Deploy Conditional Access App Control for featured apps

Applies to: Microsoft Cloud App Security

« Previous: Introduction to Conditional Access App Control
Next: Onboard and deploy Conditional Access App Control for any app »

Session controls in Microsoft Cloud App Security work with the featured apps. For a list of apps that are featured by Cloud App Security to work out-of-the-box, see Protect apps with Microsoft Cloud App Security Conditional Access App Control.

Prerequisites

To deploy Conditional Access App Control for Azure AD apps, you need a valid license for Azure AD Premium P1 as well as a Cloud App Security license.

Follow these steps to configure featured apps to be controlled by Microsoft Cloud App Security Conditional Access App Control.

Step 1: Go to the Azure AD portal and create a conditional access policy for the apps and route the session to Cloud App Security

Step 2: Sign in to each app using a user scoped to the policy

Step 3: Verify the apps are configured to use access and session controls

Step 4: Test the deployment

Step 1: Create an Azure AD conditional access test policy

  1. In Azure Active Directory, under Security, click Conditional Access.

  2. Click New policy and create a new policy.

  3. In the TEST policy, under Users, assign a test user (or users) to be used for the initial sign-in and verification.

  4. In the TEST policy, under Cloud app, assign the apps you want to control with Conditional Access App Control.

  5. Under Session, set the policy to use one of the built-in policies, Monitor only or Block downloads, or select Use custom policy to define an advanced policy in the Cloud App Security portal.

  6. Add any applicable Condition assignments or Grant controls (optional).


  7. Click Enable and Save.
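The test policy from Step 1 expressed as a Microsoft Graph conditionalAccessPolicy created from PowerShell, added here as an example and not part of the original article; the user object ID and application IDs are placeholders, and the module and Graph permissions named are assumptions about your environment.

```powershell
# Added example (not from the original page): the Step 1 test policy created
# through Microsoft Graph instead of the portal, so it can be kept in source
# control and reviewed. Assumes the Microsoft.Graph PowerShell module is
# installed; the user and application IDs are placeholders.
Connect-MgGraph -Scopes "Policy.Read.All", "Policy.ReadWrite.ConditionalAccess"

$testUserId     = "<object-id-of-test-user>"          # placeholder
$featuredAppIds = @("<app-id-of-featured-app>")       # placeholder(s)

$policy = @{
    displayName = "TEST - Conditional Access App Control (Monitor only)"
    state       = "enabled"                           # Step 1.7: Enable
    conditions  = @{
        users          = @{ includeUsers = @($testUserId) }         # Step 1.3
        applications   = @{ includeApplications = $featuredAppIds } # Step 1.4
        clientAppTypes = @("all")
    }
    sessionControls = @{
        # Step 1.5: route the session to Cloud App Security.
        #   monitorOnly    -> built-in "Monitor only"
        #   blockDownloads -> built-in "Block downloads"
        #   mcasConfigured -> "Use custom policy" (defined in the Cloud App Security portal)
        cloudAppSecurity = @{
            isEnabled            = $true
            cloudAppSecurityType = "monitorOnly"
        }
    }
}

$created = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies" `
    -Body ($policy | ConvertTo-Json -Depth 10) -ContentType "application/json"

# Read the policy back and confirm the session control is set before moving
# on to Step 2 (signing in with the scoped user).
$check = Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies/$($created.id)"
$check.sessionControls.cloudAppSecurity
```

Scope the policy to the test user only, as in Step 1.3, since the session control applies to every sign-in it matches once the state is enabled.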

Step 2: Sign in to each app using a user scoped to the policy

Note

Before proceeding, make sure to first sign out of existing sessions.

After you've created the policy, sign in to each app configured in that policy. Make sure you sign in using a user configured in the policy.

Cloud App Security will sync your policy details to its servers for each new app you sign in to. This may take up to one minute.

Step 3: Verify the apps are configured to use access and session controls

The instructions above helped you create a built-in Cloud App Security policy for featured apps directly in Azure AD. In this step, verify that the access and session controls are configured for these apps.

  1. In the Cloud App Security portal, click the settings cog, and then select Conditional Access App Control.

  2. In the Conditional Access App Control apps table, look at the Available controls column and verify that both Access control and Session control appear for your apps.

    Note

    If session control doesn't appear for an app, it's not yet available for that specific app. You can either add it immediately as a custom app, or you can open a request to add it as a featured app by clicking Request session control.


Step 4: Test the deployment

  1. First sign out of any existing sessions. Then, try to sign in to each app that was successfully deployed. Sign in using a user that matches the policy configured in Azure AD.

  2. In the Cloud App Security portal, under Investigate, select Activity log, and make sure the login activities are captured for each app.

  3. To narrow the list, click Advanced and filter using Source equals Access control.


  4. It's recommended that you sign in to the mobile and desktop apps from both managed and unmanaged devices, to make sure that those activities are also captured in the activity log.
    To verify that an activity is captured correctly, click a single log-on activity so that it opens the activity drawer. Make sure the User agent tag correctly reflects whether the device is a native client (meaning either a mobile or desktop app) or a managed device (compliant, domain joined, or presenting a valid client certificate).

Note

After it is deployed, you can't remove an app from the Conditional Access App Control page. As long as you don't set a session or access policy on the app, the Conditional Access App Control won't change any behavior for the app.


Next steps

Working with Cloud App Security Conditional Access App Control

Premier customers can also create a new support request directly in the Premier Portal.