SOLVED

MCAS session policy with Conditional Access is blocking access to external shares


Hi,

I have a strange behavior between a test tenant and a qualification tenant.

Technical context

  • On the source tenant MCAS is activated with a session policy for all the MS services.
  • On the target tenant MCAS is not enabled.
  • User A from the source tenant is under conditional access policy to force MCAS session policy control.
  • User B from the source tenant is not.

Now the strange behavior

  • When user B tries to access a shared resource from the target tenant, he's able to access it.
  • When user A tries to access a shared resource from the target tenant, he's presented with a "Request Access" page explaining "You need permission to access this site".

[Screenshot: Permissions access requests page]

When we look at the traces (F12 > Network) for both connection contexts:

  • User B: nothing in particular
  • User A: all the URLs are of the form "*.mcas.ms"

When we deactivate the CA for user A:

  • No more issue with the access to the shared resource
  • All the URLs are normal, without "*.mcas.ms"
  • To confirm: activating CA and the MCAS session policy for user B creates the same issue with the permission access page, so it really comes from here.

How and why can the MCAS session policy control from the source tenant block access to a shared resource from the target tenant? Is it an incompatible usage?
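The F12 > Network check described above can be automated from a saved HAR export of the browser session. The script below is an added illustration, not code from this thread or from Microsoft; it assumes the Defender for Cloud Apps (MCAS) reverse proxy exposes the original application host with a ".mcas.ms" suffix appended (so the origin host can be recovered by stripping that suffix), and that an SPO access-denied page has "accessdenied" somewhere in its path. The embedded HAR fragment, hostnames included, is constructed for the example.

```python
import json
from urllib.parse import urlsplit

# Constructed sample: a minimal HAR-shaped structure (what F12 > Network >
# "Save all as HAR" produces), trimmed to the fields this script reads.
# Hostnames and paths are invented for illustration.
SAMPLE_HAR = {
    "log": {
        "entries": [
            {"request": {"url": "https://targettenant.sharepoint.com.mcas.ms/sites/Shared/Forms/AllItems.aspx"},
             "response": {"status": 302}},
            {"request": {"url": "https://targettenant.sharepoint.com.mcas.ms/_layouts/15/AccessDenied.aspx"},
             "response": {"status": 200}},
            {"request": {"url": "https://login.microsoftonline.com/common/oauth2/authorize"},
             "response": {"status": 200}},
            {"request": {"url": "https://targettenant.sharepoint.com/sites/Shared/Forms/AllItems.aspx"},
             "response": {"status": 200}},
        ]
    }
}

# Assumption: the session-control proxy rewrites app hostnames by appending this suffix.
PROXY_SUFFIX = ".mcas.ms"


def origin_host(host):
    """Return the application host behind a proxied hostname.

    Assumption: contoso.sharepoint.com is surfaced as contoso.sharepoint.com.mcas.ms.
    Hosts that do not carry the suffix are returned unchanged.
    """
    if host.endswith(PROXY_SUFFIX):
        return host[:-len(PROXY_SUFFIX)]
    return host


def classify_har(har):
    """Split HAR entries into proxied (session-controlled) and direct requests.

    Returns per-host request counts for both groups plus the proxied URLs that
    ended on an access-denied page, which is what the original poster saw for
    user A. The "accessdenied" path heuristic is an assumption for SPO.
    """
    proxied, direct, denied = {}, {}, []
    for entry in har["log"]["entries"]:
        url = entry["request"]["url"]
        parts = urlsplit(url)
        host = parts.hostname or ""
        if host.endswith(PROXY_SUFFIX):
            proxied[host] = proxied.get(host, 0) + 1
            if "accessdenied" in parts.path.lower():
                denied.append(url)
        else:
            direct[host] = direct.get(host, 0) + 1
    return {"proxied": proxied, "direct": direct, "denied": denied}


def is_session_proxied(har):
    """True when at least one request in the capture went through the proxy."""
    return bool(classify_har(har)["proxied"])


def load_har(path):
    """Load a real HAR file exported from the browser developer tools."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


if __name__ == "__main__":
    report = classify_har(SAMPLE_HAR)
    print("session proxied:", is_session_proxied(SAMPLE_HAR))
    print("proxied hosts (origin -> requests):",
          {origin_host(h): n for h, n in report["proxied"].items()})
    print("direct hosts:", report["direct"])
    print("access-denied pages reached via proxy:", report["denied"])
```

Run it against a real export with `classify_har(load_har("capture.har"))`: a capture for a user outside the Conditional Access scope should show an empty "proxied" map, while a user in scope shows the SPO host under the ".mcas.ms" suffix. Comparing the two side by side isolates whether the session control, rather than the target tenant's sharing settings, is what produces the "Request Access" page.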

4 Replies

Hi @Julien_Hacquard,

If the user is accessing from a shared link and SPO is authenticating the user, the session will not redirect. You can use Purview DLP rules to block external access in this case.

@Keith_Fleming
Thanks for your message.

In my case I would like to be redirected to the shared resource. The only solution found is to deactivate conditional access for the MCAS session policy on the user. So I decrease our security to be able to collaborate with other tenants; this is not a desirable solution.

@Julien_Hacquard let me confirm I'm understanding this correctly.

This is a cross-tenant access scenario (B2B).

Session controls are enabled in the source tenant (let's call this tenant A).

Session controls are "not" enabled in the resource tenant (where the SPO site is actually stored, tenant B).

User 1, who is a normal user in tenant A, is trying to access an SPO site in tenant B and does get proxied as expected.

User 2, who is a normal user in tenant A, is trying to access an SPO site in tenant B and gets an access denied message, but when they are excluded from session controls they are able to access resources?

best response confirmed by Julien_Hacquard (Copper Contributor)
Solution
For people to know how it ends, this was a bug of MCAS in CASB proxy mode where the user was not redirected to the correct destination page. This has been solved by MS since.
Regards,
