I would like to use a Conditional Access policy to restrict access to resources in my app based on device compliance

Hila Karimov 20 Reputation points
2023-03-30T00:13:58.8133333+00:00

I would like my low-risk app to allow/restrict access to certain resources based on the user's device compliance (compliant/non-compliant). A user with a non-compliant device would still be able to use the app, but not be able to access all its resources.

To that end I created a conditional access policy:

Action: apply to authentication context (c2 value)

Condition: device filter - device.isCompliant -eq False

Access control: Block

I then make a claim request for the c2 auth context, as described in this guide: https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-optional-claims

The idea was to assess whether the user's JWT has the required 'acrs' claim value to allow/restrict parts of my app.

I would have expected to get a 401 error that I could handle if trying the request from a non-compliant device. However, what ends up happening is that my user gets forced to go through the steps for making the device compliant, even though the compliance is a condition of the policy, and not something I required it to enforce. What I need to happen is for the user to get an error 401 due to the non-compliant device, receive an error message blocking them from accessing the restricted content, but otherwise free to browse non-restricted content.

Am I doing something wrong here? Is there a way to accomplish my above requirement?

Microsoft Entra ID

Accepted answer
  1. Akshay-MSFT 17,656 Reputation points Microsoft Employee
    2023-03-31T06:52:09.9366667+00:00

    @Hila Karimov

    I'm glad that you were able to resolve your issue and thank you for posting your solution so that others experiencing the same thing can easily reference this! Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others", I'll repost your solution in case you'd like to "Accept" the answer.

    As per https://learn.microsoft.com/en-us/azure/active-directory/develop/developer-guide-conditional-access-authentication-context#implicit-auth-context-satisfaction-by-opportunistic-evaluation

    Once you specifically added the following to the application manifest, under access, id and saml, the appropriate auth context values in the acrs claim started getting sent passively in the user's JWT if the conditional access policy was satisfied.

    {
        "name": "acrs",
        "source": null,
        "essential": false,
        "additionalProperties": []
    }

    Thanks,

    Akshay Kaushik,

    Please "Accept the answer" (Yes/No) as this will help us and others in the community as well.

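    Added example (not code from the thread, from Microsoft, or from the question's app): the resource-side logic that the question and the accepted answer describe, in Python. It reads the acrs claim that Entra ID sends passively once the optional claim is in the manifest, serves unrestricted paths regardless, and answers 401 on restricted paths when the claim is missing. It also builds the documented "insufficient_claims" WWW-Authenticate challenge for the alternative step-up design, because that challenge is what makes an MSAL client re-authenticate against the Conditional Access policy rather than show a plain error. The auth context ID "c2", the /restricted/ prefix and the sample tokens are assumptions; token signature, issuer, audience and expiry validation is assumed to have already happened in the framework.

```python
import base64
import json

# Hypothetical auth context ID and route prefix, chosen to match the "c2"
# value used in the question; not part of the original thread.
REQUIRED_AUTH_CONTEXT = "c2"
RESTRICTED_PREFIX = "/restricted/"


def _b64url_decode(segment: str) -> bytes:
    """Decode one base64url JWT segment, restoring stripped padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def payload_claims(token: str) -> dict:
    """Return the JWT payload as a dict. This does NOT validate the signature,
    issuer, audience or expiry; it assumes the framework's token validation
    already ran. Use it only to read claims from a token you already trust."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))


def has_auth_context(claims: dict, required: str = REQUIRED_AUTH_CONTEXT) -> bool:
    """True if the acrs claim carries the required auth context ID.
    Entra ID sends acrs as an array of strings; a missing claim means the
    policy was not satisfied for this sign-in (or acrs was never requested
    as an optional claim), so it is treated as 'not satisfied'."""
    acrs = claims.get("acrs", [])
    if isinstance(acrs, str):  # tolerate a single-value encoding
        acrs = [acrs]
    return required in acrs


def claims_challenge(required: str = REQUIRED_AUTH_CONTEXT) -> str:
    """WWW-Authenticate value for a 401 that asks the client to re-acquire a
    token satisfying the auth context. Format follows the Entra ID auth
    context developer guide: error="insufficient_claims" plus a base64-encoded
    claims request {"access_token":{"acrs":{"essential":true,"value":"<id>"}}}."""
    request = json.dumps(
        {"access_token": {"acrs": {"essential": True, "value": required}}},
        separators=(",", ":"),
    )
    encoded = base64.b64encode(request.encode()).decode()
    return (
        'Bearer realm="", '
        'authorization_uri="https://login.microsoftonline.com/common/oauth2/authorize", '
        f'error="insufficient_claims", claims="{encoded}"'
    )


def authorize(claims: dict, path: str, step_up: bool = False):
    """Return (HTTP status, extra response headers) for a request.

    Paths outside RESTRICTED_PREFIX are served regardless of acrs, which is
    what lets a non-compliant device keep using the rest of the app.
    Restricted paths need the auth context. With step_up=False the app just
    answers 401 and the client renders an error; with step_up=True the 401
    carries a claims challenge, which makes an MSAL client re-authenticate
    against the Conditional Access policy instead of showing a plain error."""
    if not path.startswith(RESTRICTED_PREFIX):
        return 200, {}
    if has_auth_context(claims):
        return 200, {}
    if step_up:
        return 401, {"WWW-Authenticate": claims_challenge()}
    return 401, {}


def _demo_token(claims: dict) -> str:
    """Constructed, unsigned token for the samples below. Never accept such a
    token in a real app; it exists only so payload_claims has input to read."""
    def seg(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).decode().rstrip("=")
    return f"{seg({'alg': 'none', 'typ': 'JWT'})}.{seg(claims)}."


# Constructed sample payloads: one where the policy was satisfied (acrs has
# "c2"), one from a device that failed it (no acrs claim at all).
SAMPLE_TOKEN_SATISFIED = _demo_token({"aud": "api://example", "acrs": ["c2"]})
SAMPLE_TOKEN_UNSATISFIED = _demo_token({"aud": "api://example"})

if __name__ == "__main__":
    for name, tok in [("satisfied", SAMPLE_TOKEN_SATISFIED),
                      ("unsatisfied", SAMPLE_TOKEN_UNSATISFIED)]:
        c = payload_claims(tok)
        print(name, authorize(c, "/public/home"), authorize(c, "/restricted/report"))
```

    The check is deliberately fail-closed: no acrs claim, or an acrs array without the required ID, is treated as "policy not satisfied", which is the only safe reading when the claim is sent opportunistically. Keep step_up=False for the behaviour the question asks for; the challenge variant is there to show what a client re-authenticating against the policy looks like from the resource side.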

3 additional answers

Sort by: Most helpful
  1. Konstantinos Passadis 17,456 Reputation points MVP
    2023-03-30T00:55:50.94+00:00

    Hello @Hila Karimov

    The first thing I would try is to remove the user from the MDM policy in Azure AD.

    Azure AD - Mobility and MAM - check whether it is in the specified group or ALL is selected.

    Also you can set the compliance setting for devices to mark them as Non Compliant or Compliant if no policy is assigned to them (https://endpoint.microsoft.com/).

    Also you can reverse the logic: add the filter to Compliant devices and Allow, instead of blocking Non Compliant.

    If this was helpful mark the answer as Accepted; otherwise send some info from the Sign-In Logs and we can continue the resolution!

    BR


  2. Hila Karimov 20 Reputation points
    2023-03-31T05:03:24.4433333+00:00

    If anyone else encounters this - the solution was:

    https://learn.microsoft.com/en-us/azure/active-directory/develop/developer-guide-conditional-access-authentication-context#implicit-auth-context-satisfaction-by-opportunistic-evaluation

    Once I specifically added the following to the application manifest, under access, id and saml, the appropriate auth context values in the acrs claim started getting sent passively in the user's JWT if the conditional access policy was satisfied.

    {
        "name": "acrs",
        "source": null,
        "essential": false,
        "additionalProperties": []
    }
