SC-200 | Chapter 58 of 101 | Objective 1.4

Conditional Access App Control in MCAS

This chapter covers Conditional Access App Control (CAAC) in Microsoft Cloud App Security (MCAS), a critical feature for real-time session monitoring and control of cloud app access. For the SC-200 exam, CAAC appears in approximately 5-8% of questions, often integrated with scenarios involving Defender for Cloud Apps and Azure AD Conditional Access. Understanding CAAC’s reverse proxy architecture, policy configuration, and integration with Microsoft Defender XDR is essential for exam success.

25 min read | Intermediate | Updated May 31, 2026

The Airport Security Gate for Cloud Apps

Conditional Access App Control (CAAC) in Microsoft Cloud App Security (MCAS) works like an advanced airport security gate that doesn’t just check a passenger’s identity at the entrance but continues to monitor and control their behavior throughout the terminal. Imagine a traveler (user) presenting their boarding pass (authentication) at the gate. The gate agent (Azure AD Conditional Access policy) verifies the pass and grants entry. But CAAC is like a secondary checkpoint just past the gate: a transparent security booth that intercepts every action the traveler takes inside. Every time the traveler tries to enter a duty-free shop or board a plane (access a cloud app feature), the booth agent evaluates the request against a set of rules—checking if the traveler is trying to carry an oversized bag (download a sensitive file) or run toward a restricted area (access an admin portal). If the action is suspicious, the agent can block it, require additional screening (step-up authentication), or even tag the traveler for observation (session monitoring). Critically, the traveler never sees the booth; it’s seamlessly integrated into the terminal architecture. Similarly, CAAC uses reverse proxy technology to intercept traffic in real-time, enforcing controls without modifying the cloud app or client device. The booth agent also logs every interaction for later review, just as CAAC generates audit logs and alerts for security analysts.

How It Actually Works

What is Conditional Access App Control?

Conditional Access App Control (CAAC) is a feature of Microsoft Defender for Cloud Apps (MDCA) that enables real-time monitoring and control of user sessions when accessing cloud apps. It works by routing traffic through a reverse proxy, allowing security policies to be enforced at the session level—such as blocking downloads, requiring multi-factor authentication (MFA), or encrypting sensitive data. CAAC is not a standalone product; it integrates with Azure AD Conditional Access to trigger session policies based on user, device, location, or risk signals.

How Does CAAC Work Internally?

CAAC operates as a reverse proxy between the user and the cloud app. When a user attempts to access a cloud app that is governed by a CAAC policy, the process unfolds as follows:

1. User Authentication: The user authenticates to Azure AD. A Conditional Access policy evaluates the session (e.g., user risk, device compliance). If the policy requires session control, it redirects the user to the CAAC proxy.

2. Proxy Interception: The user’s browser is redirected to the CAAC proxy URL. The proxy then creates a new session with the cloud app on behalf of the user. The user’s browser communicates only with the proxy, not directly with the cloud app.

3. Policy Enforcement: The proxy inspects every HTTP request and response. Based on the policy, it can modify or block requests. For example, if a user tries to download a file, the proxy can block the download or apply data loss prevention (DLP) labels.

4. Session Termination: When the user closes the browser or the session times out, the proxy terminates the connection. The default session timeout for CAAC is 60 minutes of inactivity, configurable via Azure AD Conditional Access session controls.

Key Components and Defaults

Reverse Proxy: The core technology. CAAC uses a dedicated proxy infrastructure hosted in Microsoft’s global network. The proxy URL format is https://<tenant>.mcas.ms.

Session Policies: Defined in Defender for Cloud Apps under "Control" > "Policies" > "Session policies". Each policy includes filters (user, app, device tag) and actions (block, allow, or monitor).

App Connectors: For some apps (e.g., Exchange Online, SharePoint Online), CAAC can use native APIs for deeper control. However, the reverse proxy method works for any browser-based SaaS app.

Timers: The default idle session timeout is 60 minutes. The maximum session duration is 8 hours. These values can be configured in the Azure AD Conditional Access policy under "Session" > "App control".

Supported Browsers: CAAC supports the latest versions of Microsoft Edge, Google Chrome, Mozilla Firefox, and Apple Safari. It does not support Internet Explorer 11.

Configuration and Verification Commands

To configure CAAC, you must first enable it in Defender for Cloud Apps:

1. Navigate to Microsoft Defender for Cloud Apps > Settings > Conditional Access App Control.

2. Select Enable Conditional Access App Control for apps.

3. Create a session policy: Go to Policies > Session policies > Create policy. Define filters like:
   - User: Include specific users or groups.
   - App: Select the target cloud app (e.g., Salesforce, Box).
   - Action: Choose from "Block", "Allow", or "Monitor".
   - Control: For example, "Block download" or "Protect file with Azure Information Protection".

Verification can be done via the Activity log in Defender for Cloud Apps. After a user accesses the app, you should see events tagged with "Session control" and the applied action. You can also use the SIEM agent to forward logs to Azure Sentinel.
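The following PowerShell is an added example, not code from the chapter or from Microsoft. It triages a batch of session-control events of the kind the Activity log surfaces, the way an analyst would before refining a policy (see the "Monitor and Refine" step of the walk-through): it counts blocked downloads per user and app, flags bursts of repeated blocks, lists the blocked file extensions, and marks blocks that hit internal users, which usually means the policy filter is broader than intended. The JSON records are constructed to resemble an Activity log export; a real export uses different column names, so the property names used here (time, user, app, activity, action, file, clientType) and the corp.example internal domain are assumptions to map onto your data.

```powershell
# Constructed sample of session-control events (not a real export; field names are assumed).
$exportJson = @'
[
  {"time":"2026-05-30T09:12:04Z","user":"contractor1@partner.example","app":"Salesforce","activity":"Download file","action":"Blocked","file":"Q2-pipeline.xlsx","clientType":"Browser"},
  {"time":"2026-05-30T09:13:40Z","user":"contractor1@partner.example","app":"Salesforce","activity":"Download file","action":"Blocked","file":"accounts-export.csv","clientType":"Browser"},
  {"time":"2026-05-30T09:15:02Z","user":"contractor1@partner.example","app":"Salesforce","activity":"Download file","action":"Blocked","file":"contacts.csv","clientType":"Browser"},
  {"time":"2026-05-30T10:01:11Z","user":"alice@corp.example","app":"Salesforce","activity":"Download file","action":"Blocked","file":"team-roster.pdf","clientType":"Browser"},
  {"time":"2026-05-30T10:05:30Z","user":"bob@corp.example","app":"Salesforce","activity":"View report","action":"Monitored","file":null,"clientType":"Browser"},
  {"time":"2026-05-30T11:20:45Z","user":"contractor2@partner.example","app":"Box","activity":"Download file","action":"Blocked","file":"patient-list.xlsx","clientType":"Browser"}
]
'@
$events = $exportJson | ConvertFrom-Json

function Get-BlockedDownloadSummary {
    param(
        [object[]]$Events,
        [int]$BurstThreshold = 3,        # this many blocks ...
        [int]$BurstWindowMinutes = 10,   # ... inside this window counts as a burst
        [string]$InternalDomain = 'corp.example'   # assumed internal UPN suffix
    )
    # Only "Blocked" download events are policy hits worth tuning on; "Monitored" events are just telemetry.
    $blocked = $Events | Where-Object { $_.action -eq 'Blocked' -and $_.activity -eq 'Download file' }

    foreach ($group in ($blocked | Group-Object user, app)) {
        # Sliding window over sorted timestamps: any run of $BurstThreshold blocks within the window is a burst.
        $times = @($group.Group | ForEach-Object { [datetime]$_.time } | Sort-Object)
        $burst = $false
        for ($i = 0; $i + $BurstThreshold - 1 -lt $times.Count; $i++) {
            if (($times[$i + $BurstThreshold - 1] - $times[$i]).TotalMinutes -le $BurstWindowMinutes) {
                $burst = $true
                break
            }
        }

        [pscustomobject]@{
            User          = $group.Group[0].user
            App           = $group.Group[0].app
            BlockedCount  = $group.Count
            Extensions    = ($group.Group.file | ForEach-Object { [IO.Path]::GetExtension($_) } | Sort-Object -Unique) -join ','
            RepeatedBurst = $burst
            # A block on an internal user suggests the policy filter (or the CA policy scope) is too broad.
            InternalUser  = $group.Group[0].user -like "*@$InternalDomain"
        }
    }
}

Get-BlockedDownloadSummary -Events $events |
    Sort-Object BlockedCount -Descending |
    Format-Table -AutoSize
```

On the constructed sample, contractor1 shows three blocked Salesforce downloads in three minutes (a burst worth a look in the Investigate view), while alice@corp.example shows a single block that points at a filter catching internal staff, which is the kind of finding that leads to the filter adjustment the walk-through describes.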

Interaction with Related Technologies

Azure AD Conditional Access: CAAC is triggered by a Conditional Access policy that includes the "Use Conditional Access App Control" session control. The policy must target specific cloud apps (e.g., Salesforce) and include conditions like user risk or device compliance.

Microsoft Defender for Cloud Apps: CAAC is a feature of MDCA. Policies are created and managed in the MDCA portal. MDCA also provides app discovery, DLP, and anomaly detection.

Microsoft Information Protection (MIP): CAAC can integrate with MIP to automatically apply sensitivity labels to files downloaded from cloud apps, ensuring consistent data classification.

Azure Sentinel: CAAC logs can be ingested into Sentinel for advanced threat hunting and correlation with other security events.

Exam-Relevant Details

CAAC only works for browser-based sessions. Non-browser traffic (e.g., mobile apps, thick clients) is not intercepted.

CAAC supports over 50 cloud apps out-of-the-box, including Microsoft 365, Salesforce, Box, Dropbox, and ServiceNow.

Session policies can be applied to unmanaged devices (e.g., personal computers) or high-risk users.

The reverse proxy can introduce latency. Microsoft recommends using CAAC only for critical apps and users.

CAAC sees only the traffic the browser sends through the proxy; because the proxy terminates the browser's TLS connection, it can inspect that traffic, but nothing beyond it. For deep content inspection it relies on the cloud app’s API (e.g., SharePoint Online).

Walk-Through

1. Create Azure AD Conditional Access Policy

In the Azure portal, navigate to Azure Active Directory > Security > Conditional Access. Create a new policy and assign it to users and groups. Under 'Cloud apps or actions', select the target cloud app (e.g., Salesforce). Under 'Conditions', set risk levels or device platforms. Under 'Grant', choose 'Require multi-factor authentication' or other controls. Under 'Session', select 'Use Conditional Access App Control' and choose the enforcement mode (e.g., 'Monitor only' or 'Block downloads'). Save the policy.

2. Enable CAAC in Defender for Cloud Apps

In the Microsoft Defender for Cloud Apps portal, go to Settings > Conditional Access App Control. Click 'Enable Conditional Access App Control for apps'. This activates the reverse proxy infrastructure for your tenant. You must also ensure that the cloud app you want to control is listed under 'Connected apps'. If not, you can add it manually using the 'App catalog'.

3. Create a Session Policy

In Defender for Cloud Apps, go to Policies > Session policies > Create policy. Give the policy a name (e.g., 'Block downloads from Salesforce for external users'). Under 'Session control type', choose 'Control file download (with inspection)' or 'Block activities'. Set the filters: user (e.g., 'External users'), app (e.g., 'Salesforce'), and action (e.g., 'Download'). Under 'Actions', select 'Block'. Optionally, enable 'Inspect for malware' or 'Apply sensitivity label'. Save the policy.

4. Test the Policy

As a test user, attempt to access the target cloud app from a browser. The user should be redirected to the CAAC proxy URL (e.g., https://yourtenant.mcas.ms). If the policy blocks downloads, any attempt to download a file should result in a blocked page. Check the Defender for Cloud Apps Activity log for events tagged with 'Session control' and the action taken (e.g., 'Block download'). Verify that the user cannot bypass the proxy by accessing the app directly.

5. Monitor and Refine

Regularly review session logs and alerts in Defender for Cloud Apps. Use the 'Investigate' section to analyze user activities. If legitimate users are blocked, adjust the policy filters (e.g., exclude specific IP ranges). You can also create multiple session policies with different priorities. Use the 'Policy preview' feature to simulate user sessions before enabling policies broadly.
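The following PowerShell is an added example, not code from the chapter or from Microsoft. It performs walk-through step 1 (the Conditional Access policy carrying the "Use Conditional Access App Control" session control) and the sign-in-log part of step 4 through the Microsoft Graph PowerShell SDK instead of the portal. It assumes the Microsoft.Graph module is installed, that the signed-in account holds the Policy.ReadWrite.ConditionalAccess and AuditLog.Read.All permissions, that external contractors are collected in a group (the group object ID and the Salesforce enterprise app ID are placeholders for your tenant's values), and that the session policies themselves already exist in Defender for Cloud Apps as in steps 2 and 3.

```powershell
# Added example: Conditional Access policy with App Control session control, plus sign-in-log verification.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "AuditLog.Read.All"

$externalUsersGroupId = "<GROUP-OBJECT-ID>"     # placeholder: group containing external contractors
$salesforceAppId      = "<SALESFORCE-APP-ID>"   # placeholder: appId of the Salesforce enterprise app
$policyName           = "CAAC - Salesforce - external users"

# Step 1: the policy that hands browser sessions to the Defender for Cloud Apps proxy.
# cloudAppSecurityType "mcasConfigured" defers to the session policies defined in
# Defender for Cloud Apps; "monitorOnly" and "blockDownloads" are the built-in modes.
$body = @{
    displayName = $policyName
    state       = "enabledForReportingButNotEnforced"   # report-only first; switch to "enabled" once step 4 looks right
    conditions  = @{
        users          = @{ includeGroups = @($externalUsersGroupId) }
        applications   = @{ includeApplications = @($salesforceAppId) }
        clientAppTypes = @("browser")                    # the proxy only ever sees browser sessions
    }
    sessionControls = @{
        cloudAppSecurity = @{
            isEnabled            = $true
            cloudAppSecurityType = "mcasConfigured"
        }
    }
}
$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter $body
"Created policy $($policy.Id) in state $($policy.State)"

# Step 4: read the sign-in log. Each sign-in records which Conditional Access policies
# were evaluated and their result, so a test sign-in should list this policy.
$signIns = Get-MgAuditLogSignIn -Filter "appDisplayName eq 'Salesforce'" -Top 200

$signIns | ForEach-Object {
    $applied = $_.AppliedConditionalAccessPolicies | Where-Object { $_.DisplayName -eq $policyName }
    [pscustomobject]@{
        When      = $_.CreatedDateTime
        User      = $_.UserPrincipalName
        ClientApp = $_.ClientAppUsed     # anything other than "Browser" never reaches the proxy
        Result    = if ($applied) { $applied.Result } else { "policy not evaluated" }
    }
} | Format-Table -AutoSize

# The gap the chapter warns about: sign-ins from native clients bypass the proxy entirely.
$native = @($signIns | Where-Object { $_.ClientAppUsed -ne "Browser" })
"$($native.Count) of $(@($signIns).Count) recent Salesforce sign-ins came from non-browser clients and were not proxied"
```

While the policy is in report-only state, a browser sign-in by a targeted user shows a Result of reportOnlySuccess; after switching the state to enabled it shows success and the browser is redirected to the proxy. The final count is a useful reminder that a Conditional Access policy scoped to browsers does nothing for the native-client sign-ins it reports, which need other controls.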

What This Looks Like on the Job

Enterprise Scenario 1: Protecting Sensitive Data in Salesforce

A multinational corporation uses Salesforce to manage customer data. They need to ensure that external contractors cannot download sensitive reports to their unmanaged devices. The security team deploys CAAC by creating a Conditional Access policy that applies to all external users accessing Salesforce. In Defender for Cloud Apps, they create a session policy that blocks file downloads and applies a 'Confidential' sensitivity label via Microsoft Information Protection. In production, they observe that some users experience slight latency (200-300ms) due to the reverse proxy. They mitigate this by enabling CAAC only for external users, not internal employees. A common misconfiguration is forgetting to exclude internal IP ranges in the Conditional Access policy, causing unnecessary proxy overhead for internal traffic.

Enterprise Scenario 2: Enforcing MFA for Box Access

A healthcare organization uses Box to share patient records. Their compliance policy requires multi-factor authentication (MFA) for all access from outside the corporate network. They implement CAAC by creating a Conditional Access policy that triggers session control for Box when the device is not marked as compliant. The CAAC session policy then requires MFA before allowing any file download. In practice, this works seamlessly: the user authenticates via Azure AD, gets redirected to the CAAC proxy, and is prompted for MFA. However, users on mobile browsers (e.g., Safari on iPhone) may experience issues because CAAC does not support all mobile browsers fully. The team solves this by whitelisting corporate-managed devices using device tags.

Scenario 3: Malware Inspection for SharePoint Online

An enterprise uses SharePoint Online for document collaboration. They want to inspect all uploaded files for malware before they reach the library. CAAC can integrate with Microsoft Defender for Endpoint to scan files in transit. The security team creates a session policy with 'Inspect for malware' enabled. When a user uploads a file, the proxy sends it to the cloud for scanning. If malware is detected, the upload is blocked. This works well but can cause delays for large files (e.g., >100 MB). The team sets a file size limit of 50 MB for inspection to avoid timeouts. Misconfiguration often occurs when the policy is applied to all uploads, including internal transfers, causing unnecessary scanning overhead.

How SC-200 Actually Tests This

SC-200 Exam Focus

Conditional Access App Control is tested under objective 1.4: Monitor and manage security in Microsoft Defender for Cloud Apps. The exam expects you to understand:

- How CAAC integrates with Azure AD Conditional Access: You must know that CAAC is triggered by a Conditional Access policy's session control, not by a standalone CAAC policy.

- The difference between session policies and access policies: Session policies control behavior within a session (e.g., block downloads), while access policies control whether access is granted at all (e.g., block sign-in).

- Supported cloud apps: The exam may list specific apps like Salesforce, Box, Dropbox, or ServiceNow. Know that CAAC works with any SAML-based or OAuth-based SaaS app, but out-of-the-box support exists for over 50 apps.

- Reverse proxy limitations: CAAC only works for browser traffic. It cannot control native app traffic (e.g., Outlook client, OneDrive sync). This is a common trap.

Common Wrong Answers and Why Candidates Choose Them

1. "CAAC can control traffic from any device or app." This is false. CAAC only intercepts browser-based sessions. Native apps use different protocols (e.g., REST API) and are not proxied.

2. "CAAC policies are created in Azure AD Conditional Access." This is partially correct but misleading. The trigger (session control) is in Azure AD, but the actual rules (block download, inspect) are created in Defender for Cloud Apps.

3. "CAAC requires the cloud app to be configured with a custom domain." No. CAAC uses a Microsoft-owned proxy domain (tenant.mcas.ms). No app-side configuration is needed.

4. "CAAC can block downloads by inspecting the file content in real-time." It can block downloads, but deep content inspection (e.g., DLP) requires the app to support API integration (e.g., SharePoint Online). For other apps, CAAC can only block based on file extension or metadata.

Specific Numbers and Terms

Default session timeout: 60 minutes of inactivity.

Maximum session duration: 8 hours.

Supported browsers: Edge, Chrome, Firefox, Safari (latest versions).

Proxy URL format: https://<tenant>.mcas.ms.

Inspection types: 'Control file download (with inspection)' and 'Block activities'.

Edge Cases and Exceptions

Guest users: CAAC can be applied to B2B guest users. The Conditional Access policy must target 'External users'.

Hybrid Azure AD joined devices: If a device is already compliant, CAAC may not be triggered unless the policy explicitly requires session control.

Multiple cloud apps: A single session policy can target multiple apps, but each app may have different capabilities. For example, 'Inspect for malware' works only with SharePoint and OneDrive.

How to Eliminate Wrong Answers

Focus on the mechanism: CAAC is a reverse proxy that intercepts browser traffic. If an answer suggests it works with non-browser traffic, it's wrong. If it says policies are created only in Azure AD, it's wrong. Look for keywords like 'real-time', 'session control', and 'reverse proxy' in correct answers.

Key Takeaways

CAAC is a reverse proxy that only intercepts browser-based traffic; native apps are not controlled.

Session policies are created in Defender for Cloud Apps, triggered by Azure AD Conditional Access session control.

Default idle session timeout is 60 minutes; maximum session duration is 8 hours.

CAAC supports over 50 cloud apps out-of-the-box, including Salesforce, Box, and ServiceNow.

Deep file inspection (DLP, malware) is only available for apps with API integration (e.g., SharePoint Online).

CAAC requires a license for Defender for Cloud Apps (standalone or as part of Microsoft 365 E5).

The proxy URL format is https://<tenant>.mcas.ms.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

Conditional Access App Control (CAAC)

Works at the session level, controlling actions within an app (e.g., block downloads).

Uses reverse proxy to intercept browser traffic in real-time.

Requires Defender for Cloud Apps license and configuration.

Supports inspection of file content for DLP and malware (limited to certain apps).

Can apply sensitivity labels automatically on downloads.

Azure AD Conditional Access (Standard)

Works at the authentication level, controlling who can sign in (e.g., require MFA).

Does not intercept traffic; only evaluates access tokens.

Included with Azure AD P1/P2 licenses.

Cannot inspect file content or control actions within a session.

Cannot modify data or apply labels.

Watch Out for These

Mistake: CAAC can monitor and control traffic from mobile apps and desktop clients.

Correct: CAAC only works for browser-based sessions. Native apps (e.g., Outlook, OneDrive sync client, mobile apps) bypass the proxy and cannot be controlled by CAAC. For those, you need app governance or API-based controls.

Mistake: CAAC policies are created entirely within Azure AD Conditional Access.

Correct: The trigger (session control) is configured in Azure AD, but the actual enforcement rules (e.g., block download, inspect for malware) are defined in Defender for Cloud Apps session policies. Both are required.

Mistake: CAAC can inspect and block all types of file uploads and downloads in any cloud app.

Correct: Deep file inspection (e.g., DLP, malware scanning) is only available for apps that support API integration, such as SharePoint Online and OneDrive. For other apps, CAAC can only block based on file extension or metadata.

Mistake: CAAC requires the cloud app to be configured with a custom domain or federation.

Correct: No configuration is needed on the cloud app side. CAAC uses a reverse proxy URL (tenant.mcas.ms) that intercepts traffic transparently. The app sees traffic coming from the proxy, not the user.

Mistake: CAAC policies apply to all users and devices by default once enabled.

Correct: CAAC is only applied when a Conditional Access policy explicitly includes the 'Use Conditional Access App Control' session control. Without that policy, no session control occurs.


Frequently Asked Questions

What is the difference between a session policy and an access policy in Defender for Cloud Apps?

An access policy controls whether a user can sign in to a cloud app (e.g., block sign-in from untrusted IPs). A session policy controls what the user can do after signing in, such as blocking downloads or requiring MFA within the session. Access policies are enforced at the authentication level, while session policies use the reverse proxy to monitor and control actions in real-time.

Can CAAC be used with non-Microsoft cloud apps like Salesforce or Box?

Yes, CAAC supports over 50 popular cloud apps including Salesforce, Box, Dropbox, ServiceNow, and Workday. The list is continuously updated. For unsupported apps, you can add them manually using the app catalog, but functionality may be limited.

Does CAAC work with mobile browsers?

CAAC supports the latest versions of Edge, Chrome, Firefox, and Safari on desktop. Mobile browsers are partially supported, but full functionality is not guaranteed. Microsoft recommends using desktop browsers for CAAC-controlled sessions.

What happens if a user tries to bypass the CAAC proxy?

The user cannot bypass the proxy because the Conditional Access policy redirects all traffic to the proxy. If the user attempts to access the cloud app directly, Azure AD will enforce the policy and redirect them to the proxy. However, if the user uses a native app (e.g., Salesforce mobile app), the proxy is not involved, and the policy may not be enforced.

How does CAAC handle session timeouts?

The default idle session timeout is 60 minutes. If there is no activity for 60 minutes, the proxy terminates the session. The maximum session duration is 8 hours. These values can be configured in the Azure AD Conditional Access policy under 'Session' > 'App control'.

Is CAAC available in all Azure regions?

CAAC is available in all Azure commercial regions, but the proxy infrastructure is hosted in Microsoft's global network. Performance may vary depending on the user's geographic location. Microsoft recommends using CAAC only for critical apps to minimize latency impact.

Can CAAC be used to enforce DLP policies?

Yes, CAAC can integrate with Microsoft Information Protection (MIP) to apply sensitivity labels and enforce DLP rules. For example, you can create a session policy that blocks download of files labeled 'Highly Confidential'. This integration works best with SharePoint Online and OneDrive, where deep inspection is possible.
