Conditional Access Policies Assignments Logic

Brass Contributor

Starting to work with conditional access policies. I note that you can create a policy that:


  • Only contains a user assignment
  • Only contains an application assignment

If I do this though and run the WhatIf tool it never applies to any users/app unless BOTH are configured i.e. I configure the policy to included at least 1 app and 1 user rather that just one or the other. I see from here it states you must configure both of them


So, is there any condition whereby a policy configured with either a user assignment or app assignment would be applicable? Am I missing something? Why can you configure a policy as such if it never applies :|

1 Reply

@shockotechcom You should at least provide a user, an application(or user action) AND a Access control to make a policy work. 


If you, for example, would only say: if user X do control MFA, the policy would not work. You have to enter either all cloud apps or separate apps to make it work.


I agree, it should not let you save a policy that is not " complete" 

I suggest you create a uservoice to address this: