Cloud app security certificate

Occasional Contributor

So I set up Cloud App Security through this guide

https://chrisonsecurity.net/2021/06/24/conditional-access-using-certificates/

I am using a Mac and tested on a machine where it asks for the certificate the first time when opening Outlook. So it works as it should.

If I, however, go in afterwards and remove the certificates, I am still able to access Outlook afterwards - even if I wait several hours. Should MCAS block if the certificate is missing, or is it only checked the first time? Because then it is not usable for us, as we then cannot block devices if needed.

1 Reply
The CAAC feature cannot reliably support apps because not all apps use interactive sign-in flows like browsers do. This is one example of why that is the case. If the app is not using an interactive sign-in flow based on 302 redirects (the way browser-based SSO works), then the identity provider (usually Azure AD) is unable to redirect the client session to the session proxy. The result is that your session policy is ineffective for that client, because the client is still talking directly to Exchange Online, not through the session proxy.

This is discussed here: https://docs.microsoft.com/en-us/defender-cloud-apps/proxy-intro-aad#supported-apps-and-clients