Entra ID Conditional Access

Last updated: November 15, 2023

This capability restricts issuance of an Entra ID access token when a specific set of conditions is present. Issuance can either be blocked outright or made dependent on the user satisfying specific access controls. A unique Entra ID access token is required to access any application that requires Entra ID sign-in. An Entra ID Conditional Access policy can target a single Entra ID application or any combination of Entra ID applications.

Entra ID Conditional Access topics

Access to an Entra ID application is the primary thing this capability protects; a policy can target one or many Entra ID applications.

A summary of the configuration options is represented in the grid below.

Assignments are an intersection of all options chosen, so you can assign a policy to as few as one user and one application.

All controls chosen are required, and if more than one policy applies, all controls for all policies are required.

Users and groups: Include | Exclude
Cloud apps: Include | Exclude
User actions: Register security information
Sign-in risk (Entra ID Identity Protection, via Entra ID P2): High | Medium | Low | No risk
    Note: Typical risks are atypical travel, unusual login, malware-linked IP, leaked creds, known attack pattern
Device platforms: Include | Exclude
Locations: Include | Exclude
Client apps: Browser | Mobile apps and desktop clients | Modern authentication clients | Exchange ActiveSync clients | Other clients
Device State: Include | Exclude, where {Device Hybrid Entra ID joined, Device marked as compliant}

Access controls
    Block access
    Grant access:
        Require Multi-Factor Authentication
        Require device to be marked as compliant
        Require Hybrid Entra ID Joined device
        Require approved client app
        Require app protection policy
        Terms of Use
        Require one of the selected controls
        Require all of the selected controls
    Session:
        Use app enforced restrictions
        Use Conditional Access app control (Cloud App Security, via M365 A5)
            See https://docs.microsoft.com/en-us/cloud-app-security/proxy-intro-aad and https://docs.microsoft.com/en-us/cloud-app-security/session-policy-aad
        frequency
        Persistent browser session


After a user has signed in and gotten an identity token from Entra ID, they use that identity token to request an access token so they can access an Entra ID application. Before issuing an access token, Entra ID evaluates whether any Conditional Access policies apply. For each policy that applies, it checks whether the policy's conditions are present and, if they are, requires the policy's access controls. In some cases the access controls are not interactive, so an error is generated indicating what the user needs to do in order to successfully get an access token in the future.
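The evaluation described above, combined with the rules that assignments are an intersection and that the controls of every applicable policy are required, can be sketched as a small model. This is an added example, not Microsoft's or UW-IT's code; the policy names, control labels, sign-in fields, and the rule that a block overrides grant controls are assumptions of the model.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Policy:
    name: str
    users: set                        # included users/groups; "All" matches anyone
    apps: set                         # included applications; "All" matches any app
    exclude_users: set = field(default_factory=set)
    locations: Optional[set] = None   # None: location condition not configured
    block: bool = False
    controls: set = field(default_factory=set)
    require_all: bool = True          # False: "Require one of the selected controls"

def applies(p, signin):
    """Assignments are an intersection: every configured option must match."""
    who = signin["principals"]        # the user plus their group memberships
    return (("All" in p.users or bool(p.users & who))
            and not (p.exclude_users & who)
            and ("All" in p.apps or signin["app"] in p.apps)
            and (p.locations is None or signin["location"] in p.locations))

def evaluate(policies, signin, satisfied):
    """Decide on access token issuance given the controls already satisfied."""
    matched = [p for p in policies if applies(p, signin)]
    if any(p.block for p in matched):   # model assumption: block overrides grants
        return "block", []
    unmet = []
    for p in matched:                   # controls of ALL matching policies are required
        if p.require_all:
            missing = p.controls - satisfied
        else:
            missing = set() if p.controls & satisfied else set(p.controls)
        if missing:
            unmet.append((p.name, sorted(missing)))
    return ("challenge", unmet) if unmet else ("issue_token", [])

# Constructed sample policies and sign-in (hypothetical names throughout).
POLICIES = [
    Policy("payroll-2fa", {"All"}, {"payroll"}, exclude_users={"breakglass"}, controls={"mfa"}),
    Policy("staff-device", {"staff"}, {"All"},
           controls={"compliantDevice", "hybridJoined"}, require_all=False),
    Policy("payroll-offsite-block", {"All"}, {"payroll"}, locations={"untrusted"}, block=True),
]
alice = {"principals": {"alice", "staff"}, "app": "payroll", "location": "campus"}

if __name__ == "__main__":
    print(evaluate(POLICIES, alice, set()))
    print(evaluate(POLICIES, alice, {"mfa", "hybridJoined"}))
    print(evaluate(POLICIES, {**alice, "location": "untrusted"}, {"mfa", "hybridJoined"}))
```

The list returned with a "challenge" decision plays the role of the error that tells the user which controls are still missing, and the excluded "breakglass" principal shows how an exclusion removes a sign-in from a policy's scope entirely.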

Common patterns and how to leverage Conditional Access

Conditional Access can lead to significant unexpected impacts, so UW-IT has to exercise judicious vetting and practices to prevent undesirable outcomes. Also note that some of the CA conditions may not be viable. The most common pattern for a Conditional Access policy is a per-application policy which requires Duo 2FA. We would be happy to consider your request for a Conditional Access policy. Just send an email to help@uw.edu with a subject line of “Entra ID Conditional Access policy” to begin the process.