Forum Discussion
HidMov
Oct 02, 2024, Steel Contributor
Conditional access policy not recognised
Hello everyone, We're evaluating Cloud Apps session/conditional access/session policies but have hit a weird snag. We have created a conditional access policy in EntraID with session control ...
josequintino
Iron Contributor
Hello HidMov,
The issue you’re experiencing is likely due to a synchronization delay or configuration misalignment between Entra ID Conditional Access and the Cloud App Security portal. When creating Conditional Access policies, it’s important to ensure that they have the appropriate session control settings enabled, specifically the Use Conditional Access App Control option. If using the Monitor Only (Preview) mode, there may be limitations or inconsistencies, as preview features can sometimes behave differently. It would be advisable to switch the session control to a more stable setting like Block or Monitor and Enforce to see if this resolves the problem.
Additionally, verify that the integration between Entra ID and Cloud App Security is correctly configured by navigating to the Defender for Cloud Apps portal and checking the integration status under Settings - Conditional Access App Control. If the status is not connected or shows any errors, re-establish the connection. Also, check if the targeted applications in your Conditional Access policies match those you’re trying to control through Cloud App Security, as a mismatch can cause policies to not be recognized. Since you also mentioned using a custom policy configuration, ensure that the newly created policies are correctly targeting the users and applications for which you want to enforce session controls.
If the issue persists, try creating a fresh Conditional Access policy, assigning it to a different test user, and seeing if it is recognized by Cloud App Security. If none of these steps resolve the issue, there may be a backend synchronization problem or a bug in the current implementation of these features, and opening a support case with Microsoft would be recommended for further investigation.
Kind regards.
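The checklist in the reply above (policy enabled, "Use Conditional Access App Control" session control set, target app and test user actually in scope) can be run against the raw policy objects rather than by clicking through the portal. The following script is an added example written for this thread, not Microsoft's code. It audits a constructed sample shaped like the Microsoft Graph conditionalAccessPolicy resource (the `value` array returned by `GET https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies`); the key names (`state`, `conditions.applications`, `conditions.users`, `sessionControls.cloudAppSecurity`) follow the Graph schema, while the pass/fail rules, the placeholder IDs and the set of apps the `Office365` pseudo-application expands to are assumptions made for the example.

```python
"""Audit Entra ID Conditional Access policies for a Defender for Cloud Apps
session control. Added example for this thread, not Microsoft's code.

SAMPLE_POLICIES is a CONSTRUCTED sample in the shape of the Microsoft Graph
conditionalAccessPolicy resource (the "value" array of
GET https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies).
The checks below encode the checklist from the reply above; they are the
example author's assumptions about what a policy needs before Defender for
Cloud Apps will see it, not a description of the Defender backend.
"""

# Constructed identifiers for the sample; not real tenant, user or app IDs.
TEST_USER_ID = "user-0001"
TEST_USER_GROUPS = {"group-owa-pilot"}
EXCHANGE_APP_ID = "app-exchange-online"
# Assumption for the sample: app IDs that the "Office365" pseudo-app covers.
OFFICE365_APP_IDS = {EXCHANGE_APP_ID, "app-sharepoint-online"}

SAMPLE_POLICIES = [
    {   # should pass every check
        "id": "policy-1",
        "displayName": "OWA - MDCA custom session policy",
        "state": "enabled",
        "conditions": {
            "applications": {"includeApplications": ["Office365"], "excludeApplications": []},
            "users": {"includeUsers": [], "includeGroups": ["group-owa-pilot"], "excludeUsers": []},
        },
        "sessionControls": {
            "cloudAppSecurity": {"isEnabled": True, "cloudAppSecurityType": "mcasConfigured"}
        },
    },
    {   # report-only state and the test user is excluded
        "id": "policy-2",
        "displayName": "OWA - monitor only, report-only state",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "applications": {"includeApplications": [EXCHANGE_APP_ID], "excludeApplications": []},
            "users": {"includeUsers": ["All"], "includeGroups": [], "excludeUsers": [TEST_USER_ID]},
        },
        "sessionControls": {
            "cloudAppSecurity": {"isEnabled": True, "cloudAppSecurityType": "monitorOnly"}
        },
    },
    {   # an ordinary grant-control policy with no session control at all
        "id": "policy-3",
        "displayName": "Require MFA for all apps",
        "state": "enabled",
        "conditions": {
            "applications": {"includeApplications": ["All"], "excludeApplications": []},
            "users": {"includeUsers": ["All"], "includeGroups": [], "excludeUsers": []},
        },
        "sessionControls": None,
    },
]

# cloudAppSecurityType values defined in the Graph schema: mcasConfigured
# ("Use custom policy..."), monitorOnly, blockDownloads.
VALID_CAS_TYPES = {"mcasConfigured", "monitorOnly", "blockDownloads"}


def app_in_scope(policy, app_id):
    """True if the policy's application condition covers app_id."""
    apps = (policy.get("conditions") or {}).get("applications") or {}
    include = apps.get("includeApplications") or []
    if app_id in (apps.get("excludeApplications") or []):
        return False
    if "All" in include or app_id in include:
        return True
    return "Office365" in include and app_id in OFFICE365_APP_IDS


def user_in_scope(policy, user_id, group_ids):
    """True if the policy's user condition covers user_id directly or via a group."""
    users = (policy.get("conditions") or {}).get("users") or {}
    if user_id in (users.get("excludeUsers") or []):
        return False
    include_users = users.get("includeUsers") or []
    if "All" in include_users or user_id in include_users:
        return True
    return bool(set(users.get("includeGroups") or []) & set(group_ids))


def audit_policy(policy, app_id, user_id, group_ids):
    """Return the reasons this policy would not hand the app/user session to
    Defender for Cloud Apps; an empty list means every check passed."""
    problems = []
    if policy.get("state") != "enabled":
        problems.append(f"state is {policy.get('state')!r}, not 'enabled'")
    cas = (policy.get("sessionControls") or {}).get("cloudAppSecurity") or {}
    if not cas.get("isEnabled"):
        problems.append("no 'Use Conditional Access App Control' session control")
    elif cas.get("cloudAppSecurityType") not in VALID_CAS_TYPES:
        problems.append(f"unexpected cloudAppSecurityType {cas.get('cloudAppSecurityType')!r}")
    if not app_in_scope(policy, app_id):
        problems.append(f"target app {app_id} not in includeApplications")
    if not user_in_scope(policy, user_id, group_ids):
        problems.append(f"test user {user_id} not in scope")
    return problems


def audit(policies, app_id, user_id, group_ids):
    """Map each policy's displayName to its list of problems."""
    return {p["displayName"]: audit_policy(p, app_id, user_id, group_ids) for p in policies}


if __name__ == "__main__":
    report = audit(SAMPLE_POLICIES, EXCHANGE_APP_ID, TEST_USER_ID, TEST_USER_GROUPS)
    for name, problems in report.items():
        print(f"{'OK ' if not problems else 'BAD'} {name}")
        for problem in problems:
            print(f"      - {problem}")
```

Feed it the real `value` array from Graph (and the real app and user/group IDs) and a policy that passes all four checks is one the portal should be able to list; a policy flagged for report-only state or for a missing cloudAppSecurity control is the usual reason nothing shows up. The script only covers the Entra side: it cannot see the Defender for Cloud Apps integration status or a tenant mismatch like the one Microsoft support raised later in this thread.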
HidMov
Oct 02, 2024, Steel Contributor
Thanks josequintino - I've run through everything and it still looks like it should be set up correctly, but I'm still not seeing that a CA is configured. I've raised a ticket with MS who can hopefully give something a kick in the backend.
davide984
Oct 24, 2024, Copper Contributor
Hi Mark,
I've actually got the exact same issue. I'm trying to block print from OWA on a non-compliant device. The creation of the CA and the Session Policy is very straightforward, as you could also have noticed. However, I'm getting the same error.
The admin user has the Defender for Cloud Apps license applied; I've also applied the same license to the target users, but it hasn't made any difference.
Any luck from Microsoft Support?
In the meantime, if I find the cause of that error message, I will let you know.
HidMov
Oct 29, 2024, Steel Contributor
Hi davide984,
Still with MS support, I'm afraid. They've informed me that our EntraID tenant and Exchange Tenant do not match and asked us why. I've informed them that we've done nothing knowingly to make them different, if it were even possible for us to do so. They've gone back to the back end team for further investigation.
We've extended our trial, but it's frustrating that this showstopper doesn't seem to have an easy fix.