Forum Discussion
Solved
MCAS session policy with Conditional Access is blocking accessin external shares
Hi, I have a strange behavior between a test tenant and qualification tenant. Technical context On the source tenant MCAS is activated with session policy for all the MS services. On the targe...
- For people to know how it ends, this was a bug of MCAS in CASB proxy mode where the user was not redirect to the correct destination page. This has been solved by MS since.
Regards,
Keith_Fleming
Microsoft
MicrosoftHi Julien_Hacquard,
If the user is accessing from a shared link and SPO is authenticating the user the session will not redirect. You can use Purview DLP rules to block external access in this case.
Keith_Fleming
Thanks for your message.
In my case i would like be redirected to the shared resource. The only solution found is to deactivate conditional access for MCAS session policy on the user. So i decrease our security to be able to collaborate with other tenants; This is not a desirable solution.- Keith_Fleming
Julien_Hacquard let me confirm I'm understanding this correctly.
This is a cross tenant access scenario (B2B).
Session controls are enabled in the source tenant (let's call this tenant A)
Session controls are "not" enabled in the resource tenant (where the SPO site actually is stored - tenant B).
User 1 who is a normal user in tenant A is trying to access an SPO site in tenant B and does get proxied as expected
User 2 who is a normal user in tenant A is trying to access an SPO site in tenant B and gets an access denied message but when they are excluded from session controls they are able to access resources?
- For people to know how it ends, this was a bug of MCAS in CASB proxy mode where the user was not redirect to the correct destination page. This has been solved by MS since.
Regards,
