Deploy Conditional Access App Control
Conditional App Access Control is a feature of Microsoft Cloud App Services that allows you to implement policies to monitor and control apps in real time. These policies can implement a number of controls, including:
- Protecting downloads by either labeling and protecting downloaded files with Azure Information Protection or blocking the copying or downloading of sensitive documents to unmanaged devices.
- Blocking the upload of files that are potentially malicious, or that are unlabeled.
- Blocking access or activities based on risk factors.
- Monitoring and logging the activity of risky users.
Any web app that uses Security Assertion Markup Language (SAML) 2.0 or OpenID Connect is supported for Conditional Access App Control. Any Microsoft Entra app that uses Microsoft Entra application proxy is also supported for Conditional Access App Control.
The process of using a web app protected by Conditional Access App Control is as follows:
- User browses to web app.
- User authenticates using web app's identity provider.
- Identity provider redirects to Microsoft Defender for Cloud Apps and Microsoft Defender for Cloud Apps applies a session policy.
- The web session is proxied by Microsoft Defender for Cloud Apps.
- Session activity is audited and governed.
Steps to add an app to Conditional Access App Control
These are the steps to add a featured app to Conditional Access App Control:
Go to the Azure portal, select Microsoft Entra ID in the side menu, select Security in the side menu, and select Conditional Access in the side menu.
Either select an existing policy, or select New policy to create a new policy.
Select Session, select Use Conditional App Access Control, and select Use custom policy.
Save the policy and Conditional App Access Control works instantly for featured apps. Other apps can be onboarded in the Defender for Cloud Apps portal.
The following video walks through the steps to add an app to Conditional Access App Control: