diff --git a/defender-for-cloud-apps/includes/entra-conditional-access-policy.md b/defender-for-cloud-apps/includes/entra-conditional-access-policy.md index 3da8471a76..0ab8ab5109 100644 --- a/defender-for-cloud-apps/includes/entra-conditional-access-policy.md +++ b/defender-for-cloud-apps/includes/entra-conditional-access-policy.md @@ -38,6 +38,13 @@ For more information, see [Conditional Access policies](/azure/active-directory/ To protect your SaaS applications with Session Controls, you must allow access to this application. > >If you have any Conditional Access policies that have **“Block Access”** selected in the **“Grant Access”** Control under a Microsoft Entra ID Conditional Access policy scoped to this app, end users will not be able to access the protected applications under session controls.

->It's important to ensure that this application isn't unintentionally restricted by any Conditional Access policies. For policies that restrict all or certain applications, please ensure this application is listed as an exception in the **Target resources** or confirm that the blocking policy is deliberate.
+>It's important to ensure that this application isn't unintentionally restricted by any Conditional Access policies. For policies that restrict all or certain applications, please ensure this application is listed as an exception in the **Target resources** or confirm that the blocking policy is deliberate. +> +>You may need to add create the following service principal to make the app available in the Conditional Access app picker. +># Connect with the appropriate scopes to create service principal +Connect-MgGraph -Scopes "Application.ReadWrite.All" + +# Create service principal for the service **Microsoft Defender for Cloud Apps - Session Controls** +New-MgServicePrincipal -AppId 8a0c2593-9cbc-4f86-a247-beb7aab00d83
> >To ensure your location-based conditional access policies function correctly, include the **Microsoft Defender for Cloud Apps – Session Controls** application in those policies.
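Review bot: The new PowerShell block in this hunk will not render as code: it has no fenced code block, the `># Connect with the appropriate scopes ...` line will render as a Markdown heading inside the blockquote, and the `Connect-MgGraph` / `New-MgServicePrincipal` lines are missing the leading `>` so they fall out of the note entirely. Wrap the commands in a `powershell` fence inside the quote, keeping the `>` prefix on every line, roughly: `> ```powershell` / `> Connect-MgGraph -Scopes "Application.ReadWrite.All"` / `> New-MgServicePrincipal -AppId 8a0c2593-9cbc-4f86-a247-beb7aab00d83` followed by a closing fence. Also fix "You may need to add create the following service principal" (drop "add"), and consider stating that `Application.ReadWrite.All` is a tenant-wide write scope, so readers should run this once from an account that is expected to hold that permission rather than granting it broadly.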