Whitelist and Blacklist category issue


I have added “portal.msrc.microsoft.com” this url in the custom category then added the group but unfortunately still user getting block.

  1. First Scenario
    I have added the specific user which was part that group, It is working. Then i again removed the user then I update the Zscaler Policy deleted browser cache memory as well.
    Still user was getting Block page.

2.Second Scenario
then I made this changes “.portal.msrc.microsoft.com” its got fix.

Would you all please elaborate this and what is the best recommendation?


usually, I always use the “.” wildcard, to avoid issues like www.foo.bar vs. foo.bar.

For whitelists, I almost always use “custom category”. Only for “SSL-bypasses” and similar I use “retain parent category”.

Always check the logs why something is blocked, this can help if a URL is assigned to more than one category and also helps to identify if there is an issues with the rule order or “cloud app policy” order.
In the logs you can also see, if the user is correctly authenticated, which should always be the case, if you use Client connector.

Best regards

Also check this-

By default, the Cloud App Control policy takes precedence over the URL Filtering policy. If a user requests a Cloud App that you explicitly allow with Cloud App Control policy, the service only applies the Cloud App Control policy and not the URL Filtering policy. For example, if you have a Cloud App Control policy rule that allows viewing Facebook, but a URL Filtering policy rule that blocks www.facebook.com, a user will still be allowed to view Facebook. This is because, by default, the service does not apply the URL Filtering policy if a Cloud App Control policy rule allows the transaction.

However, this behavior changes if you enable Allow Cascading to URL Filtering in Advanced Settings. If you do, the service applies the URL Filtering policy even if it applies a Cloud App Control policy rule allowing the transaction. Therefore in the example above, with cascading enabled, the service will apply the URL Filtering policy and block the user from Facebook. If the example changed so that you had a Cloud Control Policy rule that blocked Facebook, while URL Filtering allowed it, Facebook would be blocked even if Allow Cascading to URL Filtering was enabled.