Skipster311-1
Iron Contributor
Oct 07, 2021
Solved

CA policy when does it apply

Is this a correct statement? "CA policies are evaluated only when a user authenticates?" I created a CA policy that enforces device compliance with Intune. I noticed that an un-enrolled device was sti...
  • BilalelHadd
    Oct 08, 2021
    Hi Skipster311-1,

    The statement is not entirely true. Yes, there should be a form of communication or authentication before a CA policy kicks in. For example, you require a user with a CA policy to use MFA with a session control of 1 day configured. In this example, the user holds his access token for the sign-in for 24 hours and will be prompted after 24 hours to re-authenticate. A Conditional Access policy triggers this.

    But when you use the Continuous Access Evaluation feature, it can recognize in nearly real-time changes on the client, which re-evaluates the policy. So based on the conditions, the statement of the evaluation differs.

    The feature also describes it. A condition is required when trying to access company resources. I hope this helps.