Agent Skills: Implementing Zero Trust for SaaS Applications

pnpm dlx add-skill https://github.com/plurigrid/asi/tree/HEAD/plugins/asi/skills/implementing-zero-trust-for-saas-applications

plugins/asi/skills/implementing-zero-trust-for-saas-applications/SKILL.md

Implementing Zero Trust for SaaS Applications

When to Use

  • When securing access to SaaS applications (Microsoft 365, Google Workspace, Salesforce, Slack)
  • When implementing conditional access policies requiring MFA and device compliance for SaaS
  • When deploying CASB for shadow IT discovery and unsanctioned app blocking
  • When enforcing session-level controls (DLP, download restrictions) for sensitive SaaS data
  • When governing OAuth application permissions and detecting excessive consent grants

Do not use as a replacement for SaaS-native security controls (configure those first), for applications with no SAML/OIDC support, or when the SaaS vendor does not support API integration for CASB/SSPM.

Prerequisites

  • Identity provider with conditional access: Microsoft Entra ID P1/P2, Okta
  • CASB solution: Microsoft Defender for Cloud Apps, Netskope, or Zscaler CASB
  • SaaS applications configured with SSO via SAML 2.0 or OIDC
  • MDM enrollment for device compliance signals (Intune, Jamf)
  • DLP policies defined for sensitive data categories

Workflow

Step 1: Federate SaaS Authentication Through Identity Provider

Centralize authentication for all SaaS applications through a single IdP.

```powershell
# Configure SAML SSO for Salesforce via Entra ID
# The app role assignment below also needs AppRoleAssignment.ReadWrite.All
Connect-MgGraph -Scopes "Application.ReadWrite.All", "AppRoleAssignment.ReadWrite.All"

# Create the enterprise application (service principal) for Salesforce
# SALESFORCE_APP_ID is a placeholder for the gallery application's appId
$app = New-MgServicePrincipal -AppId "SALESFORCE_APP_ID" -DisplayName "Salesforce"

# Configure SAML SSO settings
$samlSettings = @{
    preferredSingleSignOnMode = "saml"
    samlSingleSignOnSettings = @{
        relayState = ""
    }
}
Update-MgServicePrincipal -ServicePrincipalId $app.Id -BodyParameter $samlSettings

# Assign user groups to the application
# SALES_GROUP_ID and DEFAULT_ROLE_ID are placeholders for the group objectId and the app's default role id
New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $app.Id -BodyParameter @{
    principalId = "SALES_GROUP_ID"
    resourceId = $app.Id
    appRoleId = "DEFAULT_ROLE_ID"
}
```

Step 2: Create Conditional Access Policies for SaaS Applications

Enforce identity and device requirements before granting SaaS access.

```powershell
# Block access from non-compliant devices to sensitive SaaS apps
# Pilot with state = "enabledForReportingButNotEnforced" (report-only) before switching to "enabled"
$policy = @{
    displayName = "ZT - Require Compliant Device for SaaS"
    state = "enabled"
    conditions = @{
        applications = @{
            includeApplications = @("SALESFORCE_APP_ID", "M365_APP_ID", "SLACK_APP_ID")
        }
        users = @{
            includeUsers = @("All")
            excludeGroups = @("BREAK_GLASS_GROUP")   # keep emergency-access accounts out of every blocking policy
        }
        clientAppTypes = @("browser", "mobileAppsAndDesktopClients")
    }
    grantControls = @{
        operator = "AND"
        builtInControls = @("mfa", "compliantDevice")
    }
    sessionControls = @{
        cloudAppSecurity = @{
            isEnabled = $true
            cloudAppSecurityType = "mcasConfigured"   # hand the session to Defender for Cloud Apps policies
        }
        signInFrequency = @{
            value = 8
            type = "hours"
            isEnabled = $true
        }
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Route sessions from unmanaged devices through Defender for Cloud Apps, where the download block is enforced
$downloadPolicy = @{
    displayName = "ZT - Block Downloads on Unmanaged Devices"
    state = "enabled"
    conditions = @{
        applications = @{ includeApplications = @("SHAREPOINT_APP_ID") }
        users = @{ includeUsers = @("All") }
        devices = @{
            deviceFilter = @{
                mode = "include"
                # matches devices that are either non-compliant or not hybrid-joined
                rule = "device.isCompliant -ne True -or device.trustType -ne 'ServerAD'"
            }
        }
    }
    sessionControls = @{
        cloudAppSecurity = @{
            isEnabled = $true
            cloudAppSecurityType = "mcasConfigured"
        }
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $downloadPolicy
```
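Before enabling policies like the two above, it helps to reason about what each sign-in scenario will get, and to catch a policy scoped to all users that forgot the break-glass exclusion (the second policy above has none). The following Python script is an added example, not Entra ID code or part of the original skill: it re-creates the two policies as dictionaries, evaluates constructed sign-ins against them, and lints for the missing exclusion. The device-filter grammar it understands is deliberately limited to the `device.<property> -eq|-ne <value>` terms joined by `-or` or `-and` that the page's rule uses; that limitation, the `SignIn` shape, and the `isCompliant`/`trustType` device attributes are assumptions of the example.

```python
"""Offline what-if evaluator and linter for the Step 2 conditional access
policies (added example, not Entra ID code). POLICIES are constructed
copies of the page's two hashtables; the device-filter grammar is
limited, by assumption, to device.<prop> -eq|-ne <value> terms."""
import re
from dataclasses import dataclass, field

POLICIES = [
    {"displayName": "ZT - Require Compliant Device for SaaS", "state": "enabled",
     "conditions": {
         "applications": {"includeApplications": ["SALESFORCE_APP_ID", "M365_APP_ID", "SLACK_APP_ID"]},
         "users": {"includeUsers": ["All"], "excludeGroups": ["BREAK_GLASS_GROUP"]},
         "clientAppTypes": ["browser", "mobileAppsAndDesktopClients"]},
     "grantControls": {"operator": "AND", "builtInControls": ["mfa", "compliantDevice"]},
     "sessionControls": {"cloudAppSecurity": {"isEnabled": True},
                         "signInFrequency": {"isEnabled": True, "value": 8, "type": "hours"}}},
    {"displayName": "ZT - Block Downloads on Unmanaged Devices", "state": "enabled",
     "conditions": {
         "applications": {"includeApplications": ["SHAREPOINT_APP_ID"]},
         "users": {"includeUsers": ["All"]},   # note: no break-glass exclusion
         "devices": {"deviceFilter": {"mode": "include",
                     "rule": "device.isCompliant -ne True -or device.trustType -ne 'ServerAD'"}}},
     "sessionControls": {"cloudAppSecurity": {"isEnabled": True}}},
]

@dataclass
class SignIn:                 # constructed sign-in context (assumed shape)
    user: str
    groups: set
    app_id: str
    client_app_type: str      # "browser" or "mobileAppsAndDesktopClients"
    mfa: bool                 # whether the session already satisfied MFA
    device: dict = field(default_factory=dict)  # isCompliant / trustType as reported by MDM

_TERM = re.compile(r"^device\.(\w+)\s+(-eq|-ne)\s+'?(.*?)'?$")

def device_filter_matches(rule: str, device: dict) -> bool:
    """Evaluate the page's rule shape. An attribute the device never reported
    compares as empty, so an unknown device counts as unmanaged (fail closed)."""
    op = " -or " if " -or " in rule else " -and "
    outcomes = []
    for term in rule.split(op):
        m = _TERM.match(term.strip())
        if not m:
            raise ValueError(f"unsupported filter term: {term!r}")
        prop, cmp, value = m.groups()
        equal = str(device.get(prop, "")).lower() == value.lower()
        outcomes.append(equal if cmp == "-eq" else not equal)
    return any(outcomes) if op == " -or " else all(outcomes)

def policy_applies(policy: dict, s: SignIn) -> bool:
    """True when every condition of the policy matches the sign-in."""
    c = policy["conditions"]
    if s.app_id not in c["applications"]["includeApplications"]:
        return False
    users = c.get("users", {})
    included = users.get("includeUsers", [])
    if "All" not in included and s.user not in included:
        return False
    if s.groups & set(users.get("excludeGroups", [])):
        return False
    if "clientAppTypes" in c and s.client_app_type not in c["clientAppTypes"]:
        return False
    flt = c.get("devices", {}).get("deviceFilter")
    if flt and device_filter_matches(flt["rule"], s.device) != (flt["mode"] == "include"):
        return False
    return True

def grant_satisfied(grant: dict, s: SignIn) -> bool:
    """mfa and compliantDevice are the only built-in controls modelled here."""
    met = {"mfa": s.mfa, "compliantDevice": s.device.get("isCompliant") is True}
    outcomes = [met.get(ctrl, False) for ctrl in grant.get("builtInControls", [])]
    if not outcomes:
        return True   # no grant controls: the policy only adds session controls
    return any(outcomes) if grant.get("operator") == "OR" else all(outcomes)

def evaluate(policies: list, s: SignIn) -> dict:
    """Aggregate verdict across all policies that apply to the sign-in."""
    verdict = {"allowed": True, "blocking": [], "session": set(), "report_only": []}
    for p in policies:
        if not policy_applies(p, s):
            continue
        if p["state"] == "enabledForReportingButNotEnforced":
            verdict["report_only"].append(p["displayName"])
            continue
        if p["state"] != "enabled":
            continue
        if not grant_satisfied(p.get("grantControls", {}), s):
            verdict["allowed"] = False
            verdict["blocking"].append(p["displayName"])
        verdict["session"].update(
            n for n, sc in p.get("sessionControls", {}).items() if sc.get("isEnabled"))
    return verdict

def missing_break_glass(policies: list, group: str) -> list:
    """Enabled policies scoped to all users that do not exclude the break-glass group."""
    return [p["displayName"] for p in policies
            if p["state"] == "enabled"
            and "All" in p["conditions"].get("users", {}).get("includeUsers", [])
            and group not in p["conditions"]["users"].get("excludeGroups", [])]

if __name__ == "__main__":
    managed = SignIn("alice", {"SALES_GROUP_ID"}, "SALESFORCE_APP_ID", "browser", True,
                     {"isCompliant": True, "trustType": "ServerAD"})
    byod = SignIn("bob", set(), "SHAREPOINT_APP_ID", "browser", True, {"isCompliant": False})
    print(evaluate(POLICIES, managed))
    print(evaluate(POLICIES, byod))
    print("policies without break-glass exclusion:", missing_break_glass(POLICIES, "BREAK_GLASS_GROUP"))
```

Running it shows the intended split: a compliant device reaching Salesforce is allowed with both session controls attached, an unmanaged device reaching Salesforce is blocked by the first policy, while an unmanaged device reaching SharePoint is allowed in but handed to Defender for Cloud Apps, where the download block is enforced. The linter reports the second policy as lacking the break-glass exclusion, which is the first pitfall listed later on this page.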

Step 3: Deploy CASB for Shadow IT Discovery and App Governance

Configure Microsoft Defender for Cloud Apps to discover and control SaaS usage.

```bash
# Query discovered cloud apps via Defender for Cloud Apps API
# MDCA_API_TOKEN holds an API token created in the Defender for Cloud Apps portal
curl -X GET "https://api.cloudappsecurity.com/api/v1/discovery/" \
  -H "Authorization: Token ${MDCA_API_TOKEN}" \
  -H "Content-Type: application/json"

# Get list of unsanctioned apps with meaningful traffic, busiest first
curl -X GET "https://api.cloudappsecurity.com/api/v1/discovery/discovered_apps/" \
  -H "Authorization: Token ${MDCA_API_TOKEN}" \
  -H "Content-Type: application/json" \
  -d '{
    "filters": {
      "appTag": {"eq": "unsanctioned"},
      "traffic": {"gte": 1000}
    },
    "sortField": "traffic",
    "sortDirection": "desc"
  }'

# Create session policy for DLP enforcement (blocks uploads of documents containing the listed data types)
curl -X POST "https://api.cloudappsecurity.com/api/v1/policies/" \
  -H "Authorization: Token ${MDCA_API_TOKEN}" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Block PII Upload to SaaS",
    "policyType": "SESSION",
    "severity": "HIGH",
    "enabled": true,
    "sessionPolicyType": "CONTROL_UPLOAD",
    "filters": {
      "fileType": {"eq": ["DOCUMENT", "SPREADSHEET"]},
      "contentInspection": {
        "dataType": ["CREDIT_CARD", "SSN", "PASSPORT"]
      }
    },
    "actions": {
      "block": true,
      "notify": {
        "emailRecipients": ["security-team@company.com"]
      }
    }
  }'
```

Step 4: Configure OAuth App Governance

Review and restrict OAuth application permissions to prevent excessive consent.

```powershell
# Inventory integrated OAuth apps and the delegated scopes they expose
# (single-quoted URI so PowerShell does not try to expand $filter / $select)
$oauthApps = Invoke-MgGraphRequest -Method GET `
  -Uri 'https://graph.microsoft.com/v1.0/servicePrincipals?$filter=tags/any(t:t eq ''WindowsAzureActiveDirectoryIntegratedApp'')&$select=displayName,appId,oauth2PermissionScopes'
Write-Host "Integrated OAuth apps: $($oauthApps.value.Count)"

# Review consent grants: Scope is a space-separated list of delegated permissions
$grants = Get-MgOauth2PermissionGrant -All
$highRisk = $grants | Where-Object {
    $_.Scope -match "Mail.ReadWrite|Files.ReadWrite.All|Directory.ReadWrite.All"
}

# @() guards .Count when a single grant (or none) matches
Write-Host "High-risk OAuth grants: $(@($highRisk).Count)"
$highRisk | ForEach-Object {
    $sp = Get-MgServicePrincipal -ServicePrincipalId $_.ClientId
    # ConsentType "AllPrincipals" means an admin consented on behalf of every user
    Write-Host "  App: $($sp.DisplayName) | Scope: $($_.Scope) | Type: $($_.ConsentType)"
}

# Template for an app consent policy requiring admin approval for high-risk permissions
# (built here as a hashtable; it is not submitted in this step)
$consentPolicy = @{
    displayName = "Require Admin Approval for High-Risk Permissions"
    conditions = @{
        clientApplications = @{ includeAllClientApplications = $true }
        permissions = @{
            permissionClassification = "high"
            permissions = @(
                @{ permissionValue = "Mail.ReadWrite"; permissionType = "delegated" }
                @{ permissionValue = "Files.ReadWrite.All"; permissionType = "delegated" }
            )
        }
    }
}
```
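A regex match on three scope names, as in the PowerShell above, is a good first pass, but triage also has to weigh whether the consent was tenant-wide (`AllPrincipals`) and whether the publisher is verified. The following Python script is an added example, not Graph SDK code or part of the original skill: it scores constructed grants shaped like the fields the PowerShell reads (client id, scope string, consent type) plus an assumed `verified_publisher` field, and produces the queue that should go through the admin-approval workflow. The weights and thresholds are illustrative choices, not a vendor scoring model.

```python
"""Risk triage for OAuth2 permission grants, run offline (added example,
not Graph SDK code). GRANTS is a constructed sample; verified_publisher
is an assumed field, and the weights below are illustrative."""

# The scopes the page's regex treats as high risk
HIGH_RISK_SCOPES = {"Mail.ReadWrite", "Files.ReadWrite.All", "Directory.ReadWrite.All"}

GRANTS = [  # constructed sample grants
    {"client_id": "sp-1", "app": "Contoso CRM Sync", "scope": "User.Read Files.ReadWrite.All",
     "consent_type": "AllPrincipals", "verified_publisher": True},
    {"client_id": "sp-2", "app": "Lunch Poll", "scope": "openid profile User.Read",
     "consent_type": "Principal", "verified_publisher": False},
    {"client_id": "sp-3", "app": "Inbox Helper", "scope": "Mail.ReadWrite Mail.Send",
     "consent_type": "Principal", "verified_publisher": False},
    {"client_id": "sp-4", "app": "Tenant Reporter", "scope": "Directory.ReadWrite.All",
     "consent_type": "AllPrincipals", "verified_publisher": False},
]

def classify_scope(scope: str) -> str:
    """high: the page's list; medium: any other write or mailbox scope; low: the rest."""
    if scope in HIGH_RISK_SCOPES:
        return "high"
    if ".ReadWrite" in scope or scope.startswith("Mail."):
        return "medium"
    return "low"

def score_grant(grant: dict) -> dict:
    """Weighted score from scope tier, consent breadth and publisher verification."""
    tiers = [classify_scope(s) for s in grant["scope"].split()]
    score = 10 * tiers.count("high") + 3 * tiers.count("medium")
    reasons = []
    if "high" in tiers:
        reasons.append("high-risk scope")
    if grant["consent_type"] == "AllPrincipals":   # admin consented for every user in the tenant
        score += 5
        reasons.append("tenant-wide consent")
    if not grant["verified_publisher"]:
        score += 2
        reasons.append("unverified publisher")
    level = ("critical" if score >= 15 else "high" if score >= 10
             else "medium" if score >= 3 else "low")
    return {"client_id": grant["client_id"], "app": grant["app"],
            "score": score, "level": level, "reasons": reasons}

def triage(grants: list) -> list:
    """Highest-risk grants first; ties keep input order."""
    return sorted((score_grant(g) for g in grants), key=lambda r: -r["score"])

def review_queue(grants: list) -> list:
    """Apps whose grants should be routed through the admin-approval workflow."""
    return [r["app"] for r in triage(grants) if r["level"] in ("high", "critical")]

if __name__ == "__main__":
    for r in triage(GRANTS):
        print(f"{r['level']:8} {r['score']:3}  {r['app']:18} {', '.join(r['reasons'])}")
    print("review queue:", review_queue(GRANTS))
```

The ordering is the point: "Inbox Helper" never appears in the page's regex-only view as tenant-wide, yet its mailbox write plus send scopes from an unverified publisher put it level with the admin-consented CRM integration, while "Lunch Poll" with only sign-in scopes drops to the bottom. Revocations drawn from this queue should still be coordinated with the app owners, as the Pitfalls section notes.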

Step 5: Implement SaaS Security Posture Management (SSPM)

Audit and remediate SaaS security configuration drift.

```bash
# Query SaaS security posture via CASB API
curl -X GET "https://api.cloudappsecurity.com/api/v1/security_config/" \
  -H "Authorization: Token ${MDCA_API_TOKEN}" \
  -H "Content-Type: application/json" \
  -d '{"app": "Microsoft 365"}'

# Common SSPM checks:
# - MFA enforcement for all admin accounts
# - External sharing restrictions in SharePoint/OneDrive
# - Email forwarding rules to external domains blocked
# - Idle session timeout configured (< 8 hours)
# - Legacy authentication protocols disabled
# - Admin consent workflow enabled
# - Conditional access policies active
# - Audit logging enabled for all services
```
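The eight checks above are the kind of thing an SSPM tool evaluates continuously; written out as code they also make a cheap drift detector you can run against a settings export between vendor scans. The following Python script is an added example, not Defender for Cloud Apps or Graph code and not part of the original skill: it implements each listed check against a constructed tenant-settings snapshot whose schema is an assumption chosen so every check maps onto one field, and summarizes failures by severity in the shape of the SSPM FINDINGS section of the report format below.

```python
"""Posture checks for the SSPM items listed in Step 5, run offline
against a constructed settings snapshot (added example, not Defender
for Cloud Apps or Graph code). The SNAPSHOT schema is an assumption."""

SNAPSHOT = {  # constructed sample; the mix of passes and failures is deliberate
    "admins": [
        {"upn": "ga1@company.example", "mfa_enforced": True},
        {"upn": "ga2@company.example", "mfa_enforced": False},
    ],
    "sharepoint_sharing_capability": "ExternalUserAndGuestSharing",  # anonymous guest links allowed
    "external_forwarding_blocked": True,
    "idle_timeout_hours": 12,
    "legacy_auth_enabled": False,
    "admin_consent_workflow_enabled": True,
    "conditional_access_policies": [
        {"name": "ZT - Require Compliant Device for SaaS", "state": "enabled"},
    ],
    "audit_logging": {"Exchange": True, "SharePoint": True, "Teams": False},
}

CHECKS = []  # (name, severity, function) registered in the order the page lists them

def check(name, severity):
    def register(fn):
        CHECKS.append((name, severity, fn))
        return fn
    return register

@check("MFA enforcement for all admin accounts", "critical")
def admin_mfa(s):
    missing = [a["upn"] for a in s["admins"] if not a["mfa_enforced"]]
    return not missing, f"admins without enforced MFA: {missing}"

@check("External sharing restrictions in SharePoint/OneDrive", "high")
def external_sharing(s):
    cap = s["sharepoint_sharing_capability"]
    return cap != "ExternalUserAndGuestSharing", f"sharing capability is {cap}"

@check("Email forwarding rules to external domains blocked", "high")
def forwarding(s):
    return s["external_forwarding_blocked"], "external auto-forwarding is allowed"

@check("Idle session timeout configured (< 8 hours)", "medium")
def idle_timeout(s):
    hours = s.get("idle_timeout_hours")
    return hours is not None and hours < 8, f"idle timeout is {hours} hours"

@check("Legacy authentication protocols disabled", "critical")
def legacy_auth(s):
    return not s["legacy_auth_enabled"], "legacy authentication is enabled"

@check("Admin consent workflow enabled", "medium")
def consent_workflow(s):
    return s["admin_consent_workflow_enabled"], "admin consent workflow is disabled"

@check("Conditional access policies active", "critical")
def ca_active(s):
    active = [p for p in s["conditional_access_policies"] if p["state"] == "enabled"]
    return bool(active), "no conditional access policy is enabled"

@check("Audit logging enabled for all services", "high")
def audit_logging(s):
    off = [svc for svc, on in s["audit_logging"].items() if not on]
    return not off, f"audit logging disabled for: {off}"

def run_checks(snapshot: dict) -> list:
    """One finding per failed check, with severity and detail."""
    findings = []
    for name, severity, fn in CHECKS:
        ok, detail = fn(snapshot)
        if not ok:
            findings.append({"check": name, "severity": severity, "detail": detail})
    return findings

def summarize(findings: list) -> dict:
    """Counts by severity, matching the SSPM FINDINGS lines of the report."""
    counts = {}
    for f in findings:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return counts

if __name__ == "__main__":
    findings = run_checks(SNAPSHOT)
    for f in findings:
        print(f"[{f['severity'].upper()}] {f['check']}: {f['detail']}")
    print(summarize(findings))
```

Against the sample snapshot four checks fail: one admin without MFA, anonymous guest sharing left on, a 12-hour idle timeout, and audit logging off for one service. Feeding two snapshots taken a week apart through `run_checks` and diffing the results is the "configuration drift" this step is about.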

Key Concepts

| Term | Definition |
|------|------------|
| CASB | Cloud Access Security Broker - intermediary enforcing security policies between users and SaaS applications |
| SSPM | SaaS Security Posture Management - continuous monitoring of SaaS application security configurations |
| OAuth Governance | Review and control of third-party application permissions granted through OAuth consent flows |
| Session Controls | Real-time access restrictions (block downloads, DLP inspection, watermarking) applied during active SaaS sessions |
| Shadow IT | Unauthorized SaaS applications used by employees without IT approval or security review |
| Conditional Access | Policy engine evaluating identity, device, location, and risk signals before granting SaaS access |

Tools & Systems

  • Microsoft Defender for Cloud Apps: CASB providing shadow IT discovery, session controls, DLP, and SSPM
  • Microsoft Entra ID Conditional Access: Policy engine for identity-based access control to SaaS applications
  • Netskope CASB: Cloud-native CASB with inline and API-based SaaS security controls
  • Okta Identity Governance: OAuth app governance and access certification for SaaS applications
  • SSPM Tools: AppOmni, Adaptive Shield, Valence Security for SaaS configuration monitoring

Common Scenarios

Scenario: Securing Microsoft 365 and Salesforce for 1,000-User Organization

Context: A professional services firm with 1,000 users uses Microsoft 365, Salesforce, Slack, and 20+ other SaaS apps. Several data breaches in the industry drive a zero trust initiative for all SaaS access.

Approach:

  1. Federate all SaaS authentication through Entra ID with SAML SSO
  2. Create conditional access policies requiring MFA + compliant device for all SaaS apps
  3. Deploy Defender for Cloud Apps for shadow IT discovery (identify 150+ unauthorized apps)
  4. Mark unauthorized apps as unsanctioned and block via SWG/proxy
  5. Configure session controls: block downloads on unmanaged devices, DLP for file uploads
  6. Review OAuth app permissions: revoke 45 high-risk consent grants, enable admin approval workflow
  7. Enable SSPM monitoring for Microsoft 365 and Salesforce configurations
  8. Set up weekly automated posture reports for security leadership

Pitfalls: Conditional access policies need break-glass exclusions. Some legacy SaaS apps may not support modern authentication. Session controls require a proxy-based CASB, which can affect performance. OAuth app revocation may break integrations; coordinate with app owners first.

Output Format

```text
Zero Trust SaaS Security Report
==================================================
Organization: ProServices Corp
Report Date: 2026-02-23

SAAS INVENTORY:
  Sanctioned Apps: 25
  Unsanctioned (blocked): 127
  Shadow IT Users: 342 (discovered in last 30 days)

CONDITIONAL ACCESS:
  Policies active: 8
  Sign-ins evaluated: 456,789
  Blocked by policy: 2,345 (0.5%)
  MFA enforced: 100% of sign-ins

DEVICE COMPLIANCE:
  Compliant device required: All 25 sanctioned apps
  Sign-ins from compliant: 448,123 (98.1%)
  Sign-ins blocked (non-compliant): 8,666

CASB / DLP:
  DLP violations detected: 89
  Files blocked from upload: 34
  Downloads blocked (unmanaged): 1,234

OAUTH GOVERNANCE:
  Total OAuth apps: 312
  High-risk permissions: 12 (reviewed)
  Revoked consents: 45
  Pending admin approval: 8

SSPM FINDINGS:
  Critical misconfigurations: 3
  High: 7
  Medium: 15
  Remediated this month: 18
```