Forum Discussion
Conditional Access App Control issues
I'm trying to create a Cloud App policy to detect and block logins to any of our cloud apps that are leveraging SSO with Entra from Tor or anonymous IPs. I read an article where you can use Conditional Access App Control to apply cloud app policies during login via Entra.
I've created the initial CA policy (report only), applied to users, applied to specific cloud app, set to Use Conditional Access App Control choosing "Use custom policy..." and logged onto the cloud app.
I then checked the user's sign-in log and confirmed the CA rule was marked as success.
Next I go to Defender portal, Cloud Apps, Policy management and try to create an access policy and I get this error:
You don't have any apps deployed with Conditional Access App Control. Go to the Conditional Access App Control page to deploy an app.
Missing a step?
2 Replies
Try to take action at the following:
- Deploy the App in Defender for Cloud Apps
  Go to Microsoft Defender Portal → Settings → Cloud Apps → Conditional Access App Control apps.
  From there, click + Add and follow the wizard to onboard the app:
  - Provide the app name
  - SAML metadata or manual configuration (Assertion Consumer Service URL, SAML cert, etc.)
- Verify Prerequisites
  - Ensure the app uses SAML 2.0 or OpenID Connect for SSO
  - Necessary licenses (Microsoft Defender for Cloud Apps + Microsoft Entra ID P1/P2)
  - The CA policy is set to Use custom policy and not just Monitor only
Moritz45 (Copper Contributor)
Hello, I believe your questions might have been answered here: you dont have any apps deployed with conditional access app control | Microsoft Community Hub. I believe the issue here could be that the CA is configured as report-only and not as on? Maybe reduce the scope of the policy to a test user, enable the policy and try again? Let me know if this fixed the issue.
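The two settings the replies point to (whether the policy is report-only, and which session-control type it uses) can be read from the policy as Microsoft Graph returns it. The following is an added example, not part of the thread: the sample policy JSON is constructed with placeholder IDs, and `audit_policy` is a hypothetical helper name.

```python
import json

# Constructed sample in the shape Microsoft Graph returns for
# /identity/conditionalAccess/policies. Name and IDs are placeholders.
SAMPLE = json.loads("""
[{"displayName": "Tor block - App Control (sample)",
  "state": "enabledForReportingButNotEnforced",
  "conditions": {"users": {"includeUsers": ["<test-user-object-id>"]},
                 "applications": {"includeApplications": ["<app-id>"]}},
  "sessionControls": {"cloudAppSecurity":
      {"isEnabled": true, "cloudAppSecurityType": "mcasConfigured"}}}]
""")


def audit_policy(policy):
    """Return a list of findings for the settings raised in the replies."""
    findings = []

    # Graph states: enabled, disabled, enabledForReportingButNotEnforced.
    state = policy.get("state")
    if state == "enabledForReportingButNotEnforced":
        findings.append("state is report-only; the second reply suggests "
                        "enabling it for a test user")
    elif state != "enabled":
        findings.append(f"state is {state!r}; policy is not applied")

    # sessionControls can be null when no session control is configured.
    cas = (policy.get("sessionControls") or {}).get("cloudAppSecurity") or {}
    cas_type = cas.get("cloudAppSecurityType")
    if not cas.get("isEnabled"):
        findings.append("Conditional Access App Control is not enabled "
                        "as a session control")
    elif cas_type != "mcasConfigured":
        # mcasConfigured is the Graph value behind "Use custom policy...";
        # monitorOnly and blockDownloads are the built-in options.
        findings.append(f"session control type is {cas_type!r}, "
                        "not custom policy (mcasConfigured)")

    apps = ((policy.get("conditions") or {}).get("applications") or {})
    if not apps.get("includeApplications"):
        findings.append("no cloud app is in scope of the policy")
    return findings


if __name__ == "__main__":
    for p in SAMPLE:
        print(p["displayName"], "->", audit_policy(p) or "no findings")
```

An empty findings list only means the policy matches what the replies describe; the app still has to appear under Conditional Access App Control apps in the Defender portal.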