Use Microsoft Defender for Cloud Apps Conditional Access app control to create access and session policies that monitor and control user access to cloud apps in real time. This guide walks through onboarding your apps, setting up a Conditional Access policy, and creating and testing your access and session policies.
Conditional Access app control usage flow (Preview)
The following image shows the high level process for configuring and implementing Conditional Access app control:
Which identity provider are you using?
Before you start using Conditional Access app control, understand whether your apps are managed by Microsoft Entra or another identity provider (IdP).
Microsoft Entra apps are onboarded for Conditional Access app control automatically and are immediately available to select in your access and session policy conditions (Preview).
Apps that use non-Microsoft IdPs must be manually onboarded before you can select them in your access and session policy conditions.
If you're working with a catalog app from a non-Microsoft IdP, configure the integration between your IdP and Defender for Cloud Apps to onboard all catalog apps. For more information, see Onboard non-Microsoft IdP catalog apps for Conditional Access app control.
If you're working with custom apps, you need to both configure the integration between your IdP and Defender for Cloud Apps, and also onboard each custom app. For more information, see Onboard non-Microsoft IdP custom apps for Conditional Access app control.
Sample procedures
The following articles provide sample processes for configuring a non-Microsoft IdP to work with Defender for Cloud Apps:
Prerequisites
Before you configure Conditional Access app control, make sure the following prerequisites are met:
- Make sure your firewall allows traffic from all IP addresses listed in Network requirements.
- Check that your app serves its full certificate chain: the server certificate plus every intermediate certificate up to a trusted root. A missing intermediate can cause unexpected app behavior with Conditional Access app control policies, even when a desktop browser that fetches missing intermediates on its own shows no error.
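The following POSIX shell script is an added example for the certificate-chain prerequisite; it is not part of the Microsoft Learn page or of Defender for Cloud Apps. It captures exactly the certificates an app's server presents in the TLS handshake (openssl s_client -showcerts prints only what was sent and never fills gaps) and then verifies the leaf using nothing but a trusted root store plus those presented certificates, which is the view a reverse proxy has. To make it runnable offline, the script also builds a constructed root, intermediate and leaf PKI and shows the same leaf passing when the intermediate is sent and failing when it is not. It assumes the openssl command-line tool is installed; app.example.test and the CA names are placeholders.

```shell
#!/bin/sh
# Added example (not from the Microsoft Learn page): check that an app serves
# its full certificate chain, as the Defender for Cloud Apps proxy would see it.
# Assumes the openssl CLI is installed. The demo PKI below is constructed for
# this example; app.example.test and the CA names are placeholders.

# Print exactly the certificates the server sends in its TLS handshake
# (s_client -showcerts prints the presented chain only; no AIA fetching).
fetch_presented_chain() {
    host=$1
    port=${2:-443}
    openssl s_client -connect "$host:$port" -servername "$host" -showcerts </dev/null 2>/dev/null |
        awk '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/'
}

# Number of certificates in a PEM bundle.
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# First certificate in a PEM bundle (the server/leaf certificate).
first_cert() {
    awk '/-----BEGIN CERTIFICATE-----/ { n++ } n == 1' "$1"
}

# Verify the leaf using only the trusted roots plus what the server presented.
# Exit status 0 means the presented chain is complete.
check_chain() {
    presented=$1
    trusted=$2
    first_cert "$presented" | openssl verify -CAfile "$trusted" -untrusted "$presented" >/dev/null 2>&1
}

# Build a constructed root -> intermediate -> leaf PKI in $1 plus two
# "as presented by the server" bundles: full.pem and leaf-only.pem.
make_demo_pki() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/CN=Constructed Demo Root CA" \
        -keyout "$dir/root.key" -out "$dir/root.pem" >/dev/null 2>&1
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=Constructed Demo Intermediate CA" \
        -keyout "$dir/int.key" -out "$dir/int.csr" >/dev/null 2>&1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >"$dir/int.ext"
    openssl x509 -req -sha256 -days 30 -in "$dir/int.csr" \
        -CA "$dir/root.pem" -CAkey "$dir/root.key" -CAcreateserial \
        -extfile "$dir/int.ext" -out "$dir/int.pem" >/dev/null 2>&1
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=app.example.test" \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" >/dev/null 2>&1
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:app.example.test\n' >"$dir/leaf.ext"
    openssl x509 -req -sha256 -days 30 -in "$dir/leaf.csr" \
        -CA "$dir/int.pem" -CAkey "$dir/int.key" -CAcreateserial \
        -extfile "$dir/leaf.ext" -out "$dir/leaf.pem" >/dev/null 2>&1
    cat "$dir/leaf.pem" "$dir/int.pem" >"$dir/full.pem"   # what a correctly configured server sends
    cp "$dir/leaf.pem" "$dir/leaf-only.pem"               # the misconfiguration: intermediate missing
}

# Demo: the same leaf passes with the intermediate and fails without it.
demo_dir=$(mktemp -d)
make_demo_pki "$demo_dir"
for name in full.pem leaf-only.pem; do
    if check_chain "$demo_dir/$name" "$demo_dir/root.pem"; then
        echo "$name: $(count_certs "$demo_dir/$name") cert(s), chain complete"
    else
        echo "$name: $(count_certs "$demo_dir/$name") cert(s), chain INCOMPLETE (missing intermediate)"
    fi
done
rm -rf "$demo_dir"
```

Against a real app, run `fetch_presented_chain app.contoso.example > presented.pem` and then `check_chain presented.pem /etc/ssl/certs/ca-certificates.crt` (or whatever root bundle your platform uses). If `count_certs presented.pem` is 1 for a certificate issued by a public CA, the server is not sending its intermediate and the check fails for the same reason the proxy does.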
Create a Microsoft Entra ID Conditional Access policy
Your access or session policy requires a Microsoft Entra ID Conditional Access policy that routes the app's sessions to Defender for Cloud Apps; this is done with the Use Conditional Access App Control session control in the Conditional Access policy.
For a sample of creating a Conditional Access policy, see the access policy and session policy creation docs.
For more information, see Conditional Access policies and Building a Conditional Access policy.
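The following POSIX shell script is an added example of creating such a Conditional Access policy through the Microsoft Graph REST API; it is not code from the Microsoft Learn page or from Defender for Cloud Apps. The body sets the cloudAppSecurity session control to mcasConfigured, which is the Graph value for "Use custom policy" and tells Microsoft Entra to apply the access and session policies you define in Defender for Cloud Apps (monitorOnly and blockDownloads are the built-in presets). The example assumes the az CLI is signed in as a principal with Policy.ReadWrite.ConditionalAccess and that curl is available; the application (client) ID and break-glass group object ID are placeholders supplied by the caller.

```shell
#!/bin/sh
# Added example (not from the Microsoft Learn page): create the Microsoft Entra
# Conditional Access policy that hands an app's browser sessions to Defender
# for Cloud Apps, via the Microsoft Graph REST API.
# Assumptions: `az` is logged in with Policy.ReadWrite.ConditionalAccess and
# `curl` is installed. The app ID and group ID are caller-supplied placeholders.

GRAPH_CA_POLICIES="https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"

# Emit the JSON request body. The policy starts in report-only state and
# excludes a break-glass group, so a mistake in the session policy cannot lock
# administrators out before the policy has been validated.
ca_policy_json() {
    app_id=$1
    break_glass_group=$2
    display_name=${3:-Route browser sessions to Defender for Cloud Apps}
    cat <<EOF
{
  "displayName": "$display_name",
  "state": "enabledForReportingButNotEnforced",
  "conditions": {
    "users": {
      "includeUsers": ["All"],
      "excludeGroups": ["$break_glass_group"]
    },
    "applications": {
      "includeApplications": ["$app_id"]
    },
    "clientAppTypes": ["browser"]
  },
  "sessionControls": {
    "cloudAppSecurity": {
      "isEnabled": true,
      "cloudAppSecurityType": "mcasConfigured"
    }
  }
}
EOF
}

# POST the policy. Graph returns the created object, including its id.
create_ca_policy() {
    body=$(ca_policy_json "$1" "$2" "$3")
    token=$(az account get-access-token --resource-type ms-graph --query accessToken -o tsv)
    curl -sS -X POST "$GRAPH_CA_POLICIES" \
        -H "Authorization: Bearer $token" \
        -H "Content-Type: application/json" \
        --data "$body"
}

if [ $# -ge 2 ]; then
    create_ca_policy "$1" "$2" "$3"
else
    echo "usage: $0 <app-client-id> <break-glass-group-object-id> [display-name]" >&2
    echo "Body that would be sent, with placeholder IDs:" >&2
    ca_policy_json 00000000-0000-0000-0000-000000000000 00000000-0000-0000-0000-000000000001 >&2
fi
```

Leave the policy in report-only state while you build and test the access and session policies in Defender for Cloud Apps, then PATCH the same resource with `"state": "enabled"` once sign-in logs show the expected sessions being routed through the proxy. Session controls only apply to browser sessions, which is why clientAppTypes is limited to browser.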
Create your access and session policies
After you've confirmed that your apps are onboarded (automatically for Microsoft Entra ID apps, manually for apps from other IdPs) and you have a Microsoft Entra ID Conditional Access policy ready, create access and session policies for the scenarios you need.
For more information, see:
Test your policies
Make sure to test your policies and update any conditions or settings as needed. For more information, see:
Related content
For more information, see Protect apps with Microsoft Defender for Cloud Apps Conditional Access app control.