Aug 06 2021 02:07 PM
Hello
I have set up an authentication context and published it to CA policies. The Authentication Context name is "trusted device". I created the CA policy per below. When I log into the application from a non-trusted device and do a copy and/or paste, I should be getting prompted by Cloud App Security to step up authentication, but I don't. Any help is greatly appreciated.
In Cloud App Security I created a session policy, category = "Compliance". Below are the settings.
If needed, you can always manually add an app to MCAS if you have the required information. You don't necessarily need to use conditional access app control. But for now that's not relevant.
Have you tried both Cornerstone and the Admin Center? Which browser did you use when testing? And what do the MCAS and Sign-in Logs tell you?
Aug 09 2021 08:40 AM
Hit the reply button too soon. Below is what I see for user activity in Cloud App Security. Looks like the activity is correct, but the session policy is not firing.
Regarding the Azure AD sign-in logs: I see a bunch of successful sign-ons to the application, even though I signed on from my personal laptop, which is not a compliant device.
Aug 09 2021 08:57 AM
@Skipster311-1 @R_Gijsbers_Rademakers
Azure AD Sign-in logs are suggesting that the authentication context policy is not applying because of the application. In the CA policy, if I select "Authentication Context" I don't get the ability to select an application. So this is a bit confusing.
Aug 09 2021 11:13 AM
I've just tested it myself and I wasn't completely right with my earlier statement. I came to the following conclusion.
You will need two separate Conditional Access policies for this to work.
Within MCAS you configure the session policy to use step-up authentication with the corresponding authentication context.
Aug 09 2021 01:02 PM
Solution
He doesn't explicitly mention it indeed. But if you look at the screenshots near the end of the article, you can see the second policy above the MCAS policy screenshot. Underneath the screenshot he mentions: "You also need session policy to be enabled on conditional access targeting apps".
Aug 09 2021 02:02 PM
The policy with the authentication context should have the "require MFA" and "require compliant device" controls.
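As an added check (not from the thread or from Microsoft), the following script reads a list of Conditional Access policies in the Microsoft Graph conditionalAccessPolicy shape and reports which of the two policies described in this thread is missing: the one scoped to the authentication context with the "require MFA" and "require compliant device" grant controls, and the one targeting the app with Conditional Access App Control as its session control. The Graph field names are assumed from the Graph schema, the authentication context id `c1` is assumed, the app id is a constructed placeholder, and the sample policy list is constructed to mirror the thread's situation.

```python
AUTH_CONTEXT_ID = "c1"  # assumed id of the "trusted device" authentication context
APP_ID = "11111111-2222-3333-4444-555555555555"  # constructed placeholder app id


def has_context_policy(policies, context_id):
    """Enabled policy scoped to the authentication context that requires
    MFA AND a compliant device (the grant controls from the thread)."""
    for p in policies:
        if p.get("state") != "enabled":
            continue
        apps = p.get("conditions", {}).get("applications", {})
        if context_id not in apps.get("includeAuthenticationContextClassReferences", []):
            continue
        grant = p.get("grantControls") or {}
        controls = set(grant.get("builtInControls", []))
        if grant.get("operator") == "AND" and {"mfa", "compliantDevice"} <= controls:
            return True
    return False


def has_app_session_policy(policies, app_id):
    """Enabled policy targeting the app (or All apps) whose session control
    routes traffic through Conditional Access App Control with MCAS policies."""
    for p in policies:
        if p.get("state") != "enabled":
            continue
        included = p.get("conditions", {}).get("applications", {}).get("includeApplications", [])
        if app_id not in included and "All" not in included:
            continue
        cas = (p.get("sessionControls") or {}).get("cloudAppSecurity") or {}
        if cas.get("isEnabled") and cas.get("cloudAppSecurityType") == "mcasConfigured":
            return True
    return False


def missing_pieces(policies, context_id=AUTH_CONTEXT_ID, app_id=APP_ID):
    missing = []  # names of the required policies that are absent
    if not has_context_policy(policies, context_id):
        missing.append("context policy (MFA + compliant device)")
    if not has_app_session_policy(policies, app_id):
        missing.append("app policy with Conditional Access App Control")
    return missing


# Constructed sample mirroring the thread: only the context policy exists, the
# app-targeting session policy is missing, so MCAS step-up never fires.
SAMPLE_POLICIES = [{
    "displayName": "Step-up: trusted device context", "state": "enabled",
    "conditions": {"applications": {
        "includeAuthenticationContextClassReferences": [AUTH_CONTEXT_ID]}},
    "grantControls": {"operator": "AND", "builtInControls": ["mfa", "compliantDevice"]},
}]
```

Calling `missing_pieces(SAMPLE_POLICIES)` on the constructed sample reports only the app policy as missing, which matches the gap the thread resolved.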