MCAS pre and post authentication

Hi guys,

I've got a couple of questions related to the authentication flow and when MCAS takes actions:
1. As far as I understand, all the proxy sessions get applied AFTER the user authentication and AFTER the Conditional Access policies: is this correct?
2. Is there any scenario where MCAS can do actions (policies, alarms, etc.) before the user authentication? If not, is it correct to assume that to use MCAS the users must be logged in to Azure AD?

Many thanks,
Dario

7 Replies

Hi Dario,

1. Correct. MCAS applies the session controls after authentication and initial risk assessment of the session.

2. Is there a specific pre-authentication scenario you have in mind?
In general, as a CASB, MCAS focuses on the user activity within the apps, hence, after the authentication.

Thanks,

Niv

Hi Niv,

First of all, thanks for the answer.

Related to point 2, I would like to know which are the controls or the capabilities I can use pre-authentication.

Thanks,

Dario

@Niv Goldenberg any news please?

The pre-authentication controls you can use are the controls provided by AAD.

@Niv Goldenberg Thanks. Azure AD does not provide pre-auth access afaik, the conditional access gets applied after the authentication.

If I'm wrong please tell me which controls can do AAD pre-auth.

Many thanks!

Dario

The controls are applied during the authentication.

@Niv Goldenberg ok, I see, it means I have to provide the password before anything happens.

Many thanks,

Dario