Conflicting Policy


What will happen if you and your colleague created conflicting endpoint security policies? Who will take precedence? And how to spot this right away?

Example 1: Your colleague created a compliance policy that users must set up alphanumeric passwords not less than 10 characters long. Then the policy you created in a device configuration profile is that the password must be numeric and not less than 8 characters.

Example 2: An admin created a conditional access policy that applies to all users (not excluding anyone) to not access the company network on unmanaged devices. Then you created another policy that will allow certain administrators to access company networks even on unmanaged devices.

1 Reply

Good question... the Microsoft docs for conflicting app protection policies are a lot better. But if a compliance policy evaluates against the same setting in another compliance policy, then the most restrictive compliance policy setting applies.

So for example one... I guess the 10 characters will be used. Using 10 characters should be the most restrictive... but I am not 100% sure how Microsoft thinks about this one... my guess is both of the policies will give remediation errors... but I need to test it to be 100% sure. But beware, using a password compliance policy can give you some trouble :p

And for example 2, it's the same... the most restrictive would win so all devices will be blocked... You will need to apply a filter or an exclusion on that one to rule some users out.
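
The Conditional Access case from example 2, as an added illustration that is not part of the thread: a small model in which every applicable policy is combined and any block denies access, plus a check that flags grant policies that can never take effect. Field names follow the Microsoft Graph `conditionalAccessPolicy` shape, trimmed to user scope and grant controls; the policy names, the user IDs and the assumption that all policies target unmanaged devices are constructed for the example.

```python
# Constructed sample policies; field names follow the Microsoft Graph
# conditionalAccessPolicy shape, trimmed to user scope and grant controls.
# Assumption: all three are scoped to sign-ins from unmanaged devices.
BLOCK_ALL = {
    "displayName": "Block unmanaged devices",
    "state": "enabled",
    "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": []}},
    "grantControls": {"builtInControls": ["block"]},
}
ADMIN_GRANT = {
    "displayName": "Admins on unmanaged devices",
    "state": "enabled",
    "conditions": {"users": {"includeUsers": ["admin-1"], "excludeUsers": []}},
    "grantControls": {"builtInControls": ["mfa"]},
}
# Same block policy with the administrator excluded, as the reply suggests.
BLOCK_WITH_EXCLUSION = {
    **BLOCK_ALL,
    "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": ["admin-1"]}},
}


def applies(policy, user_id):
    """True if an enabled policy targets the user; an exclusion beats an inclusion."""
    users = policy["conditions"]["users"]
    if policy["state"] != "enabled" or user_id in users["excludeUsers"]:
        return False
    return "All" in users["includeUsers"] or user_id in users["includeUsers"]


def evaluate(policies, user_id):
    """Combine every applicable policy: any block denies, else all controls are required."""
    matched = [p for p in policies if applies(p, user_id)]
    controls = {c for p in matched for c in p["grantControls"]["builtInControls"]}
    if "block" in controls:
        return "blocked"
    return "granted with " + ", ".join(sorted(controls)) if controls else "granted"


def shadowed_grants(policies):
    """Names of grant policies whose named users are all caught by some block policy."""
    blocks = [p for p in policies if "block" in p["grantControls"]["builtInControls"]]
    grants = [p for p in policies if p not in blocks and p["state"] == "enabled"]
    return [
        g["displayName"] for g in grants
        if (named := [u for u in g["conditions"]["users"]["includeUsers"] if u != "All"])
        and all(any(applies(b, u) for b in blocks) for u in named)
    ]
```

Running `shadowed_grants` over an exported policy list is one way to spot the conflict before users report it; group and role targeting would need to be resolved to user IDs first, which this model leaves out.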