Jun 10 2019 08:29 AM
Greetings everyone
We have setup AAD Conditional Access to proxy traffic for Workplace by Facebook to MCAS. We also setup an MCAS session policy to control file download and other activities.
We get redirected to MCAS during sign-in but we end up in the Workplace direct URL (my.workplace.com) without session control. The same policy works for Salesforce, Azure and Office 365 Apps, enforcing session as expected.
We tried this on production environment and also test lab, with same behavior. Did anybody experience the same behavior? I can upload fiddler traces for a clearer picture if you wish.
Thanks in advance for your help.
Regards,
Federico
Jun 12 2019 01:45 AM
@strav970 Would you be able to confirm the following?
1. In the Azure AD Conditional Access Policy, check that Workplace by Facebook is selected as a Cloud App
2. In the MCAS Session Policy, if you have App Selected in the filter, check that Workplace by Facebook is added
3. In MCAS, confirm that Session Control is enabled for Workplace by Facebook
Jun 13 2019 11:23 AM
Thank you very much Anisha for your feedback.
Indeed we do have all those configurations in place, but still can’t accomplish session control.
This is a screenshot from our lab tenant but we get same behavior in production.
I’m also attaching a fiddler trace in case you want to review.
I’m suspecting the ReplyURL and SAML configuration from Workplace, since they are starting to change their URLs to my.workplace.com, but I don’t have enough evidence to justify it, since it doesn’t seem obvious to me how this would affect MCAS.
SP-initiated is working OK, but IdP-initiated is throwing an error from the Workplace side; nonetheless, it’s stated in MS Docs that only SP-initiated is supported.
Thanks again for your help.
Jun 13 2019 07:48 PM
@strav970
> I’m suspecting the ReplyURL and SAML configuration from Workplace, since they are starting to change their URLs to my.workplace.com.
In this case, you can add in a User Defined Domain within the settings of the application:
1. Navigate to Conditional Access Control Apps
2. Click the 3 Dots to the right and select Edit App
3. Select View App Domains to see what domains MCAS recognizes (in this case my.workplace.com is not categorized)
4. Add my.workplace.com into the User-defined domains textbox to associate the domain
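The steps above amount to comparing the hosts the browser actually visits against the domains MCAS recognises for the app. The following script is an added example, not code from the thread or from Microsoft: it takes a list of request URLs (a constructed stand-in for the Fiddler trace mentioned earlier) and reports which hosts were served through the MCAS proxy, which app hosts were reached directly, and which of those MCAS does not recognise and so are candidates for the User-defined domains box. It assumes the `.mcas.ms` proxy suffix that MCAS appends to proxied hostnames; the recognised-domain set and the sample trace are assumptions made for this example.

```python
from urllib.parse import urlsplit

# MCAS rewrites a proxied app host by appending this suffix (e.g. my.workplace.com.mcas.ms).
# Assumed for this example; confirm against your own tenant's session URLs.
PROXY_SUFFIX = ".mcas.ms"

# Identity endpoints that are expected to be visited directly during sign-in.
IDENTITY_HOSTS = {"login.microsoftonline.com"}

# Domains MCAS is assumed to already recognise for the app (constructed for this example).
RECOGNISED_APP_DOMAINS = {"www.workplace.com", "work.facebook.com"}

# Constructed stand-in for a Fiddler trace: sign-in goes through MCAS, then the app
# lands on my.workplace.com without the proxy suffix, i.e. outside session control.
SAMPLE_TRACE = [
    "https://login.microsoftonline.com/common/oauth2/authorize?client_id=example",
    "https://www.workplace.com.mcas.ms/work/landing/input/",
    "https://my.workplace.com/home",
    "https://my.workplace.com/files/download/example",
]


def _host(url):
    """Lower-cased hostname of a URL, or an empty string if it has none."""
    return (urlsplit(url).hostname or "").lower()


def _matches(host, domain):
    """True if host equals domain or is a subdomain of it (dot-boundary match)."""
    return host == domain or host.endswith("." + domain)


def classify_request(url, recognised=RECOGNISED_APP_DOMAINS):
    """Classify one request by where it was served from."""
    host = _host(url)
    if host.endswith(PROXY_SUFFIX):
        return "proxied"            # session control applied
    if host in IDENTITY_HOSTS:
        return "identity"           # normal sign-in traffic
    if any(_matches(host, d) for d in recognised):
        return "direct_recognised"  # known app domain reached without the proxy
    return "direct_unrecognised"    # app domain MCAS does not know about


def analyse_trace(urls, recognised=RECOGNISED_APP_DOMAINS):
    """Group the distinct hosts in a trace by classification."""
    report = {
        "proxied": set(),
        "identity": set(),
        "direct_recognised": set(),
        "direct_unrecognised": set(),
    }
    for url in urls:
        report[classify_request(url, recognised)].add(_host(url))
    return report


def candidate_user_defined_domains(urls, recognised=RECOGNISED_APP_DOMAINS):
    """Hosts reached directly that MCAS does not recognise: add these as user-defined domains."""
    return sorted(analyse_trace(urls, recognised)["direct_unrecognised"])


def session_control_bypassed(urls, recognised=RECOGNISED_APP_DOMAINS):
    """True if any app host was reached directly after the session had been proxied."""
    seen_proxy = False
    for url in urls:
        kind = classify_request(url, recognised)
        if kind == "proxied":
            seen_proxy = True
        elif seen_proxy and kind.startswith("direct_"):
            return True
    return False


if __name__ == "__main__":
    report = analyse_trace(SAMPLE_TRACE)
    for kind, hosts in report.items():
        print(f"{kind:20} {sorted(hosts)}")
    print("bypassed:", session_control_bypassed(SAMPLE_TRACE))
    print("add as user-defined domains:", candidate_user_defined_domains(SAMPLE_TRACE))
```

Replace `SAMPLE_TRACE` with the request URLs exported from your own trace and `RECOGNISED_APP_DOMAINS` with the list shown under View App Domains; any host left in `direct_unrecognised` is what step 4 above tells you to add.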
Jun 17 2019 07:21 AM
Thanks @Anisha Gupta
I can't seem to find the Edit App option for any of my Session Controlled Apps:
These Apps are integrated through the Azure AD gallery.
Can you think of a reason why?
Thanks again for your help.
Jul 24 2019 04:52 PM
Solution: You should now be able to access the Edit App. The feature was rolled out with the new Any App Support for Session Control!
Jul 29 2019 06:48 AM
Of course @strav970,
I am glad you were able to connect with Alex! Love the feedback!