Conditional access policy not recognised

Hello everyone,

We're evaluating Cloud Apps session/conditional access/session policies but have hit a weird snag.

We have created a conditional access policy in EntraID with session control of Use Conditional Access App Control. This was initially set to Monitor Only (Preview).

I then signed in with the test user and logged into the various 365 services, and confirmed these apps were onboarded into the Conditional Access App Control apps page.

So far so good. However, when I've attempted to create either an Access or Session Policy in the Cloud Apps Policy Management section, there is an error saying that there are no conditional access policies set up.

I changed the conditional access policies in Entra ID to "Custom Policy" and waited a few hours, but I'm still getting the error. I have created additional conditional access policies in EntraID from scratch and waited overnight, but it still seems that EntraID and the Cloud Apps parts aren't talking with each other.

When I create a policy, I get a warning that there isn't a corresponding CA policy. The Access/Session policy is created, but has [Entra ID Policy Missing] in the title.

I'm not sure where I'm going wrong with this. I've followed various guides and checked various forums but aside from the obvious I'm at a loss. Has anyone else come up against this before, or should I raise a ticket with MS to look at the back end?

Thanks in advance,

Mark

2 Replies
Hello @HidMov,

The issue you’re experiencing is likely due to a synchronization delay or configuration misalignment between Entra ID Conditional Access and the Cloud App Security portal. When creating Conditional Access policies, it’s important to ensure that they have the appropriate session control settings enabled, specifically the Use Conditional Access App Control option. If using the Monitor Only (Preview) mode, there may be limitations or inconsistencies, as preview features can sometimes behave differently. It would be advisable to switch the session control to a more stable setting like Block or Monitor and Enforce to see if this resolves the problem.

Additionally, verify that the integration between Entra ID and Cloud App Security is correctly configured by navigating to the Defender for Cloud Apps portal and checking the integration status under Settings - Conditional Access App Control. If the status is not connected or shows any errors, re-establish the connection. Also, check if the targeted applications in your Conditional Access policies match those you’re trying to control through Cloud App Security, as a mismatch can cause policies to not be recognized. Since you also mentioned using a custom policy configuration, ensure that the newly created policies are correctly targeting the users and applications for which you want to enforce session controls.

If the issue persists, try creating a fresh Conditional Access policy, assigning it to a different test user, and seeing if it is recognized by Cloud App Security. If none of these steps resolve the issue, there may be a backend synchronization problem or a bug in the current implementation of these features, and opening a support case with Microsoft would be recommended for further investigation.

Kind regards.
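
One way to check the Entra ID side of the steps in the reply above, as an added example that is not part of the original thread: it reads conditional access policies in the shape Microsoft Graph returns from `/identity/conditionalAccess/policies` and lists those with the Conditional Access App Control session control, with their state, control type and targets. The sample policies, names and IDs are constructed, and the function names are hypothetical.

```python
import json

# Constructed sample shaped like the "value" array that Microsoft Graph returns
# for GET /identity/conditionalAccess/policies (names and IDs are made up).
SAMPLE = json.loads("""{"value": [
 {"displayName": "App Control - test user", "state": "enabled",
  "conditions": {"users": {"includeUsers": ["11111111-aaaa-4bbb-8ccc-000000000001"]},
                 "applications": {"includeApplications": ["Office365"]}},
  "sessionControls": {"cloudAppSecurity": {"isEnabled": true,
                                           "cloudAppSecurityType": "mcasConfigured"}}},
 {"displayName": "App Control - pilot (report-only)",
  "state": "enabledForReportingButNotEnforced",
  "conditions": {"users": {"includeUsers": ["All"]},
                 "applications": {"includeApplications": ["All"]}},
  "sessionControls": {"cloudAppSecurity": {"isEnabled": true,
                                           "cloudAppSecurityType": "monitorOnly"}}},
 {"displayName": "Require MFA", "state": "enabled",
  "conditions": {"users": {"includeUsers": ["All"]},
                 "applications": {"includeApplications": ["All"]}},
  "sessionControls": null}
]}""")


def app_control_policies(policies):
    """Return one summary row per policy that has the App Control session control on."""
    rows = []
    for p in policies:
        cas = ((p.get("sessionControls") or {}).get("cloudAppSecurity")) or {}
        if not cas.get("isEnabled"):
            continue  # no "Use Conditional Access App Control" on this policy
        cond = p.get("conditions") or {}
        rows.append({
            "name": p.get("displayName"),
            "state": p.get("state"),  # enabled / disabled / enabledForReportingButNotEnforced
            "type": cas.get("cloudAppSecurityType"),  # monitorOnly / blockDownloads / mcasConfigured
            "users": (cond.get("users") or {}).get("includeUsers") or [],
            "apps": (cond.get("applications") or {}).get("includeApplications") or [],
        })
    return rows


def enforced_for_user(rows, user_id):
    """Names of enabled App Control policies that include the user directly or via "All".
    Group, role and exclusion conditions are not evaluated here."""
    return [r["name"] for r in rows
            if r["state"] == "enabled" and ({"All", user_id} & set(r["users"]))]
```

To run it against a real tenant, replace `SAMPLE` with the JSON exported from that Graph endpoint and pass the test user's object ID.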
Thanks @josequintino - I've run through everything and it still looks like it should be set up correctly, but still not seeing that a CA is configured. I've raised a ticket with MS who can hopefully give something a kick in the backend.