This capability provides the ability to restrict issuance of an Entra ID access token, based on scenarios where a specific set of conditions are present. The issuance can either be blocked outright or dependent on the user satisfying specific access controls. A unique Entra ID access token is required to access any application which requires Entra ID sign in. An Entra ID Conditional Access policy can target just a single Entra ID application or any combination of Entra ID applications.
Access to an Entra ID application is the primary thing that can be protected with this capability, with a policy able to target one or many Entra ID applications.
A summary of the configuration options is represented in the grid below.
Assignments are an intersection of all options chosen, so you can assign a policy to as little as one user and one application.
All controls chosen are required. And if more than one policy applies, then all controls for all policies are required.
| Assignments | |
| Users and groups | Include | Exclude |
| Cloud apps | Include | Exclude |
| User actions | |
| Register security information | |
| Conditions | |
| Sign-in risk (Entra ID Identity Protection, via Entra ID P2) | High | Medium | Low | No risk |
| Note: Typical risks are atypical travel, unusual login, malware linked ip, leaked creds, known attack pattern | |
| Device platforms | Include | Exclude |
| Locations | Include | Exclude |
| Client apps | Browser | Mobile apps and desktop clients | Modern authentication clients | Exchange ActiveSync clients | Other clients |
| Device State | Include | Exclude, where {Device Hybrid Entra ID joined, Device marked as compliant} |
| Access controls | |
| Block access | |
| Grant access | Require Multi-Factor Authentication |
| Require device to be marked as compliant | |
| Require Hybrid Entra ID Joined device | |
| Require approved client app | |
| Require app protection policy | |
| Terms of Use | |
| Require one of the selected controls | |
| Require all of the selected controls | |
| Session | Use app enforced restrictions |
| Use Conditional access app control (Cloud App Security, via M365 A5)
See https://docs.microsoft.com/en-us/cloud-app-security/proxy-intro-aad & https://docs.microsoft.com/en-us/cloud-app-security/session-policy-aad |
|
| Sign-in frequency | |
| Persistent browser session | |
After a user has signed in and gotten an identity token from Entra ID, they use that identity token to request an access token so they can access an Entra ID application. Prior to issuing an access token, Entra ID will evaluate whether any Conditional Access policies apply. If so, it checks to see if the conditions are present, and if so, it requires the access controls. In some cases, the access controls are not interactive, so an error will be generated indicating what the user needs to do in order to successfully get an access token in the future.
Common patterns and how to leverage Conditional Access
Conditional Access can lead to significant unexpected impacts, so UW-IT has to exercise judicious vetting and practices to prevent undesirable outcomes. Also note that some of the CA conditions may not be viable. The most common pattern for a Conditional Access policy is a per-application policy which requires Duo 2FA. We would be happy to consider your request for a Conditional Access policy. Just send an email to help@uw.edu with a subject line of “Entra ID Conditional Access policy” to begin the process.