Conditional Access Grant Access options
Scenario:
In Conditional Access Policies, under the grant controls section, we select 2 options:
1. Require multifactor authentication
2. Require approved client app
and then, for multiple controls, we select the "Require one of the selected controls" option.
Now, assuming all the conditions defined in the previous steps are satisfied, which of the above 2 options would be evaluated in this case? Is there a criterion? I tried checking the documentation but didn't find the answer there.
Also, does this mean if I am coming from an approved app, I don't have to do MFA?
Lastly, if this is the main MFA policy, then this configuration is not correct, right?
Hey Ashish,
I think I got the answer for you.
If you have MFA and Require Approved Client App both selected with the condition "Require one of the selected controls", then MFA will be prompted first to the end user. If the end user satisfies the MFA condition, then the CA policy is satisfied and the user will get access to the application. If the end user doesn't satisfy the MFA condition, then the next condition, Require Approved Client App, will be evaluated.
Here is a write-up from the official documentation:
If a policy where "Require one of the selected controls" is selected, we prompt in the order defined; as soon as the policy requirements are satisfied, access is granted. All policies are enforced in two phases:
Phase 1: Collect session details
Gather session details, like network location and device identity necessary for policy evaluation.
Phase 1 of policy evaluation occurs for enabled policies and policies in report-only mode.
Phase 2: Enforcement
Use the session details gathered in phase 1 to identify any requirements that aren't met.
If there's a policy that is configured with the block grant control, enforcement stops here and the user is blocked.
The user is prompted to complete more grant control requirements that weren't satisfied during phase 1 in the following order, until the policy is satisfied:
1. Multifactor authentication
2. Device to be marked as compliant
3. Microsoft Entra hybrid joined device
4. Approved client app
5. App protection policy
6. Password change
7. Terms of use
8. Custom controls
Once all grant controls are satisfied, apply session controls (App Enforced, Microsoft Defender for Cloud Apps, and token Lifetime)
Phase 2 of policy evaluation occurs for all enabled policies.
Here is an official link to the article - https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-conditional-access-policies
Also, I would recommend going through the very beautiful video created by John - https://www.youtube.com/watch?v=OTvzzopaEBY&list=PLlVtbbG169nHdXukhQtg62RTqgoUmfYnY&index=53
Thanks
Vicky Rajdev
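The two grant-control configurations discussed in this thread, expressed as Microsoft Graph policy bodies and created with the Microsoft.Graph PowerShell SDK. This is an added example, not code from either poster or from Microsoft's documentation. It assumes the Microsoft.Graph module is installed and a Connect-MgGraph session with the Policy.ReadWrite.ConditionalAccess scope; the display names and the excluded emergency-access object id are placeholders. Variant A is the question's setup (operator "OR" is the Graph form of "Require one of the selected controls"): per the quoted documentation, MFA is prompted first and, if it is not satisfied, the approved-client-app control is evaluated next, so a sign-in from an approved client app can be granted without MFA. Variant B lists only the mfa control, which is the shape to use when the policy is meant to be the baseline MFA requirement. The final query lists any existing policies where mfa sits under an OR operator alongside other controls, which is the pattern to review.

```powershell
# Added example: Conditional Access grant-control variants via Microsoft Graph (PowerShell SDK).
# Prerequisites (assumed): Install-Module Microsoft.Graph
#   Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","Policy.Read.All"

# Shared conditions: all users except an emergency-access account, all cloud apps, all client app types.
$conditions = @{
    users = @{
        includeUsers = @("All")
        # Placeholder object id: replace with the tenant's break-glass account
        excludeUsers = @("00000000-0000-0000-0000-000000000000")
    }
    applications   = @{ includeApplications = @("All") }
    clientAppTypes = @("all")
}

# Variant A: the configuration from the question.
# operator "OR" == "Require one of the selected controls". Prompt order follows the documented
# phase-2 list: mfa first, then approvedApplication if mfa was not satisfied.
$policyOneOf = @{
    displayName   = "CA-Example-MFA-or-ApprovedApp"          # placeholder name
    state         = "enabledForReportingButNotEnforced"      # report-only: phase 1 runs, nothing is enforced
    conditions    = $conditions
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa", "approvedApplication")
    }
}

# Variant B: a baseline MFA policy. With a single control the operator has no alternative to fall
# through to, so every matching sign-in must satisfy MFA. (If both controls are genuinely wanted,
# operator "AND" is the Graph form of "Require all the selected controls".)
$policyMfaOnly = @{
    displayName   = "CA-Example-MFA-Baseline"                # placeholder name
    state         = "enabledForReportingButNotEnforced"
    conditions    = $conditions
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

# Create both in report-only mode; review the sign-in log's report-only results before switching
# state to "enabled".
New-MgIdentityConditionalAccessPolicy -BodyParameter $policyOneOf
New-MgIdentityConditionalAccessPolicy -BodyParameter $policyMfaOnly

# Review: list policies where "mfa" is one of several controls under an OR operator, i.e. policies
# in which another control can satisfy the grant instead of MFA.
Get-MgIdentityConditionalAccessPolicy -All |
    Where-Object {
        $_.GrantControls.Operator -eq "OR" -and
        $_.GrantControls.BuiltInControls -contains "mfa" -and
        $_.GrantControls.BuiltInControls.Count -gt 1
    } |
    Select-Object DisplayName, State,
        @{ n = "Controls"; e = { $_.GrantControls.BuiltInControls -join "," } }
```

Note that "Require approved client app" only applies to client app types that can present an approved app (mobile apps), so whether a given sign-in is satisfied by that control depends on the clientAppTypes condition as well as the grant controls; running the policy in report-only mode first shows which sign-ins would be granted by which control.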