Workplace by Facebook session control not enforced

Occasional Contributor

Greetings everyone

We have setup AAD Conditional Access to proxy traffic for Workplace by Facebook to MCAS. We also setup an MCAS session policy to control file download and other activities.

We get redirected to MCAS during sign-in but we end up in Workplace direct URL( without session control. The same policy works for Salesforce, Azure and Offce365 Apps, enforcing session as expected.

We tried this on production environment and also test lab, with same behavior. Did anybody experience the same behavior? I can upload fiddler traces for a clearer picture if you wish.

Thanks in advance ofr your help.




8 Replies

@strav970 Would you be able to confirm the following? 

1. In the Azure AD Conditional Access Policy, check that Workplace by Facebook is selected as a Cloud App 



2. In the MCAS Session Policy, if you have App Selected in the filter, check that Workplace by Facebook is added

3. In the MCAS Confirm that Session Control is enabled for Workplace by Facebook 

Thank you very much Anisha for your feedback.
Indeed we do have all those configurations in place, but still can’t accomplish session control.



This is a screenshot from our lab tenant but we get same behavior in production.
I’m also attaching a fiddler trace in case you want to review.
I’m suspecting of ReplyURL and SAML configuration from Workplace, since they starting to change their URLs to, but I don’t have enough evidence to justify since it doesn’t seem obvious to me how this would affect MCAS.
SP Initiated is working ok, but IdpInit is throwing error from Workplace side, nonetheless its stated in MS Docs that SP Init is only support.

Thanks again for your help.


@Anisha Gupta 

I’m suspecting of ReplyURL and SAML configuration from Workplace, since they starting to change their URLs to 

In this case, you can add in a User Defined Domain within the settings of the application: 


1. Navigate to Conditional Access Control Apps 

2. Click the 3 Dots to the right and select Edit App 


3. Select View App Domains to see what domains MCAS recognizes (in this case is not categorized) 


4. Add in into the User-designed domains textbox to associate the domain 





Thanks @Anisha Gupta 

I cant seem to find the Edit App option for any of my Session Controlled Apps:

Annotation 2019-06-17 111921.png

These Apps are integrated through the Azure AD gallery.

Can you think of a reason why?

Thanks again for your help.

best response confirmed by strav970 (Occasional Contributor)

You should now be able to access the Edit App. The feature was rolled out with the new Any App Support for Session Control! 

Thanks Anisha!
Alex Esivob handed that information a few weeks ago, that's why I didnt bother you.
Great feature!! MCAS is setting the bar.

Of course @strav970

I am glad you were able to connect with Alex! Love the feedback!

Do you find with mcas on that it doesn’t load in tab info unless you refresh? Pretty much rendering Mobile app and browser useless?