Skill

implementing-zero-trust-for-saas-applications

Implements zero-trust access control for SaaS apps using CASB, SSPM, conditional access policies, OAuth governance, and session controls. Enforces MFA, device compliance, and DLP on M365, Salesforce, Slack.

Powershell

Azure

Oauth

security

authentication

npx claudepluginhub killvxk/cybersecurity-skills-zh

Tool Access

This skill uses the workspace's default tool permissions.

Preview

- 需要保护 SaaS 应用访问安全时（Microsoft 365、Google Workspace、Salesforce、Slack）

Supporting Assets

LICENSEreferences/api-reference.mdscripts/agent.py

SKILL.md

Similar Skills

implementing-zero-trust-for-saas-applications

Implements zero trust access controls for SaaS apps using CASB, SSPM, conditional access policies, OAuth governance, and session controls to enforce MFA, device compliance, and DLP.

asi

implementing-zero-trust-for-saas-applications

5.9k

Implements zero trust access controls for SaaS apps using CASB, SSPM, conditional access policies, OAuth governance, and session controls with PowerShell examples for Entra ID.

3 files

cybersecurity-skills

deploying-cloudflare-access-for-zero-trust

Deploys Cloudflare Access and Tunnel for zero-trust access to self-hosted apps via identity-aware policies, device posture checks, and WARP client as VPN replacement. For securing internal web, SSH, RDP services without open ports.

7 files

cybersecurity-skills-zh

Stats

Stars10

Forks1

Last CommitMar 17, 2026

Actions

View Source View Plugin View on GitHub View README

Help us improve

Share bugs, ideas, or general feedback.

为 SaaS 应用实施零信任

适用场景

需要保护 SaaS 应用访问安全时（Microsoft 365、Google Workspace、Salesforce、Slack）
需要为 SaaS 实施条件访问策略（要求 MFA 和设备合规）时
需要部署 CASB 进行影子 IT（Shadow IT）发现和未授权应用阻断时
需要为敏感 SaaS 数据强制执行会话级控制（DLP、下载限制）时
需要治理 OAuth 应用权限并检测过度授权时

不适用场景：作为 SaaS 原生安全控制的替代方案（应先配置原生控制）；不支持 SAML/OIDC 的应用；SaaS 供应商不支持 CASB/SSPM API 集成时。

前置条件

支持条件访问的身份提供商：Microsoft Entra ID P1/P2、Okta
CASB 解决方案：Microsoft Defender for Cloud Apps、Netskope 或 Zscaler CASB
通过 SAML 2.0 或 OIDC 配置了 SSO 的 SaaS 应用
用于设备合规信号的 MDM 注册（Intune、Jamf）
已为敏感数据类别定义 DLP 策略

工作流程

步骤 1：通过身份提供商统一 SaaS 认证

将所有 SaaS 应用的认证集中到单一 IdP。

# 通过 Entra ID 为 Salesforce 配置 SAML SSO
Connect-MgGraph -Scopes "Application.ReadWrite.All"

# 为 Salesforce 创建企业应用
$app = New-MgServicePrincipal -AppId "SALESFORCE_APP_ID" -DisplayName "Salesforce"

# 配置 SAML SSO 设置
$samlSettings = @{
    preferredSingleSignOnMode = "saml"
    samlSingleSignOnSettings = @{
        relayState = ""
    }
}
Update-MgServicePrincipal -ServicePrincipalId $app.Id -BodyParameter $samlSettings

# 将用户组分配到应用
New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $app.Id -BodyParameter @{
    principalId = "SALES_GROUP_ID"
    resourceId = $app.Id
    appRoleId = "DEFAULT_ROLE_ID"
}

步骤 2：为 SaaS 应用创建条件访问策略

在授予 SaaS 访问权限前强制执行身份和设备要求。

# 阻断不合规设备访问敏感 SaaS 应用
$policy = @{
    displayName = "ZT - Require Compliant Device for SaaS"
    state = "enabled"
    conditions = @{
        applications = @{
            includeApplications = @("SALESFORCE_APP_ID", "M365_APP_ID", "SLACK_APP_ID")
        }
        users = @{
            includeUsers = @("All")
            excludeGroups = @("BREAK_GLASS_GROUP")
        }
        clientAppTypes = @("browser", "mobileAppsAndDesktopClients")
    }
    grantControls = @{
        operator = "AND"
        builtInControls = @("mfa", "compliantDevice")
    }
    sessionControls = @{
        cloudAppSecurity = @{
            isEnabled = $true
            cloudAppSecurityType = "mcasConfigured"
        }
        signInFrequency = @{
            value = 8
            type = "hours"
            isEnabled = $true
        }
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# 阻断非托管设备上的下载操作
$downloadPolicy = @{
    displayName = "ZT - Block Downloads on Unmanaged Devices"
    state = "enabled"
    conditions = @{
        applications = @{ includeApplications = @("SHAREPOINT_APP_ID") }
        users = @{ includeUsers = @("All") }
        devices = @{
            deviceFilter = @{
                mode = "include"
                rule = "device.isCompliant -ne True -or device.trustType -ne 'ServerAD'"
            }
        }
    }
    sessionControls = @{
        cloudAppSecurity = @{
            isEnabled = $true
            cloudAppSecurityType = "mcasConfigured"
        }
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $downloadPolicy

步骤 3：部署 CASB 进行影子 IT 发现和应用治理

配置 Microsoft Defender for Cloud Apps 以发现和控制 SaaS 使用情况。

# 通过 Defender for Cloud Apps API 查询已发现的云应用
curl -X GET "https://api.cloudappsecurity.com/api/v1/discovery/" \
  -H "Authorization: Token ${MDCA_API_TOKEN}" \
  -H "Content-Type: application/json"

# 获取未授权应用列表
curl -X GET "https://api.cloudappsecurity.com/api/v1/discovery/discovered_apps/" \
  -H "Authorization: Token ${MDCA_API_TOKEN}" \
  -d '{
    "filters": {
      "appTag": {"eq": "unsanctioned"},
      "traffic": {"gte": 1000}
    },
    "sortField": "traffic",
    "sortDirection": "desc"
  }'

# 创建 DLP 执行的会话策略
curl -X POST "https://api.cloudappsecurity.com/api/v1/policies/" \
  -H "Authorization: Token ${MDCA_API_TOKEN}" \
  -d '{
    "name": "Block PII Upload to SaaS",
    "policyType": "SESSION",
    "severity": "HIGH",
    "enabled": true,
    "sessionPolicyType": "CONTROL_UPLOAD",
    "filters": {
      "fileType": {"eq": ["DOCUMENT", "SPREADSHEET"]},
      "contentInspection": {
        "dataType": ["CREDIT_CARD", "SSN", "PASSPORT"]
      }
    },
    "actions": {
      "block": true,
      "notify": {
        "emailRecipients": ["security-team@company.com"]
      }
    }
  }'

步骤 4：配置 OAuth 应用治理

审查并限制 OAuth 应用权限，防止过度授权。

# 查询具有高权限的 OAuth 应用
$oauthApps = Invoke-MgGraphRequest -Method GET `
  "https://graph.microsoft.com/v1.0/servicePrincipals?\$filter=tags/any(t:t eq 'WindowsAzureActiveDirectoryIntegratedApp')&\$select=displayName,appId,oauth2PermissionScopes"

# 审查授权
$grants = Get-MgOauth2PermissionGrant -All
$highRisk = $grants | Where-Object {
    $_.Scope -match "Mail.ReadWrite|Files.ReadWrite.All|Directory.ReadWrite.All"
}

Write-Host "高风险 OAuth 授权数量：$($highRisk.Count)"
$highRisk | ForEach-Object {
    $sp = Get-MgServicePrincipal -ServicePrincipalId $_.ClientId
    Write-Host "  应用：$($sp.DisplayName) | 权限范围：$($_.Scope) | 类型：$($_.ConsentType)"
}

# 配置应用授权策略要求管理员审批
$consentPolicy = @{
    displayName = "Require Admin Approval for High-Risk Permissions"
    conditions = @{
        clientApplications = @{ includeAllClientApplications = $true }
        permissions = @{
            permissionClassification = "high"
            permissions = @(
                @{ permissionValue = "Mail.ReadWrite"; permissionType = "delegated" }
                @{ permissionValue = "Files.ReadWrite.All"; permissionType = "delegated" }
            )
        }
    }
}

步骤 5：实施 SaaS 安全态势管理（SSPM）

审计并修复 SaaS 安全配置漂移。

# 通过 CASB API 查询 SaaS 安全态势
curl -X GET "https://api.cloudappsecurity.com/api/v1/security_config/" \
  -H "Authorization: Token ${MDCA_API_TOKEN}" \
  -d '{"app": "Microsoft 365"}'

# 常见 SSPM 检查项：
# - 所有管理员账户强制启用 MFA
# - SharePoint/OneDrive 外部共享限制
# - 阻断向外部域名转发邮件的规则
# - 配置空闲会话超时（< 8 小时）
# - 禁用旧版认证协议
# - 启用管理员授权审批工作流
# - 条件访问策略生效
# - 所有服务启用审计日志

核心概念

术语	定义
CASB	云访问安全代理（Cloud Access Security Broker）——在用户和 SaaS 应用之间强制执行安全策略的中间代理
SSPM	SaaS 安全态势管理（SaaS Security Posture Management）——持续监控 SaaS 应用安全配置
OAuth 治理	审查和控制通过 OAuth 授权流授予第三方应用的权限
会话控制	在 SaaS 会话活跃期间实施的实时访问限制（阻断下载、DLP 检查、水印）
影子 IT	员工在未经 IT 审批或安全审查情况下使用的未授权 SaaS 应用
条件访问	在授予 SaaS 访问权限前评估身份、设备、位置和风险信号的策略引擎

工具与系统

Microsoft Defender for Cloud Apps：提供影子 IT 发现、会话控制、DLP 和 SSPM 的 CASB 产品
Microsoft Entra ID 条件访问：针对 SaaS 应用进行基于身份访问控制的策略引擎
Netskope CASB：具有内联和基于 API 的 SaaS 安全控制的云原生 CASB
Okta Identity Governance：针对 SaaS 应用的 OAuth 应用治理和访问认证
SSPM 工具：AppOmni、Adaptive Shield、Valence Security 用于 SaaS 配置监控

常见场景

场景：为 1000 人组织保护 Microsoft 365 和 Salesforce

背景：一家拥有 1000 名用户的专业服务公司使用 Microsoft 365、Salesforce、Slack 及其他 20 余款 SaaS 应用。行业内多起数据泄露事件推动了针对所有 SaaS 访问的零信任计划。

实施方案：

通过 Entra ID 使用 SAML SSO 统一所有 SaaS 认证
为所有 SaaS 应用创建要求 MFA + 合规设备的条件访问策略
部署 Defender for Cloud Apps 进行影子 IT 发现（识别出 150 余款未授权应用）
将未授权应用标记为 unsanctioned，通过 SWG/代理阻断
配置会话控制：阻断非托管设备下载，对文件上传执行 DLP
审查 OAuth 应用权限：撤销 45 个高风险授权，启用管理员审批工作流
为 Microsoft 365 和 Salesforce 配置启用 SSPM 监控
为安全领导层设置每周自动化态势报告

常见问题：条件访问策略需要设置紧急访问账户排除项。部分旧版 SaaS 应用可能不支持现代认证。会话控制需要基于代理的 CASB，可能影响性能。OAuth 应用撤销可能破坏集成；请先与应用所有者协调。

输出格式

Zero Trust SaaS Security Report
==================================================
Organization: ProServices Corp
Report Date: 2026-02-23

SAAS INVENTORY:
  Sanctioned Apps: 25
  Unsanctioned (blocked): 127
  Shadow IT Users: 342 (discovered in last 30 days)

CONDITIONAL ACCESS:
  Policies active: 8
  Sign-ins evaluated: 456,789
  Blocked by policy: 2,345 (0.5%)
  MFA enforced: 100% of sign-ins

DEVICE COMPLIANCE:
  Compliant device required: All 25 sanctioned apps
  Sign-ins from compliant: 448,123 (98.1%)
  Sign-ins blocked (non-compliant): 8,666

CASB / DLP:
  DLP violations detected: 89
  Files blocked from upload: 34
  Downloads blocked (unmanaged): 1,234

OAUTH GOVERNANCE:
  Total OAuth apps: 312
  High-risk permissions: 12 (reviewed)
  Revoked consents: 45
  Pending admin approval: 8

SSPM FINDINGS:
  Critical misconfigurations: 3
  High: 7
  Medium: 15
  Remediated this month: 18