Implementing Zero Trust for SaaS Applications
When to Use
- When securing access to SaaS applications (Microsoft 365, Google Workspace, Salesforce, Slack)
- When implementing conditional access policies requiring MFA and device compliance for SaaS
- When deploying CASB for shadow IT discovery and unsanctioned app blocking
- When enforcing session-level controls (DLP, download restrictions) for sensitive SaaS data
- When governing OAuth application permissions and detecting excessive consent grants
Do not use as a replacement for SaaS-native security controls (configure those first), for applications with no SAML/OIDC support, or when SaaS vendor does not support API integration for CASB/SSPM.
Prerequisites
- Identity provider with conditional access: Microsoft Entra ID P1/P2, Okta
- CASB solution: Microsoft Defender for Cloud Apps, Netskope, or Zscaler CASB
- SaaS applications configured with SSO via SAML 2.0 or OIDC
- MDM enrollment for device compliance signals (Intune, Jamf)
- DLP policies defined for sensitive data categories
Workflow
Step 1: Federate SaaS Authentication Through Identity Provider
Centralize authentication for all SaaS applications through a single IdP.
# Configure SAML SSO for Salesforce via Entra ID
Connect-MgGraph -Scopes "Application.ReadWrite.All"
# Create enterprise application for Salesforce
$app = New-MgServicePrincipal -AppId "SALESFORCE_APP_ID" -DisplayName "Salesforce"
# Configure SAML SSO settings
$samlSettings = @{
preferredSingleSignOnMode = "saml"
samlSingleSignOnSettings = @{
relayState = ""
}
}
Update-MgServicePrincipal -ServicePrincipalId $app.Id -BodyParameter $samlSettings
# Assign user groups to the application
New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $app.Id -BodyParameter @{
principalId = "SALES_GROUP_ID"
resourceId = $app.Id
appRoleId = "DEFAULT_ROLE_ID"
}Step 2: Create Conditional Access Policies for SaaS Applications
Enforce identity and device requirements before granting SaaS access.
# Block access from non-compliant devices to sensitive SaaS apps
$policy = @{
displayName = "ZT - Require Compliant Device for SaaS"
state = "enabled"
conditions = @{
applications = @{
includeApplications = @("SALESFORCE_APP_ID", "M365_APP_ID", "SLACK_APP_ID")
}
users = @{
includeUsers = @("All")
excludeGroups = @("BREAK_GLASS_GROUP")
}
clientAppTypes = @("browser", "mobileAppsAndDesktopClients")
}
grantControls = @{
operator = "AND"
builtInControls = @("mfa", "compliantDevice")
}
sessionControls = @{
cloudAppSecurity = @{
isEnabled = $true
cloudAppSecurityType = "mcasConfigured"
}
signInFrequency = @{
value = 8
type = "hours"
isEnabled = $true
}
}
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
# Block downloads on unmanaged devices
$downloadPolicy = @{
displayName = "ZT - Block Downloads on Unmanaged Devices"
state = "enabled"
conditions = @{
applications = @{ includeApplications = @("SHAREPOINT_APP_ID") }
users = @{ includeUsers = @("All") }
devices = @{
deviceFilter = @{
mode = "include"
rule = "device.isCompliant -ne True -or device.trustType -ne 'ServerAD'"
}
}
}
sessionControls = @{
cloudAppSecurity = @{
isEnabled = $true
cloudAppSecurityType = "mcasConfigured"
}
}
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $downloadPolicyStep 3: Deploy CASB for Shadow IT Discovery and App Governance
Configure Microsoft Defender for Cloud Apps to discover and control SaaS usage.
# Query discovered cloud apps via Defender for Cloud Apps API
curl -X GET "https://api.cloudappsecurity.com/api/v1/discovery/" \
-H "Authorization: Token ${MDCA_API_TOKEN}" \
-H "Content-Type: application/json"
# Get list of unsanctioned apps
curl -X GET "https://api.cloudappsecurity.com/api/v1/discovery/discovered_apps/" \
-H "Authorization: Token ${MDCA_API_TOKEN}" \
-d '{
"filters": {
"appTag": {"eq": "unsanctioned"},
"traffic": {"gte": 1000}
},
"sortField": "traffic",
"sortDirection": "desc"
}'
# Create session policy for DLP enforcement
curl -X POST "https://api.cloudappsecurity.com/api/v1/policies/" \
-H "Authorization: Token ${MDCA_API_TOKEN}" \
-d '{
"name": "Block PII Upload to SaaS",
"policyType": "SESSION",
"severity": "HIGH",
"enabled": true,
"sessionPolicyType": "CONTROL_UPLOAD",
"filters": {
"fileType": {"eq": ["DOCUMENT", "SPREADSHEET"]},
"contentInspection": {
"dataType": ["CREDIT_CARD", "SSN", "PASSPORT"]
}
},
"actions": {
"block": true,
"notify": {
"emailRecipients": ["security-team@company.com"]
}
}
}'Step 4: Configure OAuth App Governance
Review and restrict OAuth application permissions to prevent excessive consent.
# Query OAuth apps with high-privilege permissions
$oauthApps = Invoke-MgGraphRequest -Method GET `
"https://graph.microsoft.com/v1.0/servicePrincipals?\$filter=tags/any(t:t eq 'WindowsAzureActiveDirectoryIntegratedApp')&\$select=displayName,appId,oauth2PermissionScopes"
# Review consent grants
$grants = Get-MgOauth2PermissionGrant -All
$highRisk = $grants | Where-Object {
$_.Scope -match "Mail.ReadWrite|Files.ReadWrite.All|Directory.ReadWrite.All"
}
Write-Host "High-risk OAuth grants: $($highRisk.Count)"
$highRisk | ForEach-Object {
$sp = Get-MgServicePrincipal -ServicePrincipalId $_.ClientId
Write-Host " App: $($sp.DisplayName) | Scope: $($_.Scope) | Type: $($_.ConsentType)"
}
# Configure app consent policy to require admin approval
$consentPolicy = @{
displayName = "Require Admin Approval for High-Risk Permissions"
conditions = @{
clientApplications = @{ includeAllClientApplications = $true }
permissions = @{
permissionClassification = "high"
permissions = @(
@{ permissionValue = "Mail.ReadWrite"; permissionType = "delegated" }
@{ permissionValue = "Files.ReadWrite.All"; permissionType = "delegated" }
)
}
}
}Step 5: Implement SaaS Security Posture Management (SSPM)
Audit and remediate SaaS security configuration drift.
# Query SaaS security posture via CASB API
curl -X GET "https://api.cloudappsecurity.com/api/v1/security_config/" \
-H "Authorization: Token ${MDCA_API_TOKEN}" \
-d '{"app": "Microsoft 365"}'
# Common SSPM checks:
# - MFA enforcement for all admin accounts
# - External sharing restrictions in SharePoint/OneDrive
# - Email forwarding rules to external domains blocked
# - Idle session timeout configured (< 8 hours)
# - Legacy authentication protocols disabled
# - Admin consent workflow enabled
# - Conditional access policies active
# - Audit logging enabled for all servicesKey Concepts
| Term | Definition |
|---|---|
| CASB | Cloud Access Security Broker - intermediary enforcing security policies between users and SaaS applications |
| SSPM | SaaS Security Posture Management - continuous monitoring of SaaS application security configurations |
| OAuth Governance | Review and control of third-party application permissions granted through OAuth consent flows |
| Session Controls | Real-time access restrictions (block downloads, DLP inspection, watermarking) applied during active SaaS sessions |
| Shadow IT | Unauthorized SaaS applications used by employees without IT approval or security review |
| Conditional Access | Policy engine evaluating identity, device, location, and risk signals before granting SaaS access |
Tools & Systems
- Microsoft Defender for Cloud Apps: CASB providing shadow IT discovery, session controls, DLP, and SSPM
- Microsoft Entra ID Conditional Access: Policy engine for identity-based access control to SaaS applications
- Netskope CASB: Cloud-native CASB with inline and API-based SaaS security controls
- Okta Identity Governance: OAuth app governance and access certification for SaaS applications
- SSPM Tools: AppOmni, Adaptive Shield, Valence Security for SaaS configuration monitoring
Common Scenarios
Scenario: Securing Microsoft 365 and Salesforce for 1,000-User Organization
Context: A professional services firm with 1,000 users uses Microsoft 365, Salesforce, Slack, and 20+ other SaaS apps. Several data breaches in the industry drive a zero trust initiative for all SaaS access.
Approach:
- Federate all SaaS authentication through Entra ID with SAML SSO
- Create conditional access policies requiring MFA + compliant device for all SaaS apps
- Deploy Defender for Cloud Apps for shadow IT discovery (identify 150+ unauthorized apps)
- Mark unauthorized apps as unsanctioned and block via SWG/proxy
- Configure session controls: block downloads on unmanaged devices, DLP for file uploads
- Review OAuth app permissions: revoke 45 high-risk consent grants, enable admin approval workflow
- Enable SSPM monitoring for Microsoft 365 and Salesforce configurations
- Set up weekly automated posture reports for security leadership
Pitfalls: Conditional access policies need break-glass exclusions. Some legacy SaaS apps may not support modern authentication. Session controls require proxy-based CASB which can impact performance. OAuth app revocation may break integrations; coordinate with app owners first.
Output Format
Zero Trust SaaS Security Report
==================================================
Organization: ProServices Corp
Report Date: 2026-02-23
SAAS INVENTORY:
Sanctioned Apps: 25
Unsanctioned (blocked): 127
Shadow IT Users: 342 (discovered in last 30 days)
CONDITIONAL ACCESS:
Policies active: 8
Sign-ins evaluated: 456,789
Blocked by policy: 2,345 (0.5%)
MFA enforced: 100% of sign-ins
DEVICE COMPLIANCE:
Compliant device required: All 25 sanctioned apps
Sign-ins from compliant: 448,123 (98.1%)
Sign-ins blocked (non-compliant): 8,666
CASB / DLP:
DLP violations detected: 89
Files blocked from upload: 34
Downloads blocked (unmanaged): 1,234
OAUTH GOVERNANCE:
Total OAuth apps: 312
High-risk permissions: 12 (reviewed)
Revoked consents: 45
Pending admin approval: 8
SSPM FINDINGS:
Critical misconfigurations: 3
High: 7
Medium: 15
Remediated this month: 18Verification Criteria
Confirm successful execution by validating:
- [ ] All prerequisite tools and access requirements are satisfied
- [ ] Each workflow step completed without errors
- [ ] Output matches expected format and contains expected data
- [ ] No security warnings or misconfigurations detected
- [ ] Results are documented and evidence is preserved for audit
Compliance Framework Mapping
This skill supports compliance evidence collection across multiple frameworks:
- SOC 2: CC6.1 (Logical Access), CC6.2 (Credentials), CC6.3 (Provisioning)
- ISO 27001: A.9.1 (Access Control), A.9.4 (System Access Control), A.13.1 (Network Security)
- NIST 800-53: AC-2 (Account Management), AC-3 (Access Enforcement), SC-7 (Boundary Protection)
- NIST CSF: PR.AC (Access Control), PR.PT (Protective Technology)
Claw GRC Tip: When this skill is executed by a registered agent, compliance evidence is automatically captured and mapped to the relevant controls in your active frameworks.
Deploying This Skill with Claw GRC
Agent Execution
Register this skill with your Claw GRC agent for automated execution:
# Install via CLI
npx claw-grc skills add implementing-zero-trust-for-saas-applications
# Or load dynamically via MCP
grc.load_skill("implementing-zero-trust-for-saas-applications")Audit Trail Integration
When executed through Claw GRC, every step of this skill generates tamper-evident audit records:
- SHA-256 chain hashing ensures no step can be modified after execution
- Evidence artifacts (configs, scan results, logs) are automatically attached to relevant controls
- Trust score impact — successful execution increases your agent's trust score
Continuous Compliance
Schedule this skill for recurring execution to maintain continuous compliance posture. Claw GRC monitors for drift and alerts when re-execution is needed.