Deploy Conditional Access App Control for Azure AD apps
Applies to: Microsoft Cloud App Security
Follow these steps to configure Azure AD apps to be controlled by Microsoft Cloud App Security Conditional Access App Control.
To deploy Conditional Access App Control for Azure AD apps, you need a valid license for Azure AD Premium P1 as well as a Cloud App Security license.
In Azure Active Directory, under Security, select Conditional Access.
Click New policy.
In the TEST policy, under Users, assign a test user (or a small set of users) to use for the initial sign-in and verification.
In the TEST policy, under Cloud app, assign the apps you want to control with Conditional Access App Control.
Under Session, set the policy to use either of the built-in policies, Monitor only or Block downloads. Or select Use custom policy to set an advanced policy in the Cloud App Security portal.
Add any applicable Condition assignments or Grant controls (optional).
Conditional Access App Control supports any SAML or OpenID Connect app that is configured for single sign-on in Azure AD, including the featured apps. Non-featured apps can be configured with access control in the Cloud App Security portal by requesting that they be onboarded to session control.
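The same TEST policy created through Microsoft Graph instead of the portal, as an added example that is not part of this page or of Microsoft's own documentation. It assumes the Microsoft Graph PowerShell SDK is installed, that the signed-in account holds the Policy.ReadWrite.ConditionalAccess permission, and that the test user's UPN (cas-test@contoso.com) and the app's display name (Salesforce) are placeholders you replace with your own. The cloudAppSecurityType values correspond to the three Session options above: monitorOnly (Monitor only), blockDownloads (Block downloads) and mcasConfigured (Use custom policy).

```powershell
# Added example, not from the Microsoft docs page. Creates the TEST Conditional Access
# policy with the Microsoft Graph PowerShell SDK (Microsoft.Graph module).
# Assumptions: the UPN and app display name below are placeholders; the account
# running this has Policy.ReadWrite.ConditionalAccess.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "User.Read.All", "Application.Read.All"

# Test user that will perform the initial sign-in (placeholder UPN)
$testUser = Get-MgUser -Filter "userPrincipalName eq 'cas-test@contoso.com'"

# Conditional Access references an app by its application (client) ID, which is the
# service principal's AppId, not its object ID (placeholder display name)
$app = Get-MgServicePrincipal -Filter "displayName eq 'Salesforce'"

$params = @{
    displayName = "TEST - Conditional Access App Control"
    # Enabled, but scoped to the test user only; widen includeUsers after verification
    state       = "enabled"
    conditions  = @{
        users          = @{ includeUsers = @($testUser.Id) }
        applications   = @{ includeApps  = @($app.AppId) }
        # Keep all client types so native-client sign-ins also show up in the activity log
        clientAppTypes = @("all")
    }
    # Maps to the Session control in the portal
    sessionControls = @{
        cloudAppSecurity = @{
            isEnabled            = $true
            # monitorOnly | blockDownloads | mcasConfigured ("Use custom policy")
            cloudAppSecurityType = "monitorOnly"
        }
    }
}

$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter $params

# Read the policy back and confirm the session control is set as intended
$check = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id
"{0}: state={1}, cloudAppSecurityType={2}" -f $check.DisplayName, $check.State,
    $check.SessionControls.CloudAppSecurity.CloudAppSecurityType
```

Because includeUsers contains only the test account, enabling the policy immediately affects nobody else; the sign-in and sync steps that follow still need to be done with that account before anything appears in the Cloud App Security portal.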
After you've created the policy, sign in to each app configured in that policy, using a user that the policy applies to. Sign out of any existing sessions first.
Cloud App Security syncs the policy details to its servers for each new app you sign in to. This can take up to one minute.
Step 3: If you did not select a built-in Cloud App Security policy in Azure AD, or if you want to apply the policy to a non-featured app, go to the Cloud App Security portal
The instructions above created a built-in Cloud App Security policy for featured apps directly in Azure AD. To request support for a non-featured application:
In the Cloud App Security portal, go to the settings cog and choose Conditional Access App Control. You should see a message letting you know that new Azure AD apps were discovered by Conditional Access App Control.
Click View new apps.
In the screen that opens, you can see all the apps that you logged into in the previous step. For each app, click on the + sign, and then click Add.
If an app does not appear in the Cloud App Security app catalog, it will appear in the dialog under unidentified apps along with the login URL. When you click the + sign for these apps, you can onboard the application as a custom app.
In the Conditional Access App Control apps table, look at the Available controls column and verify that both Azure AD conditional access and Session control appear.
If Session control doesn't appear for an app, it's not yet available for that specific app. You'll see the Request session control link instead.
Click Request session control to request that the app be onboarded to session control. The onboarding is carried out together with the Microsoft Cloud App Security team.
Identify devices using client certificates (optional).
Go to the settings cog and choose Device identification.
Upload one or more root or intermediate certificates.
After the certificate is uploaded, you can create access policies and session policies based on Device tag and Valid client certificate.
A certificate is only requested from a user if the session matches a policy that uses the valid client certificate filter.
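A way to produce the certificates this step needs for a test, as an added example that is not part of this page or of Microsoft's own documentation: a private root CA whose public certificate is what you upload under Device identification, and a client certificate chained to it that the browser on the test device can present. It assumes a Windows device with the PKI cmdlets available, and the subject names are placeholders. In production the client certificate would come from your real enterprise CA and only that CA's root or intermediate would be uploaded.

```powershell
# Added example, not from the Microsoft docs page. Builds a test root CA and a
# client-authentication certificate chained to it, for exercising the
# "Valid client certificate" filter. Subject names are placeholders.

# 1. Self-signed root that can sign other certificates
$root = New-SelfSignedCertificate `
    -Type Custom `
    -KeySpec Signature `
    -Subject "CN=Contoso CAAC Test Root" `
    -KeyExportPolicy Exportable `
    -HashAlgorithm sha256 `
    -KeyLength 2048 `
    -KeyUsageProperty Sign `
    -KeyUsage CertSign `
    -NotAfter (Get-Date).AddYears(5) `
    -CertStoreLocation "Cert:\CurrentUser\My"

# 2. Export only the public certificate (.cer, no private key); this file is
#    what gets uploaded in the Cloud App Security portal under Device identification
$rootFile = Join-Path $env:TEMP "caac-test-root.cer"
Export-Certificate -Cert $root -FilePath $rootFile -Type CERT | Out-Null

# 3. Client certificate signed by the root, with the Client Authentication EKU
#    (1.3.6.1.5.5.7.3.2), which is what the proxy asks the browser for
$client = New-SelfSignedCertificate `
    -Type Custom `
    -KeySpec Signature `
    -Subject "CN=$env:COMPUTERNAME" `
    -KeyExportPolicy Exportable `
    -HashAlgorithm sha256 `
    -KeyLength 2048 `
    -NotAfter (Get-Date).AddYears(1) `
    -Signer $root `
    -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.2") `
    -CertStoreLocation "Cert:\CurrentUser\My"

# 4. Trust the root locally so the browser can build a complete chain when prompted
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store("Root", "CurrentUser")
$store.Open("ReadWrite")
$store.Add($root)
$store.Close()

# 5. Sanity checks before uploading: the client cert chains to the root and
#    carries the client-auth EKU
$chainsToRoot = ($client.Issuer -eq $root.Subject)
$hasClientAuth = ($client.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId }) -contains "1.3.6.1.5.5.7.3.2"
"Root exported to {0}; chains to root: {1}; client-auth EKU: {2}" -f $rootFile, $chainsToRoot, $hasClientAuth
```

Only the .cer from step 2 leaves the device; the private keys stay in the user's certificate store. Remember the caveat above: the browser is only prompted for this certificate when the session matches a policy that uses the valid client certificate filter, so create such a session or access policy before testing.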
First sign out of any existing sessions. Then, try to sign in to each app that was successfully deployed. Sign in using a user that matches the policy configured in Azure AD.
In the Cloud App Security portal, under Investigate, select Activity log, and make sure the login activities are captured for each app.
You can filter by clicking on Advanced, and then filtering using Source equals Access control.
It's recommended that you sign into mobile and desktop apps from managed and unmanaged devices. This is to make sure that the activities are properly captured in the activity log.
To verify that an activity is properly captured, click a single sign-on activity to open the activity drawer. Check that the User agent tag correctly reflects whether the client is a native client (a mobile or desktop app) and whether the device is managed (compliant, domain joined, or presenting a valid client certificate).
Once an app has been deployed, you can't remove it from the Conditional Access App Control page. As long as you don't set a session or access policy on the app, Conditional Access App Control doesn't change the app's behavior.