Conditional Access app control


I have configured a CA policy to use a custom policy for CA app control. When I navigate to Cloud App Security and "Conditional Access App Control apps" and add an app, I search for SharePoint. I then receive the message below. When I click "start wizard" it's asking for a metadata file. Does this feature not work with O365 applications like SharePoint and Exchange Online? Also, if I navigate to policies in MCAS, click on "Conditional access" and create a new session policy, I receive the below message. It's asking me to first create CA app control, but as I previously mentioned it's asking me for a metadata file, but I'm trying to protect SharePoint Online. Very confused here.

https://docs.microsoft.com/en-us/cloud-app-security/proxy-deployment-aad

2 Replies
For the featured apps (mostly Office 365 related) you can set up a CA policy directly in Azure AD to enable CAAC. Create a new policy, make sure that you select the correct cloud app under the Assignments tab, and then go to Session and select the 'Conditional Access App Control' checkbox. It'll allow you to block downloads or monitor only. You still won't be able to define custom policies there for these apps though. The custom policies at a high level also offer the same actions.

This is documented at https://docs.microsoft.com/en-us/cloud-app-security/proxy-deployment-aad#step-1--configure-your-idp-...

Also, for greater insight into Office 365, I would recommend connecting Office 365 to MCAS.
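
As an added example (not part of the thread or of Microsoft's documentation): the kind of policy the reply describes, in the shape Microsoft Graph returns for Conditional Access policies, with a small audit that lists which policies send a given app through Conditional Access App Control and in which mode. The sample policies are constructed, and treating the `Office365` app group as covering SharePoint and Exchange Online is an assumption of the script.

```python
import json

# Constructed sample in the shape of Microsoft Graph conditionalAccessPolicy
# objects; display names and the policy mix are made up for illustration.
SPO = "00000003-0000-0ff1-ce00-000000000000"  # Office 365 SharePoint Online
EXO = "00000002-0000-0ff1-ce00-000000000000"  # Office 365 Exchange Online
SAMPLE = json.loads("""[
 {"displayName": "SPO custom session policy", "state": "enabled",
  "conditions": {"applications": {"includeApplications": ["00000003-0000-0ff1-ce00-000000000000"]}},
  "sessionControls": {"cloudAppSecurity": {"isEnabled": true, "cloudAppSecurityType": "mcasConfigured"}}},
 {"displayName": "O365 block downloads", "state": "enabledForReportingButNotEnforced",
  "conditions": {"applications": {"includeApplications": ["Office365"]}},
  "sessionControls": {"cloudAppSecurity": {"isEnabled": true, "cloudAppSecurityType": "blockDownloads"}}},
 {"displayName": "MFA for all apps", "state": "enabled",
  "conditions": {"applications": {"includeApplications": ["All"]}},
  "sessionControls": null},
 {"displayName": "EXO monitor", "state": "enabled",
  "conditions": {"applications": {"includeApplications": ["00000002-0000-0ff1-ce00-000000000000"]}},
  "sessionControls": {"cloudAppSecurity": {"isEnabled": true, "cloudAppSecurityType": "monitorOnly"}}}
]""")

# Graph enum value -> label of the matching option under Session in the portal
MODES = {"monitorOnly": "Monitor only", "blockDownloads": "Block downloads",
         "mcasConfigured": "Use custom policy"}

def caac_mode(policy):
    """Label of the CAAC session control, or None when it is not enabled."""
    cas = (policy.get("sessionControls") or {}).get("cloudAppSecurity") or {}
    if not cas.get("isEnabled"):
        return None
    return MODES.get(cas.get("cloudAppSecurityType"), "unknown")

def covers(policy, app_id):
    """True when the policy's assignments include app_id (assumes Office365 contains it)."""
    apps = policy["conditions"]["applications"]
    included = set(apps.get("includeApplications") or [])
    excluded = set(apps.get("excludeApplications") or [])
    return app_id not in excluded and bool(included & {"All", "Office365", app_id})

def audit(policies, app_id):
    """(name, state, mode) for every policy that routes app_id through CAAC."""
    return [(p["displayName"], p["state"], caac_mode(p))
            for p in policies if covers(p, app_id) and caac_mode(p)]

if __name__ == "__main__":
    for row in audit(SAMPLE, SPO):
        print(row)
```

A policy in `enabledForReportingButNotEnforced` state shows up in the audit but does not yet apply the session control, so the state column matters when checking coverage.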

@pvanberlo Thank you for the info. O365 is connected to MCAS. I will read the article you posted. Thank you again.
