Use Defender for Cloud Apps Conditional Access app control

Use Microsoft Defender for Cloud Apps Conditional Access app control to create access and session policies that monitor and control user access to cloud apps in real time. This guide walks through onboarding your apps, setting up a Conditional Access policy, and creating and testing your access and session policies.

Conditional Access app control usage flow (Preview)

The following image shows the high level process for configuring and implementing Conditional Access app control:

Diagram of the Conditional Access app control process flow.

Which identity provider are you using?

Before you start using Conditional Access app control, understand whether your apps are managed by Microsoft Entra or another identity provider (IdP).

  • Microsoft Entra apps are automatically onboarded for Conditional Access app control, and are immediately available for you to use in your access and session policy conditions (Preview).

  • Apps that use non-Microsoft IdPs must be manually onboarded before you can select them in your access and session policy conditions.

Sample procedures

The following articles provide sample processes for configuring a non-Microsoft IdP to work with Defender for Cloud Apps:

Prerequisites

Before you configure Conditional Access app control, make sure the following prerequisites are met:

  1. Make sure your firewall allows traffic from all IP addresses listed in Network requirements.
  2. Check that your app has a full certificate chain. Missing parts of the chain can cause unexpected app behavior with Conditional Access app control policies.

Create a Microsoft Entra ID Conditional Access policy

Your access or session policy requires a Microsoft Entra ID Conditional Access policy to control traffic.

For a sample of creating a Conditional Access policy, see the access policy and session policy creation docs.

For more information, see Conditional Access policies and Building a Conditional Access policy.
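As an added example (not code from this page or from Microsoft), the following Microsoft Graph PowerShell SDK script creates the prerequisite Entra ID Conditional Access policy with its session control set to hand matching browser sign-ins to Defender for Cloud Apps, then reads the policy back to confirm the setting. The pilot group and app IDs are placeholders, and starting in report-only state is an assumption chosen so the policy can be reviewed before it is enforced.

```powershell
# Added example: create the Entra ID Conditional Access policy that routes
# sign-ins to Defender for Cloud Apps, using the Microsoft Graph PowerShell SDK.
# Assumptions: the SDK is installed, and the IDs below are placeholders you
# replace with your own pilot group and onboarded app IDs.

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess','Policy.Read.All'

$pilotGroupId = '<PILOT-GROUP-OBJECT-ID>'        # placeholder: group of test users
$targetAppIds = @('<APP-ID-1>', '<APP-ID-2>')     # placeholder: onboarded app IDs

$policy = @{
    displayName = 'Route pilot users to Defender for Cloud Apps session control'
    # Report-only first: sign-ins are evaluated and logged but not enforced,
    # so you can check the sign-in logs before changing the state to 'enabled'.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users          = @{ includeGroups = @($pilotGroupId) }
        applications   = @{ includeApplications = $targetAppIds }
        # Conditional Access app control proxies browser sessions, so scope
        # the policy to the browser client app type.
        clientAppTypes = @('browser')
    }
    sessionControls = @{
        # 'mcasConfigured' corresponds to "Use custom policy" in the portal:
        # the access and session policies defined in Defender for Cloud Apps
        # decide what is monitored or blocked.
        cloudAppSecurity = @{
            isEnabled            = $true
            cloudAppSecurityType = 'mcasConfigured'
        }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Read the policy back and confirm the session control was stored as intended.
$check = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id
if ($check.SessionControls.CloudAppSecurity.CloudAppSecurityType -ne 'mcasConfigured') {
    throw "Policy $($check.Id) is not routing sessions to Defender for Cloud Apps"
}
"Created policy $($check.Id) in state '$($check.State)'"
```

Switch `state` to `enabled` only after the report-only results in the Entra sign-in logs match the users and apps you expect.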

Create your access and session policies

Once your apps are onboarded (automatically for Microsoft Entra ID apps, manually for apps that use other IdPs) and your Microsoft Entra ID Conditional Access policy is ready, you can create access and session policies for any scenario you need.

For more information, see:

Test your policies

Make sure to test your policies and update any conditions or settings as needed. For more information, see:

For more information, see Protect apps with Microsoft Defender for Cloud Apps Conditional Access app control.