would this work for apps like Slack or Google Workspace? for example, if I’m trying to restrict a non compliant device (managed via intune) from being able to access corp apps like the ones mentioned + 365 apps, are session policies or access control policies the solution?
Yes, it would work for Slack and Google Workspace. For that use case, if you are using Defender for Cloud Apps, use the access policy, as that will cover the largest set of scenarios for those (Slack thick client); a session policy would only work on web access. However, the best way to handle this is probably a CA policy that requires the device to be compliant. Look up my Secure Endpoint video on CA. It may give you some ideas.
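As an added example (not from the video or this thread), this is the shape of the Conditional Access policy described above, created with the Microsoft Graph PowerShell SDK: it requires an Intune-compliant device for Office 365 plus the SaaS apps in question, and covers desktop and mobile clients as well as browser sessions. The group and app object IDs are placeholders; take the real values from your own tenant.

```powershell
# Added example: Conditional Access policy requiring a compliant device.
# Scope needed to create CA policies via Microsoft Graph.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

$params = @{
    displayName = "Require compliant device - M365 and corp SaaS"
    # Start in report-only mode and review sign-in logs before enforcing.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeGroups = @("<object-id-of-pilot-group>")         # placeholder
            # Keep emergency-access (break-glass) accounts out of device-based policies.
            excludeGroups = @("<object-id-of-break-glass-group>")   # placeholder
        }
        applications = @{
            includeApplications = @(
                "Office365",                  # built-in value covering the Office 365 app set
                "<slack-enterprise-app-id>",  # placeholder: Enterprise applications > Slack > Application ID
                "<google-workspace-app-id>"   # placeholder: Enterprise applications > Google Workspace > Application ID
            )
        }
        # Include thick clients, not just web: a browser-only condition would leave
        # the Slack desktop app and mobile clients outside the policy.
        clientAppTypes = @("browser", "mobileAppsAndDesktopClients")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("compliantDevice")   # device must report compliant from Intune
    }
}

$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter $params
$policy | Select-Object Id, DisplayName, State
```

Validate the effect with the sign-in logs' report-only results (or the What If tool) before switching `state` to `enabled`.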
Good to see you're back to making videos.
I haven't been able to get Device Exclusions to work in the CA policy. When trying to exclude Compliant devices, specifically, the Conditional Access App Control policy is applied regardless. As a result, I'm getting stumped trying to allow downloads from Exchange Online on compliant devices. We're not hybrid and it's looking like the only solution is going to be with certificates. Have you seen this issue?
If you are using Chrome, make sure you have the Microsoft SSO extension installed. Also make sure you are signed into the machine as an Entra ID user (not a local machine user). If none of those work, check the dsregcmd status.
Thanks a bunch for this Video, Really you explain very well
Good Stuff! Keep doing all the MS Security stuff.
It was very useful to me, thanks! New subscriber.
Thank you very much for these videos, they have been really helpful. You are one of the best instructors I watch. Thanks again.
Hey so glad it was helpful! and thank you for the compliment!
Thank you for this video, it was really helpful. I was struggling to find an end-to-end guide in a single video/article. Appreciate this 🙂
Hi,
What is the value of adding the admin user on the onboarding page?
I don't have one configured and I was able to onboard the app.
Many times you don't need it. But if something doesn't go right or work, you have some of the diagnostic tools you need to fix the app. learn.microsoft.com/en-us/defender-cloud-apps/proxy-deployment-any-app
@DougDoesTech Thank you for your clarification. One more point please.
We have a custom mobile app that uses Azure AD for authentication. We have tried to onboard it to MCAS but it seems it didn't.
So, does MCAS support only web apps, not mobile apps?
As far as I know, session policies like blocking download can only be applied to web-based sessions. You can use an access policy to control access to mobile and desktop apps, but it won't do the block-download type of controls.