This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(236.8, 46%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ER4%3C/text%3E%3C/svg%3E)
With the upcoming Conditional Access changes happening this month, I am trying to update Conditional Access Apps to exclude two custom Apps. The problem is they are not listed. I have tried to create a new C.A policy and set the Session control for the App Policy to Monitor and the over all C.A policy to on and it blocks the App and never shows up in Defender. The App is listed in Enterprise Apps. Is there a way to manually enter in the App ID and SAML information in Defender.
A tool that provides visibility, control, and threat protection for cloud-based applications and services
For added information the policy that seems to be the problem is one used for anonymous IP and TOR. The App liste getting blocked it Microsoft 365 which is interest since that is what is used for Auth but it don't list the actual App
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(54.400000000000006, 90%, 15%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EPM%3C/text%3E%3C/svg%3E)
Hello,
No, you cannot manually enter an App ID or SAML metadata for Microsoft Entra ID enterprise apps into Defender for Cloud Apps Conditional Access App Control, and this behavior is by design. Defender only surfaces applications that have been onboarded through Conditional Access session redirection, meaning the app must be routed via a Conditional Access policy using Use Conditional Access App Control and a user must successfully sign in so the reverse proxy can observe and register the app; there is no supported way to force-add an Entra ID app by typing its App ID or SAML details manually. In scenarios involving anonymous IP or Tor blocking, it is common for the sign-in logs and Defender to show Microsoft 365 as the blocked resource because the authentication flow is evaluated at the identity provider layer, even though the downstream relying party is your custom app, especially with the recent Conditional Access enforcement changes that now evaluate policies targeting all resources more consistently. To make the custom app appear, ensure it uses SAML or OIDC via Entra ID, is included or implicitly covered by a Conditional Access policy with session control enabled, and that a real user sign-in occurs so Defender can onboard it automatically rather than expecting manual entry. Relevant references include https://techcommunity.microsoft.com/blog/microsoft-entra-blog/upcoming-conditional-access-change-improved-enforcement-for-policies-with-resour/4488925, and the official onboarding behavior for Conditional Access App Control at https://learn.microsoft.com/defender-cloud-apps/proxy-deployment-aad.
Custom Microsoft Entra ID (Azure AD) apps cannot be added to Defender for Cloud Apps access/session policies by manually typing an App ID or SAML metadata. They must appear as onboarded apps on the Conditional Access App Control apps page and/or be targeted via Conditional Access.
Key points and steps to resolve the “app not listed” issue:
In summary, to exclude the two custom apps, ensure they are properly onboarded and visible under Conditional Access App Control apps via the supported onboarding flows; direct manual entry of App ID/SAML in Defender for Cloud Apps is not supported.
References: