Conditional Access Policies Assignments Logic


Starting to work with conditional access policies. I note that you can create a policy that:

 

  • Only contains a user assignment
  • Only contains an application assignment

If I do this, though, and run the WhatIf tool, it never applies to any users/apps unless BOTH are configured, i.e. I configure the policy to include at least 1 app and 1 user rather than just one or the other. I see from here it states you must configure both of them.

 

So, is there any condition whereby a policy configured with either a user assignment or app assignment would be applicable? Am I missing something? Why can you configure a policy as such if it never applies :|

1 Reply

@shockotechcom You should at least provide a user, an application (or user action) AND an access control to make a policy work.

 

If you, for example, would only say: if user X do control MFA, the policy would not work. You have to enter either all cloud apps or separate apps to make it work.

 

I agree, it should not let you save a policy that is not "complete".

I suggest you create a uservoice to address this: https://microsoftintune.uservoice.com/forums/291681-ideas/filters/hot?category_id=155130-conditional...
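
An audit for the condition discussed in this thread, as an added example that is not part of the original posts: it flags policies that lack a user assignment, an application (or user action) assignment, or an access control. Field names follow the Microsoft Graph `conditionalAccessPolicy` resource; treating a "None" entry as empty is an assumption, and the sample policies are constructed.

```python
# Added example: find Conditional Access policies that can never apply because
# one of the three required parts is missing. Input is a list of policy objects
# shaped like the Microsoft Graph conditionalAccessPolicy resource.

def _has_any(obj, keys):
    """True if any listed key holds at least one entry other than 'None'."""
    obj = obj or {}
    return any(str(v).lower() != "none"
               for k in keys for v in (obj.get(k) or []))

def missing_parts(policy):
    """Return which of users / applications / access control the policy lacks."""
    cond = policy.get("conditions") or {}
    missing = []
    if not _has_any(cond.get("users"),
                    ["includeUsers", "includeGroups", "includeRoles"]):
        missing.append("users")
    if not _has_any(cond.get("applications"),
                    ["includeApplications", "includeUserActions"]):
        missing.append("applications")
    has_grant = _has_any(policy.get("grantControls"),
                         ["builtInControls", "customAuthenticationFactors", "termsOfUse"])
    # sessionControls is an object whose unset members are null in an export
    session = policy.get("sessionControls") or {}
    has_session = any(v is not None for v in session.values())
    if not (has_grant or has_session):
        missing.append("access control")
    return missing

def audit(policies):
    """Map displayName -> missing parts, for incomplete policies only."""
    return {p["displayName"]: m for p in policies if (m := missing_parts(p))}

def _policy(name, users, apps, grant):  # helper for the constructed samples
    return {"displayName": name,
            "conditions": {"users": users, "applications": apps},
            "grantControls": grant, "sessionControls": None}

MFA = {"operator": "OR", "builtInControls": ["mfa"]}
SAMPLE_POLICIES = [  # constructed, not taken from a real tenant
    _policy("Users only", {"includeUsers": ["All"]}, {"includeApplications": ["None"]}, MFA),
    _policy("Apps only", {"includeUsers": ["None"]}, {"includeApplications": ["All"]}, MFA),
    _policy("Complete", {"includeUsers": ["All"]}, {"includeApplications": ["All"]}, MFA),
    _policy("No access control", {"includeGroups": ["constructed-group-id"]},
            {"includeUserActions": ["urn:user:registersecurityinfo"]}, None),
]

if __name__ == "__main__":
    for name, parts in audit(SAMPLE_POLICIES).items():
        print(f"{name}: missing {', '.join(parts)}")
```
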