Forum Discussion
Conditional Access Grant Access options
- Jul 07, 2024
Hey Ashish,
I think I got the answer for you.
If you have MFA and Require Approved Client App both selected with the condition "Require one of the selected controls", then MFA will be prompted first to the end user. If the end user satisfies the MFA condition, then the CA policy is satisfied and the user will get access to the application. If the end user doesn't satisfy the MFA condition, then the next condition, REQUIRE APPROVED CLIENT APP, will be evaluated.
Here is a write-up from the official documentation:
If a policy where "Require one of the selected controls" is selected, we prompt in the order defined; as soon as the policy requirements are satisfied, access is granted.
All policies are enforced in two phases:
Phase 1: Collect session details
Gather session details, like network location and device identity, necessary for policy evaluation.
Phase 1 of policy evaluation occurs for enabled policies and policies in report-only mode.
Phase 2: Enforcement
Use the session details gathered in phase 1 to identify any requirements that aren't met.
If there's a policy that is configured with the block grant control, enforcement stops here and the user is blocked.
The user is prompted to complete more grant control requirements that weren't satisfied during phase 1 in the following order, until the policy is satisfied:
Multifactor authentication
Device to be marked as compliant
Microsoft Entra hybrid joined device
Approved client app
App protection policy
Password change
Terms of use
Custom controls
Once all grant controls are satisfied, apply session controls (App Enforced, Microsoft Defender for Cloud Apps, and token lifetime).
Phase 2 of policy evaluation occurs for all enabled policies.
Here is an official link to the article - https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-conditional-access-policies
Also I would recommend going through the very beautiful VIDEO created by John - https://www.youtube.com/watch?v=OTvzzopaEBY&list=PLlVtbbG169nHdXukhQtg62RTqgoUmfYnY&index=53
Thanks
Vicky Rajdev
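As an added illustration of the two-phase evaluation quoted above (this is not code from the thread, from Microsoft, or from the linked documentation), here is a small Python model of how the grant controls are walked in the documented order. The short control names, the split between "passive" controls decided from phase 1 session details and interactive controls that prompt the user, and the sample sessions are all assumptions of this model; it exists only to make the "Require one of" versus "Require all" behaviour concrete.

```python
"""Simplified model of Entra Conditional Access grant-control evaluation.

Assumptions (not from the official docs): control names are abbreviated,
device/app controls are treated as non-interactive, and a Session object
stands in for the phase 1 session details plus the user's prompt outcomes.
"""
from dataclasses import dataclass, field

# Prompt order for unsatisfied grant controls, as quoted in the post above.
GRANT_ORDER = [
    "mfa",
    "compliant_device",
    "hybrid_joined_device",
    "approved_client_app",
    "app_protection_policy",
    "password_change",
    "terms_of_use",
    "custom_controls",
]

# Assumption for this model: these controls are decided purely from the
# session details gathered in phase 1 and cannot be fixed by prompting.
PASSIVE_CONTROLS = {
    "compliant_device",
    "hybrid_joined_device",
    "approved_client_app",
    "app_protection_policy",
}


@dataclass
class Policy:
    name: str
    controls: list               # selected grant controls, any order
    require_all: bool = False    # False = "Require one of the selected controls"
    block: bool = False          # "Block access" grant control


@dataclass
class Session:
    satisfied: set = field(default_factory=set)     # phase 1: already met
    will_satisfy: set = field(default_factory=set)  # simulated prompt outcomes


def evaluate_policy(policy, session):
    """Return (decision, prompts).

    decision is 'grant', 'deny' or 'block'; prompts is the ordered list of
    interactive controls the user was actually asked to complete.
    """
    if policy.block:
        return "block", []
    met = {c for c in policy.controls if c in session.satisfied}
    prompts = []
    if not policy.require_all and met:
        return "grant", prompts          # "require one": satisfied in phase 1, no prompt
    for control in GRANT_ORDER:          # phase 2: walk controls in documented order
        if control not in policy.controls or control in met:
            continue
        if control in PASSIVE_CONTROLS:
            if policy.require_all:
                return "deny", prompts   # cannot be satisfied by a prompt
            continue                     # "require one": try the next control
        prompts.append(control)
        if control in session.will_satisfy:
            met.add(control)
            if not policy.require_all:
                return "grant", prompts  # first satisfied control is enough
        elif policy.require_all:
            return "deny", prompts
    if policy.require_all and met == set(policy.controls):
        return "grant", prompts
    return "deny", prompts


def evaluate(policies, session):
    """All enabled policies apply; any policy with the block control wins."""
    if any(p.block for p in policies):
        return "block", []
    all_prompts = []
    for p in policies:
        decision, prompts = evaluate_policy(p, session)
        all_prompts.extend(prompts)
        if decision != "grant":
            return decision, all_prompts
    return "grant", all_prompts


if __name__ == "__main__":
    # The scenario from the thread: MFA + approved client app, "require one".
    policy = Policy("ca-app", ["approved_client_app", "mfa"])
    print(evaluate([policy], Session(will_satisfy={"mfa"})))      # MFA prompted, granted
    print(evaluate([policy], Session()))                          # MFA fails, no approved app, denied
    print(evaluate([policy], Session(satisfied={"approved_client_app"})))  # no prompt at all
```

Note that the order of `controls` in the policy does not matter: MFA is always prompted first because `GRANT_ORDER`, not the policy's list, drives phase 2. With "Require one of", a session that already satisfies a passive control (for example an approved client app) is granted without an MFA prompt, which is the behaviour to keep in mind when reviewing such a policy.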
I was checking the Continuous Access Evaluation section, but didn't find it there.
Thanks, that's what I was looking for.
- Vicky_bom3, Jul 07, 2024, Brass Contributor
Thanks Ashish for marking my response as the answer to your query.
CAE is a completely different topic; it is about invalidating the access token if any account changes are observed, like account disabled, locked out, etc., so you will not find the SEQUENCE/ORDER of CA policy GRANT options in CAE.
Thanks
Vicky