SOLVED

Autht cloud app security

Iron Contributor

Hello

I have setup an authentication context and published it to CA polices. The Authentication Context name is "trusted device". I created the CA policy per below . When i log into the application from a non trusted device, and do a copy and or paste, i should be getting prompted from cloud app security to step up authentication, but i dont. Any help is greatly appreciated

Skipster3111_0-1628283645094.png

Skipster3111_1-1628283666847.png

Skipster3111_2-1628283691737.png

 

In cloud app security i created session policy , category = "Compliance". Below are the settings

Skipster3111_3-1628283859491.png

 

Skipster3111_4-1628283876846.png

 

12 Replies
Your conditional access policy doesn't need the conditional access app control setting. The policy will be triggered based on authentication context from the session policy in MCAS
Okay, but that shouldn't be the reason why the session policy in cloud app security is not working. Also if you want the app to show up in cloud app security , you need a CA policy that has "use conditional access app control" selected. If not the app will never be available in cloud app security

@Skipster311-1 

If needed, you can always manually add an app to MCAS if you have the required information. You don't necessarily need to use conditional access app control. But for now that's not relevant.

 

Have you tried both Cornerstone and the Admin Center? Which browser did you use when testing? And what do the MCAS and Signin Logs tell you?

I tried both apps, using multiple browsers. The result was the same. I tired Firefox, Chrome, and Edge browsers. On a side note, how do i add an application to cloud app security manually ?

@RGijsbersRademakers 

Hit the reply button too soon. Below is what i see for user activity in cloud app security. Looks like the activity is correct, but the session policy is not firing.

Skipster3111_0-1628523367807.png

Regarding the Azure AD sig-in logs. I see a bunch of successful sign-on's to the application, even though i signed on from my personal laptop which is not a compliant device. 

@Skipster311-1 @R_Gijsbers_Rademakers 

 

Azure AD Sign-in logs are suggesting that the authentication context policy is not applying because of application. In the CA policy if i select "Authentication Context" I dont get the ability to select an application. So this is a bit confusing 

Skipster3111_0-1628524597941.png

 

@Skipster311-1 

I've just tested it myself and I wasn't completely right with my earlier statement. I came to the following conclusion.

 

You will need two separate Conditional Access policies for this to work.

  • A policy for the Authentication Context as you created it.
  • A policy for the application you want to protect with Use Conditional Access App Control set to custom policy. In this Cornerstone)

Within MCAS you configure the session policy to use step-up authentication with the corresponding authentication context.

Interesting, and thank you for testing this in your lab. Creating two CA polices contradicts what the author of this posts has done. Scroll down to the "Configuration for MS Cloud App Security and Azure Portal Action" part of the article.
https://securecloud.blog/2021/05/22/deep-diver-azure-ad-conditional-access-authentication-context-se...
best response confirmed by Skipster311-1 (Iron Contributor)
Solution

@Skipster311-1 

He doesn't explicitly mention it indeed. But if you look at the screenshots near the end of the article, you can see the second policy above the MCAS policy screenshot. Underneath the screenshot he mentions: You also need session policy to be enabled on conditional access targeting apps

Okay, i didn't notice that. Which CA policy should have the "require mfa" and "require compliant device" ?

@Skipster311-1 

The policy with the authentication context should have the "require mfa" and "require compliant device controls. 

Hahahaha. It works with the second CA policy. Thank you very much for all your help. Much appreciated
1 best response

Accepted Solutions
best response confirmed by Skipster311-1 (Iron Contributor)
Solution

@Skipster311-1 

He doesn't explicitly mention it indeed. But if you look at the screenshots near the end of the article, you can see the second policy above the MCAS policy screenshot. Underneath the screenshot he mentions: You also need session policy to be enabled on conditional access targeting apps

View solution in original post