Forum Discussion
Skipster311-1
Oct 07, 2021 · Iron Contributor
CA policy when does it apply
Is this a correct statement? "CA policies are evaluated only when a user authenticates?" I created a CA policy that enforces device compliance with Intune. I noticed that an un-enrolled device was sti...
BilalelHadd
Oct 08, 2021 · Iron Contributor
Hi Skipster311-1,
The statement is not entirely true. Yes, there should be a form of communication or authentication before a CA policy kicks in. For example, you require a user with a CA policy to use MFA with a session control of 1 day configured. In this example, the user holds his access token for the sign-in for 24 hours and will be prompted after 24 hours to re-authenticate. A Conditional Access policy triggers this.
But when you use the Continuous Access Evaluation feature, it can recognize changes on the client in near real time, which re-evaluates the policy. So based on the conditions, the statement of the evaluation differs.
The feature also describes it. A condition is required when trying to access company resources. I hope this helps.
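One way to check when a Conditional Access policy was actually evaluated for a user is to read the sign-in log, which records a per-policy result for each sign-in event. This is an added example, not part of the original thread; it assumes the Microsoft Graph PowerShell module is installed, and the user name and policy name are placeholders.

```powershell
# Added example: list recent sign-ins for one user and show, for each one,
# whether the named CA policy was evaluated and what device state was seen.
# Requires permission to read sign-in logs in the tenant.
Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All'

$upn        = 'user@contoso.example'       # placeholder: user to inspect
$policyName = 'Require compliant device'   # placeholder: your CA policy's display name

Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$upn'" -Top 50 |
    ForEach-Object {
        $signIn = $_

        # Each sign-in carries one entry per CA policy in the tenant, with a
        # Result such as success, failure, notApplied or notEnabled.
        $policy = $signIn.AppliedConditionalAccessPolicies |
            Where-Object DisplayName -eq $policyName

        [pscustomobject]@{
            Time         = $signIn.CreatedDateTime
            App          = $signIn.AppDisplayName
            Device       = $signIn.DeviceDetail.DisplayName
            IsCompliant  = $signIn.DeviceDetail.IsCompliant
            IsManaged    = $signIn.DeviceDetail.IsManaged
            PolicyResult = if ($policy) { $policy.Result } else { 'not listed' }
            GrantControl = ($policy.EnforcedGrantControls -join ',')
        }
    } |
    Sort-Object Time |
    Format-Table -AutoSize
```

Comparing the timestamps of these entries with the time the policy was enabled shows whether any evaluation has happened since; a session with no sign-in event after that point has not yet been checked against the policy.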