MCAS Conditional Access App Control UX for personal cloud services


Hi all,

From what I've seen online, MCAS Conditional Access App Control requires IdP app enrollment (enforcing SSO via AAD), an extremely lengthy process in comparison to API-Connected App integration.

Company X is considering implementing this for non-enterprise related services, so they can gain additional visibility (and potentially enforcement upload or download blocking down the track) for users accessing personal Dropbox and G-Suite. They do not plan to have an enterprise tenant/account for these services.

Question is - what is the expected user experience, once this has been implemented for all users? Will all users be impacted by an initial sign-on permission prompt (to accept the company's AAD to manage their authentication)... and from that point onwards no longer need to enter their credentials when accessing their personal Dropbox/G-suite account from that machine? (BTW, MCAS is integrated in this instance with workstations having Defender ATP installed). Thanks

1 Reply

@BradK78 Hi,

Conditional Access App Control is actually designed to help protect corporate apps, not personal apps, such as personal Dropbox, OneDrive, etc.

 

We will have more to announce in the future for our plan to help protect customers' data being uploaded to unsanctioned / unapproved apps.