cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

Multiple Instances of the same app in Conditional Access App Control?

JoeDLP
Copper Contributor

‎Sep 29 2022 12:07 PM

‎Sep 29 2022 12:07 PM

Multiple Instances of the same app in Conditional Access App Control?

We have 4 ServiceNow instances (dev,test,stage,prod).  We have all 4 instances added to App connectors.  However, after adding one of the instances in Conditional Access App Control I've found I can't add the other 3.  When I go to Add and search for ServiceNow, it is there but I can't click on it.  Is there no way to add multiple instances of the same app to CAAC or am I missing something?

893 Views
0 Likes
4 Replies
Reply
4 Replies
Keith_Fleming

‎Sep 30 2022 09:28 AM

‎Sep 30 2022 09:28 AM

Re: Multiple Instances of the same app in Conditional Access App Control?

Hi @JoeDLP,

 

As a first step you'll need to complete a login to the app for it to appear.  There can be some limitations though with apps where there are overlapping domains.  If all 4 instances share namespaces, you should be able to configure your CA policy to send the session to Defender for Cloud Apps proxy which should allow you to control the session.  The caveat is that all the data would be attributed to the same app.

0 Likes
Reply
JoeDLP

‎Sep 30 2022 10:05 AM

‎Sep 30 2022 10:05 AM

Re: Multiple Instances of the same app in Conditional Access App Control?

@Keith_Fleming 

 

Hello.  Yes we have the one instance of Servicenow configured and are able to apply Access and Session controls.  Each of the 4 instances (acme-prod.service-now.com, acme-test.service-now.com, etc) each have their own SAML signin page and configuration.  So now I'm trying to figure out how to add the the other 3 instances.  You can see below if I try to add ServiceNow again it is greyed out and wont let me.  Also, the configuration for the instance I've already configured (see below) requires the ACS url of the instance, but each of our 4 instances has a different ACS URL.  And I don't see any way to add the other 3 ACS URLs of the other instances here.

 

CAAC_SN2 - Copy.jpgCAAC_SN1 - Copy.jpgCAAC_SN3.jpg

0 Likes
Reply
best response confirmed by JoeDLP (Copper Contributor)
Keith_Fleming

‎Oct 03 2022 01:27 PM

‎Oct 03 2022 01:27 PM

Solution

Re: Multiple Instances of the same app in Conditional Access App Control?

@JoeDLP can you try manually adding the app from the cloud app catalog?  This should allow you to select it so you can enter a different ACS address.  It's possible this might work but I don't believe it's actually been tested.

 

With 3rd party IDP (Ping, Okta, etc..) this can be a bit more challenging because the ACS endpoint is required but it's not for AAD. 

0 Likes
Reply
JoeDLP

‎Oct 05 2022 06:50 AM

‎Oct 05 2022 06:50 AM

Re: Multiple Instances of the same app in Conditional Access App Control?

Thank you, this worked. Specifically, on the Cloud Discovery page you can go to Actions > Add new custom app, and input the specific URL of the SN instance. Once that was complete, I was able to go to Connected apps > Conditional Access App Control apps > Add the new custom app I created. I created some test Access and Session control policies for the app and they work as expected.
0 Likes
Reply
1 best response

Accepted Solutions
best response confirmed by JoeDLP (Copper Contributor)
Keith_Fleming

‎Oct 03 2022 01:27 PM

‎Oct 03 2022 01:27 PM

Solution

Re: Multiple Instances of the same app in Conditional Access App Control?

@JoeDLP can you try manually adding the app from the cloud app catalog?  This should allow you to select it so you can enter a different ACS address.  It's possible this might work but I don't believe it's actually been tested.

 

With 3rd party IDP (Ping, Okta, etc..) this can be a bit more challenging because the ACS endpoint is required but it's not for AAD. 

View solution in original post

0 Likes
Reply