hello_imran_nawaz
Jul 20, 2024

Conditional access policy for Citrix XenApp browser applications

Hi Everyone
I need some assistance with a Conditional Access policy. My scenarios:
I wanted CAP to require MFA if users are coming from a trusted device (company issued) but an untrusted location (outside home country), and no MFA if coming from a trusted device (company issued) but a trusted location (home country), for applications.
If users are coming from untrusted devices, it is always MFA.
After I configured two CAPs, my Citrix XenApp users (logging in to Citrix and opening browsers) are also requiring MFA.

How do I make sure Citrix XenApp browser users are also not prompted for multifactor authentication?
Thanks
Imran Nawaz
  • Hello,

    What do you mean by a trusted device in this context? Are you referring to compliant devices managed by Intune, Entra joined devices, or Entra Hybrid joined devices?

    If I understood the requirements correctly, you should implement the following:

    CAP1: Require MFA for Untrusted devices

    • Condition > Filter for devices (exclude trusted devices)
    • Grant > Require MFA

    CAP2: Require MFA for Untrusted locations

    • Condition > Exclude Trusted Network locations
    • Grant > Require MFA
    • hello_imran_nawaz

      MatejKlemencic

      Trusted device is domain joined / hybrid joined.

      Trusted devices from untrusted locations: CAP2 will be applied. Is this correct?

      Untrusted device from trusted location: CAP1 will be applied. Is this correct?

      Trusted devices opening XenApp browser application: No MFA required. How do I achieve this?

      Untrusted device opening XenApp browser application: No MFA required. How do I achieve this?

      Trusted device from trusted location: No MFA required. How do I achieve this?

      Thanks

      Imran Nawaz

      • MatejKlemencic

        hello_imran_nawaz 

        The example I provided ensures that MFA is required every time someone accesses the app from an untrusted device, regardless of their location. Additionally, MFA is required for trusted devices only if they are accessing the app from an untrusted location. 
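
The two-policy design discussed in this thread, as an added example that is not part of any post: the policies are written with the field names of the Microsoft Graph `conditionalAccessPolicy` resource and run through a simplified evaluator to show the resulting MFA decision for each device/location combination. Assumptions: "trusted device" is expressed as the filter rule `device.trustType -eq "ServerAD"` (hybrid joined), trusted locations as `AllTrusted`, user and application scoping is left out, and the functions `applies`, `mfa_required` and `decision_table` are hypothetical helpers, not Entra ID's own engine.

```python
# Added example: a simplified model, not Entra ID's evaluation engine.
from itertools import product

MFA = {"operator": "OR", "builtInControls": ["mfa"]}

# CAP1: require MFA unless the device matches the "trusted" filter.
CAP1 = {
    "displayName": "CAP1 - Require MFA for untrusted devices",
    "conditions": {"devices": {"deviceFilter": {
        "mode": "exclude",
        # Assumption: trusted = hybrid joined (trustType ServerAD).
        "rule": 'device.trustType -eq "ServerAD"',
    }}},
    "grantControls": MFA,
}

# CAP2: require MFA unless the sign-in comes from a trusted named location.
CAP2 = {
    "displayName": "CAP2 - Require MFA for untrusted locations",
    "conditions": {"locations": {
        "includeLocations": ["All"],
        "excludeLocations": ["AllTrusted"],
    }},
    "grantControls": MFA,
}

def applies(policy, sign_in):
    """True when no exclusion in the policy matches this sign-in."""
    cond = policy["conditions"]
    dev_filter = cond.get("devices", {}).get("deviceFilter")
    if dev_filter and dev_filter["mode"] == "exclude" and sign_in["hybrid_joined"]:
        return False
    excluded = cond.get("locations", {}).get("excludeLocations", [])
    if "AllTrusted" in excluded and sign_in["trusted_location"]:
        return False
    return True

def mfa_required(sign_in, policies=(CAP1, CAP2)):
    # Every applicable policy's grant control must be met, so one is enough.
    return any("mfa" in p["grantControls"]["builtInControls"]
               for p in policies if applies(p, sign_in))

def decision_table():
    """Map (hybrid_joined, trusted_location) -> MFA required?"""
    return {(dev, loc): mfa_required({"hybrid_joined": dev, "trusted_location": loc})
            for dev, loc in product([True, False], repeat=2)}

if __name__ == "__main__":
    for (dev, loc), mfa in decision_table().items():
        print(f"hybrid_joined={dev!s:5} trusted_location={loc!s:5} -> MFA={mfa}")
```

In this model a sign-in that presents no device identity is represented as `hybrid_joined=False`, so CAP1 applies to it.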

         

         
