I would like to use a Conditional Access policy to restrict access to resources in my app based on device compliance

Question

I would like my low-risk app to allow/restrict access to certain resources based on the user's device compliance (compliant/non-compliant). A user with a non-compliant device would still be able to use the app, but not be able to access all its resources.

To that end I created a conditional access policy:

Action: apply to authentication context (c2 value)

Condition: device filter - device.isCompliant -eq False

Access control: Block

I then make a claim request for the c2 auth context, as described in this guide: https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-optional-claims

The idea was to assess whether the user's JWT has the required 'acrs' claim value to allow/restrict parts of my app.

I would have expected to get a 401 error that I could handle if trying the request from a non-compliant device. However, what ends up happening is that my user gets forced to go through the steps for making the device compliant, even though the compliance is a condition of the policy, and not something I required it to enforce. What I need to happen is for the user to get an error 401 due to the non-compliant device, receive an error message blocking them from accessing the restricted content, but otherwise free to browse non-restricted content.

Am I doing something wrong here? Is there a way to accomplish my above requirement?

Answer 1

@Hila Karimov

I'm glad that you were able to resolve your issue and thank you for posting your solution so that others experiencing the same thing can easily reference this! Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others ", I'll repost your solution in case you'd like to "Accept " the answer.

As per https://learn.microsoft.com/en-us/azure/active-directory/develop/developer-guide-conditional-access-authentication-context#implicit-auth-context-satisfaction-by-opportunistic-evaluation

Once you specifically added the following to the application manifest, under access, id and saml, the appropriate auth context values in the acrs claim started getting sent passively in the user's JWT if the conditional access policy was satisfied.

{
				"name": "acrs",
				"source": null,
				"essential": false,
				"additionalProperties": []
			}

Thanks,

Akshay Kaushik,

Please "Accept the answer" (Yes/No) as this will help us and others in the community as well.

Answer 2

Hello @Hila Karimov

The first thing i would try is to remove the USer form the MDM Policy In Azure AD

AZURE AD- MOBILITY and MAM - Check whether it is in the specified Group or ALL is selected

Also you can set the Complaince Setting for devices to mark them as Non Compliant or Compliant if No Policy is assigned to them (https://endpoint.microsoft.com/)

Also you can reverse the Logic , add the filter to Compliant Devices and Allow , instead of Blocking Non Compliant

If this was helpful mark the answer as Accepted , otherwise send some info of the Sign In Logs and we can continue the resolution!

BR

Answer 3

If anyone else encounters this - the solution was:

https://learn.microsoft.com/en-us/azure/active-directory/develop/developer-guide-conditional-access-authentication-context#implicit-auth-context-satisfaction-by-opportunistic-evaluation

Once I specifically added the following to the application manifest, under access, id and saml, the appropriate auth context values in the acrs claim started getting sent passively in the user's JWT if the conditional access policy was satisfied.

{
				"name": "acrs",
				"source": null,
				"essential": false,
				"additionalProperties": []
			}