Conditional Access and MCAS policies matching

%3CLINGO-SUB%20id%3D%22lingo-sub-2217333%22%20slang%3D%22en-US%22%3EConditional%20Access%20and%20MCAS%20policies%20matching%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2217333%22%20slang%3D%22en-US%22%3E%3CP%3EWhen%20you%20create%20a%20CA%20policy%20you%20can%20use%20Custom%20Policy%20in%20the%20Session%20settings%20%3CSTRONG%3Eto%20redirect%20users%20through%20MCAS%3C%2FSTRONG%3E.%20Then%20in%20MCAS%20you%20can%20create%20say%20Session%20policies%20that%20are%20targeted%20to%20specific%20users%2Fgroups.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ELet's%20say%20I%20have%20CA%20policy1%20that%20targets%20%3CSTRONG%3EAlice%20and%20Bob%3C%2FSTRONG%3E%20for%20a%20specific%20cloud%20app%2C%20then%20in%20MCAS%20I%20have%20sesion-policy1%20targeted%20to%20Alice%20and%20Bob%20to%20take%20certain%20actions.%3C%2FP%3E%3CP%3EThen%20I%20have%20CA%20policy2%20for%20%3CSTRONG%3EAlice%2C%20Bob%20and%20John%3C%2FSTRONG%3E%20(with%20different%20settings)%2C%20and%20also%20an%20MCAS%20session-policy2%20for%20them%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHow%20are%20CA%20and%20MCAS%20policies%20%22matched%22%3F%20e.g.%20I%20want%20policy1%20to%20meet%20session-policy1%20but%20not%26nbsp%3Bsession-policy2%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22mikkele_0-1615993136628.jpeg%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F264854i5A8A6F392EF05571%2Fimage-size%2Fmedium%3Fv%3Dv2%26amp%3Bpx%3D400%22%20role%3D%22button%22%20title%3D%22mikkele_0-1615993136628.jpeg%22%20alt%3D%22mikkele_0-1615993136628.jpeg%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-2217333%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3ESecurity%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2232470%22%20slang%3D%22en-US%22%3ERe%3A%20Conditional%20Access%20and%20MCAS%20policies%20matching%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2232470%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F355824%22%20target%3D%22_blank%22%3E%40mikkele%3C%2FA%3E%26nbsp%3BMy%20guess%20the%20match%20is%20made%20based%20on%20the%20controls%20in%20your%20session%20policy.%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22LouisMastelinck_0-1616594038465.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F266669i5FA5C1FCE99F011C%2Fimage-size%2Fmedium%3Fv%3Dv2%26amp%3Bpx%3D400%22%20role%3D%22button%22%20title%3D%22LouisMastelinck_0-1616594038465.png%22%20alt%3D%22LouisMastelinck_0-1616594038465.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ESo%20I%20think%20you%20will%20have%20to%20scope%20your%20session%20policy%20to%20the%20same%20scope%20of%20your%20CA%20policy.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EKind%20regards%3C%2FP%3E%3CP%3ELouis%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2236973%22%20slang%3D%22en-US%22%3ERe%3A%20Conditional%20Access%20and%20MCAS%20policies%20matching%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2236973%22%20slang%3D%22en-US%22%3Eyeah%20but%20still%20if%20you%20look%20at%20my%20example%20above%20you%20can%20still%20have%20multiple%20CA%20policies%20that%20will%20be%20hitting%20an%20MCAS%20policies%20even%20if%20not%20planned%3CBR%20%2F%3ECA%20policy1%20and%20CA%20policy%202%20will%20both%20hit%20MCAS%20policy2%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2282493%22%20slang%3D%22en-US%22%3ERe%3A%20Conditional%20Access%20and%20MCAS%20policies%20matching%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2282493%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F355824%22%20target%3D%22_blank%22%3E%40mikkele%3C%2FA%3E%26nbsp%3B%3CBR%20%2F%3ESo%20I%20have%20done%20additional%20testing.%26nbsp%3B%3CBR%20%2F%3EAs%20soon%20you%20enable%20Conditional%20app%20access%20control%20all%20of%20the%20people%20who%20match%20the%20CA%20policy%20are%20forward%20to%20MCAS.%26nbsp%3B%3CBR%20%2F%3EIf%20the%20session%20control%20policy%20in%20MCAS%20had%20no%20group%20or%20user%20scope%20than%20it%20will%20apply%20all%20non%20scoped%20session%20control%20policies.%26nbsp%3B%3CBR%20%2F%3EIf%20you%20specify%20in%20the%20Session%20control%20policy%20the%20requirements%20then%20you%20will%20be%20able%20to%20scope%20them%20according%20to%20my%20tests.%26nbsp%3B%3CBR%20%2F%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%222021-04-23%2014_24_29-Excalidraw%20and%2030%20more%20pages%20-%20Work%20-%20Microsoft%E2%80%8B%20Edge.png%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F274957iFC387FA6A1E208CC%2Fimage-size%2Flarge%3Fv%3Dv2%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%222021-04-23%2014_24_29-Excalidraw%20and%2030%20more%20pages%20-%20Work%20-%20Microsoft%E2%80%8B%20Edge.png%22%20alt%3D%222021-04-23%2014_24_29-Excalidraw%20and%2030%20more%20pages%20-%20Work%20-%20Microsoft%20Edge.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ESo%20I%20believe%20you%20will%20have%20to%20recreate%20your%20conditions%20as%20good%20as%20possible%20in%20MCAS.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2344009%22%20slang%3D%22en-US%22%3ERe%3A%20Conditional%20Access%20and%20MCAS%20policies%20matching%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2344009%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F585791%22%20target%3D%22_blank%22%3E%40LouisMastelinck%3C%2FA%3E%26nbsp%3Bthanks%20so%20much%20for%20your%20reply%20and%20drawing.%3C%2FP%3E%3CP%3EI%20can%20see%20the%20difference%20in%20your%20example%20is%20that%20you%20have%201%20group%20in%20each%20CA%20(Marketing%20and%20HR)%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ELet's%20see%20if%20we%20have%20more%20than%20one%20group%20in%20a%20CA%20policy%3A%3C%2FP%3E%3CP%3ECA1%3A%3C%2FP%3E%3CP%3ETargets%3A%20%3CSTRONG%3EMarketing%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3EScope%3A%20Teams%3C%2FP%3E%3CP%3ESession%3A%20direct%20to%20MCAS%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ECA2%3A%3C%2FP%3E%3CP%3ETargets%3A%20%3CSTRONG%3EMarketing%2C%20HR%2C%20Sales%20%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3EScope%3A%20Teams%3C%2FP%3E%3CP%3ESession%3A%20direct%20to%20MCAS%3C%2FP%3E%3CP%3E%3CBR%20%2F%3EMCAS%20session-policy-1%3C%2FP%3E%3CP%3ETargets%3A%20%3CSTRONG%3EMarketing%20%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3EAction%3A%20prevent%20uploading%20files%20in%20Teams%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EMCAS%20session-policy-2%3C%2FP%3E%3CP%3ETargets%3A%20%3CSTRONG%3EMarketing%2C%20HR%2C%20Sales%20%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3EAction%3A%20cannot%20download%20sensitive%20files%20from%20Teams%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EMy%20idea%20was%20to%20have%20a%20matching%20so%20that%20CA1%20would%20hit%20only%20MCAS%20policy1%20and%20CA2%20hit%20only%20MCAS%20policy%202%2C%20but%20that's%20not%20the%20way%20it%20works%20I%20guess.%3CBR%20%2F%3EIf%20I%20understand%20correctly%20CA1%20will%20hit%20both%20MCAS-policy-1%20and%20MCAS-policy2%3CBR%20%2F%3EI%20believe%20there%20is%20also%20an%20evaluation%20priority%3C%2FP%3E%3C%2FLINGO-BODY%3E
Contributor

When you create a CA policy you can use Custom Policy in the Session settings to redirect users through MCAS. Then in MCAS you can create say Session policies that are targeted to specific users/groups.

 

Let's say I have CA policy1 that targets Alice and Bob for a specific cloud app, then in MCAS I have sesion-policy1 targeted to Alice and Bob to take certain actions.

Then I have CA policy2 for Alice, Bob and John (with different settings), and also an MCAS session-policy2 for them

 

How are CA and MCAS policies "matched"? e.g. I want policy1 to meet session-policy1 but not session-policy2

 

mikkele_0-1615993136628.jpeg

 

4 Replies

@mikkele My guess the match is made based on the controls in your session policy. 

LouisMastelinck_0-1616594038465.png

 

So I think you will have to scope your session policy to the same scope of your CA policy. 

 

Kind regards

Louis

yeah but still if you look at my example above you can still have multiple CA policies that will be hitting an MCAS policies even if not planned
CA policy1 and CA policy 2 will both hit MCAS policy2

@mikkele 
So I have done additional testing. 
As soon you enable Conditional app access control all of the people who match the CA policy are forward to MCAS. 
If the session control policy in MCAS had no group or user scope than it will apply all non scoped session control policies. 
If you specify in the Session control policy the requirements then you will be able to scope them according to my tests. 
2021-04-23 14_24_29-Excalidraw and 30 more pages - Work - Microsoft​ Edge.png

 

So I believe you will have to recreate your conditions as good as possible in MCAS. 

@LouisMastelinck thanks so much for your reply and drawing.

I can see the difference in your example is that you have 1 group in each CA (Marketing and HR)

 

Let's see if we have more than one group in a CA policy:

CA1:

Targets: Marketing

Scope: Teams

Session: direct to MCAS

 

CA2:

Targets: Marketing, HR, Sales

Scope: Teams

Session: direct to MCAS


MCAS session-policy-1

Targets: Marketing

Action: prevent uploading files in Teams

 

MCAS session-policy-2

Targets: Marketing, HR, Sales

Action: cannot download sensitive files from Teams

 

My idea was to have a matching so that CA1 would hit only MCAS policy1 and CA2 hit only MCAS policy 2, but that's not the way it works I guess.
If I understand correctly CA1 will hit both MCAS-policy-1 and MCAS-policy2
I believe there is also an evaluation priority