SOLVED

CA policy when does it apply


Is this a correct statement: "CA policies are evaluated only when a user authenticates"?

I created a CA policy that enforces device compliance with Intune. I noticed that an un-enrolled device was still able to access the O365 app, even after the CA policy was turned on. Only after forcing users to log out of all O365 apps and re-authenticate were the users prompted to enroll the device.

This tells me that the CA policy that forces device compliance wasn't evaluated until the user had to re-authenticate. Looking for confirmation on this.

2 Replies
best response confirmed by Skipster311-1 (Frequent Contributor)
Solution
Hi @Skipster311-1,

The statement is not entirely true. Yes, there should be a form of communication or authentication before a CA policy kicks in. For example, you require a user with a CA policy to use MFA with a session control of 1 day configured. In this example, the user holds his access token for the sign-in for 24 hours and will be prompted after 24 hours to re-authenticate. A Conditional Access policy triggers this.

But when you use the Continuous Access Evaluation feature, it can recognize in nearly real time changes on the client, which re-evaluates the policy. So based on the conditions, the statement of the evaluation differs.

The feature also describes it. A condition is required when trying to access company resources. I hope this helps.

So this is an area that we reviewed in depth about two years back, so it might have changed, but my understanding is that CA does NOT kick in until Modern Auth has processed the UserID + the CORRECT password. It's something that ideally could/should be changed to have CA check if it's a Domain Joined device in the correct Country/Region before it's allowed to move to the next step?
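The behaviour described in this thread (a device-compliance policy is switched on, but users on existing sessions keep working until a re-authentication or sign-in-frequency expiry forces the policy to be evaluated, unless Continuous Access Evaluation revokes the session earlier) is something an admin can verify from the sign-in logs. The script below is an added example for this thread, not code from Microsoft or from the posters: it runs over constructed records in the shape of Microsoft Graph `signIn` objects (`conditionalAccessStatus`, `appliedConditionalAccessPolicies`, `deviceDetail`) and classifies each sign-in after the policy's enablement time as enforced, passed on a compliant device, or a gap (non-compliant device, policy not applied). The policy display name, user names, device ids and timestamps are all made up.

```python
"""Classify Entra ID sign-in records against a device-compliance CA policy.

Added example for this thread, not Microsoft code. The records are
constructed to match a subset of the Microsoft Graph `signIn` schema;
names, ids and timestamps are invented.
"""
from datetime import datetime, timezone

# Assumed display name of the policy from the question; constructed value.
POLICY_NAME = "Require compliant device for O365"
# Constructed time at which the policy was switched from Off to On.
POLICY_ENABLED_AT = datetime(2021, 10, 1, 9, 0, tzinfo=timezone.utc)

# Constructed sample records (subset of Graph signIn fields).
SAMPLE_SIGNINS = [
    {   # interactive sign-in before the policy existed: nothing to enforce yet
        "id": "s1", "userPrincipalName": "alice@contoso.example",
        "createdDateTime": "2021-09-30T08:00:00Z",
        "conditionalAccessStatus": "notApplied",
        "deviceDetail": {"deviceId": "", "isCompliant": False, "isManaged": False},
        "appliedConditionalAccessPolicies": [],
    },
    {   # token refresh after enablement on the old session: policy not applied
        "id": "s2", "userPrincipalName": "alice@contoso.example",
        "createdDateTime": "2021-10-01T10:00:00Z",
        "conditionalAccessStatus": "notApplied",
        "deviceDetail": {"deviceId": "", "isCompliant": False, "isManaged": False},
        "appliedConditionalAccessPolicies": [
            {"displayName": POLICY_NAME, "result": "notApplied"}],
    },
    {   # fresh interactive sign-in after the forced logout: policy blocks
        "id": "s3", "userPrincipalName": "alice@contoso.example",
        "createdDateTime": "2021-10-01T11:00:00Z",
        "conditionalAccessStatus": "failure",
        "deviceDetail": {"deviceId": "", "isCompliant": False, "isManaged": False},
        "appliedConditionalAccessPolicies": [
            {"displayName": POLICY_NAME, "result": "failure"}],
    },
    {   # enrolled, compliant device after enablement: policy satisfied
        "id": "s4", "userPrincipalName": "bob@contoso.example",
        "createdDateTime": "2021-10-01T12:00:00Z",
        "conditionalAccessStatus": "success",
        "deviceDetail": {"deviceId": "dev-0001", "isCompliant": True, "isManaged": True},
        "appliedConditionalAccessPolicies": [
            {"displayName": POLICY_NAME, "result": "success"}],
    },
]


def parse_time(value):
    """Graph emits ISO 8601 with a trailing Z; make it an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def policy_result(record, policy_name):
    """Result the named policy reported for this sign-in, or None if absent."""
    for policy in record.get("appliedConditionalAccessPolicies", []):
        if policy.get("displayName") == policy_name:
            return policy.get("result")
    return None


def classify(record, policy_name, enabled_at):
    """Return 'pre_policy', 'enforced', 'compliant_ok' or 'gap'.

    A 'gap' is a sign-in after the policy went live from a device that is
    not compliant and for which the policy did not report failure: the
    existing session kept working without the policy being enforced.
    """
    if parse_time(record["createdDateTime"]) < enabled_at:
        return "pre_policy"
    result = policy_result(record, policy_name)
    compliant = record.get("deviceDetail", {}).get("isCompliant", False)
    if result == "failure":
        return "enforced"
    if compliant:
        return "compliant_ok"
    return "gap"


def find_gaps(records, policy_name=POLICY_NAME, enabled_at=POLICY_ENABLED_AT):
    """Ids of sign-ins that slipped through after enablement."""
    return [r["id"] for r in records
            if classify(r, policy_name, enabled_at) == "gap"]


def summarize(records, policy_name=POLICY_NAME, enabled_at=POLICY_ENABLED_AT):
    """Count of each classification, useful as a quick enforcement check."""
    counts = {}
    for r in records:
        label = classify(r, policy_name, enabled_at)
        counts[label] = counts.get(label, 0) + 1
    return counts


if __name__ == "__main__":
    for r in SAMPLE_SIGNINS:
        print(r["id"], r["userPrincipalName"],
              classify(r, POLICY_NAME, POLICY_ENABLED_AT))
    print("gaps:", find_gaps(SAMPLE_SIGNINS))
    print(summarize(SAMPLE_SIGNINS))
```

Against real data, the records would come from the Graph sign-in log (the interactive and non-interactive feeds) rather than the constructed list, and any `gap` hits after enablement are the sessions that predate the policy, which is exactly what the forced logout in the question cleared; with Continuous Access Evaluation enabled for the app, a compliance change is pushed to the resource instead of waiting for the next token issuance.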