07-02-2019 12:44 AM
07-02-2019 02:32 AM
@Stuart King There is also "any location" and "any device", but "all users" should do the trick.
Make sure to block legacy authentication, both to make sure MFA access controls work and because basic auth tokens won't carry enough information to filter properly in all CA policies.
07-03-2019 11:34 PM - edited 07-03-2019 11:35 PM
Yes, you should analyze the Azure AD Sign-in logs first (add the client application column) and make sure to exclude all service accounts that don't support modern authentication from the policy and prepare the users, especially those that show up in the log as legacy auth users.
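
The log review described in this reply, sketched as an added example that is not part of the original thread: it reads a sign-in log CSV export, keeps only sign-ins whose client app is not a modern-auth client, and splits the affected accounts into exclusion candidates and users to prepare. The column names, the set of client-app values treated as modern, the `contoso.example` accounts and the service-account inventory are assumptions or constructed sample data.

```python
import csv
import io
from collections import defaultdict

# Assumption: these client-app values mean modern authentication; any other
# value (IMAP4, POP3, Exchange ActiveSync, ...) is counted as legacy auth.
MODERN_CLIENT_APPS = {"browser", "mobile apps and desktop clients"}

# Constructed sample export. Column names are assumed; match them to your CSV.
SAMPLE_CSV = """\
Date (UTC),Username,Client app,Status
2019-07-01T08:01:00Z,alice@contoso.example,Browser,Success
2019-07-01T08:05:00Z,bob@contoso.example,IMAP4,Success
2019-07-01T08:06:00Z,bob@contoso.example,IMAP4,Success
2019-07-01T08:10:00Z,svc-scanner@contoso.example,Authenticated SMTP,Success
2019-07-01T08:20:00Z,carol@contoso.example,Mobile Apps and Desktop clients,Success
2019-07-01T08:25:00Z,Carol@contoso.example,Exchange ActiveSync,Failure
2019-07-01T09:00:00Z,dave@contoso.example,,Success
"""

def legacy_auth_report(csv_text, user_col="Username", app_col="Client app"):
    """Return {username: {client_app: count}} for legacy-auth sign-ins only."""
    report = defaultdict(lambda: defaultdict(int))
    for row in csv.DictReader(io.StringIO(csv_text)):
        user = (row.get(user_col) or "").strip().lower()
        # A blank client app is kept for review rather than assumed modern.
        app = (row.get(app_col) or "").strip() or "(blank)"
        if user and app.lower() not in MODERN_CLIENT_APPS:
            report[user][app] += 1
    return {user: dict(apps) for user, apps in report.items()}

def split_accounts(report, service_accounts):
    """Split legacy-auth accounts into policy-exclusion candidates and users to prepare."""
    known = {s.lower() for s in service_accounts}
    exclude = sorted(u for u in report if u in known)
    prepare = sorted(u for u in report if u not in known)
    return exclude, prepare

if __name__ == "__main__":
    report = legacy_auth_report(SAMPLE_CSV)
    # Hypothetical inventory of service accounts that cannot use modern auth.
    exclude, prepare = split_accounts(report, ["svc-scanner@contoso.example"])
    for user, apps in sorted(report.items()):
        print(user, apps)
    print("Exclusion candidates:", exclude)
    print("Users to prepare:", prepare)
```

Failed sign-ins are counted as well, since a failing legacy client still needs to be migrated before the block policy is enforced.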