Conditional Access App Control keeps Bypassing

Hi all,

I've set up a Conditional Access policy in Entra ID with the following settings:

  • Targeted User: me (as a test)
  • Targeted Resource: Office 365 (I'm interested specifically in SharePoint and OWA)
  • Session Control: Use Conditional Access App Control > Custom Policy

I've then set up two policies in the Defender CAS service, one that prevents downloads and one that prevents Cut/Copy. I've not used the templates as I'd like to learn how to create these from scratch anyway.

The targets for both policies in CAS are simply App > Manual Onboarding > Microsoft Online Services. My understanding is that using "Microsoft Online Services" here should basically encompass all services I want. If I go to Settings in Defender, Microsoft Exchange Online and Microsoft SharePoint both show as onboarded and enabled.

When I sign into one of these services, I can see it try and redirect me to the mcas.ms URL, but then it falls back to the original and the controls in my policies are not applied. If I check in the Activity Log, my sign-ins show as "Bypass Session Control".

Does anyone know what I might be missing?

TIA

1 Reply
Tough to say like that. Can you please share a capture of your policy filters? (Please tag me in your response so I'll be notified.)