Overview
Within a Conditional Access policy, an administrator can make use of signals from conditions like risk, device platform, or location to enhance their policy decisions.
Multiple conditions can be combined to create fine-grained and specific Conditional Access policies.
When users access a sensitive application, an administrator may factor multiple conditions into their access decisions like:
•Sign-in risk information from Identity Protection
•Network location
•Device information
See full list on learn.microsoft.com
Sign-in risk
Administrators with access to Identity Protection, can evaluate sign-in risk as part of a Conditional Access policy. Sign-in risk represents the probability that a given authentication request wasn't made by the identity owner. More information about sign-in risk can be found in the articles, What is risk and How To: Configure and enable risk polic
User risk
Administrators with access to Identity Protection, can evaluate user risk as part of a Conditional Access policy. User risk represents the probability that a given identity or account is compromised. More information about user risk can be found in the articles, What is risk and How To: Configure and enable risk policies.
See full list on learn.microsoft.com
Device platforms
Conditional Access identifies the device platform by using information provided by the device, such as user agent strings. Since user agent strings can be modified, this information is unverified. Device platform should be used in concert with Microsoft Intune device compliance policies or as part of a block statement. The default is to apply to all device platforms.
Conditional Access supports the following device platforms:
•Android
•iOS
•Windows
•macOS
See full list on learn.microsoft.com
Locations
When administrators configure location as a condition, they can choose to include or exclude locations. These named locations may include the public IPv4 or IPv6 network information, country or region, unknown areas that don't map to specific countries or regions, and Global Secure Access' compliant network.
When including any location, this option includes any IP address on the internet not just configured named locations. When administrators select any location, they can choose to exclude all trusted or selected locations.
See full list on learn.microsoft.com
Client apps
By default, all newly created Conditional Access policies apply to all client app types even if the client apps condition isn’t configured.
Important
Sign-ins from legacy authentication clients don’t support multifactor authentication (MFA) and don’t pass device state information, so they are blocked by Conditional Access grant controls, like requiring MFA or compliant devices. If you have accounts which must use legacy authentication, you must either exclude those accounts from the policy, or configure the policy to only apply to modern authentication clients.
The Configure toggle when set to Yes applies to checked items, when set to No it applies to all client apps, including modern and legacy authentication clients. This toggle doesn’t appear in policies created before August 2020.
•Modern authentication clients
•Browser
See full list on learn.microsoft.com
Device state (deprecated)
This feature has been deprecated. Customers should use the Filter for devices condition in the Conditional Access policy, to satisfy scenarios previously achieved using the device state condition.
Important
See full list on learn.microsoft.com
Filter for devices
When administrators configure filter for devices as a condition, they can choose to include or exclude devices based on a filter using a rule expression on device properties. The rule expression for filter for devices can be authored using rule builder or rule syntax. This experience is similar to the one used for dynamic membership rules for group
Next steps
•Conditional Access: Grant
•Common Conditional Access policies
See full list on learn.microsoft.com