
strav970
Copper Contributor
Jun 10, 2019
Solved

Workplace by Facebook session control not enforced

Greetings everyone

We have set up AAD Conditional Access to proxy traffic for Workplace by Facebook to MCAS. We also set up an MCAS session policy to control file download and other activities.

We get redirected to MCAS during sign-in but we end up in the Workplace direct URL (my.workplace.com) without session control. The same policy works for Salesforce, Azure and Office365 Apps, enforcing session as expected.

We tried this in the production environment and also in a test lab, with the same behavior. Did anybody experience the same behavior? I can upload Fiddler traces for a clearer picture if you wish.

Thanks in advance for your help.

Regards,

Federico

 

  • You should now be able to access the Edit App. The feature was rolled out with the new Any App Support for Session Control! 

8 Replies

  • strav970 Would you be able to confirm the following? 

    1. In the Azure AD Conditional Access Policy, check that Workplace by Facebook is selected as a Cloud App 

     

    2. In the MCAS Session Policy, if you have App Selected in the filter, check that Workplace by Facebook is added


    3. In MCAS, confirm that Session Control is enabled for Workplace by Facebook


    • strav970
      Copper Contributor

      Thank you very much Anisha for your feedback.
      Indeed we do have all those configurations in place, but still can’t accomplish session control.

       

      This is a screenshot from our lab tenant but we get the same behavior in production.
      I’m also attaching a Fiddler trace in case you want to review.
      I suspect the ReplyURL and SAML configuration from Workplace, since they are starting to change their URLs to my.workplace.com, but I don’t have enough evidence to justify this, since it doesn’t seem obvious to me how this would affect MCAS.
      SP Initiated is working OK, but IdpInit is throwing an error from the Workplace side; nonetheless, it's stated in MS Docs that only SP Init is supported.

      Thanks again for your help.

       

      Anisha Gupta 

      • Anisha Gupta
        Former Employee

        strav970 
        "I suspect the ReplyURL and SAML configuration from Workplace, since they are starting to change their URLs to my.workplace.com."

        In this case, you can add in a User Defined Domain within the settings of the application: 

         

        1. Navigate to Conditional Access Control Apps 

        2. Click the 3 Dots to the right and select Edit App 

        3. Select View App Domains to see what domains MCAS recognizes (in this case my.workplace.com is not categorized) 


        4. Add my.workplace.com into the User-defined domains textbox to associate the domain

         

         

         
