Azure AD conditional Access Policy Evaluation and Precedence

Tad Yoke
New Contributor

Hi:

I'm working with a client currently using ~5000 Enterprise E3 & EM+S E3, and ADFS federation with AD Connect. I'm working with two AD security groups that are populated on-premises and get synchronized: All Company Users and Global Admins. 


They are self-explanatory and Office 365 Global Admin accounts are in both groups. I am enforcing MFA for Admins all the time and Users when not on the trusted networks (we are on Windows 7, but next year will go to Windows 10 and I expect to manage this by device).


Should the policy below work?

Allow Access

Require MFA

Include Group: All Company Users ; Exclude Group: Global Admins

Selected Cloud Apps

Include: All Locations ; Exclude: Trusted locations

Using client Browser, Mobile and client Apps


I'm getting mixed results. Thanks for any help!

Tad
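The following is an added illustration of how Conditional Access assignment precedence works, written for this thread; it is not Microsoft code and not part of Tad's post. It models two rules that Azure AD documents: a user or group exclusion always wins over an inclusion, and an excluded (trusted) location always wins over "All locations". The group, app and location names are taken from the post; the sign-in records, the app name "Exchange Online", and the second admin-only policy (standing in for the separate "MFA for admins all the time" control the post mentions) are constructed assumptions.

```python
"""Toy model of Azure AD Conditional Access assignment evaluation.

Added illustration, not Microsoft code. A policy applies to a sign-in only
when every assignment condition matches, and for users/groups and locations
an exclusion takes precedence over an inclusion. Grant controls from all
matching policies are combined, so a user must satisfy all of them.
"""
from dataclasses import dataclass


@dataclass
class SignIn:
    user: str
    groups: set          # group memberships as synchronized from on-premises AD
    app: str
    location: str        # a named location, e.g. "trusted" or "internet"
    client_app: str      # "browser" or "mobile_desktop"


@dataclass
class Policy:
    name: str
    include_groups: set
    exclude_groups: set
    include_apps: set       # {"all"} or specific app display names
    include_locations: set  # {"all"} or specific named locations
    exclude_locations: set
    client_apps: set
    grant: str              # grant control, e.g. "require_mfa"


def applies(policy: Policy, s: SignIn) -> bool:
    """True when the sign-in is in scope of the policy's assignments."""
    # Users/groups: an excluded group overrides any included group.
    if s.groups & policy.exclude_groups:
        return False
    if not (s.groups & policy.include_groups):
        return False
    # Cloud apps: either "all" or an explicitly selected app.
    if "all" not in policy.include_apps and s.app not in policy.include_apps:
        return False
    # Locations: an excluded (trusted) location overrides "all locations".
    if s.location in policy.exclude_locations:
        return False
    if "all" not in policy.include_locations and s.location not in policy.include_locations:
        return False
    # Client app type must be one the policy targets.
    return s.client_app in policy.client_apps


def evaluate(policies: list, s: SignIn) -> set:
    """Union of grant controls the sign-in must satisfy across matching policies."""
    return {p.grant for p in policies if applies(p, s)}


# The policy exactly as described in the post.
USER_MFA = Policy(
    name="Users: MFA off trusted networks",
    include_groups={"All Company Users"},
    exclude_groups={"Global Admins"},
    include_apps={"Exchange Online"},        # "Selected cloud apps" (app name constructed)
    include_locations={"all"},
    exclude_locations={"trusted"},
    client_apps={"browser", "mobile_desktop"},
    grant="require_mfa",
)

# Assumed second policy covering the admins the first one excludes.
ADMIN_MFA = Policy(
    name="Admins: MFA always",
    include_groups={"Global Admins"},
    exclude_groups=set(),
    include_apps={"all"},
    include_locations={"all"},
    exclude_locations=set(),
    client_apps={"browser", "mobile_desktop"},
    grant="require_mfa",
)

# Constructed sample sign-ins. Admin accounts are in both groups, as in the post.
SAMPLE_SIGNINS = {
    "user_offsite": SignIn("alice", {"All Company Users"}, "Exchange Online", "internet", "browser"),
    "user_onsite": SignIn("alice", {"All Company Users"}, "Exchange Online", "trusted", "browser"),
    "admin_offsite": SignIn("bob", {"All Company Users", "Global Admins"}, "Exchange Online", "internet", "browser"),
    "admin_onsite": SignIn("bob", {"All Company Users", "Global Admins"}, "Exchange Online", "trusted", "mobile_desktop"),
}


def report(policies: list) -> dict:
    """Map each sample sign-in name to the grant controls it must satisfy."""
    return {name: evaluate(policies, s) for name, s in SAMPLE_SIGNINS.items()}


if __name__ == "__main__":
    for label, pols in (("user policy only", [USER_MFA]), ("both policies", [USER_MFA, ADMIN_MFA])):
        print(label, report(pols))
```

Running it shows why a single policy gives "mixed results": with only the user policy, an admin account that sits in both groups is excluded entirely and is never prompted for MFA, even off the trusted network, while a regular user is prompted off-site and not on-site. Only the combination of the user policy plus a separate admin policy yields MFA for admins everywhere and for users off the trusted locations.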