Mar 19 2019 12:44 AM
The whitelist you are maintaining at the application level could easily be configured at the Azure AD level, with IP reputation check in addition, plus verifying if the device is managed by your organization. This is one of the reason I'm recommending this approach.
Regarding the redirection to MCAS before reaching the application, this is not possible as this is something done at the identity provider level. The IdP verify the conditions (user, app, device, risk, ...) and is the one that decides if the session must be redirected to the reverse proxy before going to the app.