Del via


Classic portal: Deploy Conditional Access App Control for catalog apps with Microsoft Entra ID

Note

This docset refers to the Microsoft Defender for Cloud Apps classic portal. Microsoft Defender for Cloud Apps is now part of Microsoft Defender XDR, which correlates signals from across the Microsoft Defender suite and provides incident-level detection, investigation, and powerful response capabilities.

As of June 2024, all customers using the classic Defender for Cloud Apps portal are automatically redirected to Microsoft Defender XDR, with no option to revert back to the classic portal. For more information, see Microsoft Defender for Cloud Apps in Microsoft Defender XDR and the Microsoft Defender for Cloud Apps documentation.

Access and session controls in Microsoft Defender for Cloud Apps work with applications from the Cloud app catalog and with custom applications.

Defender for Cloud Apps preonboards the following apps to work out-of-the-box:

  • Box
  • Concur
  • CornerStone on Demand
  • DocuSign
  • Dropbox
  • Egnyte
  • GitHub
  • Google Workspace
  • HighQ
  • JIRA/Confluence
  • LinkedIn Learning
  • Microsoft Azure DevOps Services (Visual Studio Team Services)
  • Microsoft Azure portal
  • Microsoft Dynamics 365 CRM
  • Microsoft Exchange Online
  • Microsoft OneDrive
  • Microsoft Power BI
  • Microsoft SharePoint Online
  • Microsoft Teams
  • Microsoft Yammer
  • Salesforce
  • Slack
  • Tableau
  • Workday
  • Workiva
  • Workplace from Meta

If you're interested in a specific app being preonboarded, send us details about the app. Be sure to send the use case you're interested in for onboarding it.

Prerequisites

  • Your organization must have the following licenses to use Conditional Access App Control:

  • Apps must be configured with single sign-on

  • Apps must use one of the following authentication protocols:

    IdP Protocols
    Microsoft Entra ID SAML 2.0 or OpenID Connect
    Other SAML 2.0

To deploy catalog apps

Follow the steps below to configure catalog apps to be controlled by Microsoft Defender for Cloud Apps Conditional Access App Control.

Configure integration with Microsoft Entra ID

Note

When configuring an application with SSO in Microsoft Entra ID, or other identity providers, one field that may be listed as optional is the sign-on URL setting. Note that this field may be required for Conditional Access App Control to work.

Use the following steps to create a Microsoft Entra Conditional Access policy that routes app sessions to Defender for Cloud Apps. For other IdP solutions, see Configure integration with other IdP solutions.

  1. In Microsoft Entra ID, browse to Security > Conditional Access.

  2. On the Conditional Access pane, in the toolbar at the top, select New policy -> Create new policy.

  3. On the New pane, in the Name textbox, enter the policy name.

  4. Under Assignments, select Users or workload identities and assign the users and groups that will be onboarding (initial sign-on and verification) the app.

  5. Under Assignments, select Cloud apps or actions and assign the apps and actions you want to control with Conditional Access App Control.

  6. Under Access controls, select Session, select Use Conditional Access App Control, and choose a built-in policy (Monitor only (Preview) or Block downloads (Preview)) or Use custom policy to set an advanced policy in Defender for Cloud Apps, and then select Select.

    Microsoft Entra Conditional Access.

  7. Optionally, add conditions and grant controls as required.

  8. Set Enable policy to On and then select Create.

Note

Before proceeding, make sure to first sign out of existing sessions.

After you've created the policy, sign in to each app configured in that policy. Make sure you sign in using a user configured in the policy.

Defender for Cloud Apps will sync your policy details to its servers for each new app you sign in to. This may take up to one minute.

The preceding instructions helped you create a built-in Defender for Cloud Apps policy for catalog apps directly in Microsoft Entra ID. In this step, verify that the access and session controls are configured for these apps.

  1. In the Defender for Cloud Apps portal, select the settings cog settings icon., and then select Conditional Access App Control.

  2. In the Conditional Access App Control apps table, look at the Available controls column and verify that both Access control or Microsoft Entra Conditional Access, and Session control appear for your apps.

    Note

    If the app isn’t enabled for session control, you can add it by selecting Onboard with session control and checking Use this app with session controls. Onboard with session control.

Once you're ready to enable the app for use in your organization's production environment, do the following steps.

  1. In Defender for Cloud Apps, select the settings cog settings icon., and then select Conditional Access App Control.

  2. In the list of apps, on the row in which the app you're deploying appears, choose the three dots at the end of the row, and then choose Edit app.

  3. Select Use the app with session controls and then select Save.

    Edit this app dialogue.

  4. First sign out of any existing sessions. Then, try to sign in to each app that was successfully deployed. Sign in using a user that matches the policy configured in Microsoft Entra ID, or for a SAML app configured with your identity provider.

  5. In the Defender for Cloud Apps portal, under Investigate, select Activity log, and make sure the login activities are captured for each app.

  6. You can filter by clicking on Advanced, and then filtering using Source equals Access control.

    Filter using Microsoft Entra Conditional Access.

  7. It's recommended that you sign into mobile and desktop apps from managed and unmanaged devices. This is to make sure that the activities are properly captured in the activity log.
    To verify that the activity is properly captured, select a single sign-on login activity so that it opens the activity drawer. Make sure the User agent tag properly reflects whether the device is a native client (meaning either a mobile or desktop app) or the device is a managed device (compliant, domain joined, or valid client certificate).

Note

After it is deployed, you can't remove an app from the Conditional Access App Control page. As long as you don't set a session or access policy on the app, the Conditional Access App Control won't change any behavior for the app.

Next steps

If you run into any problems, we're here to help. To get assistance or support for your product issue, please open a support ticket.