Manage: SaaS Application Management

Prisma Access gives you simple, centralized management for your SaaS applications, including Microsoft 365 apps, Google apps, Dropbox, and YouTube.
Where Can I Use This?
  • Prisma Access (Cloud Management)
What Do I Need?
  • Prisma Access license
Prisma Access gives you simple, centralized management for your SaaS applications. For each of the apps listed on the SaaS Application Management dashboard—Microsoft 365 apps, Google apps, Dropbox, and YouTube—you’ll find features that you can use to safely enable the applications for enterprise use.
The EDL Hosting Service for Application Endpoint Management
SaaS providers publish lists of the IP addresses and URL endpoints their SaaS applications use, and frequently update these lists. Palo Alto Networks hosts these lists for you, and you can reference them in policy.
For Microsoft 365, you can subscribe to endpoint lists directly from Prisma Access Cloud Management (including optional and required lists). Sometimes, the EDL Hosting Service releases support for SaaS providers and endpoint list feeds that is not yet available directly in Prisma Access Cloud Management. To enforce policy for application endpoints from these SaaS providers—including Azure, Amazon Web Services (AWS), Google Cloud Platform (GCP), Salesforce (SFDC) public endpoints, Microsoft Defender, Zoom, and GitHub—you can create an external dynamic list based on the feed URL.

Microsoft 365

Prisma Access gives you simple, centralized management for your SaaS applications, including Microsoft 365 apps.

Easy M365 Enablement

Built-in security and decryption rules, as well as a guided walkthrough, mean you can safely enable M365 in just a few clicks.
  • Built-in security rules allow M365 apps, and ensure that they connect only to Microsoft endpoints
  • Built-in decryption rules skip decryption for traffic destined to Microsoft-categorized Optimize endpoints (this is Microsoft’s recommendation)
  • The guided walkthrough will get you up and running with M365 in two steps.

M365 for Enterprise Use

Safely enable your Microsoft apps for enterprise use by:
To manage Microsoft 365 usage, go to Manage > Configuration > NGFW and Prisma Access. Select Prisma Access configuration scope, go to Objects > SaaS App Management and edit Microsoft 365 settings.

Microsoft 365 Endpoint Lists

Microsoft publishes lists of the IP addresses and URL endpoints their SaaS applications use, and frequently updates these lists.
Palo Alto Networks hosts these lists for you, and from within Prisma Access, you can subscribe to the lists that are relevant to you (including optional and required lists). You can use the lists you’re subscribed to in policy. As Microsoft refreshes their endpoint lists, your policy dynamically enforces the latest version of the list; there’s no need for you to monitor list changes or make manual policy updates to catch the latest updates.
  1. Subscribe to an endpoint list
    1. Edit Microsoft 365 settings and go to Endpoint Lists.
    2. Select Customize Subscription and choose the endpoint lists you want to subscribe to, based on the services you’re using and the list type (IPv4, IPv6, or URL).
  2. Add the endpoint list to a security policy rule
    Your subscribed lists are available for you to use as match criteria in a security policy rule.
    1. Go to Manage > Configuration > NGFW and Prisma Access > Security Services > Security Policy and add or edit a rule.
    2. Add SaaS Application Endpoint lists as match criteria for the rule.
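
An added example, not Palo Alto Networks or Microsoft code: it shows how per-service lists split by required/optional and by IPv4, IPv6, or URL, like the subscriptions described above, can be derived from endpoint data in the JSON shape Microsoft publishes, and how the Optimize-category networks can be pulled out separately. The sample entries are constructed, and because this page does not describe how the EDL Hosting Service builds its feeds, the grouping logic is an assumption.

```python
import ipaddress
from collections import defaultdict

# Constructed sample shaped like Microsoft's published endpoint JSON
# (id, serviceArea, category, required, urls, ips). Values are illustrative.
SAMPLE_ENDPOINTS = [
    {"id": 1, "serviceArea": "Exchange", "category": "Optimize", "required": True,
     "urls": ["Mail.Corp.example"], "ips": ["192.0.2.0/24", "2001:db8:1::/48"]},
    {"id": 2, "serviceArea": "Exchange", "category": "Default", "required": False,
     "urls": ["*.optional.example"]},
    {"id": 3, "serviceArea": "Skype", "category": "Optimize", "required": True,
     "ips": ["198.51.100.0/25", "192.0.2.0/24"]},
    {"id": 4, "serviceArea": "SharePoint", "category": "Allow", "required": True,
     "urls": ["*.sharepoint.example"], "ips": ["203.0.113.0/24", "not-a-cidr"]},
]

def parse_network(cidr):
    """Return an ip_network, or None for a malformed entry."""
    try:
        return ipaddress.ip_network(cidr, strict=False)
    except ValueError:
        return None

def build_lists(endpoints):
    """Group entries by (service, required|optional, ipv4|ipv6|url)."""
    lists = defaultdict(set)
    for entry in endpoints:
        scope = "required" if entry.get("required") else "optional"
        service = entry["serviceArea"]
        for url in entry.get("urls", []):
            lists[(service, scope, "url")].add(url.lower())
        for cidr in entry.get("ips", []):
            net = parse_network(cidr)
            if net is not None:  # never publish an entry that does not parse
                lists[(service, scope, f"ipv{net.version}")].add(str(net))
    return {key: sorted(values) for key, values in lists.items()}

def optimize_networks(endpoints):
    """Networks in the Optimize category, across all services, de-duplicated."""
    nets = {parse_network(c) for e in endpoints
            if e.get("category") == "Optimize" for c in e.get("ips", [])}
    return sorted(str(n) for n in nets if n is not None)

if __name__ == "__main__":
    for key, values in sorted(build_lists(SAMPLE_ENDPOINTS).items()):
        print(key, values)
    print("optimize:", optimize_networks(SAMPLE_ENDPOINTS))
```

Comparing the output of `build_lists` between two refreshes of the source data shows which networks or URLs a policy rule would start or stop matching.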

Microsoft 365 Tenant Restrictions

Tenant restrictions give you a way to limit app usage to enterprise accounts (stop users from accessing their personal Microsoft accounts on the company network). To put tenant restrictions in place:
  1. Specify the Microsoft 365 domains and tenants to which you want to allow access.
  2. Add the tenant restrictions to a security policy rule.
    While you can add tenant restrictions to a security policy rule directly from the Microsoft 365 settings here, any tenant restrictions you’ve configured can also be easily added to new and existing security policy rules:

Google Apps

Prisma Access gives you simple, centralized management for your SaaS applications – including Google apps – and you can enforce application traffic differently for personal and enterprise versions of the apps. For example, you can safely enable Google apps on your company network by restricting employees on managed devices to Google enterprise accounts, and block or limit access to personal Google accounts.
The EDL Hosting Service releases support for SaaS providers and endpoint list feeds that are not yet available directly in Prisma Access Cloud Management. To enforce policy for Google Cloud Platform (GCP) endpoints, you can create an external dynamic list based on the feed URL. Learn more about the EDL Hosting Service.
To enable tenant restrictions for Google apps:
  1. Go to Manage > Configuration > NGFW and Prisma Access. Select Prisma Access configuration scope, go to Objects > SaaS App Management, and edit Google Apps settings.
  2. Add approved domains and tenants for your users to access
  3. Assign the tenant restrictions to a security policy rule
    While you can add tenant restrictions to a security policy rule directly from the Google app settings here, all tenant restrictions you’ve configured for SaaS apps are available to you when you’re editing or creating security policy rules:

Dropbox

Prisma Access gives you simple, centralized management for your SaaS applications, including Dropbox. You can safely enable Dropbox on your company network by restricting usage only to enterprise accounts.
Go to Manage > Configuration > NGFW and Prisma Access. Select Prisma Access configuration scope, go to Objects > SaaS App Management, and edit Dropbox settings.
To enable tenant restrictions:
  1. Add approved domains and tenants for your users to access
  2. Assign the tenant restrictions to a security policy rule
    While you can add tenant restrictions to a security policy rule directly from the Dropbox settings here, all tenant restrictions you’ve configured for SaaS apps are available to you when you’re editing or creating security policy rules:

YouTube

Prisma Access gives you simple, centralized management for your SaaS applications, including YouTube. For YouTube, you can enforce Safe Search settings.
Go to Manage > Configuration > NGFW and Prisma Access. Select Prisma Access configuration scope, go to Objects > SaaS App Management, and edit YouTube settings.
To enforce Safe Search for YouTube:
  1. Add the domains for which you want to enforce Safe Search
  2. Add the Safe Search settings to a security policy rule
    While you can add safe search to a security policy rule directly from the YouTube settings here, the settings you’ve configured for SaaS apps are also available to you when you’re editing or creating security policy rules:
