Forum Discussion
Conditional Access and MCAS policies matching
When you create a CA policy you can use Custom Policy in the Session settings to redirect users through MCAS. Then in MCAS you can create say Session policies that are targeted to specific users/groups.
Let's say I have CA policy1 that targets Alice and Bob for a specific cloud app, then in MCAS I have sesion-policy1 targeted to Alice and Bob to take certain actions.
Then I have CA policy2 for Alice, Bob and John (with different settings), and also an MCAS session-policy2 for them
How are CA and MCAS policies "matched"? e.g. I want policy1 to meet session-policy1 but not session-policy2
- LouisMastelinckBrass Contributor
mikkele My guess the match is made based on the controls in your session policy.
So I think you will have to scope your session policy to the same scope of your CA policy.
Kind regards
Louis
- mikkeleIron Contributoryeah but still if you look at my example above you can still have multiple CA policies that will be hitting an MCAS policies even if not planned
CA policy1 and CA policy 2 will both hit MCAS policy2- LouisMastelinckBrass Contributor
mikkele
So I have done additional testing.
As soon you enable Conditional app access control all of the people who match the CA policy are forward to MCAS.
If the session control policy in MCAS had no group or user scope than it will apply all non scoped session control policies.
If you specify in the Session control policy the requirements then you will be able to scope them according to my tests.So I believe you will have to recreate your conditions as good as possible in MCAS.