Microsoft Cloud App Security (now part of Microsoft Defender for Cloud Apps) integrates with Azure AD Conditional Access to enable real-time monitoring and control over user sessions in cloud applications. This feature, called Conditional Access App Control, acts as a reverse proxy. When a user session is routed through it, administrators can enforce granular policies, such as blocking file downloads, protecting files on download with sensitivity labels, or monitoring specific user activities within the app. This provides a powerful way to prevent data leakage and enforce security compliance in real time for sanctioned applications.

Microsoft Learn. "Deploy Conditional Access App Control for featured apps." Microsoft Defender for Cloud Apps Documentation. States, "Session controls in Microsoft Defender for Cloud Apps work with Azure AD Conditional Access to monitor and control user app sessions in real time, based on access and session policies."

Microsoft Learn. "Conditional Access - Session." Azure Active Directory Documentation. Under the "Use Conditional Access App Control" section, it explains, "Conditional Access App Control uses signals from Microsoft Defender for Cloud Apps to apply access controls on an organization's cloud apps."

Microsoft Learn. "What is a session policy?" Microsoft Defender for Cloud Apps Documentation. Describes the capability: "Defender for Cloud Apps session policies enable real-time session-level monitoring, granting you granular visibility into cloud apps and the ability to control different actions depending on the user, location, device, and app."