Feb 28 2023 02:43 AM - edited Feb 28 2023 02:45 AM
Hi,
I have a strange behavior between a test tenant and a qualification tenant.
Technical context
Now the strange behavior
When we look at the traces (F12 > Network) for both connection contexts
When we deactivate the CA for the user A
How and why can MCAS session policy control from the source tenant block access to a shared resource from the target tenant? Is it an incompatible usage?
Feb 28 2023 04:07 AM
Hi @Julien_Hacquard,
If the user is accessing from a shared link and SPO is authenticating the user, the session will not redirect. You can use Purview DLP rules to block external access in this case.
Feb 28 2023 05:38 AM
@Keith_Fleming
Thanks for your message.
In my case I would like to be redirected to the shared resource. The only solution found is to deactivate conditional access for the MCAS session policy on the user. So I decrease our security to be able to collaborate with other tenants; this is not a desirable solution.
Feb 28 2023 07:20 AM
@Julien_Hacquard let me confirm I'm understanding this correctly.
This is a cross tenant access scenario (B2B).
Session controls are enabled in the source tenant (let's call this tenant A).
Session controls are "not" enabled in the resource tenant (where the SPO site actually is stored - tenant B).
User 1, who is a normal user in tenant A, is trying to access an SPO site in tenant B and does get proxied as expected.
User 2, who is a normal user in tenant A, is trying to access an SPO site in tenant B and gets an access denied message, but when they are excluded from session controls they are able to access resources?
Jul 06 2023 05:26 AM