Mar 17 2021 08:02 AM
When you create a CA policy you can use Custom Policy in the Session settings to redirect users through MCAS. Then in MCAS you can create, say, session policies that are targeted to specific users/groups.
Let's say I have CA policy1 that targets Alice and Bob for a specific cloud app, then in MCAS I have session-policy1 targeted to Alice and Bob to take certain actions.
Then I have CA policy2 for Alice, Bob and John (with different settings), and also an MCAS session-policy2 for them.
How are CA and MCAS policies "matched"? e.g. I want policy1 to meet session-policy1 but not session-policy2
Mar 24 2021 06:55 AM
@mikkele My guess is the match is made based on the controls in your session policy.
So I think you will have to scope your session policy to the same scope as your CA policy.
Kind regards
Louis
Mar 25 2021 11:14 PM
Apr 23 2021 05:26 AM
@mikkele
So I have done additional testing.
As soon as you enable Conditional app access control, all of the people who match the CA policy are forwarded to MCAS.
If the session control policy in MCAS has no group or user scope, then it will apply all non-scoped session control policies.
If you specify the requirements in the session control policy, then you will be able to scope them, according to my tests.
So I believe you will have to recreate your conditions as well as possible in MCAS.
May 11 2021 03:28 AM
@LouisMastelinck thanks so much for your reply and drawing.
I can see the difference in your example is that you have 1 group in each CA (Marketing and HR)
Let's see if we have more than one group in a CA policy:
CA1:
Targets: Marketing
Scope: Teams
Session: direct to MCAS
CA2:
Targets: Marketing, HR, Sales
Scope: Teams
Session: direct to MCAS
MCAS session-policy-1
Targets: Marketing
Action: prevent uploading files in Teams
MCAS session-policy-2
Targets: Marketing, HR, Sales
Action: cannot download sensitive files from Teams
My idea was to have a matching so that CA1 would hit only MCAS policy1 and CA2 hit only MCAS policy 2, but that's not the way it works I guess.
If I understand correctly, CA1 will hit both MCAS-policy-1 and MCAS-policy2.
I believe there is also an evaluation priority.
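
The behaviour described in this thread, modelled as an added example (not code from any poster and not Microsoft's evaluation logic). It assumes, as the posts report, that a CA policy only routes the sign-in to MCAS and that every session policy whose scope matches the user then applies, with unscoped session policies applying to everyone routed. All class and function names are hypothetical, and the policy data is constructed from the CA1/CA2 layout above.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class CAPolicy:
    name: str
    groups: frozenset      # groups targeted by the CA policy
    app: str
    route_to_mcas: bool    # session control "direct to MCAS"

@dataclass(frozen=True)
class SessionPolicy:
    name: str
    groups: frozenset      # empty set = no user/group scope
    app: str
    action: str

# Constructed from the layout in the last post.
CA = [CAPolicy("CA1", frozenset({"Marketing"}), "Teams", True),
      CAPolicy("CA2", frozenset({"Marketing", "HR", "Sales"}), "Teams", True)]
SESSION = [SessionPolicy("session-policy-1", frozenset({"Marketing"}), "Teams", "block upload"),
           SessionPolicy("session-policy-2", frozenset({"Marketing", "HR", "Sales"}), "Teams",
                         "block sensitive download")]

def routed(user_groups, app, ca_policies):
    """Names of CA policies that send this sign-in through MCAS."""
    return [p.name for p in ca_policies
            if p.route_to_mcas and p.app == app and p.groups & user_groups]

def applied(user_groups, app, ca_policies, session_policies):
    """Session policies hit once routed; which CA policy did the routing is not an input."""
    if not routed(user_groups, app, ca_policies):
        return []
    return [s.name for s in session_policies
            if s.app == app and (not s.groups or s.groups & user_groups)]

def overlap_report(ca_policies, session_policies, intended):
    """Per CA policy: session policies that reach its groups besides the intended one."""
    report = {}
    for ca in ca_policies:
        extra = []
        for group in sorted(ca.groups):   # check each targeted group on its own
            for name in applied(frozenset({group}), ca.app, ca_policies, session_policies):
                if name != intended[ca.name] and name not in extra:
                    extra.append(name)
        report[ca.name] = extra
    return report

if __name__ == "__main__":
    pairing = {"CA1": "session-policy-1", "CA2": "session-policy-2"}
    print(overlap_report(CA, SESSION, pairing))
```

Under these assumptions, a non-empty list in the report means the intended one-to-one pairing does not hold for that CA policy, and the session policy scopes need narrowing in MCAS itself.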