MicrosoftDocs
diff --git a/‎CloudAppSecurityDocs/app-onboarding.md‎
Lines changed: 65 additions & 0 deletions b/‎CloudAppSecurityDocs/app-onboarding.md‎
Lines changed: 65 additions & 0 deletions
diff --git a/‎CloudAppSecurityDocs/media/caac-app-onboarding/filter.png‎
15.6 KB b/‎CloudAppSecurityDocs/media/caac-app-onboarding/filter.png‎
15.6 KB
diff --git a/‎CloudAppSecurityDocs/media/caac-app-onboarding/process.png‎
63.5 KB b/‎CloudAppSecurityDocs/media/caac-app-onboarding/process.png‎
63.5 KB
diff --git a/‎CloudAppSecurityDocs/media/caac-app-onboarding/recommendation.png‎
14.3 KB b/‎CloudAppSecurityDocs/media/caac-app-onboarding/recommendation.png‎
14.3 KB
diff --git a/‎CloudAppSecurityDocs/toc.yml‎
Lines changed: 19 additions & 16 deletions b/‎CloudAppSecurityDocs/toc.yml‎
Lines changed: 19 additions & 16 deletions
@@ -0,0 +1,65 @@
+---  
+title: Automatically onboard Microsoft Entra ID apps 
+description:  Learn how to automatically onboard Microsoft Entra ID apps to Microsoft Defender for Cloud Apps conditional access app control
+author:  Adipkmic
+ms.author: adipavekatz  
+manager:  raynew
+ms.date: 10/10/2024  
+ms.topic:  concept-article
+ms.service: defender-for-cloud-apps
+ms.custom: QuickDraft, ai-usage
+ms.reviewer: adipavekatz  
+search.appverid: MET150  
+---  
+
+# Automatically onboard Microsoft Entra ID apps to conditional access app control
+
+All SaaS applications that exist in the Microsoft Entra ID catalog will be available automatically in the policy app filter. The following image shows the high-level process for configuring and implementing Conditional Access app control:
+
+:::image type="content" source="media/caac-app-onboarding/process.png" alt-text="Diagram of the process for configuring and implementing conditional access app control.":::
+
+## Prerequisites
+
+- Your organization must have the following licenses to use Conditional Access App Control:
+  - Microsoft Defender for Cloud Apps
+- Apps must be configured with single sign-on in Microsoft Entra ID
+
+Fully performing and testing the procedures in this article requires that you have a session or access policy configured. For more information, see:
+
+- [Create Microsoft Defender for Cloud Apps access policies](https://example.com)
+- [Create Microsoft Defender for Cloud Apps session policies](https://example.com)
+
+## Supported Apps
+
+All SaaS apps listed in the Microsoft Entra ID catalog will be available for filtering within the Microsoft Defender for Cloud Apps session and access policies. Each app chosen in the filter will automatically be onboarded into the system and will be controlled.
+
+:::image type="content" source="media/caac-app-onboarding/filter.png" alt-text="Screenshot of the filter showing automatically onboarded apps.":::
+
+If an application isn't listed, you have the option to manually onboard it as outlined in the provided instructions.
+
+**Note:** Dependency on Microsoft Entra ID Conditional Access policy:
+
+All apps listed in the Microsoft Entra ID catalog will be available for filtering within Microsoft Defender for Cloud Apps session and access policies. However, only those applications that are included in Microsoft Entra ID's conditional policy with Microsoft Defender for Cloud Apps permissions will be actively managed within access or session policies.
+
+When creating a policy, if the relevant Microsoft Entra ID's conditional policy is missing, an alert will appear, both during the policy creation process and upon saving the policy.
+
+**Note:** To ensure that this policy runs as expected, we recommend checking the Microsoft Entra Conditional Access policies created in Microsoft Entra ID. You can see the full Microsoft Entra Conditional Access policies list in a banner on the create policy page.
+
+:::image type="content" source="media/caac-app-onboarding/recommendation.png" alt-text="Screenshot of the recommendation shown in the portal.":::
+
+## Conditional Access App Control Configuration Page
+
+Admins will be able to control app configurations such as:
+
+- **Status:** App status - Disable or Enable
+- **Policies:** Does at least one inline policy connect
+- **IDP:** Onboarded app via IDP via Microsoft Entra or Non-MS IDP
+- **Edit app:** Edit app configuration such as adding domains or disabling the app.
+
+All apps that automatically onboarded will be set to "enabled" by default. Following the initial sign-in by a user, administrators will have the ability to view the application under **Settings** \> **Connected apps** \> **Conditional Access App Control apps**.
+
+
+## Common App Misconfigurations
+
+- [Second sign-in (also known as 'second sign-in')](troubleshooting-proxy.md#second-sign-in-also-known-as-second-login)
+- [Missing domains](troubleshooting-proxy.md#add-domains-for-your-app)
@@ -208,7 +208,6 @@ items:
     - name: Troubleshoot policies
       href: troubleshoot-policies.md
   - name: Configure threat protection
-
     items:
     - name: Detect suspicious user activity with UEBA
       href: tutorial-suspicious-activity.md
@@ -237,22 +236,26 @@ items:
     - name: Identity-managed devices with conditional access app control
       displayName: Conditional Access app control, caac
       href: conditional-access-app-control-identity.md
-    - name: Manual onboarding for Microsoft IdP
-      href: apps-manual-onboarding-with-microsoft-entra-id.md
-    - name: Onboard catalog and custom apps with a non-Microsoft IdP
+    - name: App onboarding
       items:
-      - name: Onboard non-Microsoft IdP catalog apps 
-        displayName: Conditional Access app control, caac
-        href: proxy-deployment-featured-idp.md
-      - name: Onboard non-Microsoft IdP custom apps
-        displayName: Conditional Access app control, caac
-        href: proxy-deployment-any-app-idp.md
-      - name: Deploy for any web app with PingOne
-        href: proxy-idp-pingone.md
-      - name: Deploy for any web app using AD FS
-        href: proxy-idp-adfs.md
-      - name: Deploy for any web app using Okta
-        href: proxy-idp-okta.md     
+      - name: Automatic onboarding for Microsoft IdP
+        href: app-onboarding.md
+      - name: Manual onboarding for Microsoft IdP
+        href: apps-manual-onboarding-with-microsoft-entra-id.md
+      - name: Onboard catalog and custom apps with a non-Microsoft IdP
+        items:
+        - name: Onboard non-Microsoft IdP catalog apps 
+          displayName: Conditional Access app control, caac
+          href: proxy-deployment-featured-idp.md
+        - name: Onboard non-Microsoft IdP custom apps
+          displayName: Conditional Access app control, caac
+          href: proxy-deployment-any-app-idp.md
+        - name: Deploy for any web app with PingOne
+          href: proxy-idp-pingone.md
+        - name: Deploy for any web app using AD FS
+          href: proxy-idp-adfs.md
+        - name: Deploy for any web app using Okta
+          href: proxy-idp-okta.md     
     - name: Use in-browser protection (Microsoft Edge for Business)
       href: in-browser-protection.md    
     - name: Require step-up authentication upon risky action