cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

CA policy when does it apply

Skipster311-1
Iron Contributor

‎Oct 07 2021 07:47 AM - last edited on ‎Jan 14 2022 03:24 PM by

‎Oct 07 2021 07:47 AM - last edited on ‎Jan 14 2022 03:24 PM by

CA policy when does it apply

Is this correct statement? "CA policies are evaluated only when a user authenticates?"

I created a CA policy that enforces device compliance with Intune. I noticed that an un-enrolled device was still able to access O365 app, even after the CA policy was turned on. Only after forcing users to logout of all O365 apps and re-authenticate were the users prompted to enroll the device.

 

This tells me that the CA policy that forces device compliance wasn't evaluated until the user had to reauthenticate. Looking for confirmation on this

1,223 Views
0 Likes
2 Replies
Reply
2 Replies
best response confirmed by Skipster311-1 (Iron Contributor)
BilalelHadd

‎Oct 08 2021 01:22 AM

‎Oct 08 2021 01:22 AM

Solution

Re: CA policy when does it apply

Hi @Skipster311-1,

The statement is not entirely true. Yes, there should be a form of communication or authentication before a CA policy kicks in. For example, you require a user with a CA policy to use MFA with a session control of 1 day configured. In this example, the user holds his access token for the sign-in for 24 hours and will be prompted after 24 hours to re-authenticate. A Conditional Access policy triggers this.

But when you use the Continous Access Evaluation feature, it can recognize in nearly real-time changes on the client, which re-evaluates the policy. So based on the conditions, the statement of the evaluation differs.

The feature also describes it. A condition is required when trying to access company resources. I hope this helps.
0 Likes
Reply
David Caddick

‎Oct 08 2021 01:57 AM

‎Oct 08 2021 01:57 AM

Re: CA policy when does it apply

So this is an area that we reviewed in depth about two years back, so it might have changed, but my understanding is that CA does NOT kick in until Modern Auth has processed the UserID + the CORRECT password. It's something that ideally could/should be changed to have CA check if it's a Domain Joined device in the correct Country/Region before it's allowed to move to the next step?
0 Likes
Reply
1 best response

Accepted Solutions
best response confirmed by Skipster311-1 (Iron Contributor)
BilalelHadd

‎Oct 08 2021 01:22 AM

‎Oct 08 2021 01:22 AM

Solution

Re: CA policy when does it apply

Hi @Skipster311-1,

The statement is not entirely true. Yes, there should be a form of communication or authentication before a CA policy kicks in. For example, you require a user with a CA policy to use MFA with a session control of 1 day configured. In this example, the user holds his access token for the sign-in for 24 hours and will be prompted after 24 hours to re-authenticate. A Conditional Access policy triggers this.

But when you use the Continous Access Evaluation feature, it can recognize in nearly real-time changes on the client, which re-evaluates the policy. So based on the conditions, the statement of the evaluation differs.

The feature also describes it. A condition is required when trying to access company resources. I hope this helps.

View solution in original post

0 Likes
Reply