I wanted to share an important and exciting new feature that we are rolling out for Session Controls in Microsoft Cloud App Security, with impact to current users of Session Controls.
We are making big improvements to our architecture for our proxy-based session controls, to leverage one unified suffix, without a named region (i.e., for commercial customers, “*.[region].cas.ms” will become “*.mcas.ms”). This change will start to hit customer tenants as early as June 7th, but will continue to roll out gradually. This is important for several reasons:
- Customers who blacklist domains by default in their network appliance or gateway will need to ensure they whitelist all the domains listed here: https://docs.microsoft.com/en-us/cloud-app-security/network-requirements#access-and-session-controls
- Note 1: during initial deployment and roll-out of this feature, customers may transition from the previous, geo-specific domains to the unified suffix domains. Therefore, it’s important to whitelist all domains listed on this page.
- Note 2: If a customer is whitelisting specific IPs, they must whitelist all IPs currently listed in the network requirements across all listed Data centers.
- Note 3: Customers should continue to check this page for the latest information on new IP addresses, as we are constantly increasing our region sizes to scale with demand.
- Our architecture becomes more scalable – one region will serve any DC, meaning when we deploy a new region, it’s automatically available to any customer in MCAS
- Users will see a new suffix URL when Session Controls are applied, and should be aware of these changes, if the IT/IS admins in the org choose to do so.
- Users will no longer see DC name in the URL, which has often been confused with the location of the proxy node (which it’s not)
Here is a GIF showing the new domain for Commercial customers:
Let me know if you have any questions.