BYPASS SESSION CONTROL


I am testing a real-time content inspection policy (Block upload) in conditional access app control. The policy is set up to block the upload of any files containing an SSN into a browser session app. The problem is the policy fails to block the upload although it logs a match anytime I try uploading a file into the app. I have tried with both Microsoft Edge and Google Chrome. Below is a screenshot. I would like to know what "Bypass session control" also means since that is what I suspect might be the clue to resolving the issue.

richrico_0-1635548373916.png

3 Replies

@richrico

What does your policy look like?

Also, is the application onboarded for session controls in MCAS?

I first used the template (Block upload based on real-time content inspection) and then created it from scratch. Both had the same result (didn't block the upload). And yes, the application is perfectly onboarded (shows connected) in MCAS.

richrico_0-1635802629256.png

@Jonhed

Never mind, I found a solution to the problem. The session is being bypassed because the app is using an OAuth code login flow. Hence, enabling "Treat access token and code requests as app logins" on the configuration page of the app rectified the issue.

richrico_0-1641576707052.png

@Jonhed