Conditional Access App Control and Session Policies
Conditional Access App Control and Session Policies are critical components in Microsoft's identity and access management framework, particularly relevant when managing workload identities and securing cloud applications.

**Conditional Access App Control** is a feature within Microsoft Defender for Cloud Apps that acts as a reverse proxy, enabling real-time monitoring and control of user sessions when accessing cloud applications. It integrates with Azure AD Conditional Access policies to enforce granular access controls based on conditions such as user identity, device state, location, and risk level. When a Conditional Access policy routes a session through Defender for Cloud Apps, organizations gain visibility and control over data and activities within that session.

**Session Policies** define what happens during an active user session after access has been granted. These policies operate in real time and allow administrators to:

1. **Monitor activities** - Track user actions within cloud apps for auditing and compliance purposes.
2. **Block downloads** - Prevent sensitive files from being downloaded to unmanaged or non-compliant devices.
3. **Protect on download** - Apply Azure Information Protection labels or encrypt files automatically when downloaded.
4. **Block uploads** - Prevent uploading of sensitive content based on DLP policies.
5. **Block custom activities** - Restrict specific application actions that pose security risks.

For workload identities specifically, these controls help secure service principals, managed identities, and application registrations that access organizational resources.
Administrators can enforce policies ensuring that workload identities comply with security requirements before accessing sensitive data. The implementation process involves configuring Azure AD Conditional Access policies to route sessions through Defender for Cloud Apps, selecting target applications (both catalog and custom apps), and then creating specific session policies within the Defender for Cloud Apps portal. This layered approach ensures that even after authentication, organizations maintain continuous control over how resources are accessed and data is handled, significantly reducing the risk of data exfiltration and unauthorized activities within cloud environments.
Conditional Access App Control & Session Policies: A Complete SC-300 Guide
Why Is Conditional Access App Control Important?
In modern enterprise environments, users access cloud applications from a variety of devices and locations. While Conditional Access policies can gate whether a user gains access, they traditionally cannot control what happens during a session. Conditional Access App Control bridges this gap by enabling real-time, in-session monitoring and control of user activities within cloud apps. This is critical for:
• Preventing data exfiltration from sensitive cloud applications
• Enforcing granular controls on unmanaged or risky devices
• Monitoring and logging user behavior within SaaS applications
• Protecting workload identities and service principals that interact with cloud apps
• Meeting compliance requirements for data loss prevention (DLP)
What Is Conditional Access App Control?
Conditional Access App Control is a capability within Microsoft Defender for Cloud Apps (formerly Microsoft Cloud App Security) that works in conjunction with Microsoft Entra Conditional Access. It uses a reverse proxy architecture to intercept and control user sessions in real time.
There are two main policy types involved:
1. Access Policies: These control whether a user can access a cloud app at the point of sign-in. They evaluate conditions in real time and can block or allow access based on signals such as device state, location, user risk, and more.
2. Session Policies: These go beyond access decisions and control what users can do within a session. Session policies can:
• Monitor all activities – Log all user actions for auditing purposes
• Block downloads – Prevent users from downloading sensitive files
• Block uploads – Prevent users from uploading files to cloud apps
• Block copy/cut/print – Restrict clipboard and print actions
• Protect downloads with labeling – Apply sensitivity labels to downloaded files
• Block custom activities – Define specific activities to restrict
How Does It Work?
The architecture relies on the following flow:
Step 1: Configure a Conditional Access Policy in Microsoft Entra ID
• Create a Conditional Access policy targeting the desired users, groups, or workload identities
• Under Session controls, select "Use Conditional Access App Control"
• Choose either "Monitor only" or "Block downloads", or select "Use custom policy" for advanced scenarios
Step 2: Route Traffic Through Microsoft Defender for Cloud Apps
• When a user signs in to a targeted app, the Conditional Access policy redirects the session through the Defender for Cloud Apps reverse proxy
• The app URL changes to include a suffix (e.g., app.mcas.ms), indicating the session is proxied
• All traffic flows through the reverse proxy, enabling real-time inspection
Step 3: Define Session Policies in Microsoft Defender for Cloud Apps
• Navigate to the Defender for Cloud Apps portal → Policies → Session policies
• Create a session policy specifying:
- Session control type (e.g., Block downloads, Monitor only, Control file upload)
- Activity filters (e.g., device type, IP address, app)
- Content inspection (optional – scan for sensitive content using DLP policies or built-in types)
- Actions (Block, Protect with labeling, Audit/Alert)
Step 4: Enforcement and Monitoring
• The session policy is enforced in real time as the user interacts with the app
• Alerts are generated and activities are logged in the Defender for Cloud Apps activity log
• Admins can review sessions, investigate incidents, and refine policies
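As an added example (not code from the original guide), the following Python builds the Microsoft Graph request body for Step 1: a Conditional Access policy that routes browser sessions for a target app through Defender for Cloud Apps, optionally scoped to non-compliant devices as in the unmanaged-device scenario. It assumes the Graph v1.0 conditionalAccessPolicy schema; the group id is a placeholder, and the granular session policy itself (Step 3) is still created in the Defender for Cloud Apps portal.

```python
import json

# Portal label in the Conditional Access "Session" blade -> Graph cloudAppSecurityType.
# "Use custom policy" defers the detailed rules to a session policy in Defender for Cloud Apps.
SESSION_CONTROL_OPTIONS = {
    "Monitor only": "monitorOnly",
    "Block downloads": "blockDownloads",
    "Use custom policy": "mcasConfigured",
}


def build_app_control_policy(display_name, group_ids, app_ids, session_option,
                             unmanaged_devices_only=False, report_only=True):
    """Return the JSON body for POST /identity/conditionalAccess/policies.
    report_only=True keeps the policy in report-only mode until routing has
    been verified in the sign-in logs."""
    if session_option not in SESSION_CONTROL_OPTIONS:
        raise ValueError(f"unknown session control option: {session_option!r}")
    conditions = {
        "users": {"includeGroups": list(group_ids)},
        "applications": {"includeApplications": list(app_ids)},
        # The reverse proxy handles browser sessions, so scope the policy to
        # the browser client app type rather than rich clients.
        "clientAppTypes": ["browser"],
    }
    if unmanaged_devices_only:
        # Conditional Access device filter: apply only to non-compliant devices.
        conditions["devices"] = {
            "deviceFilter": {"mode": "include", "rule": "device.isCompliant -ne True"}
        }
    return {
        "displayName": display_name,
        "state": "enabledForReportingButNotEnforced" if report_only else "enabled",
        "conditions": conditions,
        "sessionControls": {
            "cloudAppSecurity": {
                "isEnabled": True,
                "cloudAppSecurityType": SESSION_CONTROL_OPTIONS[session_option],
            }
        },
    }


if __name__ == "__main__":
    body = build_app_control_policy(
        "CAAC - SharePoint Online - unmanaged devices",
        group_ids=["00000000-0000-0000-0000-000000000001"],  # placeholder group id
        app_ids=["00000003-0000-0ff1-ce00-000000000000"],   # SharePoint Online app id
        session_option="Use custom policy", unmanaged_devices_only=True)
    print(json.dumps(body, indent=2))
```

POST the returned body to https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies with the Policy.ReadWrite.ConditionalAccess permission; leaving it in report-only mode first lets you confirm in the sign-in logs that sessions are being proxied (the .mcas.ms suffix) before enforcing.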
Key Concepts for the SC-300 Exam:
• Featured Apps vs. Custom Apps: Microsoft provides pre-configured (featured) apps like Exchange Online, SharePoint Online, and many popular SaaS apps. Custom apps can also be onboarded but require additional configuration.
• Reverse Proxy: Conditional Access App Control uses a reverse proxy architecture. This is a critical concept — the proxy sits between the user and the app, enabling inspection without requiring agents on the device.
• Integration Point: The Conditional Access policy in Microsoft Entra ID is the trigger, but the session policy in Defender for Cloud Apps is where granular controls are defined.
• Workload Identities: While Conditional Access App Control primarily targets user sessions, understanding how workload identities (service principals, managed identities) interact with Conditional Access is important. Workload identity Conditional Access policies can restrict tokens issued to service principals, though session-level proxy controls are primarily user-focused.
• License Requirements: Conditional Access App Control requires Microsoft Defender for Cloud Apps licensing (included in Microsoft 365 E5, EMS E5, or as a standalone license), plus Microsoft Entra ID P1 (minimum) for Conditional Access.
Common Scenarios Tested on the Exam:
1. "You need to prevent users on unmanaged devices from downloading files from SharePoint Online."
→ Create a Conditional Access policy with session control set to Use Conditional Access App Control, then create a session policy in Defender for Cloud Apps to block downloads when the device is not compliant/managed.
2. "You need to monitor all activities in a specific SaaS application without blocking anything."
→ Configure Conditional Access App Control with Monitor only, and create a session policy with the activity monitoring template.
3. "You need to apply sensitivity labels to files downloaded from a cloud app."
→ Create a session policy with the control type set to "Control file download (with inspection)" and configure the action to apply a sensitivity label.
4. "You need to block uploads containing credit card numbers to a cloud app."
→ Create a session policy with control file upload, enable content inspection using a DLP policy or built-in sensitive information type for credit card numbers, and set the action to block.
Exam Tips: Answering Questions on Conditional Access App Control and Session Policies
✅ Tip 1: Remember the Two-Part Configuration
Always remember that Conditional Access App Control requires configuration in two places: (1) the Conditional Access policy in Microsoft Entra ID to route traffic, and (2) the session/access policy in Microsoft Defender for Cloud Apps for granular control. If an exam question only mentions one, it is likely incomplete or a distractor.
✅ Tip 2: Know the Difference Between Access Policies and Session Policies
Access policies evaluate at sign-in time and can block or allow access. Session policies evaluate during the session and control in-session activities. If a question asks about blocking downloads or monitoring activities, the answer involves a session policy, not just an access policy.
✅ Tip 3: Reverse Proxy Is the Key Mechanism
If a question asks how Conditional Access App Control inspects traffic or enforces session controls, the answer is reverse proxy. It does not use agents, APIs for real-time control, or VPN tunnels for this purpose.
✅ Tip 4: "Use Custom Policy" Is for Advanced Scenarios
When the built-in session control options (Monitor only, Block downloads) in the Conditional Access policy are insufficient, you select "Use custom policy" and then define the detailed policy in Defender for Cloud Apps. This is the most flexible option and is commonly the correct answer for complex scenarios.
✅ Tip 5: Content Inspection Requires Specific Configuration
If a question mentions scanning for sensitive data (credit cards, SSNs, custom patterns) in uploads or downloads, remember that content inspection must be enabled in the session policy. This is an additional configuration step beyond just blocking downloads.
✅ Tip 6: Watch for Licensing Distractors
Questions may include answer options that reference features requiring specific licenses. Remember that Conditional Access App Control requires Defender for Cloud Apps — not just Microsoft Entra ID P1/P2 alone.
✅ Tip 7: Device State Matters
Many scenarios involve differentiation between managed and unmanaged devices. Conditional Access can filter by device compliance or hybrid join status, and session policies can further restrict activities for non-compliant devices. If a question specifies "unmanaged devices," think about session policies that limit downloads or activities.
✅ Tip 8: Featured Apps vs. Custom Apps
Know that featured apps (like Microsoft 365 apps and popular SaaS apps) are easy to onboard. Custom or line-of-business apps require additional onboarding steps such as adding the app to Defender for Cloud Apps and configuring SSO. Exam questions about custom apps may require extra steps.
✅ Tip 9: Distinguish from Other DLP/Protection Mechanisms
Don't confuse Conditional Access App Control session policies with:
• Microsoft Purview DLP policies (which protect data at rest and in transit within Microsoft 365)
• Endpoint DLP (which protects data on devices)
• Defender for Cloud Apps file policies (which use API-based scanning, not real-time proxy)
Session policies are specifically for real-time, in-session control via reverse proxy.
✅ Tip 10: Read Questions Carefully for "Real-Time" Keywords
If a question emphasizes real-time enforcement, in-session control, or proxied traffic, the answer almost certainly involves Conditional Access App Control and session policies. If the question describes retroactive scanning or API-based discovery, it likely involves a different feature such as file policies or app governance.