Conditional access app control vs. Conditional access

Frequent Contributor

Hello all


I'm trying to understand when i would use one vs. the other? On the surface it looks like "Conditional access app control" is used when i want to redirect my 3rd party saml apps to MCAS, and "Conditional access" in cloud app security only applies to the built in O365 apps ? Is this correct ?

1 Reply
Conditional Access is a feature of Azure Active Directory Premium

Conditional Access App Control is a feature of MDCA.

Conditional Access in Azure AD is similar in functionality to Access Policies in MDCA. They do not proxy the entire session, but rather evaluate access at sign-in or token refresh time. Azure AD does not have a reverse proxy for SaaS apps, like the CAAC session proxy in MDCA.

Generally speaking, you should use Azure AD for CA for scenarios where its features meet your needs and only use CAAC, when necessary. The primary cases for MDC CAAC would be (1) using device certificates to evaluate device trust with access policies, (2) reverse proxying the entire user session through the CAAC session proxy to achieve download/upload controls, or other real-time controls, or (3) doing conditional access for a SAML app that relies on some IDP other than Azure AD.

Hope that helps.