u/Suspicious_Tension37

Hey everyone,

I have been doing some hands-on testing with Microsoft Defender for Cloud Apps session policies and CA App Control and stumbled across some behaviour that is confusing me.

My understanding of how it works: The Conditional Access policy with "Use Conditional Access App Control -- Use custom policy" session control acts as the on-ramp that routes the user's browser session through the MDCA proxy. Once routed, MDCA enforces the session policy rules like block downloads, block uploads etc.

What I found through testing: I disabled the CA policy entirely and left only the MDCA session policy active with a user filter scoped to my own account. When I tried to download a file from SharePoint, the download was still blocked even though:

There was no monitoring banner
The URL did not change to .mcas.ms
The CA policy was completely disabled

This suggests the session policy is enforcing independently without the CA policy routing the session through the proxy.

My environment:

Microsoft 365 E5
Microsoft Defender for Endpoint P2 integrated with MDCA
Managed Windows device enrolled in Intune
Session policy type: Control file download with inspection
Filter: specific user account

My theories:

The MDE integration is allowing MDCA to enforce session policies at the endpoint level rather than through proxy routing
MDCA has a separate enforcement mechanism for directly targeted users that does not rely on proxy routing
The CA policy is only needed for the monitoring banner and proxy routing but not for actual policy enforcement

Has anyone else encountered this? Is this expected behaviour or something worth investigating further?

Eastwest Gold cashback?

MDCA Session Policy enforcing without CA App Control policy active, is this expected behaviour?