Forum Discussion

AshishGupta1
Copper Contributor
Jul 07, 2024

Conditional Access Grant Access options

Scenario:

In Conditional Access Policies, under the grant controls section, we select 2 options:

1. Require multifactor authentication

2. Require approved client app

and then, for multiple controls, we select the "Require one of the selected controls" option.

 

Now assuming all the conditions defined in previous steps are satisfied, in this case which of the above 2 options would be evaluated? Is there a criteria? I tried checking the documentation, didn't find the answer there.

Also, does this mean if I am coming from an approved app, I don't have to do MFA?

Lastly, if this is the main MFA policy, then this configuration is not correct, right?

  • Vicky_bom3
    Brass Contributor

    AshishGupta1 

     

    Hey Ashish,

     

    I think I got the answer for you.

     

    If you have MFA and Require Approved Client App both selected with the condition "Require one of the selected controls", then MFA will be prompted first to the end user. If the end user satisfies the MFA condition, then the CA policy is satisfied and the user will get access to the application. If the end user doesn't satisfy the MFA condition, then the next condition, REQUIRE APPROVED CLIENT APP, will be evaluated.

     

    Here is a write-up from the official documentation:


    If a policy where "Require one of the selected controls" is selected, we prompt in the order defined; as soon as the policy requirements are satisfied, access is granted.

    All policies are enforced in two phases:

    Phase 1: Collect session details
    Gather session details, like network location and device identity, necessary for policy evaluation.
    Phase 1 of policy evaluation occurs for enabled policies and policies in report-only mode.

    Phase 2: Enforcement
    Use the session details gathered in phase 1 to identify any requirements that aren't met.
    If there's a policy that is configured with the block grant control, enforcement stops here and the user is blocked.
    The user is prompted to complete more grant control requirements that weren't satisfied during phase 1 in the following order, until the policy is satisfied:
    1. Multifactor authentication
    2. Device to be marked as compliant
    3. Microsoft Entra hybrid joined device
    4. Approved client app
    5. App protection policy
    6. Password change
    7. Terms of use
    8. Custom controls
    Once all grant controls are satisfied, apply session controls (app enforced, Microsoft Defender for Cloud Apps, and token lifetime).
    Phase 2 of policy evaluation occurs for all enabled policies.

     

    Here is the official link to the article - https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-conditional-access-policies

     

    Also, I would recommend going through the very beautiful VIDEO created by John - https://www.youtube.com/watch?v=OTvzzopaEBY&list=PLlVtbbG169nHdXukhQtg62RTqgoUmfYnY&index=53

     

    Thanks

    Vicky Rajdev

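    The evaluation order described in the answer above, modelled as a small Python script. This is an added example, not Microsoft's code or anything from the documentation: it walks the selected grant controls in the documented phase-2 prompt order, grants as soon as one is satisfied under "Require one of the selected controls" (operator "OR"), and requires every selected control under "Require all the selected controls" (operator "AND"). The policy fragment follows the shape of the Graph API's conditionalAccessGrantControls object (`operator`, `builtInControls`); the names `termsOfUse` and `customControls` are placeholders chosen here, since Graph models those as separate policy properties. The `mfa_can_be_bypassed` check answers the original poster's third question: with "OR" and another control selected, a sign-in from an approved client app is granted without MFA, so such a policy is not a real MFA policy.

```python
"""Toy model of Conditional Access grant-control evaluation (added example).

Not Microsoft code: it only reproduces the phase-2 behaviour quoted above.
Controls are walked in the documented prompt order; with operator "OR"
("Require one of the selected controls") access is granted as soon as one
selected control is satisfied, with "AND" every selected control must be.
"""
from dataclasses import dataclass, field

# Documented phase-2 prompt order. The first six names are the Graph
# builtInControls values; "termsOfUse" and "customControls" are placeholder
# names chosen here, since Graph models those as separate policy properties.
GRANT_CONTROL_ORDER = [
    "mfa",                  # Multifactor authentication
    "compliantDevice",      # Device marked as compliant
    "domainJoinedDevice",   # Microsoft Entra hybrid joined device
    "approvedApplication",  # Approved client app
    "compliantApplication", # App protection policy
    "passwordChange",       # Password change
    "termsOfUse",           # Terms of use (placeholder name)
    "customControls",       # Custom controls (placeholder name)
]


@dataclass
class SessionFacts:
    """Controls this sign-in can satisfy: phase-1 facts (e.g. the client is an
    approved app) plus any prompt the user completes (e.g. MFA)."""
    satisfied: set = field(default_factory=set)


def evaluate_grant(grant_controls: dict, facts: SessionFacts) -> dict:
    """Walk the selected controls in prompt order and return the decision,
    plus the list of controls that were actually evaluated."""
    selected = set(grant_controls["builtInControls"])
    operator = grant_controls["operator"]
    if "block" in selected:                       # block short-circuits everything
        return {"decision": "block", "evaluated": ["block"]}
    evaluated = []
    for control in (c for c in GRANT_CONTROL_ORDER if c in selected):
        evaluated.append(control)
        if control in facts.satisfied:
            if operator == "OR":                  # one satisfied control is enough
                return {"decision": "grant", "evaluated": evaluated,
                        "satisfied_by": control}
        elif operator == "AND":                   # first unmet control fails the policy
            return {"decision": "deny", "evaluated": evaluated, "failed": control}
    # OR: nothing satisfied -> deny; AND: everything satisfied -> grant
    return {"decision": "grant" if operator == "AND" else "deny",
            "evaluated": evaluated}


def mfa_can_be_bypassed(grant_controls: dict) -> bool:
    """Policy-review check: with "OR", any other selected control lets a
    sign-in through without MFA, so such a policy is not a real MFA policy."""
    selected = set(grant_controls["builtInControls"]) - {"block"}
    return grant_controls["operator"] == "OR" and "mfa" in selected and len(selected) > 1


if __name__ == "__main__":
    # Constructed policy fragment in the Graph conditionalAccessGrantControls shape.
    policy = {"operator": "OR", "builtInControls": ["mfa", "approvedApplication"]}
    print(evaluate_grant(policy, SessionFacts({"mfa"})))
    print(evaluate_grant(policy, SessionFacts({"approvedApplication"})))
    print("MFA bypassable:", mfa_can_be_bypassed(policy))
```

    Running the script shows the two cases from the answer: when the user completes MFA the policy is satisfied after the first control; when the sign-in comes from an approved client app but MFA is not completed, MFA is evaluated first and approved client app second, and access is still granted. Switching the operator to "AND" is what makes MFA mandatory.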
    • AshishGupta1
      Copper Contributor

      I was checking the Continuous Access Evaluation section, didn't find it there.

      Thanks, that's what I was looking for.

      • Vicky_bom3
        Brass Contributor

        AshishGupta1 

         

        Thanks Ashish for marking my response as the answer to your query.

         

        CAE is a completely different topic, which talks about invalidating the access token if any account changes are observed, like the account being disabled, locked out, etc., so you will not find the SEQUENCE/ORDER of CA policy GRANT options in CAE.

         

        Thanks

        Vicky