cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

MCAS session policy with Conditional Access is blocking accessin external shares

Julien_Hacquard
Copper Contributor

‎Feb 28 2023 02:43 AM - edited ‎Feb 28 2023 02:45 AM

‎Feb 28 2023 02:43 AM - edited ‎Feb 28 2023 02:45 AM

MCAS session policy with Conditional Access is blocking accessin external shares

Hi,

I have a strange behavior between a test tenant and qualification tenant.

Technical context

  • On the source tenant MCAS is activated with session policy for all the MS services.
  • On the target tenant MCAS is not enabled.
  • User A from the source tenant is under conditional access policy to force MCAS session policy control.
  • User B from the source tenant is not.

Now the strange behavior

  • When user B tries to access a shared resource from the target tenant, he's able to access it.
  • When user A tries to access a shared resource from the target tenant, he's presenting a page with "Request Access" explaining "You need permission to access this site".

2023-02-23 09_22_17-Permissions access requests page.png

When we look at the traces (F12 > Network) for both connection context

  • User B nothing in particular
  • User A all the URLs are in form "*.mcas.ms"

When we deactivate the CA for the user A

  • No more issue with the access to the shared resource
  • All the URLs are normal without "*.mcas.ms"
  • to confirm activate CA and MCAS session policy for user B create the same issue with the permission access page so it really comes from here.

How and why MCAS session policy control from source tenant can block access to shared resource from target tenant ? Is it incompatible usage ?

1,388 Views
0 Likes
4 Replies
Reply
4 Replies
Keith_Fleming

‎Feb 28 2023 04:07 AM

‎Feb 28 2023 04:07 AM

Re: MCAS session policy with Conditional Access is blocking accessin external shares

Hi @Julien_Hacquard,

 

If the user is accessing from a shared link and SPO is authenticating the user the session will not redirect. You can use Purview DLP rules to block external access in this case.

1 Like
Reply
Julien_Hacquard

‎Feb 28 2023 05:38 AM

‎Feb 28 2023 05:38 AM

Re: MCAS session policy with Conditional Access is blocking accessin external shares

@Keith_Fleming 
Thanks for your message.


In my case i would like be redirected to the shared resource. The only solution found is to deactivate conditional access for MCAS session policy on the user. So i decrease our security to be able to collaborate with other tenants; This is not a desirable solution.

0 Likes
Reply
Keith_Fleming

‎Feb 28 2023 07:20 AM

‎Feb 28 2023 07:20 AM

Re: MCAS session policy with Conditional Access is blocking accessin external shares

@Julien_Hacquard let me confirm I'm understanding this correctly.

 

This is a cross tenant access scenario (B2B).

 

Session controls are enabled in the source tenant (let's call this tenant A)

Session controls are "not" enabled in the resource tenant (where the SPO site actually is stored - tenant B).

 

User 1 who is a normal user in tenant A is trying to access an SPO site in tenant B and does get proxied as expected

 

User 2 who is a normal user in tenant A is trying to access an SPO site in tenant B and gets an access denied message but when they are excluded from session controls they are able to access resources?

 

 

0 Likes
Reply
best response confirmed by Julien_Hacquard (Copper Contributor)
Julien_Hacquard

‎Jul 06 2023 05:26 AM

‎Jul 06 2023 05:26 AM

Solution

Re: MCAS session policy with Conditional Access is blocking accessin external shares

For people to know how it ends, this was a bug of MCAS in CASB proxy mode where the user was not redirect to the correct destination page. This has been solved by MS since.
Regards,
0 Likes
Reply
1 best response

Accepted Solutions
best response confirmed by Julien_Hacquard (Copper Contributor)
Julien_Hacquard

‎Jul 06 2023 05:26 AM

‎Jul 06 2023 05:26 AM

Solution

Re: MCAS session policy with Conditional Access is blocking accessin external shares

For people to know how it ends, this was a bug of MCAS in CASB proxy mode where the user was not redirect to the correct destination page. This has been solved by MS since.
Regards,

View solution in original post

0 Likes
Reply