conditional policy relaxation for a client-app


My OAuth client app is sending /authorize call to AAD with openid in the SCOPE

I have a conditional policy that says that access to any and ALL cloud-resource MUST be from COMPLIANT DEVICE.

I want to relax this policy only for this one and only client-application so that this client-app (web-app) can be hit from my personal device browser.

All other client-apps must comply with COMPLIANT DEVICE policy.

Can I do that?

Thanks.

1 Reply
You can edit your Conditional Access policy and exclude this specific app from the policy that requires managed devices. You do this by editing the policy, selecting ‘Cloud apps or actions’ and then the ‘Exclude’ tab. Here you can select any apps that have been registered in your directory/tenant and to which this policy shouldn’t apply.
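
An added example, not part of the original thread: once an app is excluded as the reply describes, the exclusion list is worth reviewing so it does not grow unnoticed. This Python sketch assumes the policies have been exported as JSON in the Microsoft Graph `conditionalAccessPolicy` shape; the sample policies, app IDs and function names are constructed for illustration.

```python
# Constructed sample: two policies shaped like Microsoft Graph
# conditionalAccessPolicy objects. Names and app IDs are placeholders.
SAMPLE_POLICIES = [
    {
        "displayName": "Require compliant device - all cloud apps",
        "state": "enabled",
        "conditions": {
            "applications": {
                "includeApplications": ["All"],
                "excludeApplications": ["00000000-0000-0000-0000-00000000aaaa"],
            }
        },
        "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]},
    },
    {
        "displayName": "Require MFA - all cloud apps",
        "state": "enabled",
        "conditions": {"applications": {"includeApplications": ["All"]}},
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
]


def compliant_device_exclusions(policies):
    """Map each enabled compliant-device policy to the app IDs excluded from it."""
    report = {}
    for policy in policies:
        if policy.get("state") != "enabled":
            continue  # disabled and report-only policies enforce nothing
        controls = (policy.get("grantControls") or {}).get("builtInControls", [])
        if "compliantDevice" not in controls:
            continue  # policy does not ask for a compliant device
        apps = policy.get("conditions", {}).get("applications", {})
        report[policy["displayName"]] = sorted(apps.get("excludeApplications", []))
    return report


def unapproved_exclusions(policies, approved_app_ids):
    """Return (policy name, app ID) pairs for exclusions not on the approved list."""
    return [
        (name, app_id)
        for name, app_ids in compliant_device_exclusions(policies).items()
        for app_id in app_ids
        if app_id not in approved_app_ids
    ]


if __name__ == "__main__":
    print(unapproved_exclusions(SAMPLE_POLICIES, approved_app_ids=set()))
```

Passing the set of app IDs that were deliberately exempted as `approved_app_ids` leaves only unexpected exclusions in the result.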