SOLVED

Workplace by Facebook session control not enforced


Greetings everyone

We have set up AAD Conditional Access to proxy traffic for Workplace by Facebook to MCAS. We also set up an MCAS session policy to control file download and other activities.

We get redirected to MCAS during sign-in but we end up in the Workplace direct URL (my.workplace.com) without session control. The same policy works for Salesforce, Azure and Office 365 apps, enforcing session control as expected.

We tried this in the production environment and also in a test lab, with the same behavior. Did anybody experience the same behavior? I can upload Fiddler traces for a clearer picture if you wish.

Thanks in advance for your help.

Regards,

Federico

 

7 Replies

@strav970 Would you be able to confirm the following? 

1. In the Azure AD Conditional Access Policy, check that Workplace by Facebook is selected as a Cloud App

[screenshot: new.PNG]

2. In the MCAS Session Policy, if you have App selected in the filter, check that Workplace by Facebook is added

[screenshot: session2.PNG]

3. In MCAS, confirm that Session Control is enabled for Workplace by Facebook

[screenshot: Session.PNG]


Thank you very much Anisha for your feedback.
Indeed we do have all those configurations in place, but still can’t accomplish session control.

 

[screenshot: Session.png]

This is a screenshot from our lab tenant, but we get the same behavior in production.
I'm also attaching a Fiddler trace in case you want to review it.
I suspect the ReplyURL and SAML configuration from Workplace, since they are starting to change their URLs to my.workplace.com, but I don't have enough evidence to justify this, since it doesn't seem obvious to me how this would affect MCAS.
SP-initiated sign-in is working OK, but IdP-initiated is throwing an error from the Workplace side; nonetheless, it's stated in the MS Docs that only SP-initiated is supported.

Thanks again for your help.

 

@Anisha Gupta 


@strav970

> I suspect the ReplyURL and SAML configuration from Workplace, since they are starting to change their URLs to my.workplace.com.

In this case, you can add a User-defined domain within the settings of the application:

1. Navigate to Conditional Access App Control apps

2. Click the three dots to the right and select Edit App

[screenshot: fb-workplace3.PNG]

3. Select View App Domains to see which domains MCAS recognizes (in this case my.workplace.com is not categorized)

[screenshot: fb-workplace2.PNG]

4. Add my.workplace.com to the User-defined domains textbox to associate the domain

[screenshot: fb-workplace.PNG]
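To find the candidate entries for that User-defined domains box from the Fiddler trace mentioned earlier, here is an added example (not from this thread or from Microsoft) that lists the app hosts a browser reached directly instead of through the Conditional Access App Control proxy. It assumes proxied hosts carry the `.mcas.ms` suffix; the sample URLs and the app's recognized domains are constructed.

```python
# Added example (not from the thread or from Microsoft). It checks whether every
# app host observed in a Fiddler/browser trace went through the Conditional
# Access App Control proxy, and flags hosts reached directly because the app's
# recognised domains do not cover them (the my.workplace.com case above).
# Assumptions: proxied hosts carry the .mcas.ms suffix; sample URLs and app
# domains below are constructed, not real tenant data.
from urllib.parse import urlparse

PROXY_SUFFIXES = (".mcas.ms",)  # assumed suffix MCAS appends to proxied hosts

# Constructed trace: two requests proxied, one that escaped to the direct URL.
SAMPLE_URLS = [
    "https://login.microsoftonline.com/common/oauth2/authorize",
    "https://my.workplace.com.mcas.ms/saml/acs",
    "https://contoso.facebook.com.mcas.ms/work/feed",
    "https://my.workplace.com/home",
]
# Constructed view of what MCAS recognises for the app (my.workplace.com absent).
SAMPLE_APP_DOMAINS = {"facebook.com", "fb.com"}


def split_proxy(host):
    """Return (origin_host, was_proxied), stripping an MCAS proxy suffix if present."""
    host = host.lower().rstrip(".")
    for suffix in PROXY_SUFFIXES:
        if host.endswith(suffix):
            return host[: -len(suffix)], True
    return host, False


def host_covered(host, app_domains):
    """True if host equals, or is a subdomain of, a recognised app domain."""
    return any(host == d or host.endswith("." + d) for d in app_domains)


def analyse_trace(urls, app_domains):
    """Map each origin host to whether it was seen proxied, seen direct, and covered."""
    domains = {d.lower() for d in app_domains}
    report = {}
    for url in urls:
        origin, proxied = split_proxy(urlparse(url).hostname or "")
        entry = report.setdefault(origin, {"proxied": False, "direct": False})
        entry["proxied" if proxied else "direct"] = True
        entry["covered"] = host_covered(origin, domains)
    return report


def uncovered_direct_hosts(urls, app_domains, ignore=("login.microsoftonline.com",)):
    """Hosts hit directly (unproxied) that MCAS does not categorise for the app.
    Each is a candidate for the User-defined domains box; the IdP host is ignored."""
    report = analyse_trace(urls, app_domains)
    return sorted(h for h, e in report.items()
                  if e["direct"] and not e["covered"] and h not in ignore)
```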

 

 


Thanks @Anisha Gupta 

I can't seem to find the Edit App option for any of my Session Controlled Apps:

[screenshot: Annotation 2019-06-17 111921.png]

These Apps are integrated through the Azure AD gallery.

Can you think of a reason why?

Thanks again for your help.

Best Response confirmed by strav970 (Occasional Contributor)
Solution

You should now be able to access the Edit App. The feature was rolled out with the new Any App Support for Session Control! 

Thanks Anisha!
Alex Esivob handed me that information a few weeks ago, that's why I didn't bother you.
Great feature!! MCAS is setting the bar.

Of course @strav970

I am glad you were able to connect with Alex! Love the feedback!