Conditional Access Policies Assignments Logic

Starting to work with conditional access policies. I note that you can create a policy that:

  • Only contains a user assignment
  • Only contains an application assignment

If I do this, though, and run the WhatIf tool, it never applies to any users/apps unless BOTH are configured, i.e. I configure the policy to include at least 1 app and 1 user rather than just one or the other. I see from here it states you must configure both of them.

So, is there any condition whereby a policy configured with either a user assignment or app assignment would be applicable? Am I missing something? Why can you configure a policy as such if it never applies? 😐

1 Reply

@shockotechcom You should at least provide a user, an application (or user action) AND an access control to make a policy work.

If you, for example, would only say: if user X do control MFA, the policy would not work. You have to enter either all cloud apps or separate apps to make it work.

I agree, it should not let you save a policy that is not "complete".

I suggest you create a uservoice to address this: https://microsoftintune.uservoice.com/forums/291681-ideas/filters/hot?category_id=155130-conditional...
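
The rule in the reply above can be checked offline against exported policies. This is an added example, not part of the original thread or any Microsoft tooling: it assumes policies in the shape of Microsoft Graph `conditionalAccessPolicy` objects, treats either a grant or a session control as the "access control", and runs on constructed sample data.

```python
import json

# Constructed sample in the shape of Microsoft Graph conditionalAccessPolicy
# objects. Display names and the GUID are made up for this example.
SAMPLE_EXPORT = json.loads("""
[
 {"displayName": "MFA for user X, no app",
  "conditions": {"users": {"includeUsers": ["00000000-0000-0000-0000-000000000001"]},
                 "applications": {"includeApplications": []}},
  "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
 {"displayName": "All apps, no user",
  "conditions": {"users": {"includeUsers": []},
                 "applications": {"includeApplications": ["All"]}},
  "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
 {"displayName": "User X on all apps, no control",
  "conditions": {"users": {"includeUsers": ["00000000-0000-0000-0000-000000000001"]},
                 "applications": {"includeApplications": ["All"]}},
  "grantControls": null},
 {"displayName": "MFA for user X on all apps",
  "conditions": {"users": {"includeUsers": ["00000000-0000-0000-0000-000000000001"]},
                 "applications": {"includeApplications": ["All"]}},
  "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}}
]
""")

USER_KEYS = ("includeUsers", "includeGroups", "includeRoles", "includeGuestsOrExternalUsers")
APP_KEYS = ("includeApplications", "includeUserActions")
GRANT_KEYS = ("builtInControls", "customAuthenticationFactors", "termsOfUse", "authenticationStrength")

def _has_any(section, keys):
    """True if any of the listed keys holds a non-empty value; tolerates null sections."""
    section = section or {}
    return any(section.get(k) for k in keys)

def missing_parts(policy):
    """Return which of the three required parts the policy lacks."""
    cond = policy.get("conditions") or {}
    missing = []
    if not _has_any(cond.get("users"), USER_KEYS):
        missing.append("user assignment")
    if not _has_any(cond.get("applications"), APP_KEYS):
        missing.append("application or user action")
    # Assumption: a configured session control also counts as an access control.
    session = policy.get("sessionControls") or {}
    if not (_has_any(policy.get("grantControls"), GRANT_KEYS) or any(session.values())):
        missing.append("access control")
    return missing

def audit(policies):
    """Map each policy name to its missing parts (empty list means complete)."""
    return {p.get("displayName", "<unnamed>"): missing_parts(p) for p in policies}
```

Any policy with a non-empty list is one the WhatIf tool would never match, so it is worth flagging in a tenant review before anyone assumes it is enforcing MFA.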