MCAS pre and post authentication


Hi guys,

I've got a couple of questions related to the authentication flow and when MCAS takes actions:
1. As far as I understand, all the proxy sessions get applied AFTER the user authentication and AFTER the Conditional Access policies: is this correct?
2. Is there any scenario where MCAS can do actions (policies, alarms, etc...) before the user authentication? If not, is it correct to assume that to use MCAS the users must be logged in to Azure AD?

Many thanks,
Dario

7 Replies

Hi Dario,

1. Correct. MCAS applies the session controls after authentication and initial risk assessment of the session.

2. Is there a specific pre-authentication scenario you have in mind?
In general, as a CASB, MCAS focuses on the user activity within the apps, hence, after the authentication.

Thanks,

Niv


Hi Niv,

First of all, thanks for the answer.

Related to point 2, I would like to know which are the controls or the capabilities I can use pre-authentication.

Thanks,

Dario

@Niv Goldenberg any news please?

The pre-authentication controls you can use are the controls provided by AAD.

@Niv Goldenberg Thanks. Azure AD does not provide pre-auth access afaik, the conditional access gets applied after the authentication.

If I'm wrong please tell me which controls can do AAD pre-auth.

Many thanks!

Dario


The controls are applied during the authentication.

@Niv Goldenberg ok, I see, it means I have to provide the password before anything happens.

Many thanks,

Dario