
Applying conditional access for specific groups on a cloud app which is already in exclusion list

isotonicuk 20 Reputation points
2023-06-30T14:50:51.51+00:00

Hi All

We currently have a CA policy applied to all users which dictates that users must come from compliant devices to access all MS cloud apps. The only exception to this is AVD, as we want to allow access to this app on all devices (Windows/Mac OS only) (BYOD) from any location. We have another CA policy just for AVD which states that, when using just this app, users must either be using a compliant device or be required to do MFA if they are not coming from a managed/compliant device.

However, we have a use case where, for a particular set of users and a subset of AVDs which will exist in their own contained host pool, a different set of CA policies should apply. Due to the nature of the activities on these AVDs, we want to mandate the use of MFA, and users MUST be coming from a compliant device only, specifically Windows/Mac OS only.

Is this possible?

We are thinking of a CA policy where the grant controls are "require MFA" and "require device to be marked as compliant", with both sets of controls required to be fulfilled.

The challenge we have is that we may have a user who has access to two AVD devices, one which is just a standard device and another which will sit in this special host pool, so without asking the user to use two separate identities we are going to run into a problem: if that user tries to access AVD, which policy would apply?

Any advice on this would be most appreciated.

Thanks

Microsoft Security | Microsoft Entra | Microsoft Entra ID

Answer accepted by question author

Alfredo Revilla - Upwork Top Talent | IAM SWE SWA 27,551 Reputation points Moderator
2023-07-01T04:55:39.1066667+00:00

Hello @isotonicuk, using Azure AD Conditional Access it is possible to require the device to be marked as compliant for all users and all MSFT cloud apps with the exception of AVD, and also to require MFA and the device to be marked as compliant for some users and only AVD apps. For this you have to create 2 CA policies:

Policy #1:

  1. Assignments:
    1. Users: All Users (Set 1)
    2. Cloud apps: All MSFT cloud apps excluding AVD
  2. Access Controls:
    1. Grant: Require device to be marked as compliant

Policy #2:

  1. Assignments:
    1. Users: Selected Users (Set 2)
    2. Cloud apps: AVD cloud app
  2. Access Controls:
    1. Grant: Require MFA + Require device to be marked as compliant (require all the selected controls)

Provided the user is not excluded from any of the policies, he should have access to AVD: from any device if he is only a member of Set 1, or from a compliant device and after passing MFA if he is a member of Set 2.

Let us know if you need additional assistance. If the answer was helpful, please accept it and rate it so that others facing a similar issue can easily find a solution.


1 person found this answer helpful.
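The two policies from the accepted answer, expressed with the Microsoft Graph PowerShell SDK. This is an added example and not code from the thread or from Microsoft. It assumes the Microsoft.Graph modules are installed, that the caller can consent to the listed scopes, that the AVD service principal appears as 'Azure Virtual Desktop' in the tenant, that the "Set 2" users are in a group named 'AVD-Restricted-HostPool-Users' (a hypothetical name), and that $breakGlassUpn is replaced with the tenant's real emergency-access account.

```powershell
# Added example (not from the original thread): create the two Conditional Access
# policies described in the accepted answer via Microsoft Graph PowerShell.
# Assumed names/values: 'Azure Virtual Desktop' service principal display name,
# 'AVD-Restricted-HostPool-Users' group (hypothetical), and the break-glass UPN below.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","Policy.Read.All",
                        "Application.Read.All","Group.Read.All","User.Read.All"

$breakGlassUpn = "breakglass@contoso.onmicrosoft.com"   # placeholder; always exclude this account
$breakGlass = Get-MgUser -Filter "userPrincipalName eq '$breakGlassUpn'"
$avdSp      = Get-MgServicePrincipal -Filter "displayName eq 'Azure Virtual Desktop'"
$set2Group  = Get-MgGroup -Filter "displayName eq 'AVD-Restricted-HostPool-Users'"

foreach ($obj in @($breakGlass, $avdSp, $set2Group)) {
    if (-not $obj) { throw "A required directory object was not found; check the assumed names above." }
}

# Policy #1: Set 1 = all users, all Microsoft cloud apps EXCEPT AVD, grant = compliant device.
$policy1 = @{
    displayName   = "CA01 - Require compliant device for all apps except AVD"
    state         = "enabledForReportingButNotEnforced"   # review sign-in logs first, then set "enabled"
    conditions    = @{
        clientAppTypes = @("all")
        users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlass.Id) }
        applications   = @{ includeApplications = @("All"); excludeApplications = @($avdSp.AppId) }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("compliantDevice") }
}

# Policy #2: Set 2 = the restricted group, AVD app only, Windows/macOS only,
# grant = MFA AND compliant device. operator "AND" is the API form of
# "Require all the selected controls" in the portal.
$policy2 = @{
    displayName   = "CA02 - AVD restricted users require MFA and compliant device"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        clientAppTypes = @("all")
        users          = @{ includeGroups = @($set2Group.Id); excludeUsers = @($breakGlass.Id) }
        applications   = @{ includeApplications = @($avdSp.AppId) }
        platforms      = @{ includePlatforms = @("windows","macOS") }
    }
    grantControls = @{ operator = "AND"; builtInControls = @("mfa","compliantDevice") }
}

$created = foreach ($p in @($policy1, $policy2)) {
    New-MgIdentityConditionalAccessPolicy -BodyParameter $p
}
$created | Select-Object DisplayName, State, Id
```

Two points worth checking before switching the state to "enabled". First, Conditional Access targets the AVD cloud app, not a host pool, so Policy #2 applies to every AVD sign-in by a Set 2 member, whichever host pool they connect to; and any other policy that matches the same sign-in (for example the existing AVD policy in the question that allows compliant device OR MFA) is still evaluated, because a sign-in must satisfy all applicable policies. Second, the device platform condition only scopes where Policy #2 applies: a Set 2 sign-in from a platform not in the list falls outside this policy rather than being blocked, so denying other platforms needs a separate block policy.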
