Conditional Access Rule

Handian Sudianto 6,096 Reputation points
2022-12-19T03:01:55.433+00:00

Hi,

How will Conditional Access rules be executed if we have more than 2 rules? Will Conditional Access try to execute them from top to bottom and stop processing other rules if there is a matched rule?
For example, I have 2 rules like this:

  1. Rule to grant access from several countries
  2. Rule to grant access from a specific IP address

User A is assigned to both rules; which rule will be applied?

Microsoft Security Microsoft Entra Microsoft Entra ID

Accepted answer
  1. Dillon Silzer 57,826 Reputation points Volunteer Moderator
    2022-12-19T03:17:01.71+00:00

    Hi @Handian Sudianto

    The most restrictive policy will take precedence:

    Before configuring policies, identify the Azure AD groups you are using for each tier of protection. Typically, starting point protection applies to everybody in the organization. A user who is included for both starting point and enterprise protection will have all the starting point policies applied plus the enterprise policies. Protection is cumulative and the most restrictive policy is enforced.

    Cited from https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/identity-access-policies?view=o365-worldwide#assigning-policies-to-groups-and-users

    -------------------------------------------------

    If this is helpful please accept answer.
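
A simplified model of the cumulative behaviour described in the documentation quoted in the answer above, added here as an example and not taken from the thread or from Microsoft: every policy assigned to the user is evaluated with no ordering, and a block from any one of them wins. The class names, country codes and IP range are constructed, and each of the question's two rules is assumed to be expressed as "block unless the sign-in comes from a trusted location".

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class SignIn:
    user: str
    country: str
    ip: str
    satisfied: frozenset = frozenset()  # controls already completed, e.g. {"mfa"}

@dataclass(frozen=True)
class Policy:
    name: str
    users: frozenset
    trusted_countries: frozenset = frozenset()  # sign-ins from here are excluded
    trusted_networks: tuple = ()                # sign-ins from here are excluded
    controls: frozenset = frozenset({"block"})  # what the policy demands when it applies

    def applies(self, s: SignIn) -> bool:
        if s.user not in self.users or s.country in self.trusted_countries:
            return False
        addr = ipaddress.ip_address(s.ip)
        return not any(addr in ipaddress.ip_network(n) for n in self.trusted_networks)

def evaluate(policies, s: SignIn):
    """Combine every applicable policy; list order plays no part in the result."""
    matched = [p for p in policies if p.applies(s)]
    names = sorted(p.name for p in matched)
    required = frozenset().union(*(p.controls for p in matched))
    if "block" in required:            # a block from any single policy wins
        return "block", names
    missing = required - s.satisfied   # remaining controls are all required together
    if missing:
        return "challenge:" + ",".join(sorted(missing)), names
    return "grant", names

# Constructed policies mirroring the two rules in the question (model assumption:
# each one blocks user A unless the sign-in comes from its trusted location).
POLICIES = [
    Policy("country-rule", frozenset({"userA"}), trusted_countries=frozenset({"ID", "SG"})),
    Policy("ip-rule", frozenset({"userA"}), trusted_networks=("203.0.113.0/24",)),
]

if __name__ == "__main__":
    for country, ip in [("ID", "203.0.113.10"), ("ID", "198.51.100.7"), ("US", "203.0.113.10")]:
        print(country, ip, evaluate(POLICIES, SignIn("userA", country, ip)))
```

In this model user A is granted access only when the sign-in satisfies both rules at once, and reversing the list of policies does not change any decision.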


1 additional answer

  1. Ravi Kanth Koppala 3,391 Reputation points Microsoft Employee Moderator
    2022-12-19T03:19:51.6+00:00

    @Handian Sudianto ,

    In Azure Conditional Access, the rules are evaluated in the order in which they are listed, from top to bottom. If a rule matches the conditions specified in the rule, the actions associated with that rule will be taken, and the processing of the remaining rules will stop.

    In the example you provided, if the user is located in one of the countries specified in the first rule and their IP address matches the IP address specified in the second rule, the actions associated with the first rule will be taken. If the user is located in one of the countries specified in the first rule, but their IP address does not match the IP address specified in the second rule, the actions associated with the second rule will not be taken.

    It is important to note that you can use the "Stop rule processing" option for each rule to specify whether or not to continue evaluating the remaining rules if the conditions of the current rule are met. This option can be found under each rule's "Advanced options" section.

    If you want to specify the order in which the rules should be evaluated, you can use the "Move up" and "Move down" options in the "Actions" menu for each rule. This allows you to control the order in which the rules are evaluated and determine which rule takes precedence over the others.

    ----------

    Please "Accept as Answer" and Upvote if any of the above helped so that it can help others in the community looking for remediation for similar issues.

