As you know, Azure AD (P1 license minimum) allows you to set up Conditional Access to secure access to your applications and your workload identities.
When it comes to selecting the applications/workloads to include in the condition, you have the choice to apply it to all cloud applications or only to explicitly selected ones.
The latter obviously introduces a potential gap in the condition: when new cloud applications are added, the condition also needs to be updated, which is often missed and forgotten.
To help ensure that all the applications you intend to protect (including ones added after the Conditional Access policy was configured) are always covered and included in the condition, you can now use a custom security attribute (see https://t.co/cNBUIKn6em) to tag your applications and use that attribute in the condition.
To start using this new capability, connect to your Azure AD portal (https://aad.portal.azure.com/) or Entra portal (https://entra.microsoft.com/) to first tag your applications with the custom security attribute.
NOTE: you will need the Global Administrator, Attribute Definition Administrator or Attribute Assignment Administrator role assigned to your account.
If you have not yet created such a custom security attribute, you will first need to create it – see https://t.co/cNBUIKn6em
Azure Active Directory\Enterprise Applications (AAD) or Applications\Enterprise Applications (Entra)
Then select the application you want to tag and assign the attribute value to it.
Once done, access the Conditional Access configuration blade to create (or edit) your policy so that it uses the security attribute.
Azure Active Directory\Security\Conditional Access\Policies (AAD) or Protect & secure\Conditional Access\Policies (Entra)
The option to use the security attribute is available in the Cloud apps or actions section.
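As an added example (not part of the original post), here is a small coverage check for the gap described above: it takes service principals in the shape Microsoft Graph returns them and reports which applications do not carry the attribute value the policy filters on, so untagged (typically newly added) apps are easy to spot. The attribute set "ConditionalAccess", the attribute "RequireMfa" and the sample apps are constructed placeholders.

```python
import json

# Constructed sample in the shape of a Microsoft Graph response to
#   GET /servicePrincipals?$select=id,displayName,customSecurityAttributes
# Not from a real tenant; ids, names and attribute set are placeholders.
SAMPLE_RESPONSE = json.loads("""
{"value": [
  {"id": "sp-0001", "displayName": "Finance Portal",
   "customSecurityAttributes": {"ConditionalAccess": {
     "@odata.type": "#microsoft.graph.customSecurityAttributeValue",
     "RequireMfa": "Yes"}}},
  {"id": "sp-0002", "displayName": "HR App",
   "customSecurityAttributes": {"ConditionalAccess": {
     "@odata.type": "#microsoft.graph.customSecurityAttributeValue",
     "RequireMfa": "No"}}},
  {"id": "sp-0003", "displayName": "New Wiki",
   "customSecurityAttributes": null},
  {"id": "sp-0004", "displayName": "Legacy CRM",
   "customSecurityAttributes": {"Engineering": {
     "@odata.type": "#microsoft.graph.customSecurityAttributeValue",
     "Project": "Baker"}}}
]}
""")


def attribute_value(sp, attribute_set, attribute):
    """Return the attribute value, or None when the app is untagged,
    the attribute set is absent, or the attribute itself is missing."""
    attribute_sets = sp.get("customSecurityAttributes") or {}
    values = attribute_sets.get(attribute_set) or {}
    return values.get(attribute)


def matches(value, expected):
    """Multi-valued attributes come back as a list; single ones as a scalar."""
    if isinstance(value, list):
        return expected in value
    return value == expected


def coverage_report(service_principals, attribute_set, attribute, expected):
    """Split apps into those the attribute-based condition would catch
    and those that fall outside it (the gap the policy owner must close)."""
    covered, uncovered = [], []
    for sp in service_principals:
        value = attribute_value(sp, attribute_set, attribute)
        (covered if matches(value, expected) else uncovered).append(sp["displayName"])
    return {"covered": covered, "uncovered": uncovered}


if __name__ == "__main__":
    report = coverage_report(SAMPLE_RESPONSE["value"], "ConditionalAccess", "RequireMfa", "Yes")
    print(json.dumps(report, indent=2))
```

Run it against the live output of the Graph query named in the comment to get the list of apps that still need tagging.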