. Subscribe to an endpoint list
    1. Edit Microsoft 365 settings and go to Endpoint Lists.
    2. Select Customize Subscription and choose the endpoint lists you want to subscribe to, based on the services you’re using and the list type (IPv4, IPv6, or URL).
  2. Add the endpoint list to a security policy rule
    Your subscribed lists are available for you to use as match criteria in a security policy rule.
    1. Go to ManageConfigurationNGFW and Prisma AccessSecurity ServicesSecurity Policy and add or edit a rule.
    2. Add SaaS Application Endpoint lists as match criteria for the rule.

Microsoft 365 Tenant Restrictions

Tenant restrictions give you a way limit app usage to enterprise accounts (stop users from accessing their personal Microsoft accounts on the company network). To put tenant restrictions in place:
Specify the Microsoft 365 tenants to which you want to allow access.
  1. Specify the Microsoft 365 domains and tenants to which you want to allow access.
  2. Add the tenant restrictions to a security policy rule.
    While you can add tenant restrictions to a security policy rule directly from the Microsoft 365 settings here, any tenant restrictions you’ve configured can also be easily added to new and existing security policy rules:

Google Apps

Prisma Access gives you simple, centralized management for your SaaS applications, including Google apps.
Prisma Access gives you simple, centralized management for your SaaS applications – including Google apps – and you can enforce application traffic differently for personal and enterprise versions of the apps. For example, you can safely enable Google apps on your company network by restricting employees on managed devices to Google enterprise accounts, and block or limit access to personal Google accounts.
The EDL Hosting Service releases support for SaaS providers and endpoint list feeds that are not yet available directly in Prisma Access Cloud Management. To enforce policy for Google Cloud Platform (GCP) endpoints, you can create an external dynamic list based on the feed URL. Learn more about the EDL Hosting Service
To enable tenant restrictions for Google apps:
  1. Go to ManageConfigurationNGFW and Prisma Access. Select Prisma Access configuration scope, go to ObjectsSaaS App Management, and edit Google Apps settings.
  2. Add approved domains and tenants for your users to access
  3. Assign the tenant restrictions to a security policy rule
    While you can add tenant restrictions to a security policy rule directly from the Google app settings here, all tenant restrictions you’ve configured for SaaS apps are available to you when you’re editing or creating security policy rules:

Dropbox

Prisma Access gives you simple, centralized management for your SaaS applications, including Dropbox.
Prisma Access gives you simple, centralized management for your SaaS applications, including Dropbox. You can safely enable Dropbox on your company network by restricting usage only to enterprise accounts.
Go to ManageConfigurationNGFW and Prisma Access. Select Prisma Access configuration scope, go to ObjectsSaaS App Management, and edit Dropbox settings.
To enable tenant restrictions:
  1. Add approved domains and tenants for your users to access
  2. Assign the tenant restrictions to a security policy rule
    While you can add tenant restrictions to a security policy rule directly from the Dropbox settings here, all tenant restrictions you’ve configured for SaaS apps are available to you when you’re editing or creating security policy rules:

YouTube

Prisma Access gives you simple, centralized management for your SaaS applications, including YouTube.
Prisma Access gives you simple, centralized management for your SaaS applications, including YouTube. For YouTube, you can enforce Safe Search settings.
Go to ManageConfigurationNGFW and Prisma Access. Select Prisma Access configuration scope, go to ObjectsSaaS App Management, and edit YouTube settings.
To enforce Safe Search for YouTube:
  1. Add the domains for which you want to enforce Safe Search
  2. Add the Safe Search settings to a security policy rule
    While you can add safe search to a security policy rule directly from the YouTube settings here, the settings you’ve configured for SaaS apps are also available to you when you’re editing or creating security policy rules: